Merge branch 'main'

* main:
  补齐访问控制
  优化离线下载镜像的实现
  版本注入
  更新文档
  支持禁用前端静态文件路由
  优化代码质量
  shell OOM
  update
  v1.2.1
  修复GitHub用户名通配符
  兼容Containerd的ns参数
  v1.2.0
  判断是否已经添加加速域名，避免重复添加。
  Update README with documentation links
  更新文档
  Update README.md

# Conflicts:
#	src/main.go

.gitattributes

@@ -1 +1,2 @@
-* text=auto eol=lf
+* text=auto eol=lf
+*.html linguist-vendored

.github/workflows/docker-ghcr.yml

@@ -3,9 +3,9 @@ on:
   workflow_dispatch:
     inputs:
       version:
-        description: 'Version number'
+        description: '版本号 (例如: v1.0.0)'
         required: true
-        default: 'latest'
+        default: 'v1.0.0'
 
 jobs:
   build:
@@ -15,13 +15,13 @@ jobs:
       packages: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Cache Docker layers
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: /tmp/.buildx-cache
           key: ${{ runner.os }}-buildx-${{ github.sha }}
@@ -29,14 +29,19 @@ jobs:
             ${{ runner.os }}-buildx-
             
       - name: Log in to GitHub Docker Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
           
       - name: Set version from input
-        run: echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
+        run: |
+          VERSION=${{ github.event.inputs.version }}
+          if [[ $VERSION == v* ]]; then
+            VERSION=${VERSION:1}
+          fi
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
 
       - name: Convert repository name to lowercase
         run: |
@@ -47,10 +52,10 @@ jobs:
       - name: Build and push Docker image
         run: |
           docker buildx build --push \
-            --platform linux/amd64,linux/arm64/v8 \
+            --platform linux/amd64,linux/arm64 \
             --tag ghcr.io/${{ env.REPO_LOWER }}:${{ env.VERSION }} \
             --tag ghcr.io/${{ env.REPO_LOWER }}:latest \
             --build-arg VERSION=${{ env.VERSION }} \
             -f Dockerfile .
         env:
-          GHCR_PUBLIC: true  # 将镜像设置为公开
+          GHCR_PUBLIC: true

.github/workflows/release.yml

@@ -1,7 +1,7 @@
 name: 发布二进制文件
 
 on:
-  workflow_dispatch:  # 手动触发
+  workflow_dispatch:
     inputs:
       version:
         description: '版本号 (例如: v1.0.0)'
@@ -18,12 +18,13 @@ jobs:
       - name: 检出代码
         uses: actions/checkout@v4
         with:
-          fetch-depth: 0  # 获取完整历史，用于生成变更日志
+          fetch-depth: 0
           
       - name: 设置Go环境
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
-          go-version: '1.24'
+          go-version-file: "src/go.mod"
+          cache-dependency-path: "src/go.sum"
           
       - name: 获取版本号
         id: version
@@ -53,15 +54,25 @@ jobs:
         run: |
           mkdir -p build/hubproxy
           
+      - name: 安装 UPX
+        uses: crazy-max/ghaction-upx@v3
+        with:
+          install-only: true
+
       - name: 编译二进制文件
         run: |
           cd src
+          VERSION=${{ steps.version.outputs.version }}
           
           # Linux AMD64
-          GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" -o ../build/hubproxy/hubproxy-linux-amd64 .
+          CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X main.Version=${VERSION}" -o ../build/hubproxy/hubproxy-linux-amd64 .
           
           # Linux ARM64
-          GOOS=linux GOARCH=arm64 go build -ldflags="-s -w" -o ../build/hubproxy/hubproxy-linux-arm64 .
+          CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -ldflags="-s -w -X main.Version=${VERSION}" -o ../build/hubproxy/hubproxy-linux-arm64 .
+          
+          # 压缩二进制文件
+          upx -9 ../build/hubproxy/hubproxy-linux-amd64
+          upx -9 ../build/hubproxy/hubproxy-linux-arm64
           
       - name: 复制配置文件
         run: |
@@ -107,7 +118,7 @@ jobs:
           cat checksums.txt
           
       - name: 创建或更新Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         with:
           tag_name: ${{ steps.version.outputs.version }}
           name: "HubProxy ${{ steps.version.outputs.version }}"
@@ -125,4 +136,4 @@ jobs:
             build/checksums.txt
           draft: false
           prerelease: false
-          token: ${{ secrets.GITHUB_TOKEN }} 
+          token: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -1,4 +1,5 @@
 .idea
 .vscode
 .DS_Store
-hubproxy*
+hubproxy*
+!hubproxy.service

Dockerfile

@@ -1,11 +1,15 @@
-FROM golang:1.24-alpine AS builder
+FROM golang:1.25-alpine AS builder
+
+ARG TARGETARCH
+ARG VERSION=dev
 
 WORKDIR /app
 COPY src/go.mod src/go.sum ./
-RUN go mod download
+RUN go mod download && apk add upx
 
 COPY src/ .
-RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -trimpath -o hubproxy .
+
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} go build -ldflags="-s -w -X main.Version=${VERSION}" -trimpath -o hubproxy . && upx -9 hubproxy
 
 FROM alpine
 

README.md

@@ -1,27 +1,35 @@
 # HubProxy
 
-🚀 **Docker 和 GitHub 加速代理服务器**
+ **Docker 和 GitHub 加速代理服务器**
 
 一个轻量级、高性能的多功能代理服务，提供 Docker 镜像加速、GitHub 文件加速、下载离线镜像、在线搜索 Docker 镜像等功能。
 
+
 <p align="center">
   <img src="https://count.getloli.com/get/@sky22333.hubproxy?theme=rule34" alt="Visitors">
 </p>
 
-## ✨ 特性
+## 特性
 
-- 🐳 **Docker 镜像加速** - 单域名实现 Docker Hub、GHCR、Quay 等多个镜像仓库加速，流式传输优化拉取速度。
+- 🐳 **Docker 镜像加速** - 支持 Docker Hub、GHCR、Quay 等多个镜像仓库加速，流式传输优化拉取速度。
 - 🐳 **离线镜像包** - 支持下载离线镜像包，流式传输加防抖设计。
 - 📁 **GitHub 文件加速** - 加速 GitHub Release、Raw 文件下载，支持`api.github.com`，脚本嵌套加速等等
 - 🤖 **AI 模型库支持** - 支持 Hugging Face 模型下载加速
 - 🛡️ **智能限流** - IP 限流保护，防止滥用
 - 🚫 **仓库审计** - 强大的自定义黑名单，白名单，同时审计镜像仓库，和GitHub仓库
 - 🔍 **镜像搜索** - 在线搜索 Docker 镜像
-- ⚡ **轻量高效** - 基于 Go 语言，单二进制文件运行，资源占用低，优雅的内存清理机制。
-- 🔧 **统一配置** - 统一配置管理
+- ⚡ **轻量高效** - 基于 Go 语言，单二进制文件运行，资源占用低。
+- 🔧 **统一配置** - 统一配置管理，便于维护。
+- 🛡️ **完全自托管** - 避免依赖免费第三方服务的不稳定性，例如`cloudflare`等等。
+- 🚀 **多服务统一加速** - 单个程序即可统一加速 Docker、GitHub、Hugging Face 等多种服务，简化部署与管理。
 
+## 详细文档
 
-## 🚀 快速开始
+[中文文档](https://zread.ai/sky22333/hubproxy)
+
+[English](https://deepwiki.com/sky22333/hubproxy)
+
+## 快速开始
 
 ### Docker部署（推荐）
 ```
@@ -32,25 +40,21 @@ docker run -d \
   ghcr.io/sky22333/hubproxy
 ```
 
-
-
 ### 一键脚本安装
 
 ```bash
 curl -fsSL https://raw.githubusercontent.com/sky22333/hubproxy/main/install.sh | sudo bash
 ```
 
-也可以直接下载二进制文件执行`./hubproxy`使用，无需配置文件即可启动，内置默认配置，支持所有功能。初始内存占用约18M，二进制文件大小约12M
+支持单个二进制文件直接启动，无需其他配置，内置默认配置，支持所有功能。
 
