feat: extend cloudflare-proxy to support fetch interception and simplify configuration, while removing redundant dns-fix utility.

CHANGELOG.md

@@ -10,8 +10,9 @@ All notable changes to this project will be documented in this file.
 
 - **Self-hosted n8n** — Runs the latest n8n on HuggingFace Spaces Docker using SQLite (no external DB required).
 - **Persistent Backup** — Automatically syncs the entire n8n workspace (workflows, credentials, database) to a private HF Dataset.
-- **Cloudflare Transparent Proxy** — Built-in fix to bypass platform network blocks for services like Telegram and Discord.
-- **DNS-over-HTTPS (DoH)** — Automatic fallback resolution for domains blocked at the DNS level (e.g., WhatsApp, Telegram).
+- **Cloudflare Transparent Proxy** — Built-in fix to bypass platform network blocks for Telegram, WhatsApp-related APIs, Google integrations, Discord, and other outbound services.
+- **Automatic Cloudflare Worker provisioning** — Hugging8n can now create or update its outbound proxy automatically from `CLOUDFLARE_WORKERS_TOKEN`, matching HuggingClaw's auto-setup flow.
+- **Google node coverage widened** — Worker defaults now cover Google API families more broadly so Sheets, Drive, Gmail, OAuth, and related nodes work without manual domain tuning.
 - **Premium Dashboard** — Beautiful web interface at `/` for real-time uptime monitoring and sync health tracking.
 - **Built-in Keep-Alive** — Integrated UptimeRobot setup tool directly from the dashboard to prevent free HF Spaces from sleeping.
 - **Native Security** — Optimized for n8n v2 native user management with hardened file permissions (`umask 0077`).
@@ -25,7 +26,6 @@ All notable changes to this project will be documented in this file.
 - `start.sh` — Orchestrates startup, validates environment, and manages service lifecycle.
 - `health-server.js` — High-performance namespace proxy and dashboard server.
 - `cloudflare-proxy.js` — Transparently intercepts and routes blocked traffic via Cloudflare Workers.
-- `dns-fix.js` — Monkey-patches Node.js DNS for reliable DoH fallback.
 - `n8n-sync.py` — Robust background sync engine using the `huggingface_hub` API.
 - `start.sh` — Configures environment, restores backup, and launches background sync loop.
 

Dockerfile

@@ -29,16 +29,17 @@ RUN mkdir -p /home/node/app /home/node/.n8n && \
 WORKDIR /home/node/app
 
 COPY --chown=node:node health-server.js /home/node/app/health-server.js
-COPY --chown=node:node dns-fix.js /opt/dns-fix.js
 COPY --chown=node:node cloudflare-proxy.js /opt/cloudflare-proxy.js
+COPY --chown=node:node cloudflare-worker.js /home/node/app/cloudflare-worker.js
+COPY --chown=node:node cloudflare-proxy-setup.py /home/node/app/cloudflare-proxy-setup.py
 
 # Set NODE_OPTIONS after preload scripts are copied
-ENV NODE_OPTIONS="--require /opt/dns-fix.js --require /opt/cloudflare-proxy.js"
+ENV NODE_OPTIONS="--require /opt/cloudflare-proxy.js"
 COPY --chown=node:node n8n-sync.py /home/node/app/n8n-sync.py
 COPY --chown=node:node setup-uptimerobot.sh /home/node/app/setup-uptimerobot.sh
 COPY --chown=node:node start.sh /home/node/app/start.sh
 
-RUN chmod +x /home/node/app/start.sh /home/node/app/setup-uptimerobot.sh
+RUN chmod +x /home/node/app/start.sh /home/node/app/setup-uptimerobot.sh /home/node/app/cloudflare-proxy-setup.py
 
 USER node
 

README.md

@@ -10,8 +10,9 @@ license: mit
 secrets:
   - name: HF_TOKEN
     description: HuggingFace token with write access. Used for automatic workspace backup.
-  - name: CLOUDFLARE_PROXY_URL
-    description: Your Cloudflare Worker URL to bypass platform blocks (Telegram/Discord).
+  - name: CLOUDFLARE_WORKERS_TOKEN
+    description: Optional Cloudflare API token for automatic Worker proxy setup.
+  
 ---
 
