Spaces:

somratpro
/

Hugging8N

Running

App Files Files Community

somratpro commited on 28 days ago

Commit

bff801f

1 Parent(s): 8315203

feat: enhance Cloudflare worker with query parameter support for proxy targeting and improved authentication logic.

Browse files

Files changed (3) hide show

cloudflare-proxy-setup.py +18 -7
cloudflare-worker.js +51 -53
start.sh +5 -2

cloudflare-proxy-setup.py CHANGED Viewed

@@ -86,35 +86,46 @@ function isAllowedHost(hostname) {{
 async function handleRequest(request) {{
   const url = new URL(request.url);
-  const targetHost = request.headers.get("x-target-host");
   if (PROXY_SHARED_SECRET) {{
-    const providedSecret = request.headers.get("x-proxy-key") || "";
     if (providedSecret !== PROXY_SHARED_SECRET) {{
-      return new Response("Unauthorized", {{ status: 401 }});
     }}
   }}
   let targetBase = "";
   if (targetHost) {{
     if (!isAllowedHost(targetHost)) {{
-      return new Response("Target host is not allowed.", {{ status: 403 }});
     }}
     targetBase = `https://${{targetHost}}`;
   }} else if (url.pathname.startsWith("/bot")) {{
     targetBase = "https://api.telegram.org";
   }} else {{
-    return new Response("Invalid request.", {{ status: 400 }});
   }}
-  const targetUrl = targetBase + url.pathname + url.search;
   const headers = new Headers(request.headers);
-  headers.delete("host");
   headers.delete("cf-connecting-ip");
   headers.delete("cf-ray");
   headers.delete("cf-visitor");
   headers.delete("x-real-ip");
   headers.delete("x-target-host");
   const proxiedRequest = new Request(targetUrl, {{
     method: request.method,

 async function handleRequest(request) {{
   const url = new URL(request.url);
+  const queryTarget = url.searchParams.get("proxy_target");
+  const targetHost = request.headers.get("x-target-host") || queryTarget;
   if (PROXY_SHARED_SECRET) {{
+    const providedSecret = request.headers.get("x-proxy-key") || url.searchParams.get("proxy_key") || "";
     if (providedSecret !== PROXY_SHARED_SECRET) {{
+      if (url.pathname.startsWith("/bot") && !targetHost) {{
+        // Allowed fallback
+      }} else {{
+        return new Response("Unauthorized: Invalid proxy key", {{ status: 401 }});
+      }}
     }}
   }}
   let targetBase = "";
   if (targetHost) {{
     if (!isAllowedHost(targetHost)) {{
+      return new Response(`Forbidden: Host ${{targetHost}} is not allowed.`, {{ status: 403 }});
     }}
     targetBase = `https://${{targetHost}}`;
   }} else if (url.pathname.startsWith("/bot")) {{
     targetBase = "https://api.telegram.org";
   }} else {{
+    return new Response("Invalid request: No target host provided.", {{ status: 400 }});
   }}
+  const cleanSearch = new URLSearchParams(url.search);
+  cleanSearch.delete("proxy_target");
+  cleanSearch.delete("proxy_key");
+  const searchStr = cleanSearch.toString();
+  const targetUrl = targetBase + url.pathname + (searchStr ? `?${{searchStr}}` : "");
   const headers = new Headers(request.headers);
   headers.delete("cf-connecting-ip");
   headers.delete("cf-ray");
   headers.delete("cf-visitor");
+  headers.delete("host");
   headers.delete("x-real-ip");
   headers.delete("x-target-host");
+  headers.delete("x-proxy-key");
   const proxiedRequest = new Request(targetUrl, {{
     method: request.method,