-这个命令会：
-- 🔍 自动检测系统架构（AMD64/ARM64）
-- 📥 从 GitHub Releases 下载最新版本
-- ⚙️ 自动配置系统服务
-- 🔄 保留现有配置（升级时）
+这个脚本会：
+- 自动检测系统架构（AMD64/ARM64）
+- 从 GitHub Releases 下载最新版本
+- 自动配置系统服务
+- 保留现有配置（升级时）
 
-
-
-## 📖 使用方法
+## 使用方法
 
 ### Docker 镜像加速
 
@@ -79,8 +83,7 @@ docker pull yourdomain.com/ghcr.io/sky22333/hubproxy
 }
 ```
 
-若已设置其他加速地址，直接并列添加后保存，
-再执行 `sudo systemctl restart docker` 重启docker服务让配置生效。
+若已设置其他加速地址，直接并列添加后保存，再执行 `sudo systemctl restart docker` 重启docker服务让配置生效。
 
 ### GitHub 文件加速
 
@@ -95,12 +98,12 @@ https://yourdomain.com/https://github.com/user/repo/releases/download/v1.0.0/fil
 git clone https://yourdomain.com/https://github.com/sky22333/hubproxy.git
 ```
 
-## ⚙️ 配置
+## 配置
 
 <details>
   <summary>config.toml 配置说明</summary>
 
-*此配置是默认配置，已经内置在程序中了，可以不用添加。*
+*此配置是默认配置，已经内置在程序中了*
 
 ```
 [server]
@@ -111,6 +114,8 @@ port = 5000
 fileSize = 2147483648
 # HTTP/2 多路复用，提升下载速度
 enableH2C = false
+# 是否启用前端静态页面
+enableFrontend = true
 
 [rateLimit]
 # 每个IP每周期允许的请求数(注意Docker镜像会有多个层，会消耗多个次数)
@@ -201,6 +206,23 @@ defaultTTL = "20m"
 
 脚本部署配置文件位于 `/opt/hubproxy/config.toml`
 
+### 环境变量（可选）
+
+支持通过环境变量覆盖部分配置，优先级高于`config.toml`，以下是默认值：
+
+```
+SERVER_HOST=0.0.0.0             # 监听地址
+SERVER_PORT=5000                # 监听端口
+ENABLE_H2C=false                # 是否启用 H2C
+ENABLE_FRONTEND=true            # 是否启用前端静态页面
+MAX_FILE_SIZE=2147483648        # GitHub 文件大小限制（字节）
+RATE_LIMIT=500                  # 每周期请求数
+RATE_PERIOD_HOURS=3             # 限流周期（小时）
+IP_WHITELIST=127.0.0.1,192.168.1.0/24   # IP 白名单（逗号分隔）
+IP_BLACKLIST=192.168.100.1,192.168.100.0/24 # IP 黑名单（逗号分隔）
+MAX_IMAGES=10                   # 批量下载镜像数量限制
+```
+
 为了IP限流能够正常运行，反向代理需要传递IP头用来获取访客真实IP，以caddy为例：
 ```
 example.com {
@@ -224,6 +246,7 @@ example.com {
 }
 ```
 
+> 对于使用nginx反代的用户，Github加速提示`无效输入`的问题可以参见[issues/62](https://github.com/sky22333/hubproxy/issues/62#issuecomment-3219572440)
 
 
 ## ⚠️ 免责声明
@@ -240,7 +263,9 @@ example.com {
 
 </div>
 
+## 界面预览
 
+![1](./.github/demo/demo1.jpg)
 
 ## Star 趋势
 [![Star 趋势](https://starchart.cc/sky22333/hubproxy.svg?variant=adaptive)](https://starchart.cc/sky22333/hubproxy)

conf/Caddyfile

@@ -0,0 +1,10 @@
+# 代理到 hubproxy 的 5000 端i口
+#
+{
+    # 可选：关闭自动 HTTPS（用于测试）
+    # auto_https off
+    email ssl@diyla.com
+} 
+hub.diyla.com {
+    reverse_proxy hubproxy:5000
+}

docker-compose.yml

@@ -1,8 +1,37 @@
 services:
   hubproxy:
-    build: .
-    restart: always
+    build:
+      context: .  
+    container_name: hubproxy
+    restart: unless-stopped
     ports:
-      - '5000:5000'
+      - "5000:5000"
     volumes:
-      - ./src/config.toml:/root/config.toml
+      - ./src/config.toml:/root/config.toml
+    logging:
+      driver: json-file
+      options:
+        max-size: "1g"
+        max-file: "2"
+
+
+  caddy:
+    image: caddy:latest
+    restart: unless-stopped
+    cap_add:
+      - NET_ADMIN
+    ports:
+      - "80:80"
+      - "443:443"
+      - "443:443/udp"
+    volumes:
+      - $PWD/conf:/etc/caddy
+      - $PWD/site:/srv
+      - caddy_data:/data
+      - caddy_config:/config
+    depends_on:
+      - hubproxy  
+
+volumes:
+  caddy_data:
+  caddy_config:

src/config.toml

@@ -6,6 +6,7 @@ port = 5000
 fileSize = 2147483648
 # HTTP/2 多路复用
 enableH2C = false
+enableFrontend = true
 
 [rateLimit]
 # 每个IP每周期允许的请求数

src/config/config.go

@@ -22,10 +22,11 @@ type RegistryMapping struct {
 // AppConfig 应用配置结构体
 type AppConfig struct {
 	Server struct {
-		Host      string `toml:"host"`
-		Port      int    `toml:"port"`
-		FileSize  int64  `toml:"fileSize"`
-		EnableH2C bool   `toml:"enableH2C"`
+		Host           string `toml:"host"`
+		Port           int    `toml:"port"`
+		FileSize       int64  `toml:"fileSize"`
+		EnableH2C      bool   `toml:"enableH2C"`
+		EnableFrontend bool   `toml:"enableFrontend"`
 	} `toml:"server"`
 
 	RateLimit struct {
@@ -70,22 +71,24 @@ var (
 func DefaultConfig() *AppConfig {
 	return &AppConfig{
 		Server: struct {
-			Host      string `toml:"host"`
-			Port      int    `toml:"port"`
-			FileSize  int64  `toml:"fileSize"`
-			EnableH2C bool   `toml:"enableH2C"`
+			Host           string `toml:"host"`
+			Port           int    `toml:"port"`
+			FileSize       int64  `toml:"fileSize"`
+			EnableH2C      bool   `toml:"enableH2C"`
+			EnableFrontend bool   `toml:"enableFrontend"`
 		}{
-			Host:      "0.0.0.0",
-			Port:      5000,
-			FileSize:  2 * 1024 * 1024 * 1024, // 2GB
-			EnableH2C: false,                  // 默认关闭H2C
+			Host:           "0.0.0.0",
+			Port:           5000,
+			FileSize:       2 * 1024 * 1024 * 1024,
+			EnableH2C:      false,
+			EnableFrontend: true,
 		},
 		RateLimit: struct {
 			RequestLimit int     `toml:"requestLimit"`
 			PeriodHours  float64 `toml:"periodHours"`
 		}{
-			RequestLimit: 200,
-			PeriodHours:  1.0,
+			RequestLimit: 500,
+			PeriodHours:  3.0,
 		},
 		Security: struct {
 			WhiteList []string `toml:"whiteList"`
@@ -227,6 +230,11 @@ func overrideFromEnv(cfg *AppConfig) {
 			cfg.Server.EnableH2C = enable
 		}
 	}
+	if val := os.Getenv("ENABLE_FRONTEND"); val != "" {
+		if enable, err := strconv.ParseBool(val); err == nil {
+			cfg.Server.EnableFrontend = enable
+		}
+	}
 	if val := os.Getenv("MAX_FILE_SIZE"); val != "" {
 		if size, err := strconv.ParseInt(val, 10, 64); err == nil && size > 0 {
 			cfg.Server.FileSize = size

src/go.mod

@@ -1,34 +1,34 @@
 module hubproxy
 
-go 1.24.0
+go 1.25
 
 require (
-	github.com/gin-gonic/gin v1.10.0
-	github.com/google/go-containerregistry v0.20.5
-	github.com/pelletier/go-toml/v2 v2.2.3
-	golang.org/x/net v0.33.0
-	golang.org/x/time v0.11.0
+	github.com/gin-gonic/gin v1.11.0
+	github.com/google/go-containerregistry v0.20.6
+	github.com/pelletier/go-toml/v2 v2.2.4
+	golang.org/x/net v0.46.0
+	golang.org/x/time v0.14.0
 )
 
 require (
-	github.com/bytedance/sonic v1.11.6 // indirect
-	github.com/bytedance/sonic/loader v0.1.1 // indirect
-	github.com/cloudwego/base64x v0.1.4 // indirect
-	github.com/cloudwego/iasm v0.2.0 // indirect
+	github.com/bytedance/gopkg v0.1.3 // indirect
+	github.com/bytedance/sonic v1.14.2 // indirect
+	github.com/bytedance/sonic/loader v0.4.0 // indirect
+	github.com/cloudwego/base64x v0.1.6 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect
-	github.com/docker/cli v28.1.1+incompatible // indirect
+	github.com/docker/cli v28.2.2+incompatible // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.9.3 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.3 // indirect
-	github.com/gin-contrib/sse v0.1.0 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.11 // indirect
+	github.com/gin-contrib/sse v1.1.0 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-playground/validator/v10 v10.20.0 // indirect
-	github.com/goccy/go-json v0.10.2 // indirect
+	github.com/go-playground/validator/v10 v10.28.0 // indirect
+	github.com/goccy/go-json v0.10.5 // indirect