 <!-- Badges -->
@@ -42,7 +43,7 @@ secrets:
 - ⚡ **Zero Config:** Duplicate this Space, set `HF_TOKEN`, and start automating – no other setup needed.
 - 💾 **Persistent Backup:** Workflows, credentials, and settings automatically sync to a private HF Dataset, preserving your data across restarts.
 - 🔐 **Secure by Default:** Uses n8n's native user management and restricted file permissions (`umask 0077`).
-- 🌐 **Built-in Connectivity:** Includes Transparent Outbound Proxying and DNS-over-HTTPS (DoH) to bypass Hugging Face networking blocks for Telegram, Discord, and others.
+- 🌐 **Built-in Connectivity:** Includes transparent outbound proxying via Cloudflare Workers for Telegram, WhatsApp-related APIs, Google APIs, Discord, and other external services.
 - 📊 **Premium Dashboard:** Beautiful Web UI at `/` for real-time monitoring of uptime, sync health, and n8n status.
 - ⏰ **Easy Keep-Alive:** Set up a one-time UptimeRobot monitor directly from the dashboard to keep your free Space awake.
 - 🐳 **Optimized Infrastructure:** Minimal resource usage with clean startup logs and production-ready proxying.
@@ -58,7 +59,8 @@ secrets:
 Navigate to your new Space's **Settings**, scroll down to **Variables and secrets**, and add:
 
 - `HF_TOKEN` – Your HuggingFace token with **Write** access (to enable automatic backup).
-- `CLOUDFLARE_PROXY_URL` – *(Optional but Recommended)* Your Cloudflare Worker URL to bypass platform blocks. check [Setup Guide](#-cloudflare-proxy-setup).
+- `CLOUDFLARE_WORKERS_TOKEN` – *(Optional, Recommended)* Cloudflare API token for automatic Worker proxy provisioning.
+- `CLOUDFLARE_PROXY_URL` – *(Optional)* Your Cloudflare Worker URL for outbound proxying if you already have a Worker. Check [Setup Guide](#-cloudflare-proxy-setup).
 - `CLOUDFLARE_PROXY_SECRET` – *(Optional, Security Recommended)* Shared secret used between Space and Worker to prevent proxy abuse.
 
 ### Step 3: Deploy & Initialize
@@ -79,7 +81,31 @@ Use the built-in dashboard at the root URL (`/`) to track:
 
 ## 🌐 Cloudflare Proxy Setup
 
-Hugging Face Free Tier blocks outgoing connections to some services (Telegram, Discord, etc.). Hugging8n includes a transparent proxy system to bypass this.
+Hugging Face Free Tier can be unreliable for outbound connections to some services. Hugging8n includes a transparent proxy system to route external API traffic through Cloudflare Workers.
+
+Automatic setup:
+
+1. Create a Cloudflare API Token for your account's Workers.
+2. Add `CLOUDFLARE_WORKERS_TOKEN` as a Space secret.
+3. Restart the Space.
+
+Hugging8n will:
+
+- create or update a Worker named from your Space host
+- generate a private shared secret automatically
+- export `CLOUDFLARE_PROXY_URL` and `CLOUDFLARE_PROXY_SECRET` before n8n starts
+- transparently proxy outbound external requests through Cloudflare by default
+
+Recommended token setup:
+
+- Secret name: `CLOUDFLARE_WORKERS_TOKEN`
+- Token type: `API Token`
+- Account permission: `Workers Scripts: Edit`
+- Account auto-discovery is built in; `CLOUDFLARE_ACCOUNT_ID` is not required
+
+Do not use a Global API key, tunnel token, worker secret, or another Cloudflare credential here.
+
+Manual setup is also available if you prefer to deploy the Worker yourself:
 
 1. Go to [Cloudflare Workers](https://dash.cloudflare.com/?to=/:account/workers-and-pages).
 2. Create a new Worker using "Start with Hello World!" template
@@ -95,8 +121,16 @@ If you skip steps 8-9, proxying still works. The secret simply adds request auth
 
 Optional Worker vars for tighter control:
 
-- `ALLOWED_TARGETS` (comma-separated, defaults to Telegram/Discord hosts)
-- `ALLOW_PROXY_ALL` (`false` by default; set `true` only if you fully trust your setup)
+- `ALLOWED_TARGETS` (comma-separated; only used when `ALLOW_PROXY_ALL=false`)
+- `ALLOW_PROXY_ALL` (`true` by default; proxies all external traffic except HF-internal hosts)
+
+Default behavior:
+
+- `CLOUDFLARE_PROXY_DOMAINS=*`
+- all external traffic is proxied
+- Hugging Face internal hosts stay direct automatically
+
+That wider default is intentional so Google nodes, Telegram, WhatsApp-related APIs, Discord, and other external integrations work without extra domain tuning.
 
