mirror of
https://gitee.com/wanwujie/sub2api
synced 2026-04-06 00:10:21 +08:00
Compare commits
9 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
8e81e395b3 | ||
|
|
f0e89992f7 | ||
|
|
4eaa0cf14a | ||
|
|
e9ec2280ec | ||
|
|
bb7bfb6980 | ||
|
|
b66f97c100 | ||
|
|
b51ad0d893 | ||
|
|
4eb22d8ee9 | ||
|
|
2392e7cf99 |
3
.gitignore
vendored
3
.gitignore
vendored
@@ -91,4 +91,5 @@ backend/data/
|
|||||||
# ===================
|
# ===================
|
||||||
tests
|
tests
|
||||||
CLAUDE.md
|
CLAUDE.md
|
||||||
.claude
|
.claude
|
||||||
|
scripts
|
||||||
@@ -1,43 +1,39 @@
|
|||||||
package sysutil
|
package sysutil
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
|
||||||
"log"
|
"log"
|
||||||
"os/exec"
|
"os"
|
||||||
"runtime"
|
"runtime"
|
||||||
|
"time"
|
||||||
)
|
)
|
||||||
|
|
||||||
const serviceName = "sub2api"
|
// RestartService triggers a service restart by gracefully exiting.
|
||||||
|
|
||||||
// RestartService triggers a service restart via systemd.
|
|
||||||
//
|
//
|
||||||
// IMPORTANT: This function initiates the restart and returns immediately.
|
// This relies on systemd's Restart=always configuration to automatically
|
||||||
// The actual restart happens asynchronously - the current process will be killed
|
// restart the service after it exits. This is the industry-standard approach:
|
||||||
// by systemd and a new process will be started.
|
// - Simple and reliable
|
||||||
//
|
// - No sudo permissions needed
|
||||||
// We use Start() instead of Run() because:
|
// - No complex process management
|
||||||
// - systemctl restart will kill the current process first
|
// - Leverages systemd's native restart capability
|
||||||
// - Run() waits for completion, but the process dies before completion
|
|
||||||
// - Start() spawns the command independently, allowing systemd to handle the full cycle
|
|
||||||
//
|
//
|
||||||
// Prerequisites:
|
// Prerequisites:
|
||||||
// - Linux OS with systemd
|
// - Linux OS with systemd
|
||||||
// - NOPASSWD sudo access configured (install.sh creates /etc/sudoers.d/sub2api)
|
// - Service configured with Restart=always in systemd unit file
|
||||||
func RestartService() error {
|
func RestartService() error {
|
||||||
if runtime.GOOS != "linux" {
|
if runtime.GOOS != "linux" {
|
||||||
return fmt.Errorf("systemd restart only available on Linux")
|
log.Println("Service restart via exit only works on Linux with systemd")
|
||||||
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
log.Println("Initiating service restart...")
|
log.Println("Initiating service restart by graceful exit...")
|
||||||
|
log.Println("systemd will automatically restart the service (Restart=always)")
|
||||||
|
|
||||||
// The sub2api user has NOPASSWD sudo access for systemctl commands
|
// Give a moment for logs to flush and response to be sent
|
||||||
// (configured by install.sh in /etc/sudoers.d/sub2api).
|
go func() {
|
||||||
cmd := exec.Command("sudo", "systemctl", "restart", serviceName)
|
time.Sleep(100 * time.Millisecond)
|
||||||
if err := cmd.Start(); err != nil {
|
os.Exit(0)
|
||||||
return fmt.Errorf("failed to initiate service restart: %w", err)
|
}()
|
||||||
}
|
|
||||||
|
|
||||||
log.Println("Service restart initiated successfully")
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -35,25 +35,25 @@ const (
|
|||||||
|
|
||||||
// allowedHeaders 白名单headers(参考CRS项目)
|
// allowedHeaders 白名单headers(参考CRS项目)
|
||||||
var allowedHeaders = map[string]bool{
|
var allowedHeaders = map[string]bool{
|
||||||
"accept": true,
|
"accept": true,
|
||||||
"x-stainless-retry-count": true,
|
"x-stainless-retry-count": true,
|
||||||
"x-stainless-timeout": true,
|
"x-stainless-timeout": true,
|
||||||
"x-stainless-lang": true,
|
"x-stainless-lang": true,
|
||||||
"x-stainless-package-version": true,