+	github.com/goccy/go-yaml v1.18.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.7 // indirect
-	github.com/kr/pretty v0.3.0 // indirect
+	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
@@ -37,17 +37,19 @@ require (
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/rogpeppe/go-internal v1.9.0 // indirect
+	github.com/quic-go/qpack v0.5.1 // indirect
+	github.com/quic-go/quic-go v0.55.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
-	github.com/ugorji/go/codec v1.2.12 // indirect
+	github.com/ugorji/go/codec v1.3.1 // indirect
 	github.com/vbatts/tar-split v0.12.1 // indirect
-	golang.org/x/arch v0.8.0 // indirect
-	golang.org/x/crypto v0.32.0 // indirect
-	golang.org/x/sync v0.14.0 // indirect
-	golang.org/x/sys v0.33.0 // indirect
-	golang.org/x/text v0.21.0 // indirect
-	google.golang.org/protobuf v1.36.3 // indirect
-	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
+	go.uber.org/mock v0.6.0 // indirect
+	golang.org/x/arch v0.22.0 // indirect
+	golang.org/x/crypto v0.43.0 // indirect
+	golang.org/x/mod v0.29.0 // indirect
+	golang.org/x/sync v0.17.0 // indirect
+	golang.org/x/sys v0.37.0 // indirect
+	golang.org/x/text v0.30.0 // indirect
+	golang.org/x/tools v0.38.0 // indirect
+	google.golang.org/protobuf v1.36.10 // indirect
 )

src/go.sum

@@ -1,59 +1,51 @@
-github.com/bytedance/sonic v1.11.6 h1:oUp34TzMlL+OY1OUWxHqsdkgC/Zfc85zGqw9siXjrc0=
-github.com/bytedance/sonic v1.11.6/go.mod h1:LysEHSvpvDySVdC2f87zGWf6CIKJcAvqab1ZaiQtds4=
-github.com/bytedance/sonic/loader v0.1.1 h1:c+e5Pt1k/cy5wMveRDyk2X4B9hF4g7an8N3zCYjJFNM=
-github.com/bytedance/sonic/loader v0.1.1/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
-github.com/cloudwego/base64x v0.1.4 h1:jwCgWpFanWmN8xoIUHa2rtzmkd5J2plF/dnLS6Xd/0Y=
-github.com/cloudwego/base64x v0.1.4/go.mod h1:0zlkT4Wn5C6NdauXdJRhSKRlJvmclQ1hhJgA0rcu/8w=
-github.com/cloudwego/iasm v0.2.0 h1:1KNIy1I1H9hNNFEEH3DVnI4UujN+1zjpuk6gwHLTssg=
-github.com/cloudwego/iasm v0.2.0/go.mod h1:8rXZaNYT2n95jn+zTI1sDr+IgcD2GVs0nlbbQPiEFhY=
+github.com/bytedance/gopkg v0.1.3 h1:TPBSwH8RsouGCBcMBktLt1AymVo2TVsBVCY4b6TnZ/M=
+github.com/bytedance/gopkg v0.1.3/go.mod h1:576VvJ+eJgyCzdjS+c4+77QF3p7ubbtiKARP3TxducM=
+github.com/bytedance/sonic v1.14.2 h1:k1twIoe97C1DtYUo+fZQy865IuHia4PR5RPiuGPPIIE=
+github.com/bytedance/sonic v1.14.2/go.mod h1:T80iDELeHiHKSc0C9tubFygiuXoGzrkjKzX2quAx980=
+github.com/bytedance/sonic/loader v0.4.0 h1:olZ7lEqcxtZygCK9EKYKADnpQoYkRQxaeY2NYzevs+o=
+github.com/bytedance/sonic/loader v0.4.0/go.mod h1:AR4NYCk5DdzZizZ5djGqQ92eEhCCcdf5x77udYiSJRo=
+github.com/cloudwego/base64x v0.1.6 h1:t11wG9AECkCDk5fMSoxmufanudBtJ+/HemLstXDLI2M=
+github.com/cloudwego/base64x v0.1.6/go.mod h1:OFcloc187FXDaYHvrNIjxSe8ncn0OOM8gEHfghB2IPU=
 github.com/containerd/stargz-snapshotter/estargz v0.16.3 h1:7evrXtoh1mSbGj/pfRccTampEyKpjpOnS3CyiV1Ebr8=
 github.com/containerd/stargz-snapshotter/estargz v0.16.3/go.mod h1:uyr4BfYfOj3G9WBVE8cOlQmXAbPN9VEQpBBeJIuOipU=
-github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/docker/cli v28.1.1+incompatible h1:eyUemzeI45DY7eDPuwUcmDyDj1pM98oD5MdSpiItp8k=
-github.com/docker/cli v28.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v28.2.2+incompatible h1:qzx5BNUDFqlvyq4AHzdNB7gSyVTmU4cgsyN9SdInc1A=
+github.com/docker/cli v28.2.2+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker-credential-helpers v0.9.3 h1:gAm/VtF9wgqJMoxzT3Gj5p4AqIjCBS4wrsOh9yRqcz8=
 github.com/docker/docker-credential-helpers v0.9.3/go.mod h1:x+4Gbw9aGmChi3qTLZj8Dfn0TD20M/fuWy0E5+WDeCo=
-github.com/gabriel-vasile/mimetype v1.4.3 h1:in2uUcidCuFcDKtdcBxlR0rJ1+fsokWf+uqxgUFjbI0=
-github.com/gabriel-vasile/mimetype v1.4.3/go.mod h1:d8uq/6HKRL6CGdk+aubisF/M5GcPfT7nKyLpA0lbSSk=
-github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE=
-github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI=
-github.com/gin-gonic/gin v1.10.0 h1:nTuyha1TYqgedzytsKYqna+DfLos46nTv2ygFy86HFU=
-github.com/gin-gonic/gin v1.10.0/go.mod h1:4PMNQiOhvDRa013RKVbsiNwoyezlm2rm0uX/T7kzp5Y=
+github.com/gabriel-vasile/mimetype v1.4.11 h1:AQvxbp830wPhHTqc1u7nzoLT+ZFxGY7emj5DR5DYFik=
+github.com/gabriel-vasile/mimetype v1.4.11/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
+github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
+github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM=
+github.com/gin-gonic/gin v1.11.0 h1:OW/6PLjyusp2PPXtyxKHU0RbX6I/l28FTdDlae5ueWk=
+github.com/gin-gonic/gin v1.11.0/go.mod h1:+iq/FyxlGzII0KHiBGjuNn4UNENUlKbGlNmc+W50Dls=
 github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
 github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
 github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.20.0 h1:K9ISHbSaI0lyB2eWMPJo+kOS/FBExVwjEviJTixqxL8=
-github.com/go-playground/validator/v10 v10.20.0/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM=
-github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=
-github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
+github.com/go-playground/validator/v10 v10.28.0 h1:Q7ibns33JjyW48gHkuFT91qX48KG0ktULL6FgHdG688=
+github.com/go-playground/validator/v10 v10.28.0/go.mod h1:GoI6I1SjPBh9p7ykNE/yj3fFYbyDOpwMn5KXd+m2hUU=
+github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
+github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
+github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
+github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/google/go-containerregistry v0.20.5 h1:4RnlYcDs5hoA++CeFjlbZ/U9Yp1EuWr+UhhTyYQjOP0=
-github.com/google/go-containerregistry v0.20.5/go.mod h1:Q14vdOOzug02bwnhMkZKD4e30pDaD9W65qzXpyzF49E=
+github.com/google/go-containerregistry v0.20.6 h1:cvWX87UxxLgaH76b4hIvya6Dzz9qHB31qAwjAohdSTU=
+github.com/google/go-containerregistry v0.20.6/go.mod h1:T0x8MuoAoKX/873bkeSfLD2FAkwCDf9/HZgsFJ02E2Y=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
-github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
-github.com/klauspost/cpuid/v2 v2.2.7 h1:ZWSB3igEs+d0qvnxR/ZBzXVmxkgt8DdzP6m9pfuVLDM=
-github.com/klauspost/cpuid/v2 v2.2.7/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
-github.com/knz/go-libedit v1.10.1/go.mod h1:MZTVkCWyz0oBc7JOWP3wNAzd002ZbM/5hgShxwh4x8M=
-github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
-github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
-github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
+github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
@@ -69,62 +61,63 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
 github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
-github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
-github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
+github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
+github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
