aheh/MasterHttpRelayVPN-RUST
1
0
Fork 0
mirror of https://github.com/therealaleph/MasterHttpRelayVPN-RUST.git synced 2026-05-18 05:44:35 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
90433998cfc700e508e5cf7ab2589692f9d8306c
MasterHttpRelayVPN-RUST/assets/apps_script/Code.gs
T

657 lines
22 KiB
JavaScript
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
/**
* DomainFront Relay — Google Apps Script
*
* TWO modes:
* 1. Single: POST { k, m, u, h, b, ct, r } → { s, h, b }
* 2. Batch: POST { k, q: [{m,u,h,b,ct,r}, ...] } → { q: [{s,h,b}, ...] }
* Uses UrlFetchApp.fetchAll() — all URLs fetched IN PARALLEL.
*
* OPTIONAL SPREADSHEET-BACKED RESPONSE CACHE:
* Set CACHE_SPREADSHEET_ID to a valid Google Sheet ID (must be owned by
* the same account). When enabled, public GET requests are stored in the
* sheet and served from there on repeat visits, reducing UrlFetchApp
* quota consumption. The cache is Vary-aware (Accept-Encoding and
* Accept-Language are hashed into the compound cache key). Leave
* CACHE_SPREADSHEET_ID as-is to disable caching entirely — zero overhead.
*
* DEPLOYMENT:
* 1. Go to https://script.google.com → New project
* 2. Delete the default code, paste THIS entire file
* 3. Change AUTH_KEY below to your own secret
* 4. (Optional) Set CACHE_SPREADSHEET_ID to enable caching
* 5. Click Deploy → New deployment
* 6. Type: Web app | Execute as: Me | Who has access: Anyone
* 7. Copy the Deployment ID into config.json as "script_id"
*
* CHANGE THE AUTH KEY BELOW TO YOUR OWN SECRET!
*/
const AUTH_KEY = "CHANGE_ME_TO_A_STRONG_SECRET";
// Active-probing defense. When false (production default), bad AUTH_KEY
// requests get a decoy HTML page that looks like a placeholder Apps
// Script web app instead of the JSON `{"e":"unauthorized"}` body. This
// makes the deployment indistinguishable from a forgotten-but-public
// Apps Script project to active scanners that POST malformed payloads
// looking for proxy endpoints.
//
// Set to `true` during initial setup if a misconfigured client is
// hitting "unauthorized" and you want the explicit JSON error to debug
// — then flip back to false before the deployment is widely shared.
// (Inspired by #365 Section 3, mhrv-rs v1.8.0+.)
const DIAGNOSTIC_MODE = false;
// ── Optional Spreadsheet Cache ──────────────────────────────
// Set to a valid Spreadsheet ID to enable response caching.
// Leave as-is to disable caching entirely (zero overhead).
const CACHE_SPREADSHEET_ID = "CHANGE_ME_TO_CACHE_SPREADSHEET_ID";
const CACHE_SHEET_NAME = "RelayCache";
const CACHE_META_SHEET_NAME = "RelayMeta";
const CACHE_META_CURSOR_CELL = "A1";
// ── Cache Tuning ────────────────────────────────────────────
const CACHE_MAX_ROWS = 5000; // circular buffer capacity
const CACHE_MAX_BODY_BYTES = 35000; // skip responses larger than ~35 KB
const CACHE_DEFAULT_TTL_SECONDS = 86400; // 24-hour fallback when no Cache-Control
// ── Vary-Aware Cache Key ────────────────────────────────────
// These request headers are hashed into the compound cache key
// alongside the URL so that responses with different encodings
// or languages never collide in the cache. Covers ~95 % of
// real-world Vary usage without inspecting the response.
const VARY_KEY_HEADERS = ["accept-encoding", "accept-language"];
// Keep browser capability headers (sec-ch-ua*, sec-fetch-*) intact.
// Some modern apps, notably Google Meet, use them for browser gating.
const SKIP_HEADERS = {
host: 1, connection: 1, "content-length": 1,
"transfer-encoding": 1, "proxy-connection": 1, "proxy-authorization": 1,
"priority": 1, te: 1,
};
// Headers that disqualify a request from the cache path.
const CACHE_BUSTING_HEADERS = {
authorization: 1, cookie: 1, "x-api-key": 1,
"proxy-authorization": 1, "set-cookie": 1,
};
// HTML body for the bad-auth decoy. Mimics a minimal Apps Script-style
// placeholder page — no proxy-shaped JSON, nothing distinctive enough
// for a probe to fingerprint as a tunnel endpoint.