cloudflare-worker.js CHANGED Viewed

@@ -1,46 +1,58 @@
 /**
  * Cloudflare Worker: Universal Outbound Proxy
  *
- * Deployment:
- * 1. Go to dash.cloudflare.com -> Workers & Pages -> Create Worker.
- * 2. Paste this code and deploy.
- * 3. Use your worker URL (e.g., https://my-proxy.workers.dev) as CLOUDFLARE_PROXY_URL.
  *
- * This worker reads the 'x-target-host' header to determine where to forward the request.
  */
 export default {
-  async fetch(request, env, ctx) {
     const url = new URL(request.url);
-    const targetHost = request.headers.get("x-target-host");
     const proxySecret = (
-      env.CLOUDFLARE_PROXY_SECRET ||
       env.PROXY_SHARED_SECRET ||
       ""
     ).trim();
-    // Secret check is optional: when unset, requests are allowed without x-proxy-key.
     if (proxySecret) {
-      const providedSecret = request.headers.get("x-proxy-key") || "";
       if (providedSecret !== proxySecret) {
-        return new Response("Unauthorized", { status: 401 });
       }
     }
-    const allowedTargetsRaw = (
-      env.ALLOWED_TARGETS ||
-      "api.telegram.org,discord.com,discordapp.com,gateway.discord.gg,status.discord.com,web.whatsapp.com,graph.facebook.com,googleapis.com,google.com,googleusercontent.com,gstatic.com"
-    ).trim();
     const allowProxyAll =
       String(env.ALLOW_PROXY_ALL || "true").toLowerCase() === "true";
-    const allowedTargets = allowedTargetsRaw
-      .split(",")
-      .map((value) => value.trim().toLowerCase())
-      .filter(Boolean);
     const isAllowedHost = (hostname) => {
-      if (!hostname) return false;
-      const normalized = String(hostname).trim().toLowerCase();
       if (!normalized) return false;
       if (allowProxyAll) return true;
       return allowedTargets.some(
@@ -49,57 +61,43 @@ export default {
     };
     let targetBase = "";
     if (targetHost) {
-      // Use the host provided in the header (preferred)
       if (!isAllowedHost(targetHost)) {
-        return new Response("Target host is not allowed.", { status: 403 });
       }
       targetBase = `https://${targetHost}`;
     } else {
-      // Fallback: Guess based on path (legacy support)
-      if (url.pathname.startsWith("/bot")) {
-        targetBase = "https://api.telegram.org";
-      } else if (
-        url.pathname.startsWith("/api/webhooks") ||
-        url.pathname.startsWith("/api/v")
-      ) {
-        targetBase = "https://discord.com";
-      } else {
-        return new Response(
-          "Invalid request. 'x-target-host' header missing and target not recognized via path.",
-          { status: 400 },
-        );
-      }
     }
-    const targetUrl = targetBase + url.pathname + url.search;
-    // Copy headers and remove internal/Cloudflare-specific ones
     const headers = new Headers(request.headers);
-    headers.delete("host");
     headers.delete("cf-connecting-ip");
     headers.delete("cf-ray");
     headers.delete("cf-visitor");
     headers.delete("x-real-ip");
-    headers.delete("x-target-host"); // Don't leak this to the target
-    const modifiedRequest = new Request(targetUrl, {
       method: request.method,
-      headers: headers,
       body: request.body,
       redirect: "follow",
     });
     try {
-      const response = await fetch(modifiedRequest);
-      // Special handling for some providers which might return 403 on some CF IPs.
-      // If needed, you can add retry logic here.
-      return response;
-    } catch (e) {
-      return new Response(`Proxy Error: ${e.message}`, { status: 502 });
     }
   },
 };