-github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
-github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI=
+github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg=
+github.com/quic-go/quic-go v0.55.0 h1:zccPQIqYCXDt5NmcEabyYvOnomjs8Tlwl7tISjJh9Mk=
+github.com/quic-go/quic-go v0.55.0/go.mod h1:DR51ilwU1uE164KuWXhinFcKWGlEjzys2l8zUl5Ss1U=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
-github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65EE=
-github.com/ugorji/go/codec v1.2.12/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
+github.com/ugorji/go/codec v1.3.1 h1:waO7eEiFDwidsBN6agj1vJQ4AG7lh2yqXyOXqhgQuyY=
+github.com/ugorji/go/codec v1.3.1/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
 github.com/vbatts/tar-split v0.12.1 h1:CqKoORW7BUWBe7UL/iqTVvkTBOF8UvOMKOIZykxnnbo=
 github.com/vbatts/tar-split v0.12.1/go.mod h1:eF6B6i6ftWQcDqEn3/iGFRFRo8cBIMSJVOpnNdfTMFA=
-golang.org/x/arch v0.0.0-20210923205945-b76863e36670/go.mod h1:5om86z9Hs0C8fWVUuoMHwpExlXzs5Tkyp9hOrfG7pp8=
-golang.org/x/arch v0.8.0 h1:3wRIsP3pM4yUptoR96otTUOXI367OS0+c9eeRi9doIc=
-golang.org/x/arch v0.8.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=
-golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
-golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
-golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
-golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
-golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
+go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
+golang.org/x/arch v0.22.0 h1:c/Zle32i5ttqRXjdLyyHZESLD/bB90DCU1g9l/0YBDI=
+golang.org/x/arch v0.22.0/go.mod h1:dNHoOeKiyja7GTvF9NJS1l3Z2yntpQNzgrjh1cU103A=
+golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=
+golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4=
+golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
+golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
+golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
-golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
-golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
-golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
-google.golang.org/protobuf v1.36.3 h1:82DV7MYdb8anAVi3qge1wSnMDrnKK7ebr+I0hHRN1BU=
-google.golang.org/protobuf v1.36.3/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
+golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k=
+golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM=
+golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
+golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
+google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
 gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
-nullprogram.com/x/optparse v1.0.0/go.mod h1:KdyPE+Igbe0jQUrVfMqDMeJQIJZEuyV7pjYmp6pbG50=
-rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=

src/handlers/docker.go

@@ -8,12 +8,13 @@ import (
 	"strings"
 	"time"
 
+	"hubproxy/config"
+	"hubproxy/utils"
+
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
-	"hubproxy/config"
-	"hubproxy/utils"
 )
 
 // DockerProxy Docker代理配置
@@ -28,9 +29,16 @@ var dockerProxy *DockerProxy
 type RegistryDetector struct{}
 
 // detectRegistryDomain 检测Registry域名并返回域名和剩余路径
-func (rd *RegistryDetector) detectRegistryDomain(path string) (string, string) {
+func (rd *RegistryDetector) detectRegistryDomain(c *gin.Context, path string) (string, string) {
 	cfg := config.GetConfig()
 
+	// 兼容Containerd的ns参数
+	if ns := c.Query("ns"); ns != "" {
+		if mapping, exists := cfg.Registries[ns]; exists && mapping.Enabled {
+			return ns, path
+		}
+	}
+
 	for domain := range cfg.Registries {
 		if strings.HasPrefix(path, domain+"/") {
 			remainingPath := strings.TrimPrefix(path, domain+"/")
@@ -99,7 +107,7 @@ func ProxyDockerRegistryGin(c *gin.Context) {
 func handleRegistryRequest(c *gin.Context, path string) {
 	pathWithoutV2 := strings.TrimPrefix(path, "/v2/")
 
-	if registryDomain, remainingPath := registryDetector.detectRegistryDomain(pathWithoutV2); registryDomain != "" {
+	if registryDomain, remainingPath := registryDetector.detectRegistryDomain(c, pathWithoutV2); registryDomain != "" {
 		if registryDetector.isRegistryEnabled(registryDomain) {
 			c.Set("target_registry_domain", registryDomain)
 			c.Set("target_path", remainingPath)
@@ -267,7 +275,9 @@ func handleBlobRequest(c *gin.Context, imageRef, digest string) {
 	c.Header("Docker-Content-Digest", digest)
 
 	c.Status(http.StatusOK)
-	io.Copy(c.Writer, reader)
+	if _, err := io.Copy(c.Writer, reader); err != nil {
+		fmt.Printf("复制layer内容失败: %v\n", err)
+	}
 }
 
 // handleTagsRequest 处理tags列表请求
@@ -409,7 +419,9 @@ func proxyDockerAuthOriginal(c *gin.Context) {
 	}
 
 	c.Status(resp.StatusCode)
-	io.Copy(c.Writer, resp.Body)
+	if _, err := io.Copy(c.Writer, resp.Body); err != nil {
+		fmt.Printf("复制认证响应失败: %v\n", err)
+	}
 }
 
 // rewriteAuthHeader 重写认证头
@@ -562,7 +574,9 @@ func handleUpstreamBlobRequest(c *gin.Context, imageRef, digest string, mapping
 	c.Header("Docker-Content-Digest", digest)
 
 	c.Status(http.StatusOK)
-	io.Copy(c.Writer, reader)
+	if _, err := io.Copy(c.Writer, reader); err != nil {
+		fmt.Printf("复制layer内容失败: %v\n", err)
+	}
 }
 
 // handleUpstreamTagsRequest 处理上游Registry的tags请求
@@ -598,6 +612,7 @@ func createUpstreamOptions(mapping config.RegistryMapping) []remote.Option {
 		remote.WithTransport(utils.GetGlobalHTTPClient().Transport),
 	}
 
+	// 预留将来不同Registry的差异化认证逻辑扩展点
 	switch mapping.AuthType {
 	case "github":
 	case "google":

src/handlers/github.go

@@ -8,9 +8,10 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/gin-gonic/gin"
 	"hubproxy/config"
 	"hubproxy/utils"
+
+	"github.com/gin-gonic/gin"
 )
 
 var (
@@ -20,7 +21,7 @@ var (
 		regexp.MustCompile(`^(?:https?://)?github\.com/([^/]+)/([^/]+)/(?:blob|raw)/.*`),
 		regexp.MustCompile(`^(?:https?://)?github\.com/([^/]+)/([^/]+)/(?:info|git-).*`),
 		regexp.MustCompile(`^(?:https?://)?raw\.github(?:usercontent|)\.com/([^/]+)/([^/]+)/.+?/.+`),
-		regexp.MustCompile(`^(?:https?://)?gist\.(?:githubusercontent|github)\.com/(.+?)/(.+?)/.+\.[a-zA-Z0-9]+$`),
+		regexp.MustCompile(`^(?:https?://)?gist\.(?:githubusercontent|github)\.com/([^/]+)/([^/]+).*`),
 		regexp.MustCompile(`^(?:https?://)?api\.github\.com/repos/([^/]+)/([^/]+)/.*`),
 		regexp.MustCompile(`^(?:https?://)?huggingface\.co(?:/spaces)?/([^/]+)/(.+)`),
 		regexp.MustCompile(`^(?:https?://)?cdn-lfs\.hf\.co(?:/spaces)?/([^/]+)/([^/]+)(?:/(.*))?`),
@@ -29,6 +30,14 @@ var (
 	}
 )
 
+// 全局变量：被阻止的内容类型
+var blockedContentTypes = map[string]bool{
+	"text/html":             true,
+	"application/xhtml+xml": true,
+	"text/xml":              true,
+	"application/xml":       true,
+}
+
 // GitHubProxyHandler GitHub代理处理器
 func GitHubProxyHandler(c *gin.Context) {
 	rawPath := strings.TrimPrefix(c.Request.URL.RequestURI(), "/")
