Merge pull request #159 from AkkiaS7/master

feat: 通过传递客户端Cookie的方式使web终端功能兼容被Cloudflare Access保护的面板

Co-authored-by: AkkiaS7 <68485070+AkkiaS7@users.noreply.github.com>

README.md

@@ -4,7 +4,7 @@
   <br>
   <small><i>LOGO designed by <a href="https://xio.ng" target="_blank">熊大</a> .</i></small>
   <br><br>
-<img src="https://img.shields.io/github/workflow/status/naiba/nezha/Dashboard%20image?label=Dash%20v0.12.18&logo=github&style=for-the-badge">&nbsp;<img src="https://img.shields.io/github/v/release/naiba/nezha?color=brightgreen&label=Agent&style=for-the-badge&logo=github">&nbsp;<img src="https://img.shields.io/github/workflow/status/naiba/nezha/Agent%20release?label=Agent%20CI&logo=github&style=for-the-badge">&nbsp;<img src="https://img.shields.io/badge/Installer-v0.8.2-brightgreen?style=for-the-badge&logo=linux">
+<img src="https://img.shields.io/github/workflow/status/naiba/nezha/Dashboard%20image?label=Dash%20v0.12.19&logo=github&style=for-the-badge">&nbsp;<img src="https://img.shields.io/github/v/release/naiba/nezha?color=brightgreen&label=Agent&style=for-the-badge&logo=github">&nbsp;<img src="https://img.shields.io/github/workflow/status/naiba/nezha/Agent%20release?label=Agent%20CI&logo=github&style=for-the-badge">&nbsp;<img src="https://img.shields.io/badge/Installer-v0.8.2-brightgreen?style=for-the-badge&logo=linux">
   <br>
   <br>
   <p>:trollface: <b>哪吒监控</b> 一站式轻监控轻运维系统。支持系统状态、HTTP(SSL 证书变更、即将到期、到期)、TCP、Ping 监控报警，计划任务和在线终端。</p>

cmd/agent/main.go

@@ -433,6 +433,12 @@ func handleTerminalTask(task *pb.Task) {
 	}
 	header := http.Header{}
 	header.Add("Secret", agentCliParam.ClientSecret)
+	// 目前只兼容Cloudflare验证
+	// 后续可能需要兼容更多的Cookie验证情况
+	if terminal.Cookie != "" {
+		cfCookie := fmt.Sprintf("CF_Authorization=%s", terminal.Cookie)
+		header.Add("Cookie", cfCookie)
+	}
 	conn, _, err := websocket.DefaultDialer.Dial(fmt.Sprintf("%s://%s/terminal/%s", protocol, terminal.Host, terminal.Session), header)
 	if err != nil {
 		println("Terminal 连接失败：", err)

cmd/dashboard/controller/common_page.go

@@ -5,6 +5,8 @@ import (
 	"fmt"
 	"log"
 	"net/http"
+	"regexp"
+	"strings"
 	"sync"
 	"time"
 
@@ -275,13 +277,28 @@ func (cp *commonPage) terminal(c *gin.Context) {
 			}, true)
 			return
 		}
-
+		cloudflareCookies, _ := c.Cookie("CF_Authorization")
+		// CloudflareCookies合法性验证
+		// 其应该包含.分隔的三组BASE64-URL编码
+		if cloudflareCookies != "" {
+			encodedCookies := strings.Split(cloudflareCookies, ".")
+			if len(encodedCookies) == 3 {
+				for i := 0; i < 3; i++ {
+					if valid, _ := regexp.MatchString("^[A-Za-z0-9-_]+$", encodedCookies[i]); !valid {
+						cloudflareCookies = ""
+						break
+					}
+				}
+			} else {
+				cloudflareCookies = ""
+			}
+		}
 		terminalData, _ := utils.Json.Marshal(&model.TerminalTask{
 			Host:    terminal.host,
 			UseSSL:  terminal.useSSL,
 			Session: terminalID,
+			Cookie:  cloudflareCookies,
 		})
-
 		if err := server.TaskStream.Send(&proto.Task{
 			Type: model.TaskTypeTerminal,
 			Data: string(terminalData),

model/monitor.go

@@ -27,6 +27,8 @@ type TerminalTask struct {
 	UseSSL bool `json:"use_ssl,omitempty"`
 	// 会话标识
 	Session string `json:"session,omitempty"`
+	// Agent在连接Server时需要的额外Cookie信息
+	Cookie string `json:"cookie,omitempty"`
 }
 
 const (

service/singleton/singleton.go

@@ -10,7 +10,7 @@ import (
 	"github.com/naiba/nezha/model"
 )
 
-var Version = "v0.12.18" // ！！记得修改 README 中的 badge 版本！！
+var Version = "v0.12.19" // ！！记得修改 README 中的 badge 版本！！
 
 var (
 	Conf  *model.Config