 /**
  * Cloudflare Worker: Universal Outbound Proxy
  *
+ * Manual setup:
+ * 1. Create a Cloudflare Worker.
+ * 2. Paste this file and deploy it.
+ * 3. Use the worker URL as CLOUDFLARE_PROXY_URL.
  *
+ * Optional worker vars:
+ * - PROXY_SHARED_SECRET
+ * - ALLOWED_TARGETS
+ * - ALLOW_PROXY_ALL
  */
+function normalizeList(raw) {
+  return String(raw || "")
+    .split(",")
+    .map((value) => value.trim().toLowerCase())
+    .filter(Boolean);
+}
 export default {
+  async fetch(request, env) {
     const url = new URL(request.url);
+    const queryTarget = url.searchParams.get("proxy_target");
+    const targetHost = request.headers.get("x-target-host") || queryTarget;
     const proxySecret = (
       env.PROXY_SHARED_SECRET ||
+      env.CLOUDFLARE_PROXY_SECRET ||
       ""
     ).trim();
     if (proxySecret) {
+      const providedSecret = request.headers.get("x-proxy-key") || url.searchParams.get("proxy_key") || "";
       if (providedSecret !== proxySecret) {
+        // Fallback: allow Telegram requests via path without secret if it looks like a bot API call.
+        // This is safe because it only proxies to api.telegram.org.
+        if (url.pathname.startsWith("/bot") && !targetHost) {
+          // Allowed
+        } else {
+          return new Response("Unauthorized: Invalid proxy key", { status: 401 });
+        }
       }
     }
     const allowProxyAll =
       String(env.ALLOW_PROXY_ALL || "true").toLowerCase() === "true";
+    const allowedTargets = normalizeList(
+      env.ALLOWED_TARGETS || "api.telegram.org,discord.com,discordapp.com,gateway.discord.gg,status.discord.com,web.whatsapp.com,graph.facebook.com,googleapis.com,google.com,googleusercontent.com,gstatic.com",
+    );
     const isAllowedHost = (hostname) => {
+      const normalized = String(hostname || "")
+        .trim()
+        .toLowerCase();
       if (!normalized) return false;
       if (allowProxyAll) return true;
       return allowedTargets.some(
     };
     let targetBase = "";
     if (targetHost) {
       if (!isAllowedHost(targetHost)) {
+        return new Response(`Forbidden: Host ${targetHost} is not allowed.`, { status: 403 });
       }
       targetBase = `https://${targetHost}`;
+    } else if (url.pathname.startsWith("/bot")) {
+      targetBase = "https://api.telegram.org";
     } else {
+      return new Response("Invalid request: No target host provided.", { status: 400 });
     }
+    const cleanSearch = new URLSearchParams(url.search);
+    cleanSearch.delete("proxy_target");
+    cleanSearch.delete("proxy_key");
+    const searchStr = cleanSearch.toString();
+    const targetUrl = targetBase + url.pathname + (searchStr ? `?${searchStr}` : "");
     const headers = new Headers(request.headers);
     headers.delete("cf-connecting-ip");
     headers.delete("cf-ray");
     headers.delete("cf-visitor");
+    headers.delete("host");
     headers.delete("x-real-ip");
+    headers.delete("x-target-host");
+    headers.delete("x-proxy-key");
+    const proxiedRequest = new Request(targetUrl, {
       method: request.method,
+      headers,
       body: request.body,
       redirect: "follow",
     });
     try {
+      return await fetch(proxiedRequest);
+    } catch (error) {
+      return new Response(`Proxy Error: ${error.message}`, { status: 502 });
     }
   },
 };

start.sh CHANGED Viewed

@@ -73,14 +73,17 @@ else
   echo "HF_TOKEN is not set. Running without dataset persistence."
 fi
-CF_PROXY_ENV_FILE="/tmp/hugging8n-cloudflare-proxy.env"
 CLOUDFLARE_WORKERS_TOKEN="${CLOUDFLARE_WORKERS_TOKEN:-${CLOUDFLARE_API_TOKEN:-}}"
 export CLOUDFLARE_WORKERS_TOKEN
 if [ -n "${CLOUDFLARE_WORKERS_TOKEN:-}" ] || [ -n "${CLOUDFLARE_PROXY_URL:-}" ]; then
-  echo "Preparing Cloudflare outbound proxy..."
   python3 "$APP_DIR/cloudflare-proxy-setup.py" || true
   if [ -f "$CF_PROXY_ENV_FILE" ]; then
     . "$CF_PROXY_ENV_FILE"
   fi
 fi

   echo "HF_TOKEN is not set. Running without dataset persistence."
 fi
 CLOUDFLARE_WORKERS_TOKEN="${CLOUDFLARE_WORKERS_TOKEN:-${CLOUDFLARE_API_TOKEN:-}}"
 export CLOUDFLARE_WORKERS_TOKEN
+CF_PROXY_ENV_FILE="/tmp/hugging8n-cloudflare-proxy.env"
 if [ -n "${CLOUDFLARE_WORKERS_TOKEN:-}" ] || [ -n "${CLOUDFLARE_PROXY_URL:-}" ]; then
+  export CLOUDFLARE_PROXY_DOMAINS="${CLOUDFLARE_PROXY_DOMAINS:-*}"
+  export CLOUDFLARE_PROXY_DEBUG="${CLOUDFLARE_PROXY_DEBUG:-true}"
+  echo "☁️ Preparing Cloudflare outbound proxy..."
   python3 "$APP_DIR/cloudflare-proxy-setup.py" || true
   if [ -f "$CF_PROXY_ENV_FILE" ]; then
     . "$CF_PROXY_ENV_FILE"
+    echo "  ✅ Proxy environment loaded: ${CLOUDFLARE_PROXY_URL:-none}"
   fi
 fi