diff --git a/Server/conf/nginx.conf b/Server/conf/nginx.conf index 895a751..968a9a4 100644 --- a/Server/conf/nginx.conf +++ b/Server/conf/nginx.conf @@ -85,6 +85,7 @@ http { proxy_set_header Host $http_host; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://frp_http_proxy; + access_by_lua_file lua/authentication.lua; } } @@ -143,6 +144,34 @@ http { } } + server { + listen 443 ssl; + server_name docker.amass.fun; + + client_header_timeout 120s; + client_body_timeout 120s; + + ssl_certificate cert/docker.amass.fun.pem; + ssl_certificate_key cert/docker.amass.fun.key; + ssl_session_timeout 5m; #缓存有效期 + ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #加密算法 + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #安全链接可选的加密协议 + ssl_prefer_server_ciphers on; #使用服务器端的首选算法 + + location / { + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header x-wiz-real-ip $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + access_by_lua_file lua/basic_authentication_proxy.lua; + proxy_pass http://frp_http_proxy; + } + } + server { listen 443 ssl; server_name money.amass.fun; diff --git a/Server/lua/accounts.lua b/Server/lua/accounts.lua new file mode 100644 index 0000000..1ad195b --- /dev/null +++ b/Server/lua/accounts.lua @@ -0,0 +1,23 @@ +local M = {} + +local password_path = "password.txt" + +function M.credentials() + local file = io.open(password_path, "r") + if not file then + ngx.log(ngx.INFO, "无法打开文件: ", password_path) + return + end + + local credentials = {} + for line in file:lines() do + local account, password = line:match("([^=]+)=([^=]+)") + if account and password then + credentials[account] = password + end + end + file:close() + return credentials +end + +return M 
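Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in the new `docker.amass.fun` server still offers TLS 1.0 and 1.1, which RFC 8996 deprecates; `ssl_protocols TLSv1.2 TLSv1.3;` (without `TLSv1.3` if the OpenSSL build lacks it) is the safer setting. The broad `ECDH:AES:HIGH` aliases in `ssl_ciphers` also admit CBC and non-forward-secret suites next to the one GCM suite named first, so an explicit ECDHE/AEAD list would match the intent better. Separately, this location sends the `Authorization` header set by `basic_authentication_proxy.lua` to `http://frp_http_proxy`, so the credential crosses that hop unencrypted; whether that link is otherwise protected is not visible here.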
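Review bot: The pattern `([^=]+)=([^=]+)` in `M.credentials()` is unanchored, so a line whose password contains `=` is stored cut off at the second `=`, and the shorter string becomes the accepted password. Anchoring it as `line:match("^([^=]+)=(.+)$")` keeps the whole value. The file holds passwords in cleartext and is re-read with blocking `io.open` on every call; storing salted hashes and caching the parsed table would reduce both the exposure and the per-request cost. The open failure is logged at `ngx.INFO`, which nginx's default `error_log` level does not record, so `ngx.ERR` fits better.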
diff --git a/Server/lua/basic_authentication.lua b/Server/lua/basic_authentication.lua
new file mode 100644
index 0000000..82969a5
--- /dev/null
+++ b/Server/lua/basic_authentication.lua
@@ -0,0 +1,33 @@
+local auth_header = ngx.var.http_authorization
+
+local function authenticate()
+ ngx.header.content_type = 'text/plain'
+ ngx.header.www_authenticate = 'Basic realm="Restricted Area"'
+ ngx.status = ngx.HTTP_UNAUTHORIZED
+ ngx.say('Unauthorized')
+ ngx.exit(ngx.HTTP_UNAUTHORIZED)
+end
+
+if not auth_header then
+ return authenticate()
+end
+
+local _, _, encoded = string.find(auth_header, "Basic%s+(.+)")
+if not encoded then
+ return authenticate()
+end
+
+
+local decoded = ngx.decode_base64(encoded)
+local user_account, user_password = decoded:match("([^:]+):(.+)")
+
+ngx.log(ngx.INFO, encoded, " ", user_account, " ", user_password)
+
+local accounts = require("lua/accounts")
+local credentials = accounts.credentials()
+
+if credentials and credentials[user_account] == user_password then
+ return
+else
+ return authenticate()
+end
diff --git a/Server/lua/basic_authentication_proxy.lua b/Server/lua/basic_authentication_proxy.lua
new file mode 100644
index 0000000..668fdc1
--- /dev/null
+++ b/Server/lua/basic_authentication_proxy.lua
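Review bot: When the decoded value holds no `account:password` pair, `decoded:match(...)` returns nil for both captures, and the final check `credentials[user_account] == user_password` then compares nil with nil and lets the request through; the captures need a nil guard before the lookup. `ngx.decode_base64` can also return nil on malformed input, which makes `decoded:match` raise instead of answering 401. The `ngx.log(ngx.INFO, encoded, " ", user_account, " ", user_password)` line writes the submitted credentials to the error log and should be reduced to the account name or dropped. The same nil-equals-nil comparison appears in the last hunk of `Server/lua/login.lua`, where it is safe only if a check outside that hunk rejects missing fields.

```lua
-- … unchanged: authenticate(), header and "Basic" prefix checks …
local decoded = ngx.decode_base64(encoded)
if not decoded then
    return authenticate()
end

local user_account, user_password = decoded:match("([^:]+):(.+)")
if not user_account or not user_password then
    return authenticate()
end

ngx.log(ngx.INFO, "basic auth attempt for account: ", user_account)

-- … unchanged: accounts.credentials() lookup and comparison …
```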
@@ -0,0 +1,22 @@ +local session, err, exists = require "resty.session".open() +if exists and session:get("authenticated") then + local account = session:get("account") + ngx.log(ngx.INFO, session:get("account"), " 访问") + local accounts = require("lua/accounts") + local credentials = accounts.credentials() + local password = "" + if credentials then + password = credentials[account] + end + local auth_value = ngx.encode_base64(account .. ':' .. password) + ngx.req.set_header("Authorization", "Basic " .. auth_value) +else + local server = "" + if ngx.var.server_port == "80" then + server = ngx.var.host + else + server = ngx.var.host .. ":" .. ngx.var.server_port + end + local target_url = ngx.var.scheme .. "://" .. server .. ngx.var.request_uri + ngx.redirect('https://amass.fun/LoginPage?next=' .. ngx.escape_uri(target_url)) +end diff --git a/Server/lua/login.lua b/Server/lua/login.lua index afde1fd..cedd556 100644 --- a/Server/lua/login.lua +++ b/Server/lua/login.lua @@ -1,7 +1,5 @@ local cjson = require "cjson" -local password_path = "password.txt" - local function add_domain(cookies, key, domain) if type(cookies) == "string" then -- 确保 set_cookies 是一个表 cookies = { cookies } @@ -11,7 +9,7 @@ local function add_domain(cookies, key, domain) for _, cookie in ipairs(cookies) do local cookie_key, value = string.match(cookie, "^%s*(.-)%s*=%s*(.-)%s*;") if cookie_key == key then - local new_cookie = value .. "; Domain=" .. domain .. "; Path=/; HttpOnly" + local new_cookie = value .. "; Domain=" .. domain .. "; Path=/; HttpOnly; SameSite=Lax" table.insert(new_cookies, key.."=" .. new_cookie) else table.insert(new_cookies, cookie) 
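Review bot: In `basic_authentication_proxy.lua`, `password = credentials[account]` is nil once the session's account is no longer in the password file, so `account .. ':' .. password` raises a runtime error. When `accounts.credentials()` returns nil, the request is forwarded with an empty password instead. Both cases are better treated as not authenticated, for example `local password = credentials and credentials[account]` followed by `if not password then return ngx.exit(ngx.HTTP_FORBIDDEN) end`. The redirect target is assembled from `ngx.var.host`, which comes from the request's Host header; whether the login page validates `next` against an allow-list is not visible here.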
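Review bot: The rewritten cookie in `add_domain` gets `HttpOnly; SameSite=Lax` but no `Secure`, and because the match captures the value only up to the first `;`, any attributes on the original cookie are dropped. If this session cookie is meant to travel only over the 443 servers, the suffix should read `"; Path=/; HttpOnly; Secure; SameSite=Lax"`. `add_domain` starts and ends outside this hunk, so how `domain` is chosen cannot be checked from here.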
@@ -42,27 +40,11 @@ local user_password = json_data.password local reply = {} -local file = io.open(password_path, "r") -if not file then - ngx.log(ngx.INFO, "无法打开文件: ", password_path) - reply.status = -1000 - reply.message = "服务器错误,找不到 " .. password_path; - ngx.say(cjson.encode(reply)) - return -end - -local credentials = {} -for line in file:lines() do - local account, password = line:match("([^=]+)=([^=]+)") - if account and password then - credentials[account] = password - end -end -file:close() - local session = require "resty.session".start() -if credentials[user_account] == user_password then +local accounts = require("lua/accounts") +local credentials = accounts.credentials() +if credentials and credentials[user_account] == user_password then reply.status = 0 reply.message = "登录成功" session:set("account", user_account)
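Review bot: A missing or unreadable `password.txt` now falls into the same branch as a wrong password, because `accounts.credentials()` returns nil and the removed `reply.status = -1000` path has no replacement in this hunk. The client can then no longer tell a server fault from bad credentials, and the only trace is the `ngx.INFO` line in `accounts.lua`. A distinct reply before the comparison would restore that, e.g. `if not credentials then reply.status = -1000; ngx.say(cjson.encode(reply)); return end`. The failure branch of this `if` lies outside the hunk, so its current reply is inferred, not seen.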