 ## 💾 Persistent Backup
 
@@ -129,8 +163,10 @@ Customize your instance with these environment variables:
 | :--- | :--- | :--- |
 | `GENERIC_TIMEZONE` | `UTC` | Timezone for your n8n instance |
 | `N8N_LOG_LEVEL` | `error` | Set to `info` or `debug` for more details |
-| `CLOUDFLARE_PROXY_DOMAINS` | (default list) | Comma-separated domains to proxy (or `*` for all) |
+| `CLOUDFLARE_WORKERS_TOKEN` | — | Cloudflare API token for automatic Worker setup |
+| `CLOUDFLARE_PROXY_DOMAINS` | `*` | Comma-separated domains to proxy (or `*` for all external traffic) |
 | `CLOUDFLARE_PROXY_SECRET` | — | Optional shared secret for app-to-worker proxy authentication |
+| `CLOUDFLARE_ACCOUNT_ID` | auto | Optional Cloudflare account ID override if you want to pin a specific account |
 | `SPACE_HOST_OVERRIDE` | — | Override detected host for custom domains |
 | `N8N_STARTUP_TIMEOUT` | `180` | Max seconds to wait for n8n readiness before fail-fast |
 | `UPTIMEROBOT_SETUP_ENABLED` | `true` | Enable/disable dashboard helper endpoint |
@@ -162,7 +198,7 @@ docker run -p 7861:7861 --env-file .env hugging8n
 
 ## 🐛 Troubleshooting
 
-- **Telegram/Discord not connecting:** Ensure `CLOUDFLARE_PROXY_URL` is set correctly.
+- **Telegram/Google/WhatsApp not connecting:** Ensure `CLOUDFLARE_WORKERS_TOKEN` or `CLOUDFLARE_PROXY_URL` is set correctly, or keep `CLOUDFLARE_PROXY_DOMAINS=*`.
 - **Workflows not saving:** Check if `HF_TOKEN` has **Write** access to your account.
 - **Space keeps sleeping:** Use the dashboard to set up an UptimeRobot monitor.
 - **Authentication errors:** n8n v2 uses its own internal users; ensure you created the owner account on first run.

