diff --git a/README.md b/README.md index 59df19b..f0fdcc7 100644 --- a/README.md +++ b/README.md @@ -179,6 +179,23 @@ Browse `https://httpbin.org/ip` through the proxy — you should see the **VPS's > The forwarder must require auth. Without `AUTH_KEY` it refuses to start. Anyone with the URL and key can use it as a relay, so keep both secret. +### 4. Scope the forwarder to specific hosts (optional) + +By default every request the Worker handles routes through the forwarder, so unrelated traffic also burns VPS bandwidth. To send only the sites that need a stable exit IP through the VPS, list them in `forwarder_hosts` in `config.json` — same syntax as `bypass_hosts` (exact hostname or `.suffix`). Anything not matched falls back to direct `fetch()` on the Worker. + +```json +{ + ... + "forwarder_hosts": [ + "example.com", + ".cf-protected-suffix" + ] + ... +} +``` + +Leave the list empty (or remove the key) to keep the historical "forward everything" behavior. + --- ## Disclaimer diff --git a/README_FA.md b/README_FA.md index f98f5ef..1caeeb9 100644 --- a/README_FA.md +++ b/README_FA.md @@ -945,6 +945,24 @@ mhr-cfw/ > **هرگز** فایل `ca/ca.key` را به کسی ندهید یا در اینترنت آپلود نکنید. +### ۴. محدود کردن forwarder به میزبان‌های خاص (اختیاری) + +به‌صورت پیش‌فرض همهٔ درخواست‌هایی که Worker پردازش می‌کند از طریق forwarder عبور می‌کنند، در نتیجه ترافیک غیرمرتبط هم پهنای باند VPS را مصرف می‌کند. اگر فقط می‌خواهید سایت‌هایی که به IP خروجی پایدار نیاز دارند از مسیر VPS رد شوند، آن‌ها را در `forwarder_hosts` در `config.json` فهرست کنید — همان نحو `bypass_hosts` (نام دقیق دامنه یا الگوی `.suffix`). هر چه با این لیست تطبیق نخورد، روی Worker با `fetch()` مستقیم ارسال می‌شود. + +```json +{ + ... + "forwarder_hosts": [ + "example.com", + ".cf-protected-suffix" + ], + ... +} +``` + +اگر این لیست خالی باشد (یا کلید را حذف کنید)، رفتار قبلی یعنی «forward همه» حفظ می‌شود. + + --- ## سلب مسئولیت diff --git a/config.example.json b/config.example.json index 3714eca..0b2b1c4 100644 --- a/config.example.json +++ b/config.example.json @@ -60,6 +60,7 @@ ".lan", ".home.arpa" ], + "forwarder_hosts": [], "direct_google_exclude": [ "gemini.google.com", "aistudio.google.com", diff --git a/deploy/cloudflare-worker/worker.js b/deploy/cloudflare-worker/worker.js index 85449c8..7b30e9c 100644 --- a/deploy/cloudflare-worker/worker.js +++ b/deploy/cloudflare-worker/worker.js @@ -38,7 +38,11 @@ export default { } const upstreamUrl = (env && env.UPSTREAM_FORWARDER_URL) || ""; - if (upstreamUrl) { + + // f === 1: forward; f === 0: skip; missing: legacy client → forward (compat). + const wantForward = (req.f === 1) || (req.f === undefined); + + if (upstreamUrl && wantForward) { const upstreamResp = await forwardViaUpstream(req, env, upstreamUrl); if (upstreamResp) return upstreamResp; // fall through to direct fetch only when fail-mode is open diff --git a/deploy/gas/Code.gs b/deploy/gas/Code.gs index 96edc3c..970ace0 100644 --- a/deploy/gas/Code.gs +++ b/deploy/gas/Code.gs @@ -105,7 +105,7 @@ function _buildWorkerPayload(req) { } } - return { + var out = { u: req.u, m: (req.m || "GET").toUpperCase(), h: headers, @@ -113,6 +113,9 @@ function _buildWorkerPayload(req) { ct: req.ct || null, r: req.r !== false }; + + if (typeof req.f === "number") out.f = req.f; + return out; } function doGet(e) { diff --git a/src/domain_fronter.py b/src/domain_fronter.py index 19c5071..601c8b9 100644 --- a/src/domain_fronter.py +++ b/src/domain_fronter.py @@ -154,6 +154,10 @@ class DomainFronter: minimum=1024, ) + self._forwarder_hosts = self._load_host_rules( + config.get("forwarder_hosts", []) + ) + # Connection pool — TTL-based, pre-warmed, with concurrency control self._pool: list[tuple[asyncio.StreamReader, asyncio.StreamWriter, float]] = [] self._pool_lock = asyncio.Lock() @@ -228,6 +232,33 @@ class DomainFronter: value = default return max(minimum, value) + @staticmethod + def _load_host_rules(raw) -> tuple[set[str], tuple[str, ...]]: + """Parse host strings into (exact_set, suffix_tuple). Mirrors ProxyServer._load_host_rules.""" + exact: set[str] = set() + suffixes: list[str] = [] + for item in raw or []: + h = str(item).strip().lower().rstrip(".") + if not h: + continue + if h.startswith("."): + suffixes.append(h) + else: + exact.add(h) + return exact, tuple(suffixes) + + @staticmethod + def _host_matches_rules(host: str, + rules: tuple[set[str], tuple[str, ...]]) -> bool: + exact, suffixes = rules + h = host.lower().rstrip(".") + if h in exact: + return True + for s in suffixes: + if h.endswith(s): + return True + return False + def _ssl_ctx(self) -> ssl.SSLContext: ctx = ssl.create_default_context() if certifi is not None: @@ -1548,6 +1579,13 @@ class DomainFronter: ct = headers.get("Content-Type") or headers.get("content-type") if ct: payload["ct"] = ct + # Only emit 'f' when scoped; Worker treats missing 'f' as forward (legacy compat). + exact, suffixes = self._forwarder_hosts + if exact or suffixes: + host = urlparse(url).hostname or "" + payload["f"] = 1 if self._host_matches_rules( + host, self._forwarder_hosts + ) else 0 return payload @classmethod