|
"x-stainless-package-version": true,
|
||||||
"x-stainless-os": true,
|
"x-stainless-os": true,
|
||||||
"x-stainless-arch": true,
|
"x-stainless-arch": true,
|
||||||
"x-stainless-runtime": true,
|
"x-stainless-runtime": true,
|
||||||
"x-stainless-runtime-version": true,
|
"x-stainless-runtime-version": true,
|
||||||
"x-stainless-helper-method": true,
|
"x-stainless-helper-method": true,
|
||||||
"anthropic-dangerous-direct-browser-access": true,
|
"anthropic-dangerous-direct-browser-access": true,
|
||||||
"anthropic-version": true,
|
"anthropic-version": true,
|
||||||
"x-app": true,
|
"x-app": true,
|
||||||
"anthropic-beta": true,
|
"anthropic-beta": true,
|
||||||
"accept-language": true,
|
"accept-language": true,
|
||||||
"sec-fetch-mode": true,
|
"sec-fetch-mode": true,
|
||||||
"accept-encoding": true,
|
"accept-encoding": true,
|
||||||
"user-agent": true,
|
"user-agent": true,
|
||||||
"content-type": true,
|
"content-type": true,
|
||||||
}
|
}
|
||||||
|
|
||||||
// ClaudeUsage 表示Claude API返回的usage信息
|
// ClaudeUsage 表示Claude API返回的usage信息
|
||||||
@@ -418,13 +418,19 @@ func (s *GatewayService) Forward(ctx context.Context, c *gin.Context, account *m
|
|||||||
}
|
}
|
||||||
|
|
||||||
// 构建上游请求
|
// 构建上游请求
|
||||||
upstreamReq, err := s.buildUpstreamRequest(ctx, c, account, body, token, tokenType)
|
upstreamResult, err := s.buildUpstreamRequest(ctx, c, account, body, token, tokenType)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// 选择使用的client:如果有代理则使用独立的client,否则使用共享的httpClient
|
||||||
|
httpClient := s.httpClient
|
||||||
|
if upstreamResult.Client != nil {
|
||||||
|
httpClient = upstreamResult.Client
|
||||||
|
}
|
||||||
|
|
||||||
// 发送请求
|
// 发送请求
|
||||||
resp, err := s.httpClient.Do(upstreamReq)
|
resp, err := httpClient.Do(upstreamResult.Request)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("upstream request failed: %w", err)
|
return nil, fmt.Errorf("upstream request failed: %w", err)
|
||||||
}
|
}
|
||||||
@@ -437,11 +443,16 @@ func (s *GatewayService) Forward(ctx context.Context, c *gin.Context, account *m
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("token refresh failed: %w", err)
|
return nil, fmt.Errorf("token refresh failed: %w", err)
|
||||||
}
|
}
|
||||||
upstreamReq, err = s.buildUpstreamRequest(ctx, c, account, body, token, tokenType)
|
upstreamResult, err = s.buildUpstreamRequest(ctx, c, account, body, token, tokenType)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
resp, err = s.httpClient.Do(upstreamReq)
|
// 重试时也需要使用正确的client
|
||||||
|
httpClient = s.httpClient
|
||||||
|
if upstreamResult.Client != nil {
|
||||||
|
httpClient = upstreamResult.Client
|
||||||
|
}
|
||||||
|
resp, err = httpClient.Do(upstreamResult.Request)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("retry request failed: %w", err)
|
return nil, fmt.Errorf("retry request failed: %w", err)
|
||||||
}
|
}
|
||||||
@@ -480,7 +491,13 @@ func (s *GatewayService) Forward(ctx context.Context, c *gin.Context, account *m
|
|||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *GatewayService) buildUpstreamRequest(ctx context.Context, c *gin.Context, account *model.Account, body []byte, token, tokenType string) (*http.Request, error) {
|
// buildUpstreamRequestResult contains the request and optional custom client for proxy
|
||||||
|
type buildUpstreamRequestResult struct {
|
||||||
|
Request *http.Request
|
||||||
|
Client *http.Client // nil means use default s.httpClient
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *GatewayService) buildUpstreamRequest(ctx context.Context, c *gin.Context, account *model.Account, body []byte, token, tokenType string) (*buildUpstreamRequestResult, error) {
|
||||||
// 确定目标URL
|
// 确定目标URL
|
||||||
targetURL := claudeAPIURL
|
targetURL := claudeAPIURL
|
||||||