cloudflare-proxy-setup.py

@@ -0,0 +1,223 @@
+#!/usr/bin/env python3
+
+import json
+import os
+import re
+import secrets
+import sys
+import urllib.error
+import urllib.request
+from pathlib import Path
+
+API_BASE = "https://api.cloudflare.com/client/v4"
+ENV_FILE = Path("/tmp/hugging8n-cloudflare-proxy.env")
+DEFAULT_ALLOWED = [
+    "api.telegram.org",
+    "discord.com",
+    "discordapp.com",
+    "gateway.discord.gg",
+    "status.discord.com",
+    "web.whatsapp.com",
+    "graph.facebook.com",
+    "googleapis.com",
+    "google.com",
+    "googleusercontent.com",
+    "gstatic.com",
+]
+
+
+def cf_request(method: str, path: str, token: str, body: bytes | None = None, content_type: str = "application/json"):
+    req = urllib.request.Request(
+        f"{API_BASE}{path}",
+        data=body,
+        method=method,
+        headers={
+            "Authorization": f"Bearer {token}",
+            "Content-Type": content_type,
+        },
+    )
+    with urllib.request.urlopen(req, timeout=30) as response:
+        payload = json.loads(response.read().decode("utf-8"))
+    if not payload.get("success"):
+        errors = payload.get("errors") or [{"message": "Unknown Cloudflare API error"}]
+        raise RuntimeError(errors[0].get("message", "Unknown Cloudflare API error"))
+    return payload["result"]
+
+
+def slugify(value: str) -> str:
+    cleaned = re.sub(r"[^a-z0-9-]+", "-", value.lower()).strip("-")
+    cleaned = re.sub(r"-{2,}", "-", cleaned)
+    if not cleaned:
+        cleaned = "hugging8n-proxy"
+    return cleaned[:63].rstrip("-")
+
+
+def derive_worker_name() -> str:
+    explicit = os.environ.get("CLOUDFLARE_WORKER_NAME", "").strip()
+    if explicit:
+        return slugify(explicit)
+    space_host = os.environ.get("SPACE_HOST_OVERRIDE", "").strip() or os.environ.get("SPACE_HOST", "").strip()
+    if space_host:
+        base = space_host.replace(".hf.space", "")
+        return slugify(f"{base}-proxy")
+    return "hugging8n-proxy"
+
+
+def render_worker(secret_value: str, allowed_targets: list[str], allow_proxy_all: bool) -> str:
+    allowed_json = json.dumps(allowed_targets)
+    allow_all_js = "true" if allow_proxy_all else "false"
+    secret_json = json.dumps(secret_value)
+    return f"""addEventListener("fetch", (event) => {{
+  event.respondWith(handleRequest(event.request));
+}});
+
+const PROXY_SHARED_SECRET = {secret_json};
+const ALLOW_PROXY_ALL = {allow_all_js};
+const ALLOWED_TARGETS = {allowed_json};
+
+function isAllowedHost(hostname) {{
+  const normalized = String(hostname || "").trim().toLowerCase();
+  if (!normalized) return false;
+  if (ALLOW_PROXY_ALL) return true;
+  return ALLOWED_TARGETS.some(
+    (domain) => normalized === domain || normalized.endsWith(`.${{domain}}`),
+  );
+}}
+
+async function handleRequest(request) {{
+  const url = new URL(request.url);
+  const targetHost = request.headers.get("x-target-host");
+
+  if (PROXY_SHARED_SECRET) {{
+    const providedSecret = request.headers.get("x-proxy-key") || "";
+    if (providedSecret !== PROXY_SHARED_SECRET) {{
+      return new Response("Unauthorized", {{ status: 401 }});
+    }}
+  }}
+
+  let targetBase = "";
+  if (targetHost) {{
+    if (!isAllowedHost(targetHost)) {{
+      return new Response("Target host is not allowed.", {{ status: 403 }});
+    }}
+    targetBase = `https://${{targetHost}}`;
+  }} else if (url.pathname.startsWith("/bot")) {{
+    targetBase = "https://api.telegram.org";
+  }} else {{
+    return new Response("Invalid request.", {{ status: 400 }});
+  }}
+
+  const targetUrl = targetBase + url.pathname + url.search;
+  const headers = new Headers(request.headers);
+  headers.delete("host");
+  headers.delete("cf-connecting-ip");
+  headers.delete("cf-ray");
+  headers.delete("cf-visitor");
+  headers.delete("x-real-ip");
+  headers.delete("x-target-host");
+
+  const proxiedRequest = new Request(targetUrl, {{
+    method: request.method,
+    headers,
+    body: request.body,
+    redirect: "follow",
+  }});
+
+  try {{
+    return await fetch(proxiedRequest);
+  }} catch (error) {{
+    return new Response(`Proxy Error: ${{error.message}}`, {{ status: 502 }});
+  }}
+}}
+"""
+
+
+def write_env(proxy_url: str, proxy_secret: str) -> None:
+    ENV_FILE.write_text(
+        "\n".join(
+            [
+                f'export CLOUDFLARE_PROXY_URL="{proxy_url}"',
+                f'export CLOUDFLARE_PROXY_SECRET="{proxy_secret}"',
+            ]
+        )
+        + "\n",
+        encoding="utf-8",
+    )
+
+
+def main() -> int:
+    existing_url = os.environ.get("CLOUDFLARE_PROXY_URL", "").strip()
+    existing_secret = os.environ.get("CLOUDFLARE_PROXY_SECRET", "").strip()
+    workers_token = (
+        os.environ.get("CLOUDFLARE_WORKERS_TOKEN", "").strip()
+        or os.environ.get("CLOUDFLARE_API_TOKEN", "").strip()
+    )
+
+    if existing_url:
+        if existing_secret:
+            write_env(existing_url, existing_secret)
+        print(f"☁️ Using configured Cloudflare proxy: {existing_url}")
+        return 0
+
+    if not workers_token:
+        return 0
+
+    account_id = os.environ.get("CLOUDFLARE_ACCOUNT_ID", "").strip()
+    try:
+        if not account_id:
+            accounts = cf_request("GET", "/accounts", workers_token)
+            if not accounts:
+                raise RuntimeError("No Cloudflare account available for this token.")
+            account_id = accounts[0]["id"]
+
+        subdomain_info = cf_request(
+            "GET",
+            f"/accounts/{account_id}/workers/subdomain",
+            workers_token,
+        )
+        subdomain = (subdomain_info or {}).get("subdomain", "").strip()
+        if not subdomain:
+            raise RuntimeError(
+                "Cloudflare Workers subdomain is not configured. Enable workers.dev in your Cloudflare account first."
+            )
+
+        worker_name = derive_worker_name()
+        allowed_raw = os.environ.get("CLOUDFLARE_PROXY_DOMAINS", "").strip()
+        allow_proxy_all = not allowed_raw or allowed_raw == "*"
+        allowed_targets = DEFAULT_ALLOWED if allow_proxy_all else [
+            value.strip() for value in allowed_raw.split(",") if value.strip()
+        ]
+        proxy_secret = existing_secret or secrets.token_urlsafe(24)
+        worker_source = render_worker(proxy_secret, allowed_targets, allow_proxy_all)
+
+        cf_request(
+            "PUT",
+            f"/accounts/{account_id}/workers/scripts/{worker_name}",
+            workers_token,
+            body=worker_source.encode("utf-8"),
+            content_type="application/javascript",
+        )
+
+        proxy_url = f"https://{worker_name}.{subdomain}.workers.dev"
+        write_env(proxy_url, proxy_secret)
+        print(f"☁️ Cloudflare proxy ready: {proxy_url}")
+        return 0
+    except urllib.error.HTTPError as error:
+        detail = error.read().decode("utf-8", errors="replace")
+        if error.code == 403 and '"code":9109' in detail:
+            print(
+                "☁️ Cloudflare proxy setup failed: invalid Workers token. "
+                "Use a Cloudflare API Token in CLOUDFLARE_WORKERS_TOKEN "
+                "(not a Global API Key, tunnel token, or worker secret). "
+                "For auto-setup, it should have account-level 'Workers Scripts: Edit'. "
+                "The setup can auto-discover your account; CLOUDFLARE_ACCOUNT_ID is not required."
+            )
+        print(f"☁️ Cloudflare proxy setup failed: HTTP {error.code} {detail}")
+        return 1
+    except Exception as error:
+        print(f"☁️ Cloudflare proxy setup failed: {error}")
+        return 1
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