const DECOY_HTML =
'<!DOCTYPE html><html><head><title>Web App</title></head>' +
'<body><p>The script completed but did not return anything.</p>' +
'</body></html>';
// ── Request Handlers ────────────────────────────────────────
function _decoyOrError(jsonBody) {
if (DIAGNOSTIC_MODE) return _json(jsonBody);
return ContentService
.createTextOutput(DECOY_HTML)
.setMimeType(ContentService.MimeType.HTML);
}
function doPost(e) {
try {
var req = JSON.parse(e.postData.contents);
if (req.k !== AUTH_KEY) return _decoyOrError({ e: "unauthorized" });
// Batch mode: { k, q: [...] }
if (Array.isArray(req.q)) return _doBatch(req.q);
// Single mode
return _doSingle(req);
} catch (err) {
// Parse failures of the request body are also probe-shaped — a real
// mhrv-rs client never sends invalid JSON. Decoy for the same reason.
return _decoyOrError({ e: String(err) });
}
}
// `doGet` is what active scanners hit first (HTTP GET probes are cheaper
// than POSTs). Apps Script defaults to a "Script function not found" page
// here which is a fine-enough decoy on its own, but explicitly returning
// the same harmless placeholder makes the response identical to the
// bad-auth POST decoy — one less fingerprint vector.
function doGet(e) {
return ContentService
.createTextOutput(DECOY_HTML)
.setMimeType(ContentService.MimeType.HTML);
}
// ── Single Request ─────────────────────────────────────────
function _doSingle(req) {
if (!req.u || typeof req.u !== "string" || !req.u.match(/^https?:\/\//i)) {
return _json({ e: "bad url" });
}
// ── Optional cache path ────────────────────────────────
// Only entered when CACHE_SPREADSHEET_ID is configured and
// the request qualifies as a public, cachable GET.
if (_canUseCache(req)) {
var cached = _getFromCache(req.u, req.h);
if (cached) {
return _json({
s: cached.status,
h: JSON.parse(cached.headers),
b: cached.body,
cached: true,
});
}
var fetchResult = _fetchAndCache(req.u, req.h);
if (fetchResult) {
return _json({
s: fetchResult.status,
h: JSON.parse(fetchResult.headers),
b: fetchResult.body,
cached: false,
});
}
// If _fetchAndCache returns null (spreadsheet unavailable),
// fall through to the normal relay path below.
}
// ── Normal relay (cache disabled or unavailable) ────────
var opts = _buildOpts(req);
var resp = UrlFetchApp.fetch(req.u, opts);
return _json({
s: resp.getResponseCode(),
h: _respHeaders(resp),
b: Utilities.base64Encode(resp.getContent()),
});
}
// ── Batch Request ──────────────────────────────────────────
function _doBatch(items) {
var fetchArgs = [];
var errorMap = {};
for (var i = 0; i < items.length; i++) {
var item = items[i];
if (!item.u || typeof item.u !== "string" || !item.u.match(/^https?:\/\//i)) {
errorMap[i] = "bad url";
continue;
}
var opts = _buildOpts(item);
opts.url = item.u;
fetchArgs.push({ _i: i, _o: opts });
}
// fetchAll() processes all requests in parallel inside Google
var responses = [];
if (fetchArgs.length > 0) {
responses = UrlFetchApp.fetchAll(fetchArgs.map(function(x) { return x._o; }));
}
var results = [];
var rIdx = 0;
for (var i = 0; i < items.length; i++) {
if (errorMap.hasOwnProperty(i)) {
results.push({ e: errorMap[i] });
} else {
var resp = responses[rIdx++];
results.push({
s: resp.getResponseCode(),
h: _respHeaders(resp),
b: Utilities.base64Encode(resp.getContent()),
});
}
}
return _json({ q: results });
}
// ── Request Building ───────────────────────────────────────
function _buildOpts(req) {
var opts = {
method: (req.m || "GET").toLowerCase(),
muteHttpExceptions: true,
followRedirects: req.r !== false,
validateHttpsCertificates: true,
escaping: false,
};
if (req.h && typeof req.h === "object") {
var headers = {};
for (var k in req.h) {