@@ -122,6 +131,17 @@ func proxyGitHubWithRedirect(c *gin.Context, u string, redirectCount int) {
 		}
 	}()
 
+	// 检查并处理被阻止的内容类型
+	if c.Request.Method == "GET" {
+		if contentType := resp.Header.Get("Content-Type"); blockedContentTypes[strings.ToLower(strings.Split(contentType, ";")[0])] {
+			c.JSON(http.StatusForbidden, map[string]string{
+				"error":   "Content type not allowed",
+				"message": "检测到网页类型，本服务不支持加速网页，请检查您的链接是否正确。",
+			})
+			return
+		}
+	}
+
 	// 检查文件大小限制
 	cfg := config.GetConfig()
 	if contentLength := resp.Header.Get("Content-Length"); contentLength != "" {
@@ -146,15 +166,15 @@ func proxyGitHubWithRedirect(c *gin.Context, u string, redirectCount int) {
 		realHost = "https://" + realHost
 	}
 
-	// 处理.sh文件的智能处理
-	if strings.HasSuffix(strings.ToLower(u), ".sh") {
+	// 处理.sh和.ps1文件的智能处理
+	if strings.HasSuffix(strings.ToLower(u), ".sh") || strings.HasSuffix(strings.ToLower(u), ".ps1") {
 		isGzipCompressed := resp.Header.Get("Content-Encoding") == "gzip"
 
 		processedBody, processedSize, err := utils.ProcessSmart(resp.Body, isGzipCompressed, realHost)
 		if err != nil {
-			fmt.Printf("智能处理失败，回退到直接代理: %v\n", err)
-			processedBody = resp.Body
-			processedSize = 0
+			fmt.Printf("脚本处理失败: %v\n", err)
+			c.String(http.StatusBadGateway, "Script processing failed: %v", err)
+			return
 		}
 
 		// 智能设置响应头
@@ -208,6 +228,8 @@ func proxyGitHubWithRedirect(c *gin.Context, u string, redirectCount int) {
 		c.Status(resp.StatusCode)
 
 		// 直接流式转发
-		io.Copy(c.Writer, resp.Body)
+		if _, err := io.Copy(c.Writer, resp.Body); err != nil {
+			fmt.Printf("转发响应体失败: %v\n", err)
+		}
 	}
 }

src/handlers/imagetar.go

@@ -5,17 +5,23 @@ import (
 	"compress/gzip"
 	"context"
 	"crypto/md5"
+	"crypto/rand"
+	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"io"
 	"log"
 	"net/http"
+	"net/url"
 	"sort"
 	"strings"
 	"sync"
 	"time"
 
+	"hubproxy/config"
+	"hubproxy/utils"
+
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/name"
@@ -23,8 +29,6 @@ import (
 	"github.com/google/go-containerregistry/pkg/v1/partial"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 	"github.com/google/go-containerregistry/pkg/v1/types"
-	"hubproxy/config"
-	"hubproxy/utils"
 )
 
 // DebounceEntry 防抖条目
@@ -115,6 +119,15 @@ func getUserID(c *gin.Context) string {
 	return "ip:" + hex.EncodeToString(hash[:8])
 }
 
+func getClientIdentity(c *gin.Context) (string, string) {
+	ip := c.ClientIP()
+	userAgent := c.GetHeader("User-Agent")
+	if userAgent == "" {
+		userAgent = "unknown"
+	}
+	return ip, userAgent
+}
+
 var (
 	singleImageDebouncer *DownloadDebouncer
 	batchImageDebouncer  *DownloadDebouncer
@@ -126,6 +139,98 @@ func InitDebouncer() {
 	batchImageDebouncer = NewDownloadDebouncer(60 * time.Second)
 }
 
+type BatchDownloadRequest struct {
+	Images              []string
+	Platform            string
+	UseCompressedLayers bool
+}
+
+type SingleDownloadRequest struct {
+	Image               string
+	Platform            string
+	UseCompressedLayers bool
+}
+
+type tokenEntry[T any] struct {
+	Request   T
+	ExpiresAt time.Time
+	IP        string
+	UserAgent string
+}
+
+type tokenStore[T any] struct {
+	mu      sync.RWMutex
+	entries map[string]tokenEntry[T]
+}
+
+const downloadTokenTTL = 2 * time.Minute
+const downloadTokenMaxEntries = 2000
+
+func newTokenStore[T any]() *tokenStore[T] {
+	return &tokenStore[T]{
+		entries: make(map[string]tokenEntry[T]),
+	}
+}
+
+func (s *tokenStore[T]) create(req T, ip, userAgent string) (string, error) {
+	tokenBytes := make([]byte, 32)
+	if _, err := rand.Read(tokenBytes); err != nil {
+		return "", err
+	}
+	token := base64.RawURLEncoding.EncodeToString(tokenBytes)
+	now := time.Now()
+	entry := tokenEntry[T]{
+		Request:   req,
+		ExpiresAt: now.Add(downloadTokenTTL),
+		IP:        ip,
+		UserAgent: userAgent,
+	}
+
+	s.mu.Lock()
+	s.cleanup(now)
+	if len(s.entries) >= downloadTokenMaxEntries {
+		s.mu.Unlock()
+		return "", fmt.Errorf("令牌过多，请稍后再试")
+	}
+	s.entries[token] = entry
+	s.mu.Unlock()
+
+	return token, nil
+}
+
+func (s *tokenStore[T]) consume(token, ip, userAgent string) (T, bool) {
+	var empty T
+	now := time.Now()
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	entry, exists := s.entries[token]
+	if !exists {
+		return empty, false
+	}
+	if now.After(entry.ExpiresAt) {
+		delete(s.entries, token)
+		return empty, false
+	}
+	if entry.IP != ip || entry.UserAgent != userAgent {
+		delete(s.entries, token)
+		return empty, false
+	}
+	delete(s.entries, token)
+	return entry.Request, true
+}
+
+func (s *tokenStore[T]) cleanup(now time.Time) {
+	for token, entry := range s.entries {
+		if now.After(entry.ExpiresAt) {
+			delete(s.entries, token)
+		}
+	}
+}
+
+var batchDownloadTokens = newTokenStore[BatchDownloadRequest]()
+var singleDownloadTokens = newTokenStore[SingleDownloadRequest]()
+
 // ImageStreamer 镜像流式下载器
 type ImageStreamer struct {
 	concurrency   int
@@ -209,6 +314,17 @@ func (is *ImageStreamer) getImageDescriptorWithPlatform(ref name.Reference, opti
 	return remote.Get(ref, options...)
 }
 
+func setDownloadHeaders(c *gin.Context, filename string, compressed bool) {
+	c.Header("Content-Type", "application/octet-stream")
+	c.Header("Content-Disposition", fmt.Sprintf("attachment; filename=\"%s\"", filename))
+	c.Header("Cache-Control", "no-store")
+	c.Header("Pragma", "no-cache")
+	c.Header("Expires", "0")
+	if compressed {
+		c.Header("Content-Encoding", "gzip")
+	}
+}
+
 // StreamImageToGin 流式响应到Gin
 func (is *ImageStreamer) StreamImageToGin(ctx context.Context, imageRef string, c *gin.Context, options *StreamOptions) error {
 	if options == nil {
@@ -216,12 +332,7 @@ func (is *ImageStreamer) StreamImageToGin(ctx context.Context, imageRef string,
 	}
 
 	filename := strings.ReplaceAll(imageRef, "/", "_") + ".tar"
-	c.Header("Content-Type", "application/octet-stream")
-	c.Header("Content-Disposition", fmt.Sprintf("attachment; filename=\"%s\"", filename))
-
-	if options.Compression {
-		c.Header("Content-Encoding", "gzip")
-	}
+	setDownloadHeaders(c, filename, options.Compression)
 
 	return is.StreamImageToWriter(ctx, imageRef, c.Writer, options)
 }
@@ -579,6 +690,7 @@ func InitImageTarRoutes(router *gin.Engine) {
 	{
 		imageAPI.GET("/download/:image", handleDirectImageDownload)
 		imageAPI.GET("/info/:image", handleImageInfo)
+		imageAPI.GET("/batch", handleSimpleBatchDownload)
 		imageAPI.POST("/batch", handleSimpleBatchDownload)
 	}
 }
@@ -606,28 +718,73 @@ func handleDirectImageDownload(c *gin.Context) {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "镜像引用格式错误: " + err.Error()})
 		return
 	}
+	if allowed, reason := utils.GlobalAccessController.CheckDockerAccess(imageRef); !allowed {
+		c.JSON(http.StatusForbidden, gin.H{"error": reason})
+		return
+	}
 
-	userID := getUserID(c)
-	contentKey := generateContentFingerprint([]string{imageRef}, platform)