cloudflare-proxy.js

@@ -1,8 +1,8 @@
 /**
  * Cloudflare Proxy: Transparent Fix for Blocked Domains
  *
- * Patches https.request to redirect traffic for Telegram/Discord
- * through a Cloudflare Worker proxy.
+ * Patches https.request/http.request/fetch to redirect traffic for blocked
+ * hosts through a Cloudflare Worker proxy.
  */
 "use strict";
 
@@ -20,12 +20,10 @@ if (
 
 const DEBUG = process.env.CLOUDFLARE_PROXY_DEBUG === "true";
 const PROXY_SHARED_SECRET = (process.env.CLOUDFLARE_PROXY_SECRET || "").trim();
-
-// Allow user to define what to proxy. Use "*" to proxy everything except internal HF traffic.
-const PROXY_DOMAINS =
-  process.env.CLOUDFLARE_PROXY_DOMAINS ||
-  "api.telegram.org,discord.com,discordapp.com,gateway.discord.gg,status.discord.com";
-const BLOCKED_DOMAINS = PROXY_DOMAINS.split(",").map((d) => d.trim());
+const PROXY_DOMAINS = process.env.CLOUDFLARE_PROXY_DOMAINS || "*";
+const BLOCKED_DOMAINS = PROXY_DOMAINS.split(",")
+  .map((domain) => domain.trim())
+  .filter(Boolean);
 const PROXY_ALL = PROXY_DOMAINS === "*";
 
 if (PROXY_URL) {
@@ -33,18 +31,40 @@ if (PROXY_URL) {
     const proxy = new URL(PROXY_URL);
     const originalHttpsRequest = https.request;
     const originalHttpRequest = http.request;
+    const originalFetch =
+      typeof globalThis.fetch === "function" ? globalThis.fetch.bind(globalThis) : null;
+
+    const shouldProxyHost = (hostname) => {
+      const normalized = String(hostname || "").trim().toLowerCase();
+      if (!normalized) return false;
+
+      const isInternal =
+        normalized === "localhost" ||
+        normalized === "127.0.0.1" ||
+        normalized.endsWith(".hf.space") ||
+        normalized.endsWith(".huggingface.co") ||
+        normalized === "huggingface.co";
+
+      if (PROXY_ALL) {
+        return !isInternal;
+      }
+
+      return BLOCKED_DOMAINS.some(
+        (domain) =>
+          normalized === domain || normalized.endsWith(`.${domain}`),
+      );
+    };
 