if (req.h.hasOwnProperty(k) && !SKIP_HEADERS[k.toLowerCase()]) {
headers[k] = req.h[k];
}
}
opts.headers = headers;
}
if (req.b) {
opts.payload = Utilities.base64Decode(req.b);
if (req.ct) opts.contentType = req.ct;
}
return opts;
}
function _respHeaders(resp) {
try {
if (typeof resp.getAllHeaders === "function") {
return resp.getAllHeaders();
}
} catch (err) {}
return resp.getHeaders();
}
function doGet(e) {
return HtmlService.createHtmlOutput(
"<!DOCTYPE html><html><head><title>My App</title></head>" +
'<body style="font-family:sans-serif;max-width:600px;margin:40px auto">' +
"<h1>Welcome</h1><p>This application is running normally.</p>" +
"</body></html>"
);
}
function _json(obj) {
return ContentService.createTextOutput(JSON.stringify(obj)).setMimeType(
ContentService.MimeType.JSON
);
}
// ═══════════════════════════════════════════════════════════
// SPREADSHEET CACHE — SHEET MANAGEMENT
// ═══════════════════════════════════════════════════════════
function _initCacheSheet() {
if (CACHE_SPREADSHEET_ID === "CHANGE_ME_TO_CACHE_SPREADSHEET_ID") {
return null;
}
try {
var ss = SpreadsheetApp.openById(CACHE_SPREADSHEET_ID);
var sheet = ss.getSheetByName(CACHE_SHEET_NAME);
if (!sheet) {
sheet = ss.insertSheet(CACHE_SHEET_NAME);
// Schema: URL_Hash | URL | Status | Headers | Body | Timestamp | Expires_At
sheet.getRange(1, 1, 1, 7).setValues([[
"URL_Hash", "URL", "Status", "Headers", "Body", "Timestamp", "Expires_At"
]]);
}
return sheet;
} catch (e) {
return null;
}
}
function _getMetaSheet() {
if (CACHE_SPREADSHEET_ID === "CHANGE_ME_TO_CACHE_SPREADSHEET_ID") {
return null;
}
try {
var ss = SpreadsheetApp.openById(CACHE_SPREADSHEET_ID);
var sheet = ss.getSheetByName(CACHE_META_SHEET_NAME);
if (!sheet) {
sheet = ss.insertSheet(CACHE_META_SHEET_NAME);
sheet.getRange(CACHE_META_CURSOR_CELL).setValue(2);
sheet.hideSheet();
}
return sheet;
} catch (e) {
return null;
}
}
function _getNextCursor(sheet, metaSheet) {
var cursorRange = metaSheet.getRange(CACHE_META_CURSOR_CELL);
var cursor = cursorRange.getValue();
if (typeof cursor !== "number" || cursor < 2) cursor = 2;
var totalRows = sheet.getDataRange().getNumRows();
if (totalRows < CACHE_MAX_ROWS + 1) {
return totalRows + 1;
}
return cursor;
}
function _advanceCursor(metaSheet, currentRow) {
var nextRow = currentRow + 1;
if (nextRow > CACHE_MAX_ROWS + 1) nextRow = 2;
metaSheet.getRange(CACHE_META_CURSOR_CELL).setValue(nextRow);
}
function _ensureRowsAllocated(sheet) {
var totalRows = sheet.getDataRange().getNumRows();
if (totalRows < CACHE_MAX_ROWS + 1) {
var needed = CACHE_MAX_ROWS + 1 - totalRows;
sheet.insertRowsAfter(totalRows, needed);
}
}
// ═══════════════════════════════════════════════════════════
// SPREADSHEET CACHE — VARY-AWARE COMPOUND KEY
// ═══════════════════════════════════════════════════════════
/**
* Case-insensitive header lookup.
* HTTP header names are case-insensitive per RFC 7230 § 3.2.
*/
function _getHeaderCaseInsensitive(headers, targetKey) {
var target = targetKey.toLowerCase();
for (var k in headers) {
if (headers.hasOwnProperty(k) && k.toLowerCase() === target) {
return headers[k];
}
}
return null;
}
/**
* Compute a compound cache key:
* MD5(URL | header1:value1 | header2:value2 | ...)
*
* Instead of reading the response Vary header (which would require
* fetching first — circular), we preemptively include the request
* headers that are known to cause response variation. This handles
* Vary: Accept-Encoding and Vary: Accept-Language without ever
* inspecting the response.
*
* Values are lowercased and whitespace-stripped so semantically
* identical requests from different clients produce the same hash.
* Missing and empty headers both map to "<none>" (same semantic).