+	if c.Query("mode") == "prepare" {
+		userID := getUserID(c)
+		contentKey := generateContentFingerprint([]string{imageRef}, platform)
 
-	if !singleImageDebouncer.ShouldAllow(userID, contentKey) {
-		c.JSON(http.StatusTooManyRequests, gin.H{
-			"error":       "请求过于频繁，请稍后再试",
-			"retry_after": 5,
-		})
+		if !singleImageDebouncer.ShouldAllow(userID, contentKey) {
+			c.JSON(http.StatusTooManyRequests, gin.H{
+				"error":       "请求过于频繁，请稍后再试",
+				"retry_after": 5,
+			})
+			return
+		}
+
+		ip, userAgent := getClientIdentity(c)
+		token, err := singleDownloadTokens.create(SingleDownloadRequest{
+			Image:               imageRef,
+			Platform:            platform,
+			UseCompressedLayers: useCompressed,
+		}, ip, userAgent)
+		if err != nil {
+			c.JSON(http.StatusTooManyRequests, gin.H{"error": err.Error()})
+			return
+		}
+
+		downloadURL := fmt.Sprintf("/api/image/download/%s?token=%s", imageParam, token)
+		if tag != "" {
+			downloadURL = downloadURL + "&tag=" + url.QueryEscape(tag)
+		}
+		c.JSON(http.StatusOK, gin.H{"download_url": downloadURL})
+		return
+	}
+
+	token := c.Query("token")
+	if token == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "缺少下载令牌"})
+		return
+	}
+
+	ip, userAgent := getClientIdentity(c)
+	req, ok := singleDownloadTokens.consume(token, ip, userAgent)
+	if !ok {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "无效或过期的下载令牌"})
+		return
+	}
+	if req.Image != imageRef {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "下载令牌与镜像不匹配"})
+		return
+	}
+	if allowed, reason := utils.GlobalAccessController.CheckDockerAccess(req.Image); !allowed {
+		c.JSON(http.StatusForbidden, gin.H{"error": reason})
 		return
 	}
 
 	options := &StreamOptions{
-		Platform:            platform,
+		Platform:            req.Platform,
 		Compression:         false,
-		UseCompressedLayers: useCompressed,
+		UseCompressedLayers: req.UseCompressedLayers,
 	}
 
 	ctx := c.Request.Context()
-	log.Printf("下载镜像: %s (平台: %s)", imageRef, formatPlatformText(platform))
+	log.Printf("下载镜像: %s (平台: %s)", req.Image, formatPlatformText(req.Platform))
 
-	if err := globalImageStreamer.StreamImageToGin(ctx, imageRef, c, options); err != nil {
+	if err := globalImageStreamer.StreamImageToGin(ctx, req.Image, c, options); err != nil {
 		log.Printf("镜像下载失败: %v", err)
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "镜像下载失败: " + err.Error()})
 		return
@@ -636,6 +793,51 @@ func handleDirectImageDownload(c *gin.Context) {
 
 // handleSimpleBatchDownload 处理批量下载
 func handleSimpleBatchDownload(c *gin.Context) {
+	if c.Request.Method == http.MethodGet {
+		token := c.Query("token")
+		if token == "" {
+			c.JSON(http.StatusBadRequest, gin.H{"error": "缺少下载令牌"})
+			return
+		}
+
+		ip, userAgent := getClientIdentity(c)
+		req, ok := batchDownloadTokens.consume(token, ip, userAgent)
+		if !ok {
+			c.JSON(http.StatusBadRequest, gin.H{"error": "无效或过期的下载令牌"})
+			return
+		}
+
+		if len(req.Images) == 0 {
+			c.JSON(http.StatusBadRequest, gin.H{"error": "镜像列表不能为空"})
+			return
+		}
+
+		options := &StreamOptions{
+			Platform:            req.Platform,
+			Compression:         false,
+			UseCompressedLayers: req.UseCompressedLayers,
+		}
+
+		ctx := c.Request.Context()
+		log.Printf("批量下载 %d 个镜像 (平台: %s)", len(req.Images), formatPlatformText(req.Platform))
+
+		filename := fmt.Sprintf("batch_%d_images.tar", len(req.Images))
+
+		setDownloadHeaders(c, filename, options.Compression)
+
+		if err := globalImageStreamer.StreamMultipleImages(ctx, req.Images, c.Writer, options); err != nil {
+			log.Printf("批量镜像下载失败: %v", err)
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "批量镜像下载失败: " + err.Error()})
+			return
+		}
+		return
+	}
+
+	if c.Query("mode") != "prepare" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "只支持prepare模式"})
+		return
+	}
+
 	var req struct {
 		Images              []string `json:"images" binding:"required"`
 		Platform            string   `json:"platform"`
@@ -651,12 +853,24 @@ func handleSimpleBatchDownload(c *gin.Context) {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "镜像列表不能为空"})
 		return
 	}
+	for _, imageRef := range req.Images {
+		if allowed, reason := utils.GlobalAccessController.CheckDockerAccess(imageRef); !allowed {
+			c.JSON(http.StatusForbidden, gin.H{"error": reason})
+			return
+		}
+	}
 
 	for i, imageRef := range req.Images {
 		if !strings.Contains(imageRef, ":") && !strings.Contains(imageRef, "@") {
 			req.Images[i] = imageRef + ":latest"
 		}
 	}
+	for _, imageRef := range req.Images {
+		if allowed, reason := utils.GlobalAccessController.CheckDockerAccess(imageRef); !allowed {
+			c.JSON(http.StatusForbidden, gin.H{"error": reason})
+			return
+		}
+	}
 
 	cfg := config.GetConfig()
 	if len(req.Images) > cfg.Download.MaxImages {
@@ -682,25 +896,19 @@ func handleSimpleBatchDownload(c *gin.Context) {
 		useCompressed = *req.UseCompressedLayers
 	}
 
-	options := &StreamOptions{
+	batchReq := BatchDownloadRequest{
+		Images:              req.Images,
 		Platform:            req.Platform,
-		Compression:         false,
 		UseCompressedLayers: useCompressed,
 	}
 
-	ctx := c.Request.Context()
-	log.Printf("批量下载 %d 个镜像 (平台: %s)", len(req.Images), formatPlatformText(req.Platform))
-
-	filename := fmt.Sprintf("batch_%d_images.tar", len(req.Images))
-
-	c.Header("Content-Type", "application/octet-stream")
-	c.Header("Content-Disposition", fmt.Sprintf("attachment; filename=\"%s\"", filename))
-
-	if err := globalImageStreamer.StreamMultipleImages(ctx, req.Images, c.Writer, options); err != nil {
-		log.Printf("批量镜像下载失败: %v", err)
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "批量镜像下载失败: " + err.Error()})
+	ip, userAgent := getClientIdentity(c)
+	token, err := batchDownloadTokens.create(batchReq, ip, userAgent)
+	if err != nil {
+		c.JSON(http.StatusTooManyRequests, gin.H{"error": err.Error()})
 		return
 	}
+	c.JSON(http.StatusOK, gin.H{"download_url": fmt.Sprintf("/api/image/batch?token=%s", token)})
 }
 
 // handleImageInfo 处理镜像信息查询
@@ -723,6 +931,10 @@ func handleImageInfo(c *gin.Context) {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "镜像引用格式错误: " + err.Error()})
 		return
 	}
+	if allowed, reason := utils.GlobalAccessController.CheckDockerAccess(imageRef); !allowed {
+		c.JSON(http.StatusForbidden, gin.H{"error": reason})
+		return
+	}
 
 	ctx := c.Request.Context()
 	contextOptions := append(globalImageStreamer.remoteOptions, remote.WithContext(ctx))

src/handlers/search.go

@@ -7,13 +7,13 @@ import (
 	"io"
 	"net/http"
 	"net/url"
-	"sort"
 	"strings"
 	"sync"
 	"time"
 
-	"github.com/gin-gonic/gin"
 	"hubproxy/utils"
+
+	"github.com/gin-gonic/gin"
 )
 
 // SearchResult Docker Hub搜索结果
@@ -160,51 +160,6 @@ func init() {
 	}()
 }
 
-func filterSearchResults(results []Repository, query string) []Repository {
