add tracker filter by lua

2026-04-25 20:57:35 +08:00 · 2025-05-01 21:42:31 +07:00
parent 3c3d395887
commit e5937d8ab3
6 changed files with 218 additions and 12 deletions
@@ -0,0 +1,108 @@
 -- tracker_filter.lua
 -- 简易 BEncode 编码器，只编码 {"failure reason": msg}
 local function bencode_error(msg)
    local key = "failure reason"
    return "d14:" .. key .. string.format("%d:%s", #msg, msg) .. "e"
 end
 local function reject(msg)
    ngx.status = 400
    ngx.header.content_type = "text/plain"
    ngx.say(bencode_error(msg or "Forbidden"))
    ngx.exit(ngx.status)
 end
 -- 常见浏览器 User-Agent 拒绝
 local common_browsers = {
    "Mozilla", "Chrome", "Safari", "Edge", "Firefox", "Opera", "Trident"
 }
 local function is_browser(ua)
    if not ua then return false end
    for _, keyword in ipairs(common_browsers) do
        if ua:find(keyword) then
            return true
        end
    end
    return false
 end
 local function is_valid_passkey(passkey)
    return type(passkey) == "string" and #passkey == 32
 end
 local function is_positive_integer(val)
    local num = tonumber(val)
    return num and num >= 0 and math.floor(num) == num
 end
 local function is_valid_port(val)
    local port = tonumber(val)
    return port and port >= 1 and port <= 65535 and math.floor(port) == port
 end
 local function main()
    -- 拒绝浏览器 User-Agent
    local ua = ngx.var.http_user_agent
    if is_browser(ua) then
        return reject("Browser access blocked !")
    end
    -- 拒绝 URL path 含 api/announce
    if ngx.var.uri and ngx.var.uri:find("api/announce") then
        return reject("Not support, please use announce.php")
    end
    -- 获取 query 参数
    local args = ngx.req.get_uri_args()
    if args["auth_key"] then
        return reject("auth_key is not allowed")
    end
    if not is_valid_passkey(args["passkey"]) then
        return reject("Invalid or missing passkey")
    end
    local required_fields = {
        "info_hash",
        "peer_id",
        "port",
        "downloaded",
        "uploaded",
        "left"
    }
    for _, field in ipairs(required_fields) do
        if not args[field] then
            return reject("Missing parameter: " .. field)
        end
    end
    if not is_valid_port(args["port"]) then
        return reject("Invalid port")
    end
    for _, field in ipairs({"downloaded", "uploaded", "left"}) do
        if not is_positive_integer(args[field]) then
            return reject("Invalid value for " .. field)
        end
    end
    if args["event"] then
        local valid_events = {
            started = true,
            completed = true,
            stopped = true,
            paused = true
        }
        if not valid_events[args["event"]] then
            return reject("Invalid event")
        end
    end
    -- 一切 OK，放行
 end
 return main
@@ -0,0 +1,95 @@
 # nginx.conf  --  docker-openresty
 #
 # This file is installed to:
 #   `/usr/local/openresty/nginx/conf/nginx.conf`
 # and is the file loaded by nginx at startup,
 # unless the user specifies otherwise.
 #
 # It tracks the upstream OpenResty's `nginx.conf`, but removes the `server`
 # section and adds this directive:
 #     `include /etc/nginx/conf.d/*.conf;`
 #
 # The `docker-openresty` file `nginx.vh.default.conf` is copied to
 # `/etc/nginx/conf.d/default.conf`.  It contains the `server section
 # of the upstream `nginx.conf`.
 #
 # See https://github.com/openresty/docker-openresty/blob/master/README.md#nginx-config-files
 #
 #user  nobody;
 #worker_processes 1;
 # Enables the use of JIT for regular expressions to speed-up their processing.
 pcre_jit on;
 #error_log  logs/error.log;
 #error_log  logs/error.log  notice;
 #error_log  logs/error.log  info;
 #pid        logs/nginx.pid;
 events {
    worker_connections  1024;
 }
 http {
    include       mime.types;
    default_type  application/octet-stream;
    lua_package_path "/usr/local/openresty/lua/?.lua;;";
    # Enables or disables the use of underscores in client request header fields.
    # When the use of underscores is disabled, request header fields whose names contain underscores are marked as invalid and become subject to the ignore_invalid_headers directive.