*/
function _getCacheKey(url, reqHeaders) {
var parts = [url];
if (reqHeaders && typeof reqHeaders === "object") {
for (var i = 0; i < VARY_KEY_HEADERS.length; i++) {
var headerName = VARY_KEY_HEADERS[i];
var rawValue = _getHeaderCaseInsensitive(reqHeaders, headerName);
if (rawValue && String(rawValue).trim() !== "") {
parts.push(headerName + ":" + rawValue.toLowerCase().replace(/\s/g, ""));
} else {
parts.push(headerName + ":<none>");
}
}
} else {
for (var j = 0; j < VARY_KEY_HEADERS.length; j++) {
parts.push(VARY_KEY_HEADERS[j] + ":<none>");
}
}
var compoundKey = parts.join("|");
return _md5Hex(compoundKey);
}
function _md5Hex(input) {
var rawHash = Utilities.computeDigest(Utilities.DigestAlgorithm.MD5, input);
return rawHash
.map(function (byte) {
var v = (byte < 0) ? 256 + byte : byte;
return ("0" + v.toString(16)).slice(-2);
})
.join("");
}
// ═══════════════════════════════════════════════════════════
// SPREADSHEET CACHE — CORE LOGIC
// ═══════════════════════════════════════════════════════════
/**
* Returns true if the request is eligible for the cache path:
* public GET, no body, no auth/cookie headers, cache configured.
*/
function _canUseCache(req) {
if ((req.m || "GET") !== "GET") return false;
if (req.b) return false;
if (!req.u || !req.u.match(/^https?:\/\//i)) return false;
if (CACHE_SPREADSHEET_ID === "CHANGE_ME_TO_CACHE_SPREADSHEET_ID") return false;
if (req.h && typeof req.h === "object") {
for (var k in req.h) {
if (req.h.hasOwnProperty(k) && CACHE_BUSTING_HEADERS[k.toLowerCase()]) {
return false;
}
}
}
return true;
}
/**
* Extract max-age (seconds) from a Cache-Control header value.
* Returns 0 if the directive forbids caching (no-cache / no-store /
* private). Falls back to CACHE_DEFAULT_TTL_SECONDS when no header
* is present. Clamped to [60, 2592000] (1 min 30 days).
*/
function _parseMaxAge(cacheControlHeader) {
if (!cacheControlHeader) return CACHE_DEFAULT_TTL_SECONDS;
var lower = cacheControlHeader.toLowerCase();
if (
lower.indexOf("no-cache") !== -1 ||
lower.indexOf("no-store") !== -1 ||
lower.indexOf("private") !== -1
) {
return 0;
}
var match = lower.match(/max-age=(\d+)/);
if (match) {
var ttl = parseInt(match[1], 10);
return Math.max(60, Math.min(ttl, 2592000));
}
return CACHE_DEFAULT_TTL_SECONDS;
}
/**
* Rewrite time-sensitive headers so the client sees accurate
* Date, Age, and Cache-Control values reflecting cache age.
*/
function _refreshCachedHeaders(headersJson, timestamp) {
var headers = JSON.parse(headersJson);
var cachedAt = new Date(timestamp);
var now = new Date();
var ageSeconds = Math.floor((now.getTime() - cachedAt.getTime()) / 1000);
if (ageSeconds < 0) ageSeconds = 0;
headers["Date"] = now.toUTCString();
headers["Age"] = String(ageSeconds);
var originalCc = headers["Cache-Control"] || headers["cache-control"];
if (originalCc) {
headers["X-Original-Cache-Control"] = originalCc;
}
var remainingMaxAge = Math.max(0, _parseMaxAge(originalCc) - ageSeconds);
headers["Cache-Control"] = "public, max-age=" + remainingMaxAge;
headers["X-Cache"] = "HIT from relay-spreadsheet";
headers["X-Cached-At"] = cachedAt.toUTCString();
return JSON.stringify(headers);
}
/**
* Retrieve a cached response by compound cache key.
* Uses TextFinder for O(log n) lookup. Skips expired entries.
* Returns null on miss, expired entry, or unavailable sheet.
*/
function _getFromCache(url, reqHeaders) {
var sheet = _initCacheSheet();
if (!sheet) return null;
var hash = _getCacheKey(url, reqHeaders);
var finder = sheet.createTextFinder(hash).matchEntireCell(true);
var found = finder.findNext();
if (found) {
var row = sheet.getRange(found.getRow(), 1, 1, 7).getValues()[0];
var expiresAt = row[6];
if (expiresAt && expiresAt instanceof Date && expiresAt < new Date()) {
return null;
}
return {
status: row[2],
headers: _refreshCachedHeaders(row[3], row[5]),
body: row[4],
};
}
return null;
}
/**
* Fetch a URL and store the response in the spreadsheet cache
* using a circular buffer (O(1) writes). Skips storage when the
* encoded body exceeds CACHE_MAX_BODY_BYTES or when Cache-Control
* forbids caching. Returns the fetch result regardless.