-	searchTerm := strings.ToLower(strings.TrimPrefix(query, "library/"))
-	filtered := make([]Repository, 0)
-
-	for _, repo := range results {
-		repoName := strings.ToLower(repo.Name)
-		repoDesc := strings.ToLower(repo.Description)
-
-		score := 0
-
-		if repoName == searchTerm {
-			score += 100
-		}
-
-		if strings.HasPrefix(repoName, searchTerm) {
-			score += 50
-		}
-
-		if strings.Contains(repoName, searchTerm) {
-			score += 30
-		}
-
-		if strings.Contains(repoDesc, searchTerm) {
-			score += 10
-		}
-
-		if repo.IsOfficial {
-			score += 20
-		}
-
-		if score > 0 {
-			filtered = append(filtered, repo)
-		}
-	}
-
-	sort.Slice(filtered, func(i, j int) bool {
-		if filtered[i].IsOfficial != filtered[j].IsOfficial {
-			return filtered[i].IsOfficial
-		}
-		return filtered[i].PullCount > filtered[j].PullCount
-	})
-
-	return filtered
-}
-
 // normalizeRepository 统一规范化仓库信息
 func normalizeRepository(repo *Repository) {
 	if repo.IsOfficial {
@@ -297,7 +252,7 @@ func searchDockerHubWithDepth(ctx context.Context, query string, page, pageSize
 			}
 			return nil, fmt.Errorf("未找到相关镜像")
 		case http.StatusBadGateway, http.StatusServiceUnavailable:
-			return nil, fmt.Errorf("Docker Hub服务暂时不可用，请稍后重试")
+			return nil, fmt.Errorf("docker hub 服务暂时不可用，请稍后重试")
 		default:
 			return nil, fmt.Errorf("请求失败: 状态码=%d, 响应=%s", resp.StatusCode, string(body))
 		}
@@ -487,10 +442,14 @@ func parsePaginationParams(c *gin.Context, defaultPageSize int) (page, pageSize
 	pageSize = defaultPageSize
 
 	if p := c.Query("page"); p != "" {
-		fmt.Sscanf(p, "%d", &page)
+		if _, err := fmt.Sscanf(p, "%d", &page); err != nil {
+			fmt.Printf("解析page参数失败: %v\n", err)
+		}
 	}
 	if ps := c.Query("page_size"); ps != "" {
-		fmt.Sscanf(ps, "%d", &pageSize)
+		if _, err := fmt.Sscanf(ps, "%d", &pageSize); err != nil {
+			fmt.Printf("解析page_size参数失败: %v\n", err)
+		}
 	}
 
 	return page, pageSize

src/main.go

@@ -40,6 +40,82 @@ var (
 	serviceStartTime = time.Now()
 )
 
+var Version = "dev"
+
+func buildRouter(cfg *config.AppConfig) *gin.Engine {
+	gin.SetMode(gin.ReleaseMode)
+	router := gin.Default()
+
+	// 全局Panic恢复保护
+	router.Use(gin.CustomRecovery(func(c *gin.Context, recovered interface{}) {
+		log.Printf("🚨 Panic recovered: %v", recovered)
+		c.JSON(http.StatusInternalServerError, gin.H{
+			"error": "Internal server error",
+			"code":  "INTERNAL_ERROR",
+		})
+	}))
+
+	// 全局限流中间件
+	router.Use(utils.RateLimitMiddleware(globalLimiter))
+
+	// 初始化监控端点
+	initHealthRoutes(router)
+
+	// 初始化镜像tar下载路由
+	handlers.InitImageTarRoutes(router)
+
+	if cfg.Server.EnableFrontend {
+		router.GET("/", func(c *gin.Context) {
+			serveEmbedFile(c, "public/index.html")
+		})
+		router.GET("/public/*filepath", func(c *gin.Context) {
+			filepath := strings.TrimPrefix(c.Param("filepath"), "/")
+			serveEmbedFile(c, "public/"+filepath)
+		})
+
+		router.GET("/images.html", func(c *gin.Context) {
+			serveEmbedFile(c, "public/images.html")
+		})
+		router.GET("/search.html", func(c *gin.Context) {
+			serveEmbedFile(c, "public/search.html")
+		})
+		router.GET("/favicon.ico", func(c *gin.Context) {
+			serveEmbedFile(c, "public/favicon.ico")
+		})
+	} else {
+		router.GET("/", func(c *gin.Context) {
+			c.Status(http.StatusNotFound)
+		})
+		router.GET("/public/*filepath", func(c *gin.Context) {
+			c.Status(http.StatusNotFound)
+		})
+		router.GET("/images.html", func(c *gin.Context) {
+			c.Status(http.StatusNotFound)
+		})
+		router.GET("/search.html", func(c *gin.Context) {
+			c.Status(http.StatusNotFound)
+		})
+		router.GET("/favicon.ico", func(c *gin.Context) {
+			c.Status(http.StatusNotFound)
+		})
+	}
+
+	// 注册dockerhub搜索路由
+	handlers.RegisterSearchRoute(router)
+
+	// 注册Docker认证路由
+	router.Any("/token", handlers.ProxyDockerAuthGin)
+	router.Any("/token/*path", handlers.ProxyDockerAuthGin)
+
+	// 注册Docker Registry代理路由
+	router.Any("/v2/*path", handlers.ProxyDockerRegistryGin)
+
+	// 注册GitHub代理路由（NoRoute处理器）
+	router.NoRoute(handlers.GitHubProxyHandler)
+
+	return router
+}
+
 func main() {
 	// 加载配置
 	if err := config.LoadConfig(); err != nil {
@@ -62,76 +138,26 @@ func main() {
 	// 初始化防抖器
 	handlers.InitDebouncer()
 
-	gin.SetMode(gin.ReleaseMode)
-	router := gin.Default()
-
-	// 全局Panic恢复保护
-	router.Use(gin.CustomRecovery(func(c *gin.Context, recovered interface{}) {
-		log.Printf("🚨 Panic recovered: %v", recovered)
-		c.JSON(http.StatusInternalServerError, gin.H{
-			"error": "Internal server error",
-			"code":  "INTERNAL_ERROR",
-		})
-	}))
-
-	// 全局限流中间件
-	router.Use(utils.RateLimitMiddleware(globalLimiter))
-
-	// 初始化监控端点
-	initHealthRoutes(router)
-
-	// 初始化镜像tar下载路由
-	handlers.InitImageTarRoutes(router)
-
-	// 静态文件路由
-	router.GET("/", func(c *gin.Context) {
-		serveEmbedFile(c, "public/index.html")
-	})
-	router.GET("/public/*filepath", func(c *gin.Context) {
-		filepath := strings.TrimPrefix(c.Param("filepath"), "/")
-		serveEmbedFile(c, "public/"+filepath)
-	})
-
-	router.GET("/images.html", func(c *gin.Context) {
-		serveEmbedFile(c, "public/images.html")
-	})
-	router.GET("/search.html", func(c *gin.Context) {
-		serveEmbedFile(c, "public/search.html")
-	})
-	router.GET("/favicon.ico", func(c *gin.Context) {
-		serveEmbedFile(c, "public/favicon.ico")
-	})
-
-	// 注册dockerhub搜索路由
-	handlers.RegisterSearchRoute(router)
-
-	// 注册Docker认证路由
-	router.Any("/token", handlers.ProxyDockerAuthGin)
-	router.Any("/token/*path", handlers.ProxyDockerAuthGin)
-
-	// 注册Docker Registry代理路由
-	router.Any("/v2/*path", handlers.ProxyDockerRegistryGin)
-
-	// 注册GitHub代理路由（NoRoute处理器）
-	router.NoRoute(handlers.GitHubProxyHandler)
-
 	cfg := config.GetConfig()
-	fmt.Printf("🚀 HubProxy 启动成功\n")
-	fmt.Printf("📡 监听地址: %s:%d\n", cfg.Server.Host, cfg.Server.Port)
-	fmt.Printf("⚡ 限流配置: %d请求/%g小时\n", cfg.RateLimit.RequestLimit, cfg.RateLimit.PeriodHours)
+	router := buildRouter(cfg)
+
+	fmt.Printf("HubProxy 启动成功\n")
+	fmt.Printf("监听地址: %s:%d\n", cfg.Server.Host, cfg.Server.Port)
+	fmt.Printf("限流配置: %d请求/%g小时\n", cfg.RateLimit.RequestLimit, cfg.RateLimit.PeriodHours)
 
 	// 显示HTTP/2支持状态
 	if cfg.Server.EnableH2C {
 		fmt.Printf("H2c: 已启用\n")
 	}
 
-	fmt.Printf("🔗 项目地址: https://github.com/sky22333/hubproxy\n")
+	fmt.Printf("版本号: %s\n", Version)
+	fmt.Printf("项目地址: https://github.com/sky22333/hubproxy\n")
 
 	// 创建HTTP2服务器
 	server := &http.Server{
 		Addr:         fmt.Sprintf("%s:%d", cfg.Server.Host, cfg.Server.Port),
 		ReadTimeout:  60 * time.Second,
-		WriteTimeout: 300 * time.Second,
+		WriteTimeout: 30 * time.Minute,
 		IdleTimeout:  120 * time.Second,
 	}
 
@@ -181,6 +207,7 @@ func initHealthRoutes(router *gin.Engine) {
 		c.JSON(http.StatusOK, gin.H{
 			"ready":           true,
 			"service":         "hubproxy",
+			"version":         Version,
 			"start_time_unix": serviceStartTime.Unix(),
 			"uptime_sec":      uptimeSec,
 			"uptime_human":    uptimeHuman,