if account.Type == model.AccountTypeApiKey {
|
if account.Type == model.AccountTypeApiKey {
|
||||||
@@ -549,7 +566,8 @@ func (s *GatewayService) buildUpstreamRequest(ctx context.Context, c *gin.Contex
|
|||||||
req.Header.Set("anthropic-beta", s.getBetaHeader(body, c.GetHeader("anthropic-beta")))
|
req.Header.Set("anthropic-beta", s.getBetaHeader(body, c.GetHeader("anthropic-beta")))
|
||||||
}
|
}
|
||||||
|
|
||||||
// 配置代理
|
// 配置代理 - 创建独立的client避免并发修改共享httpClient
|
||||||
|
var customClient *http.Client
|
||||||
if account.ProxyID != nil && account.Proxy != nil {
|
if account.ProxyID != nil && account.Proxy != nil {
|
||||||
proxyURL := account.Proxy.URL()
|
proxyURL := account.Proxy.URL()
|
||||||
if proxyURL != "" {
|
if proxyURL != "" {
|
||||||
@@ -566,12 +584,18 @@ func (s *GatewayService) buildUpstreamRequest(ctx context.Context, c *gin.Contex
|
|||||||
IdleConnTimeout: 90 * time.Second,
|
IdleConnTimeout: 90 * time.Second,
|
||||||
ResponseHeaderTimeout: responseHeaderTimeout,
|
ResponseHeaderTimeout: responseHeaderTimeout,
|
||||||
}
|
}
|
||||||
s.httpClient.Transport = transport
|
// 创建独立的client,避免并发时修改共享的s.httpClient.Transport
|
||||||
|
customClient = &http.Client{
|
||||||
|
Transport: transport,
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return req, nil
|
return &buildUpstreamRequestResult{
|
||||||
|
Request: req,
|
||||||
|
Client: customClient,
|
||||||
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// getBetaHeader 处理anthropic-beta header
|
// getBetaHeader 处理anthropic-beta header
|
||||||
|
|||||||
@@ -73,9 +73,6 @@ declare -A MSG_ZH=(
|
|||||||
["dirs_configured"]="目录配置完成"
|
["dirs_configured"]="目录配置完成"
|
||||||
["installing_service"]="正在安装 systemd 服务..."
|
["installing_service"]="正在安装 systemd 服务..."
|
||||||
["service_installed"]="systemd 服务已安装"
|
["service_installed"]="systemd 服务已安装"
|
||||||
["setting_up_sudoers"]="正在配置 sudoers..."
|
|
||||||
["sudoers_configured"]="sudoers 配置完成"
|
|
||||||
["sudoers_failed"]="sudoers 验证失败,已移除文件"
|
|
||||||
["ready_for_setup"]="准备就绪,可以启动设置向导"
|
["ready_for_setup"]="准备就绪,可以启动设置向导"
|
||||||
|
|
||||||
# Completion
|
# Completion
|
||||||
@@ -173,9 +170,6 @@ declare -A MSG_EN=(
|
|||||||
["dirs_configured"]="Directories configured"
|
["dirs_configured"]="Directories configured"
|
||||||
["installing_service"]="Installing systemd service..."
|
["installing_service"]="Installing systemd service..."
|
||||||
["service_installed"]="Systemd service installed"
|
["service_installed"]="Systemd service installed"
|
||||||
["setting_up_sudoers"]="Setting up sudoers..."
|
|
||||||
["sudoers_configured"]="Sudoers configured"
|
|
||||||
["sudoers_failed"]="Sudoers validation failed, removing file"
|
|
||||||
["ready_for_setup"]="Ready for Setup Wizard"
|
["ready_for_setup"]="Ready for Setup Wizard"
|
||||||
|
|
||||||
# Completion
|
# Completion
|
||||||
@@ -483,9 +477,24 @@ download_and_extract() {
|
|||||||
create_user() {
|
create_user() {
|
||||||
if id "$SERVICE_USER" &>/dev/null; then
|
if id "$SERVICE_USER" &>/dev/null; then
|
||||||
print_info "$(msg 'user_exists'): $SERVICE_USER"
|
print_info "$(msg 'user_exists'): $SERVICE_USER"
|
||||||
|
# Fix: Ensure existing user has /bin/sh shell for sudo to work
|
||||||
|
# Previous versions used /bin/false which prevents sudo execution
|
||||||
|
local current_shell
|
||||||
|
current_shell=$(getent passwd "$SERVICE_USER" 2>/dev/null | cut -d: -f7)
|
||||||
|
if [ "$current_shell" = "/bin/false" ] || [ "$current_shell" = "/sbin/nologin" ]; then
|
||||||
|
print_info "Fixing user shell for sudo compatibility..."
|
||||||
|
if usermod -s /bin/sh "$SERVICE_USER" 2>/dev/null; then
|
||||||
|
print_success "User shell updated to /bin/sh"
|
||||||
|
else
|
||||||
|
print_warning "Failed to update user shell. Service restart may not work automatically."
