|
|
import re |
|
|
import logging |
|
|
import os |
|
|
from flask import Flask, request, Response |
|
|
import requests |
|
|
from urllib.parse import urlparse, unquote |
|
|
|
|
|
|
|
|
logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s') |
|
|
app = Flask(__name__) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SECRET_KEY = os.environ.get('PROXY_SECRET_KEY') |
|
|
if not SECRET_KEY: |
|
|
logging.critical("FATAL: Environment variable PROXY_SECRET_KEY is not set. Service cannot start.") |
|
|
exit("Error: The PROXY_SECRET_KEY environment variable must be set.") |
|
|
|
|
|
|
|
|
ALLOWED_PATTERNS = [ |
|
|
|
|
|
re.compile(r'^https://github\.com/[^/]+/[^/]+/(?:releases|archive)/.*$', re.IGNORECASE), |
|
|
re.compile(r'^https://github\.com/[^/]+/[^/]+/(?:blob|raw)/.*$', re.IGNORECASE), |
|
|
|
|
|
|
|
|
re.compile(r'^https://github\.com/[^/]+/[^/]+/(?:info|git-).*$', re.IGNORECASE), |
|
|
|
|
|
|
|
|
re.compile(r'^https://raw\.(?:githubusercontent|github)\.com/[^/]+/[^/]+/.*/.*$', re.IGNORECASE), |
|
|
re.compile(r'^https://gist\.(?:githubusercontent|github)\.com/[^/]+/[^/]+/.*/.*$', re.IGNORECASE), |
|
|
|
|
|
|
|
|
re.compile(r'^https://github\.com/[^/]+/[^/]+/tags.*$', re.IGNORECASE), |
|
|
re.compile(r'^https://avatars\.githubusercontent\.com/.*$', re.IGNORECASE), |
|
|
re.compile(r'^https://github\.githubassets\.com/.*$', re.IGNORECASE), |
|
|
|
|
|
|
|
|
re.compile(r'^https://github\.com/[^/]+/?$', re.IGNORECASE), |
|
|
re.compile(r'^https://github\.com/[^/]+/[^/]+/?$', re.IGNORECASE), |
|
|
] |
|
|
|
|
|
|
|
|
INDEX_PAGE_HTML = f""" |
|
|
<!DOCTYPE html> |
|
|
<html lang="en"> |
|
|
<head> |
|
|
<meta charset="UTF-8"> |
|
|
<meta name="viewport" content="width=device-width, initial-scale=1.0"> |
|
|
<title>Private GitHub Proxy</title> |
|
|
<style> |
|
|
body {{ font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif; line-height: 1.6; color: #333; max-width: 800px; margin: 40px auto; padding: 20px; }} |
|
|
.container {{ border: 1px solid #ddd; border-radius: 8px; padding: 20px 40px; background-color: #f9f9f9; }} |
|
|
.warning {{ color: #856404; background-color: #fff3cd; border: 1px solid #ffeeba; padding: 15px; border-radius: 4px; margin-bottom: 20px; }} |
|
|
h1, h2 {{ border-bottom: 1px solid #eaecef; padding-bottom: 0.3em; }} |
|
|
code {{ background-color: #eef; padding: 2px 4px; border-radius: 3px; font-family: "SFMono-Regular", Consolas, "Liberation Mono", Menlo, Courier, monospace; }} |
|
|
</style> |
|
|
</head> |
|
|
<body> |
|
|
<div class="container"> |
|
|
<h1>Private GitHub Reverse Proxy</h1> |
|
|
<div class="warning"> |
|
|
<strong>Authentication Required:</strong> This is a private proxy. You must include your secret key in the URL to access content. |
|
|
</div> |
|
|
<h2>How to Use</h2> |
|
|
<p>To access GitHub content, prepend your secret key to the GitHub URL.</p> |
|
|
<p>For example, to clone a repository:</p> |
|
|
<code>git clone {{YOUR_PROXY_URL}}/{SECRET_KEY}/https://github.com/owner/repo.git</code> |