    # underscores_in_headers off;
    log_format  main  '$remote_addr - $remote_user [$time_iso8601] "$request" '
                     '$status $body_bytes_sent "$http_referer" '
                     '"$http_user_agent" "$http_x_forwarded_for" "$request_body" "$http_cookie" "$request_id" $request_time';
    error_log /dev/stderr debug;
    access_log /dev/stdout main;
        # Log in JSON Format
        # log_format nginxlog_json escape=json '{ "timestamp": "$time_iso8601", '
        # '"remote_addr": "$remote_addr", '
        #  '"body_bytes_sent": $body_bytes_sent, '
        #  '"request_time": $request_time, '
        #  '"response_status": $status, '
        #  '"request": "$request", '
        #  '"request_method": "$request_method", '
        #  '"host": "$host",'
        #  '"upstream_addr": "$upstream_addr",'
        #  '"http_x_forwarded_for": "$http_x_forwarded_for",'
        #  '"http_referrer": "$http_referer", '
        #  '"http_user_agent": "$http_user_agent", '
        #  '"http_version": "$server_protocol", '
        #  '"nginx_access": true }';
        # access_log /dev/stdout nginxlog_json;
    # See Move default writable paths to a dedicated directory (#119)
    # https://github.com/openresty/docker-openresty/issues/119
    client_body_temp_path /var/run/openresty/nginx-client-body;
    proxy_temp_path       /var/run/openresty/nginx-proxy;
    fastcgi_temp_path     /var/run/openresty/nginx-fastcgi;
    uwsgi_temp_path       /var/run/openresty/nginx-uwsgi;
    scgi_temp_path        /var/run/openresty/nginx-scgi;
    sendfile        on;
    #tcp_nopush     on;
    #keepalive_timeout  0;
    keepalive_timeout  65;
    #gzip  on;
    include /etc/nginx/conf.d/*.conf;
    # Don't reveal OpenResty version to clients.
    # server_tokens off;
 }
 include /etc/nginx/conf.d/*.main;
@@ -14,12 +14,6 @@ server {
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location / {
        try_files $uri $uri/ /nexus.php?$query_string;
    }
@@ -29,6 +23,18 @@ server {
        try_files $uri $uri/ /nexus.php$is_args$args;
    }
    location = /announce.php {
        access_by_lua_block {
            local filter = require("tracker_filter")
            filter()
        }
        fastcgi_pass php:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param REQUEST_ID $request_id;
    }
    location ~ \.php$ {
        fastcgi_pass php:9000;
        fastcgi_index index.php;
@@ -37,6 +43,4 @@ server {
        fastcgi_param REQUEST_ID $request_id;
    }
    error_log /dev/stderr;
    access_log /dev/stdout;
 }
@@ -11,7 +11,4 @@ server {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
    error_log /dev/stderr;
    access_log /dev/stdout;
 }
@@ -58,7 +58,7 @@ class Handler extends ExceptionHandler
        });
        //Other Only handle in json request
-        if (!$request->expectsJson()) {
+        if (!$request->expectsJson() && !$request->ajax()) {
            $this->renderable(function (NexusException $e) use ($request) {
                return redirect(url('/error?error=' . urlencode($e->getMessage())));
            });
@@ -67,6 +67,8 @@ services:
      - ./.docker/openresty/sites:/etc/nginx/conf.d/sites
      - ./.docker/openresty/certs:/certs
      - ./.docker/openresty/entrypoint.sh:/usr/local/bin/entrypoint.sh
      - ./.docker/openresty/nginx.conf:/usr/local/openresty/nginx/conf/nginx.conf
      - ./.docker/openresty/lua:/usr/local/openresty/lua
      - .:/var/www/html
    depends_on:
      - php