|
||||||
|
print_warning "Manual fix: sudo usermod -s /bin/sh $SERVICE_USER"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
print_info "$(msg 'creating_user') $SERVICE_USER..."
|
print_info "$(msg 'creating_user') $SERVICE_USER..."
|
||||||
useradd -r -s /bin/false -d "$INSTALL_DIR" "$SERVICE_USER"
|
# Use /bin/sh instead of /bin/false to allow sudo execution
|
||||||
|
# The user still cannot login interactively (no password set)
|
||||||
|
useradd -r -s /bin/sh -d "$INSTALL_DIR" "$SERVICE_USER"
|
||||||
print_success "$(msg 'user_created')"
|
print_success "$(msg 'user_created')"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
@@ -506,35 +515,6 @@ setup_directories() {
|
|||||||
print_success "$(msg 'dirs_configured')"
|
print_success "$(msg 'dirs_configured')"
|
||||||
}
|
}
|
||||||
|
|
||||||
# Setup sudoers for service restart
|
|
||||||
setup_sudoers() {
|
|
||||||
print_info "$(msg 'setting_up_sudoers')"
|
|
||||||
|
|
||||||
# Check if sudoers file exists in install dir
|
|
||||||
if [ -f "$INSTALL_DIR/sub2api-sudoers" ]; then
|
|
||||||
cp "$INSTALL_DIR/sub2api-sudoers" /etc/sudoers.d/sub2api
|
|
||||||
else
|
|
||||||
# Create sudoers file
|
|
||||||
cat > /etc/sudoers.d/sub2api << 'EOF'
|
|
||||||
# Sudoers configuration for Sub2API
|
|
||||||
sub2api ALL=(ALL) NOPASSWD: /bin/systemctl restart sub2api
|
|
||||||
sub2api ALL=(ALL) NOPASSWD: /bin/systemctl stop sub2api
|
|
||||||
sub2api ALL=(ALL) NOPASSWD: /bin/systemctl start sub2api
|
|
||||||
EOF
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Set correct permissions (required for sudoers files)
|
|
||||||
chmod 440 /etc/sudoers.d/sub2api
|
|
||||||
|
|
||||||
# Validate sudoers file
|
|
||||||
if visudo -c -f /etc/sudoers.d/sub2api &>/dev/null; then
|
|
||||||
print_success "$(msg 'sudoers_configured')"
|
|
||||||
else
|
|
||||||
print_warning "$(msg 'sudoers_failed')"
|
|
||||||
rm -f /etc/sudoers.d/sub2api
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
# Install systemd service
|
# Install systemd service
|
||||||
install_service() {
|
install_service() {
|
||||||
print_info "$(msg 'installing_service')"
|
print_info "$(msg 'installing_service')"
|
||||||
@@ -701,7 +681,6 @@ uninstall() {
|
|||||||
|
|
||||||
print_info "$(msg 'removing_files')"
|
print_info "$(msg 'removing_files')"
|
||||||
rm -f /etc/systemd/system/sub2api.service
|
rm -f /etc/systemd/system/sub2api.service
|
||||||
rm -f /etc/sudoers.d/sub2api
|
|
||||||
systemctl daemon-reload
|
systemctl daemon-reload
|
||||||
|
|
||||||
print_info "$(msg 'removing_install_dir')"
|
print_info "$(msg 'removing_install_dir')"
|
||||||
@@ -772,7 +751,6 @@ main() {
|
|||||||
create_user
|
create_user
|
||||||
setup_directories
|
setup_directories
|
||||||
install_service
|
install_service
|
||||||
setup_sudoers
|
|
||||||
prepare_for_setup
|
prepare_for_setup
|
||||||
print_completion
|
print_completion
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,13 +0,0 @@
|
|||||||
# Sudoers configuration for Sub2API
|
|
||||||
# This file allows the sub2api service user to restart the service without password
|
|
||||||
#
|
|
||||||
# Installation:
|
|
||||||
# sudo cp sub2api-sudoers /etc/sudoers.d/sub2api
|
|
||||||
# sudo chmod 440 /etc/sudoers.d/sub2api
|
|
||||||
#
|
|
||||||
# SECURITY NOTE: This grants limited sudo access only for service management
|
|
||||||
|
|
||||||
# Allow sub2api user to restart the service without password
|
|
||||||
sub2api ALL=(ALL) NOPASSWD: /bin/systemctl restart sub2api
|
|
||||||
sub2api ALL=(ALL) NOPASSWD: /bin/systemctl stop sub2api
|
|
||||||
sub2api ALL=(ALL) NOPASSWD: /bin/systemctl start sub2api
|
|
||||||
Reference in New Issue
Block a user