-    const patch = (original, isHttps) => {
-      return function (options, callback) {
+    const patch = (original, originalModuleName) => {
+      return function patchedRequest(options, callback) {
         let hostname = "";
         let path = "";
         let headers = {};
 
-        // 1. Extract hostname and path from various possible input types
         if (typeof options === "string") {
-          const u = new URL(options);
-          hostname = u.hostname;
-          path = u.pathname + u.search;
+          const parsed = new URL(options);
+          hostname = parsed.hostname;
+          path = parsed.pathname + parsed.search;
         } else if (options instanceof URL) {
           hostname = options.hostname;
           path = options.pathname + options.search;
@@ -52,58 +72,38 @@ if (PROXY_URL) {
         } else {
           hostname =
             options.hostname ||
-            (options.host ? options.host.split(":")[0] : "");
+            (options.host ? String(options.host).split(":")[0] : "");
           path = options.path || "/";
           headers = options.headers || {};
         }
 
-        // 2. Check if we should intercept (and prevent recursion)
-        const isInternal =
-          hostname === "localhost" ||
-          hostname === "127.0.0.1" ||
-          hostname.endsWith(".hf.space") ||
-          hostname.endsWith(".huggingface.co") ||
-          hostname === "huggingface.co";
-
-        let shouldProxy = false;
-        if (PROXY_ALL) {
-          shouldProxy = !isInternal;
-        } else {
-          shouldProxy = BLOCKED_DOMAINS.some(
-            (domain) => hostname === domain || hostname.endsWith("." + domain),
-          );
-        }
-
+        const shouldProxy = shouldProxyHost(hostname);
         const alreadyProxied =
-          options._proxied || (headers && headers["x-target-host"]);
+          options && typeof options === "object" && options._proxied;
+        const hasTargetHeader =
+          headers &&
+          (headers["x-target-host"] || headers["X-Target-Host"]);
 
-        if (shouldProxy && !alreadyProxied) {
-          if (DEBUG)
+        if (shouldProxy && !alreadyProxied && !hasTargetHeader) {
+          if (DEBUG) {
             console.log(
-              `[cloudflare-proxy] Redirecting ${hostname}${path} -> ${proxy.hostname}`,
+              `[cloudflare-proxy] Redirecting ${originalModuleName}://${hostname}${path} -> ${proxy.hostname}`,
             );
+          }
 
-          // 3. Create fresh options for the proxied request
           const newOptions =
             typeof options === "string" || options instanceof URL
-              ? { protocol: "https:", path: path }
+              ? { protocol: "https:", path }
               : { ...options };
 
-          // Ensure it's an object we can modify
-          if (typeof newOptions !== "object")
-            return original.apply(this, arguments);
-
           newOptions._proxied = true;
           newOptions.protocol = "https:";
           newOptions.hostname = proxy.hostname;
           newOptions.port = proxy.port || 443;
-
-          // CRITICAL: Force fresh TLS handshake for the new domain
           newOptions.servername = proxy.hostname;
-          delete newOptions.host; // Prefer hostname
-          delete newOptions.agent; // Force a new agent to prevent connection reuse issues
+          delete newOptions.host;
+          delete newOptions.agent;
 
-          // Merge and update headers
           newOptions.headers = {
             ...(newOptions.headers || {}),
             host: proxy.host,
@@ -114,21 +114,72 @@ if (PROXY_URL) {
             newOptions.headers["x-proxy-key"] = PROXY_SHARED_SECRET;
           }
 
-          // Always use HTTPS for the proxy connection
           return originalHttpsRequest.call(https, newOptions, callback);
         }
 
-        return original.apply(this, arguments);
+        return original.call(this, options, callback);
       };
     };
 
