From 35d0eb354aab287c8abd2fb5c8b23b46d39ffe9f Mon Sep 17 00:00:00 2001 From: SenkjM Date: Sun, 20 Jul 2025 11:15:34 +0800 Subject: [PATCH 1/5] feat: add disable sign for bin, ues `--disable-sign` flag to disable sign check. for cf-worker, ues`DISABLE_SIGN` to disable sign check. --- openlist-proxy.go | 17 ++++++++++++----- openlist-proxy.js | 45 +++++++++++++++++++++++++++++---------------- 2 files changed, 41 insertions(+), 21 deletions(-) diff --git a/openlist-proxy.go b/openlist-proxy.go index 675800b..ef3573b 100644 --- a/openlist-proxy.go +++ b/openlist-proxy.go @@ -29,6 +29,7 @@ var ( https bool help bool showVersion bool + disableSign bool certFile, keyFile string address, token string s sign.Sign @@ -40,6 +41,7 @@ func init() { flag.BoolVar(&https, "https", false, "use https protocol.") flag.BoolVar(&help, "help", false, "show help") flag.BoolVar(&showVersion, "version", false, "show version and exit") + flag.BoolVar(&disableSign, "disable-sign", false, "disable signature verification") flag.StringVar(&certFile, "cert", "server.crt", "cert file") flag.StringVar(&keyFile, "key", "server.key", "key file") flag.StringVar(&address, "address", "", "openlist address") @@ -66,13 +68,18 @@ func errorResponse(w http.ResponseWriter, code int, msg string) { } func downHandle(w http.ResponseWriter, r *http.Request) { - sign := r.URL.Query().Get("sign") filePath := r.URL.Path - err := s.Verify(filePath, sign) - if err != nil { - errorResponse(w, 401, err.Error()) - return + + // If signature verification is not disabled, perform signature verification + if !disableSign { + sign := r.URL.Query().Get("sign") + err := s.Verify(filePath, sign) + if err != nil { + errorResponse(w, 401, err.Error()) + return + } } + data := Json{ "path": filePath, } diff --git a/openlist-proxy.js b/openlist-proxy.js index 320e7f7..0cc6dba 100644 --- a/openlist-proxy.js +++ b/openlist-proxy.js 
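Review bot: The new `-disable-sign` switch turns off the only access check visible in `downHandle`, yet its help text and the run path give an operator no hint of that exposure. The help string in the `init()` hunk could carry the consequence, e.g. `flag.BoolVar(&disableSign, "disable-sign", false, "disable signature verification (files become readable by anyone who knows the path)")`. A one-line startup warning when `disableSign` is true would also make an accidental or leftover flag visible in the service logs; the startup code is outside these hunks, so where to place it needs confirming. `downHandle` continues past the end of the hunk.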
@@ -2,6 +2,9 @@ const ADDRESS = "YOUR_ADDRESS"; const TOKEN = "YOUR_TOKEN"; const WORKER_ADDRESS = "YOUR_WORKER_ADDRESS"; +const DISABLE_SIGN = false; // Disable signature verification, default is off +// Privacy Warning: Disabling signature allows files to be accessed by anyone who knows the path. +// 隐私警告:关闭签名会造成文件可被任何知晓路径的人获取 // src/verify.js /** @@ -11,6 +14,11 @@ const WORKER_ADDRESS = "YOUR_WORKER_ADDRESS"; * @returns {Promise} Error message if invalid, empty string if valid. */ var verify = async (data, _sign) => { + // If signature verification is disabled, return pass directly + if (DISABLE_SIGN) { + return ""; + } + const signSlice = _sign.split(":"); if (!signSlice[signSlice.length - 1]) { return "expire missing"; @@ -70,23 +78,28 @@ async function handleDownload(request) { const origin = request.headers.get("origin") ?? "*"; const url = new URL(request.url); const path = decodeURIComponent(url.pathname); - const sign = url.searchParams.get("sign") ?? ""; - const verifyResult = await verify(path, sign); - if (verifyResult !== "") { - const resp2 = new Response( - JSON.stringify({ - code: 401, - message: verifyResult, - }), - { - headers: { - "content-type": "application/json;charset=UTF-8", - }, - } - ); - resp2.headers.set("Access-Control-Allow-Origin", origin); - return resp2; + + // If signature verification is not disabled, perform signature verification + if (!DISABLE_SIGN) { + const sign = url.searchParams.get("sign") ?? ""; + const verifyResult = await verify(path, sign); + if (verifyResult !== "") { + const resp2 = new Response( + JSON.stringify({ + code: 401, + message: verifyResult, + }), + { + headers: { + "content-type": "application/json;charset=UTF-8", + }, + } + ); + resp2.headers.set("Access-Control-Allow-Origin", origin); + return resp2; + } } + let resp = await fetch(`${ADDRESS}/api/fs/link`, { method: "POST", headers: { From dbed84e1503cf56ac17c706cd0337d6aeb839413 Mon Sep 17 00:00:00 2001 
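Review bot: The early `if (DISABLE_SIGN) { return ""; }` added to `verify()` makes the verifier itself fail open, and it duplicates the `if (!DISABLE_SIGN)` guard that the `handleDownload` hunk adds around the only call shown here. Keeping the bypass at the call site alone leaves `verify()` with a single meaning: it returns `""` only for a signature it actually checked. Any later caller that forgets the flag then stays protected. If both are kept, the JSDoc above `verify` should say that an empty string can also mean "verification disabled", for example `@returns {Promise} Empty string if valid or if DISABLE_SIGN is set; otherwise an error message.` The body of `verify` continues outside the hunk.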
From: SenkjM Date: Sun, 20 Jul 2025 11:55:53 +0800 Subject: [PATCH 2/5] feat(cf-worker): add env variables and secrets --- openlist-proxy.env | 91 ++++++++++++++++++++++++++++++++++++++++++++++ openlist-proxy.js | 18 +++++++-- 2 files changed, 105 insertions(+), 4 deletions(-) create mode 100644 openlist-proxy.env diff --git a/openlist-proxy.env b/openlist-proxy.env new file mode 100644 index 0000000..b56020e --- /dev/null +++ b/openlist-proxy.env 
@@ -0,0 +1,91 @@ +# OpenList Proxy Environment Variables Configuration +# OpenList 代理环境变量配置文件 +# +# 使用说明 / Usage Instructions: +# 1. 复制此文件并重命名为 .env (用于本地开发) +# 2. 在 Cloudflare Worker 控制台中设置这些环境变量 (用于生产环境) +# 3. 填入您的实际配置值 + +# ============================================================================= +# 必需配置 / Required Configuration +# ============================================================================= + +# OpenList 后端服务器地址 (不要包含尾随斜杠) +# OpenList backend server address (do not include trailing slash) +# 示例: https://your-openlist-server.com +ADDRESS=https://your-openlist-server.com + +# OpenList 服务器的 API 访问令牌 (密钥) +# API access token (secret key) for OpenList server +# 从您的 OpenList 服务器设置中获取此令牌 +# Get this token from your OpenList server settings +# +# 🔐 Cloudflare Worker 密钥配置: +# 在 CF Worker 中,此变量应设置为 "Secret" 类型而非 "Text" 类型 +# In CF Worker, this variable should be set as "Secret" type, not "Text" type +TOKEN=your-api-token-here + +# Cloudflare Worker 的完整地址 +# Full address of your Cloudflare Worker +# 示例: https://your-worker.your-subdomain.workers.dev +WORKER_ADDRESS=https://your-worker.your-subdomain.workers.dev + +# ============================================================================= +# 安全配置 / Security Configuration +# ============================================================================= + +# 是否禁用签名验证 (推荐设置为 false) +# Whether to disable signature verification (recommended to set as false) +# +# 可选值 / Valid values: +# - false 或 "false": 启用签名验证 (默认,推荐用于生产环境) +# - true 或 "true": 禁用签名验证 (仅建议用于开发测试) +# +# ⚠️ 安全警告 / Security Warning: +# 设置为 true 会禁用文件访问的签名验证,这意味着任何知道文件路径的人 +# 都可以直接访问文件,存在安全风险。生产环境强烈建议设置为 false。 +# Setting to true disables signature verification for file access, meaning +# anyone who knows the file path can access files directly, posing security risks. +# Strongly recommended to set as false in production environments. 
+DISABLE_SIGN=false + +# ============================================================================= +# 部署指南 / Deployment Guide +# ============================================================================= +# +# Cloudflare Worker 部署步骤: +# 1. 登录 Cloudflare Dashboard +# 2. 进入 Workers & Pages +# 3. 选择您的 Worker +# 4. 进入 设置 > 变量与机密 +# 5. 添加环境变量时注意类型选择: +# - ADDRESS: 选择 "Text" 类型 +# - TOKEN: 选择 "Secret" 类型 (重要!保护敏感信息) +# - WORKER_ADDRESS: 选择 "Text" 类型 +# - DISABLE_SIGN: 选择 "Text" 类型 +# +# 🔐 密钥设置重要提醒: +# TOKEN 必须设置为 "Secret" 类型,这样可以: +# - 在 Dashboard 中隐藏令牌值 +# - 提供额外的安全保护 +# - 防止意外泄露敏感信息 +# +# 本地开发步骤: +# 1. 将此文件复制为 .dev.vars (Wrangler 专用) +# 2. 填入实际的配置值 +# 3. 运行 wrangler dev 进行本地测试 +# +# 安全提醒: +# - 不要将包含真实令牌的配置文件提交到版本控制系统 +# - 定期轮换 API 令牌以确保安全性 +# - 在生产环境中始终启用签名验证 (DISABLE_SIGN=false) +# - 在 Cloudflare Worker 中,TOKEN 必须设置为 "Secret" 类型 +# - Secret 类型的环境变量在 Dashboard 中会被隐藏显示 +# - 只有 Worker 运行时才能访问 Secret 类型的变量值 +# +# Cloudflare Worker Security Tips: +# - Set TOKEN as "Secret" type in CF Worker environment variables +# - Secret variables are hidden in the Dashboard for security +# - Only the Worker runtime can access Secret variable values +# +# ============================================================================= diff --git a/openlist-proxy.js b/openlist-proxy.js index 0cc6dba..7b8ef8c 100644 --- a/openlist-proxy.js +++ b/openlist-proxy.js 
@@ -1,8 +1,16 @@ // src/const.js -const ADDRESS = "YOUR_ADDRESS"; -const TOKEN = "YOUR_TOKEN"; -const WORKER_ADDRESS = "YOUR_WORKER_ADDRESS"; -const DISABLE_SIGN = false; // Disable signature verification, default is off +// Environment variables will be injected by Cloudflare Worker runtime +// These will be set during the fetch function execution +let ADDRESS, TOKEN, WORKER_ADDRESS, DISABLE_SIGN; + +// Function to initialize constants from environment variables +function initConstants(env) { + ADDRESS = env.ADDRESS || "YOUR_ADDRESS"; + TOKEN = env.TOKEN || "YOUR_TOKEN"; + WORKER_ADDRESS = env.WORKER_ADDRESS || "YOUR_WORKER_ADDRESS"; + DISABLE_SIGN = env.DISABLE_SIGN === 'true' || env.DISABLE_SIGN === true || false; +} + // Privacy Warning: Disabling signature allows files to be accessed by anyone who knows the path. // 隐私警告:关闭签名会造成文件可被任何知晓路径的人获取 @@ -201,6 +209,8 @@ async function handleRequest(request) { */ var src_default = { async fetch(request, env, ctx) { + // Initialize constants from environment variables + initConstants(env); return await handleRequest(request); }, }; From 742c3868ac1a2d564c1a1afc82a907b5745fc19c Mon Sep 17 00:00:00 2001 From: MadDogOwner Date: Sun, 20 Jul 2025 15:00:07 +0800 Subject: [PATCH 3/5] chore(all): format and improve comments --- openlist-proxy.env | 91 ---------------------------------------------- openlist-proxy.go | 4 +- openlist-proxy.js | 19 ++++++++-- 3 files changed, 17 insertions(+), 97 deletions(-) delete mode 100644 openlist-proxy.env diff --git a/openlist-proxy.env b/openlist-proxy.env deleted file mode 100644 index b56020e..0000000 --- a/openlist-proxy.env +++ /dev/null 
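Review bot: `initConstants` falls back silently to the literal placeholders (`env.TOKEN || "YOUR_TOKEN"`, likewise for `ADDRESS` and `WORKER_ADDRESS`), so a Worker deployed without its variables or secret keeps serving requests with publicly known values instead of failing. If `TOKEN` is also the key `verify()` checks signatures against (that code is not visible in this hunk), a missing secret would leave signatures checked against a well-known string. A guard at the end of the function would stop the misconfiguration at the first request: `if (TOKEN === "YOUR_TOKEN" || ADDRESS === "YOUR_ADDRESS") throw new Error("ADDRESS and TOKEN must be configured");`. The `DISABLE_SIGN` parsing defaults to enabled for anything other than `"true"`/`true`, which is the right direction and worth keeping as is.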
@@ -1,91 +0,0 @@ -# OpenList Proxy Environment Variables Configuration -# OpenList 代理环境变量配置文件 -# -# 使用说明 / Usage Instructions: -# 1. 复制此文件并重命名为 .env (用于本地开发) -# 2. 在 Cloudflare Worker 控制台中设置这些环境变量 (用于生产环境) -# 3. 填入您的实际配置值 - -# ============================================================================= -# 必需配置 / Required Configuration -# ============================================================================= - -# OpenList 后端服务器地址 (不要包含尾随斜杠) -# OpenList backend server address (do not include trailing slash) -# 示例: https://your-openlist-server.com -ADDRESS=https://your-openlist-server.com - -# OpenList 服务器的 API 访问令牌 (密钥) -# API access token (secret key) for OpenList server -# 从您的 OpenList 服务器设置中获取此令牌 -# Get this token from your OpenList server settings -# -# 🔐 Cloudflare Worker 密钥配置: -# 在 CF Worker 中,此变量应设置为 "Secret" 类型而非 "Text" 类型 -# In CF Worker, this variable should be set as "Secret" type, not "Text" type -TOKEN=your-api-token-here - -# Cloudflare Worker 的完整地址 -# Full address of your Cloudflare Worker -# 示例: https://your-worker.your-subdomain.workers.dev -WORKER_ADDRESS=https://your-worker.your-subdomain.workers.dev - -# ============================================================================= -# 安全配置 / Security Configuration -# ============================================================================= - -# 是否禁用签名验证 (推荐设置为 false) -# Whether to disable signature verification (recommended to set as false) -# -# 可选值 / Valid values: -# - false 或 "false": 启用签名验证 (默认,推荐用于生产环境) -# - true 或 "true": 禁用签名验证 (仅建议用于开发测试) -# -# ⚠️ 安全警告 / Security Warning: -# 设置为 true 会禁用文件访问的签名验证,这意味着任何知道文件路径的人 -# 都可以直接访问文件,存在安全风险。生产环境强烈建议设置为 false。 -# Setting to true disables signature verification for file access, meaning -# anyone who knows the file path can access files directly, posing security risks. -# Strongly recommended to set as false in production environments. 
-DISABLE_SIGN=false - -# ============================================================================= -# 部署指南 / Deployment Guide -# ============================================================================= -# -# Cloudflare Worker 部署步骤: -# 1. 登录 Cloudflare Dashboard -# 2. 进入 Workers & Pages -# 3. 选择您的 Worker -# 4. 进入 设置 > 变量与机密 -# 5. 添加环境变量时注意类型选择: -# - ADDRESS: 选择 "Text" 类型 -# - TOKEN: 选择 "Secret" 类型 (重要!保护敏感信息) -# - WORKER_ADDRESS: 选择 "Text" 类型 -# - DISABLE_SIGN: 选择 "Text" 类型 -# -# 🔐 密钥设置重要提醒: -# TOKEN 必须设置为 "Secret" 类型,这样可以: -# - 在 Dashboard 中隐藏令牌值 -# - 提供额外的安全保护 -# - 防止意外泄露敏感信息 -# -# 本地开发步骤: -# 1. 将此文件复制为 .dev.vars (Wrangler 专用) -# 2. 填入实际的配置值 -# 3. 运行 wrangler dev 进行本地测试 -# -# 安全提醒: -# - 不要将包含真实令牌的配置文件提交到版本控制系统 -# - 定期轮换 API 令牌以确保安全性 -# - 在生产环境中始终启用签名验证 (DISABLE_SIGN=false) -# - 在 Cloudflare Worker 中,TOKEN 必须设置为 "Secret" 类型 -# - Secret 类型的环境变量在 Dashboard 中会被隐藏显示 -# - 只有 Worker 运行时才能访问 Secret 类型的变量值 -# -# Cloudflare Worker Security Tips: -# - Set TOKEN as "Secret" type in CF Worker environment variables -# - Secret variables are hidden in the Dashboard for security -# - Only the Worker runtime can access Secret variable values -# -# ============================================================================= diff --git a/openlist-proxy.go b/openlist-proxy.go index ef3573b..95edac8 100644 --- a/openlist-proxy.go +++ b/openlist-proxy.go @@ -69,7 +69,7 @@ func errorResponse(w http.ResponseWriter, code int, msg string) { func downHandle(w http.ResponseWriter, r *http.Request) { filePath := r.URL.Path - + // If signature verification is not disabled, perform signature verification if !disableSign { sign := r.URL.Query().Get("sign") @@ -79,7 +79,7 @@ func downHandle(w http.ResponseWriter, r *http.Request) { return } } - + data := Json{ "path": filePath, } diff --git a/openlist-proxy.js b/openlist-proxy.js index 7b8ef8c..15bcfbb 100644 --- a/openlist-proxy.js +++ b/openlist-proxy.js 
@@ -5,10 +5,21 @@ let ADDRESS, TOKEN, WORKER_ADDRESS, DISABLE_SIGN; // Function to initialize constants from environment variables function initConstants(env) { + // OpenList 后端服务器地址 (不要包含尾随斜杠) + // OpenList backend server address (do not include trailing slash) ADDRESS = env.ADDRESS || "YOUR_ADDRESS"; + // OpenList 服务器的 API 访问令牌 (密钥) + // API access token (secret key) for OpenList server TOKEN = env.TOKEN || "YOUR_TOKEN"; + // Cloudflare Worker 的完整地址 + // Full address of your Cloudflare Worker WORKER_ADDRESS = env.WORKER_ADDRESS || "YOUR_WORKER_ADDRESS"; - DISABLE_SIGN = env.DISABLE_SIGN === 'true' || env.DISABLE_SIGN === true || false; + // 是否禁用签名验证 (推荐设置为 false) + // Whether to disable signature verification (recommended to set as false) + // 隐私警告:关闭签名会造成文件可被任何知晓路径的人获取 + // Privacy Warning: Disabling signature allows files to be accessed by anyone who knows the path. + DISABLE_SIGN = + env.DISABLE_SIGN === "true" || env.DISABLE_SIGN === true || false; } // Privacy Warning: Disabling signature allows files to be accessed by anyone who knows the path. @@ -26,7 +37,7 @@ var verify = async (data, _sign) => { if (DISABLE_SIGN) { return ""; } - + const signSlice = _sign.split(":"); if (!signSlice[signSlice.length - 1]) { return "expire missing"; @@ -86,7 +97,7 @@ async function handleDownload(request) { const origin = request.headers.get("origin") ?? "*"; const url = new URL(request.url); const path = decodeURIComponent(url.pathname); - + // If signature verification is not disabled, perform signature verification if (!DISABLE_SIGN) { const sign = url.searchParams.get("sign") ?? ""; @@ -107,7 +118,7 @@ async function handleDownload(request) { return resp2; } } - + let resp = await fetch(`${ADDRESS}/api/fs/link`, { method: "POST", headers: { From fb007d991782b5a2e6bb560c9a1f0022f1a280ec Mon Sep 17 00:00:00 2001 
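Review bot: The comments added above `DISABLE_SIGN` in `initConstants` recommend `false` but no longer say which values actually switch verification off, and the `openlist-proxy.env` file deleted in this same commit was the only place that listed them. A line such as `// Only the string "true" or the boolean true disables verification; any other value keeps it enabled.` would record what the expression below it does. The privacy warning is now written both inside the function and in the context lines directly after it, so the copy outside the function can be dropped.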
From: MadDogOwner Date: Sun, 20 Jul 2025 15:00:18 +0800 Subject: [PATCH 4/5] feat(README): add description for new -disable-sign flag --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 0f4581a..b2fa337 100644 --- a/README.md +++ b/README.md @@ -13,6 +13,8 @@ Usage of OpenList-Proxy: openlist address -cert string cert file (default "server.crt") + -disable-sign + disable signature verification -help show help -https From 0823c1868fac5db4b825813edb0fecc7be54d668 Mon Sep 17 00:00:00 2001 From: MadDogOwner Date: Sun, 20 Jul 2025 15:11:10 +0800 Subject: [PATCH 5/5] chore(cf-worker): update CORS headers --- openlist-proxy.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/openlist-proxy.js b/openlist-proxy.js index 15bcfbb..b953ef0 100644 --- a/openlist-proxy.js +++ b/openlist-proxy.js @@ -111,10 +111,10 @@ async function handleDownload(request) { { headers: { "content-type": "application/json;charset=UTF-8", + "Access-Control-Allow-Origin": origin, }, } ); - resp2.headers.set("Access-Control-Allow-Origin", origin); return resp2; } } @@ -172,7 +172,7 @@ async function handleDownload(request) { function handleOptions(request) { const corsHeaders = { "Access-Control-Allow-Origin": "*", - "Access-Control-Allow-Methods": "GET,HEAD,POST,OPTIONS", + "Access-Control-Allow-Methods": "GET, HEAD, OPTIONS", "Access-Control-Max-Age": "86400", }; let headers = request.headers; @@ -191,7 +191,7 @@ function handleOptions(request) { } else { return new Response(null, { headers: { - Allow: "GET, HEAD, POST, OPTIONS", + Allow: "GET, HEAD, OPTIONS", }, }); }
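Review bot: In the first `openlist-proxy.js` hunk the 401 response now sets `"Access-Control-Allow-Origin": origin`, where `origin` is taken from the request's `origin` header (falling back to `"*"`), but no `Vary` header accompanies it. When the allowed origin is derived from the request, adding `Vary: "Origin"` to the same headers object keeps a shared cache from replaying one origin's header to another. The headers of the success path are outside this hunk and may need the same entry. `handleDownload` starts and ends outside the hunk.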