*/
function _fetchAndCache(url, reqHeaders) {
var sheet = _initCacheSheet();
if (!sheet) return null;
try {
var response = UrlFetchApp.fetch(url, { muteHttpExceptions: true });
var status = response.getResponseCode();
var headers = _respHeaders(response);
var body = Utilities.base64Encode(response.getContent());
// Cell-size safety gate
if (body.length > CACHE_MAX_BODY_BYTES) {
return { status: status, headers: JSON.stringify(headers), body: body };
}
// TTL extraction
var cacheControl =
headers["Cache-Control"] || headers["cache-control"] || null;
var ttlSeconds = _parseMaxAge(cacheControl);
if (ttlSeconds === 0) {
return { status: status, headers: JSON.stringify(headers), body: body };
}
var hash = _getCacheKey(url, reqHeaders);
var timestamp = new Date();
var expiresAt = new Date(timestamp.getTime() + ttlSeconds * 1000);
// Safety: fallback if Date math produces invalid result
if (isNaN(expiresAt.getTime())) {
expiresAt = new Date(timestamp.getTime() + CACHE_DEFAULT_TTL_SECONDS * 1000);
}
var rowData = [
hash,
url,
status,
JSON.stringify(headers),
body,
timestamp.toISOString(),
expiresAt,
];
// Circular buffer write (O(1))
var metaSheet = _getMetaSheet();
if (metaSheet) {
_ensureRowsAllocated(sheet);
var writeRow = _getNextCursor(sheet, metaSheet);
sheet.getRange(writeRow, 1, 1, 7).setValues([rowData]);
_advanceCursor(metaSheet, writeRow);
} else {
// Fallback: simple append if meta sheet is unavailable
sheet.appendRow(rowData);
}
return { status: status, headers: JSON.stringify(headers), body: body };
} catch (e) {
return null;
}
}
// ═══════════════════════════════════════════════════════════
// SPREADSHEET CACHE — DIAGNOSTICS
// ═══════════════════════════════════════════════════════════
function getCacheStats() {
var sheet = _initCacheSheet();
if (!sheet) {
console.log("Cache is not enabled or spreadsheet unavailable.");
return;
}
var data = sheet.getDataRange().getValues();
var totalEntries = data.length - 1;
var now = new Date();
var expiredCount = 0;
for (var i = 1; i < data.length; i++) {
var expiresAt = data[i][6];
if (expiresAt && expiresAt instanceof Date && expiresAt < now) {
expiredCount++;
}
}
var metaSheet = _getMetaSheet();
var cursorInfo = "N/A";
if (metaSheet) {
cursorInfo = String(metaSheet.getRange(CACHE_META_CURSOR_CELL).getValue());
}
console.log("=== CACHE STATS ===");
console.log("Total rows used: " + totalEntries + " / " + CACHE_MAX_ROWS);
console.log("Active entries: " + (totalEntries - expiredCount));
console.log("Expired entries: " + expiredCount);
console.log("Cursor position: " + cursorInfo);
console.log("Max body size: " + CACHE_MAX_BODY_BYTES + " chars");
console.log("Default TTL: " + CACHE_DEFAULT_TTL_SECONDS + " sec");
console.log("Vary key headers: " + VARY_KEY_HEADERS.join(", "));
if (totalEntries > 0) {
console.log("Oldest entry: " + data[1][5]);
console.log("Newest entry: " + data[data.length - 1][5]);
}
}
function clearExpiredCache() {
var sheet = _initCacheSheet();
if (!sheet) {
console.log("Cache is not enabled.");
return;
}
var data = sheet.getDataRange().getValues();
var now = new Date();
var rowsToClear = [];
for (var i = 1; i < data.length; i++) {
var expiresAt = data[i][6];
if (expiresAt && expiresAt instanceof Date && expiresAt < now) {
rowsToClear.push(i + 1);
}
}
for (var j = 0; j < rowsToClear.length; j++) {
sheet.getRange(rowsToClear[j], 1, 1, 7).clearContent();
}
console.log("Cleared " + rowsToClear.length + " expired entries (" +
(data.length - 1 - rowsToClear.length) + " remaining).");
}
function clearEntireCache() {
var sheet = _initCacheSheet();
if (sheet) {
var totalRows = sheet.getDataRange().getNumRows();
if (totalRows > 1) {
sheet.getRange(2, 1, totalRows - 1, 7).clearContent();
}
}
var metaSheet = _getMetaSheet();
if (metaSheet) {
metaSheet.getRange(CACHE_META_CURSOR_CELL).setValue(2);
}
console.log("Cache wiped. Cursor reset to row 2.");
}
Reference in New Issue View Git Blame Copy Permalink