-    https.request = patch(originalHttpsRequest, true);
-    http.request = patch(originalHttpRequest, false);
+    https.request = patch(originalHttpsRequest, "https");
+    http.request = patch(originalHttpRequest, "http");
+
+    if (originalFetch) {
+      globalThis.fetch = async function patchedFetch(input, init) {
+        const request = input instanceof Request ? input : null;
+        const url =
+          request
+            ? new URL(request.url)
+            : input instanceof URL
+              ? input
+              : new URL(String(input));
+
+        const hostname = url.hostname;
+        const shouldProxy = shouldProxyHost(hostname);
+        const headers = new Headers(request ? request.headers : init?.headers || {});
+        const alreadyProxied =
+          headers.has("x-target-host") || headers.has("X-Target-Host");
+
+        if (!shouldProxy || alreadyProxied) {
+          return originalFetch(input, init);
+        }
+
+        if (DEBUG) {
+          console.log(
+            `[cloudflare-proxy] Redirecting fetch://${hostname}${url.pathname}${url.search} -> ${proxy.hostname}`,
+          );
+        }
+
+        headers.set("x-target-host", hostname);
+        if (PROXY_SHARED_SECRET) {
+          headers.set("x-proxy-key", PROXY_SHARED_SECRET);
+        }
+
+        const proxiedUrl = new URL(url.pathname + url.search, proxy);
+
+        if (request) {
+          return originalFetch(
+            new Request(proxiedUrl, {
+              method: request.method,
+              headers,
+              body: request.body,
+              redirect: request.redirect,
+              duplex: "half",
+            }),
+          );
+        }
+
+        return originalFetch(proxiedUrl, {
+          ...init,
+          headers,
+        });
+      };
+    }
 
     if (DEBUG) {
       if (PROXY_ALL) {
         console.log(
-          `[cloudflare-proxy] Transparent proxy active in WILDCARD mode (Proxying ALL except HF internal)`,
+          "[cloudflare-proxy] Transparent proxy active in wildcard mode",
         );
       } else {
         console.log(
@@ -137,8 +188,11 @@ if (PROXY_URL) {
       }
       console.log(`[cloudflare-proxy] Target proxy: ${proxy.hostname}`);
     }
-  } catch (e) {
-    if (DEBUG)
-      console.error(`[cloudflare-proxy] Failed to initialize: ${e.message}`);
+  } catch (error) {
+    if (DEBUG) {
+      console.error(
+        `[cloudflare-proxy] Failed to initialize: ${error.message}`,
+      );
+    }
   }
 }

cloudflare-worker.js

@@ -29,10 +29,10 @@ export default {
 
     const allowedTargetsRaw = (
       env.ALLOWED_TARGETS ||
-      "api.telegram.org,discord.com,discordapp.com,gateway.discord.gg,status.discord.com"
+      "api.telegram.org,discord.com,discordapp.com,gateway.discord.gg,status.discord.com,web.whatsapp.com,graph.facebook.com,googleapis.com,google.com,googleusercontent.com,gstatic.com"
     ).trim();
     const allowProxyAll =
-      String(env.ALLOW_PROXY_ALL || "false").toLowerCase() === "true";
+      String(env.ALLOW_PROXY_ALL || "true").toLowerCase() === "true";
     const allowedTargets = allowedTargetsRaw
       .split(",")
       .map((value) => value.trim().toLowerCase())
@@ -77,6 +77,7 @@ export default {
 
     // Copy headers and remove internal/Cloudflare-specific ones
     const headers = new Headers(request.headers);
+    headers.delete("host");
     headers.delete("cf-connecting-ip");
     headers.delete("cf-ray");
     headers.delete("cf-visitor");
@@ -93,7 +94,7 @@ export default {
     try {
       const response = await fetch(modifiedRequest);
 
-      // Special handling for Discord/Telegram which might return 403 on some CF IPs
+      // Special handling for some providers which might return 403 on some CF IPs.
       // If needed, you can add retry logic here.
 
       return response;