|
|
<p>Or to view a repository page:</p> |
|
|
<code>{{YOUR_PROXY_URL}}/{SECRET_KEY}/https://github.com/owner/repo</code> |
|
|
</div> |
|
|
</body> |
|
|
</html> |
|
|
""" |
|
|
|
|
|
def is_url_allowed(url): |
|
|
"""Check if the given URL matches any pattern in the whitelist.""" |
|
|
for pattern in ALLOWED_PATTERNS: |
|
|
if pattern.match(url): |
|
|
return True |
|
|
return False |
|
|
|
|
|
|
|
|
@app.route('/', defaults={'path': ''}, methods=['GET', 'POST', 'PUT', 'DELETE']) |
|
|
@app.route('/<path:path>', methods=['GET', 'POST', 'PUT', 'DELETE']) |
|
|
def proxy(path): |
|
|
""" |
|
|
Authenticates the request via a secret key in the path, then proxies |
|
|
the request to GitHub after validating it against a whitelist. |
|
|
""" |
|
|
|
|
|
|
|
|
path_parts = path.split('/', 1) |
|
|
|
|
|
|
|
|
|
|
|
if len(path_parts) < 1 or path_parts[0] != SECRET_KEY: |
|
|
logging.warning(f"Authentication failed for request from {request.remote_addr}. Path: '{path}'") |
|
|
return "<h1>401 Unauthorized</h1><p>A valid secret key is required in the URL path.</p>", 401 |
|
|
|
|
|
|
|
|
|
|
|
if len(path_parts) == 1 or not path_parts[1]: |
|
|
return INDEX_PAGE_HTML, 200 |
|
|
|
|
|
target_path = unquote(path_parts[1]) |
|
|
|
|
|
|
|
|
if not target_path.startswith(('http://', 'https://')): |
|
|
target_url = 'https://' + target_path |
|
|
else: |
|
|
target_url = target_path |
|
|
|
|
|
|
|
|
if not is_url_allowed(target_url): |
|
|
logging.warning(f"URL Denied! Key was correct, but pattern not matched: {target_url}") |
|
|
return "<h1>403 Forbidden</h1><p>Request blocked by proxy security policy.</p>", 403 |
|
|
|
|
|
try: |
|
|
target_host = urlparse(target_url).hostname |
|
|
if not target_host: |
|
|
raise ValueError("Hostname could not be parsed from the target URL.") |
|
|
except Exception as e: |
|
|
logging.error(f"Invalid target URL provided: {target_url} | Error: {e}") |
|
|
return f"Invalid target URL in path: {e}", 400 |
|
|
|
|
|
|
|
|
headers = {key: value for (key, value) in request.headers if key.lower() != 'host'} |
|
|
headers['Host'] = target_host |
|
|
|
|
|
try: |
|
|
resp = requests.request( |
|
|
method=request.method, |
|
|
url=target_url, |
|
|
headers=headers, |
|
|
data=request.get_data(), |
|
|
cookies=request.cookies, |
|
|
allow_redirects=False, |
|
|
stream=True, |
|
|
timeout=30 |
|
|
) |
|
|
excluded_headers = ['content-encoding', 'content-length', 'transfer-encoding', 'connection'] |
|
|
response_headers = [(name, value) for (name, value) in resp.raw.headers.items() |
|
|
if name.lower() not in excluded_headers] |
|
|
return Response(resp.iter_content(chunk_size=8192), resp.status_code, response_headers) |
|
|
|
|
|
except requests.exceptions.RequestException as e: |
|
|
logging.error(f"Error while proxying to {target_url}: {e}") |
|
|
return "An error occurred while proxying the request.", 502 |
|
|
|
|
|
if __name__ == '__main__': |
|
|
app.run(host='0.0.0.0', port=7860) |