dns-fix.js

@@ -1,124 +0,0 @@
-/**
- * DNS fix preload script for HF Spaces.
- *
- * Patches Node.js dns.lookup to:
- * 1. Try system DNS first
- * 2. Fall back to DNS-over-HTTPS (Cloudflare) if system DNS fails
- *    (This is needed because HF Spaces intercepts/blocks some domains like
- *    WhatsApp web or Telegram API via standard UDP DNS).
- *
- * Loaded via: NODE_OPTIONS="--require /opt/dns-fix.js"
- */
-"use strict";
-
-const dns = require("dns");
-const https = require("https");
-
-// In-memory cache for runtime DoH resolutions
-const runtimeCache = new Map(); // hostname -> { ip, expiry }
-
-// DNS-over-HTTPS resolver
-function dohResolve(hostname, callback) {
-  // Check runtime cache
-  const cached = runtimeCache.get(hostname);
-  if (cached && cached.expiry > Date.now()) {
-    return callback(null, cached.ip);
-  }
-
-  // Use Cloudflare DNS-over-HTTPS via direct IP to avoid DNS lookup for the resolver itself
-  const options = {
-    hostname: "1.1.1.1",
-    port: 443,
-    path: `/dns-query?name=${encodeURIComponent(hostname)}&type=A`,
-    method: "GET",
-    headers: { Accept: "application/dns-json" },
-    timeout: 10000,
-    servername: "cloudflare-dns.com", // Set SNI
-  };
-
-  const req = https.get(options, (res) => {
-    let body = "";
-    res.on("data", (c) => (body += c));
-    res.on("end", () => {
-      try {
-        if (res.statusCode !== 200) {
-          return callback(
-            new Error(`DoH: server returned status ${res.statusCode}`),
-          );
-        }
-        const data = JSON.parse(body);
-        const aRecords = (data.Answer || []).filter((a) => a.type === 1);
-        if (aRecords.length === 0) {
-          return callback(new Error(`DoH: no A record for ${hostname}`));
-        }
-        const ip = aRecords[0].data;
-        const ttl = Math.max((aRecords[0].TTL || 300) * 1000, 60000);
-        runtimeCache.set(hostname, { ip, expiry: Date.now() + ttl });
-        callback(null, ip);
-      } catch (e) {
-        callback(new Error(`DoH parse error: ${e.message}`));
-      }
-    });
-  });
-  req.on("error", (e) =>
-    callback(new Error(`DoH request failed: ${e.message}`)),
-  );
-  req.on("timeout", () => {
-    req.destroy();
-    callback(new Error("DoH request timed out"));
-  });
-}
-
-// Monkey-patch dns.lookup
-const origLookup = dns.lookup;
-let isResolving = false;
-
-dns.lookup = function patchedLookup(hostname, options, callback) {
-  // Normalize arguments
-  if (typeof options === "function") {
-    callback = options;
-    options = {};
-  }
-  if (typeof options === "number") {
-    options = { family: options };
-  }
-  options = options || {};
-
-  // Skip patching for localhost, IPs, and internal domains
-  if (
-    !hostname ||
-    hostname === "localhost" ||
-    hostname === "0.0.0.0" ||
-    hostname === "127.0.0.1" ||
-    hostname === "::1" ||
-    /^\d+\.\d+\.\d+\.\d+$/.test(hostname) ||
-    /^::/.test(hostname) ||
-    isResolving // RECURSION GUARD
-  ) {
-    return origLookup.call(dns, hostname, options, callback);
-  }
-
-  // 1) Try system DNS first
-  origLookup.call(dns, hostname, options, (err, address, family) => {
-    if (!err && address) {
-      return callback(null, address, family);
-    }
-
-    // 2) System DNS failed — fall back to DoH
-    if (err && (err.code === "ENOTFOUND" || err.code === "EAI_AGAIN")) {
-      isResolving = true; // Enter guard
-      dohResolve(hostname, (dohErr, ip) => {
-        isResolving = false; // Exit guard
-        if (dohErr || !ip) {
-          return callback(err); // Return original error
-        }
-        if (options.all) {
-          return callback(null, [{ address: ip, family: 4 }]);
-        }
-        callback(null, ip, 4);
-      });
-    } else {
-      callback(err, address, family);
-    }
-  });
-};

start.sh

@@ -73,6 +73,17 @@ else
   echo "HF_TOKEN is not set. Running without dataset persistence."
 fi
 
+CF_PROXY_ENV_FILE="/tmp/hugging8n-cloudflare-proxy.env"
+CLOUDFLARE_WORKERS_TOKEN="${CLOUDFLARE_WORKERS_TOKEN:-${CLOUDFLARE_API_TOKEN:-}}"
+export CLOUDFLARE_WORKERS_TOKEN
+if [ -n "${CLOUDFLARE_WORKERS_TOKEN:-}" ] || [ -n "${CLOUDFLARE_PROXY_URL:-}" ]; then
+  echo "Preparing Cloudflare outbound proxy..."
+  python3 "$APP_DIR/cloudflare-proxy-setup.py" || true
+  if [ -f "$CF_PROXY_ENV_FILE" ]; then
+    . "$CF_PROXY_ENV_FILE"
+  fi
+fi
+
 cleanup() {
   echo "Stopping Hugging8n..."
   [ -n "${PROXY_PID:-}" ] && kill "$PROXY_PID" 2>/dev/null || true