src/public/images.html

@@ -1,13 +1,13 @@
 <!DOCTYPE html>
-<html lang="zh">
+<html lang="zh-CN">
 <head>
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <meta name="description" content="Docker镜像流式下载工具,即点即下,无需等待">
-    <meta name="keywords" content="Docker,镜像下载,流式下载,即时下载">
+    <meta name="description" content="Docker镜像流式下载工具、即点即下无需等待">
+    <meta name="keywords" content="Docker镜像下载、流式下载、即时下载">
     <meta name="color-scheme" content="dark light">
     <title>Docker离线镜像下载</title>
-    <link rel="icon" href="./favicon.ico">
+    <link rel="icon" href="/favicon.ico">
     <style>
         :root {
             --background: #ffffff;
@@ -728,7 +728,7 @@
             }
         }
 
-        function buildDownloadUrl(imageName, platform = '', useCompressed = true) {
+        function buildDownloadUrl(imageName, platform = '', useCompressed = true, mode = '') {
             const encodedImage = imageName.replace(/\//g, '_');
             let url = `/api/image/download/${encodedImage}`;
             
@@ -737,6 +737,9 @@
                 params.append('platform', platform.trim());
             }
             params.append('compressed', useCompressed.toString());
+            if (mode) {
+                params.append('mode', mode);
+            }
             
             if (params.toString()) {
                 url += '?' + params.toString();
@@ -745,7 +748,65 @@
             return url;
         }
 
-        document.getElementById('singleForm').addEventListener('submit', function(e) {
+        function buildInfoUrl(imageName) {
+            const encodedImage = imageName.replace(/\//g, '_');
+            return `/api/image/info/${encodedImage}`;
+        }
+
+        async function preflightImageDownload(imageName) {
+            const controller = new AbortController();
+            const timeoutId = setTimeout(() => controller.abort(), 8000);
+            try {
+                const response = await fetch(buildInfoUrl(imageName), {
+                    method: 'GET',
+                    headers: {
+                        'Accept': 'application/json'
+                    },
+                    cache: 'no-store',
+                    signal: controller.signal
+                });
+
+                const contentType = response.headers.get('Content-Type') || '';
+                let payload = null;
+                if (contentType.includes('application/json')) {
+                    payload = await response.json();
+                }
+
+                if (!response.ok) {
+                    return { ok: false, error: (payload && payload.error) ? payload.error : '镜像预检失败' };
+                }
+
+                if (payload && payload.success === false) {
+                    return { ok: false, error: payload.error || '镜像预检失败' };
+                }
+
+                return { ok: true };
+            } catch (error) {
+                if (error.name === 'AbortError') {
+                    return { ok: false, error: '预检超时，请稍后重试' };
+                }
+                return { ok: false, error: '网络错误: ' + error.message };
+            } finally {
+                clearTimeout(timeoutId);
+            }
+        }
+
+        async function preflightImages(images) {
+            const uniqueImages = Array.from(new Set(images));
+            const results = await Promise.allSettled(uniqueImages.map((imageName) => preflightImageDownload(imageName)));
+            for (let i = 0; i < results.length; i++) {
+                const result = results[i];
+                if (result.status === 'rejected') {
+                    return { ok: false, error: '预检失败，请稍后重试' };
+                }
+                if (!result.value.ok) {
+                    return { ok: false, error: result.value.error || '预检失败' };
+                }
+            }
+            return { ok: true };
+        }
+
+        document.getElementById('singleForm').addEventListener('submit', async function(e) {
             e.preventDefault();
             
             const imageName = document.getElementById('imageInput').value.trim();
@@ -760,20 +821,50 @@
             hideStatus('singleStatus');
             setButtonLoading('downloadBtn', 'downloadText', 'downloadLoading', true);
             
-            const downloadUrl = buildDownloadUrl(imageName, platform, useCompressed);
-            
-            const link = document.createElement('a');
-            link.href = downloadUrl;
-            link.download = '';
-            link.style.display = 'none';
-            document.body.appendChild(link);
-            
-            link.click();
-            document.body.removeChild(link);
-            
-            const platformText = platform ? ` (${platform})` : '';
-            showStatus('singleStatus', `开始下载 ${imageName}${platformText}`, 'success');
-            setButtonLoading('downloadBtn', 'downloadText', 'downloadLoading', false);
+            showStatus('singleStatus', '正在准备下载...', 'success');
+            const preflightResult = await preflightImages([imageName]);
+            if (!preflightResult.ok) {
+                showStatus('singleStatus', preflightResult.error, 'error');
+                setButtonLoading('downloadBtn', 'downloadText', 'downloadLoading', false);
+                return;
+            }
+
+            const prepareUrl = buildDownloadUrl(imageName, platform, useCompressed, 'prepare');
+            try {
+                const response = await fetch(prepareUrl, {
+                    method: 'GET',
+                    headers: {
+                        'Accept': 'application/json'
+                    },
+                    cache: 'no-store'
+                });
+
+                if (response.ok) {
+                    const data = await response.json();
+                    if (!data || !data.download_url) {
+                        showStatus('singleStatus', '下载地址生成失败', 'error');
+                        return;
+                    }
+
+                    const link = document.createElement('a');
+                    link.href = data.download_url;
+                    link.download = '';
+                    link.style.display = 'none';
+                    document.body.appendChild(link);
+                    link.click();
+                    document.body.removeChild(link);
+
+                    const platformText = platform ? ` (${platform})` : '';
+                    showStatus('singleStatus', `开始下载 ${imageName}${platformText}`, 'success');
+                } else {
+                    const error = await response.json();
+                    showStatus('singleStatus', error.error || '下载失败', 'error');
+                }
+            } catch (error) {
+                showStatus('singleStatus', '网络错误: ' + error.message, 'error');
+            } finally {
+                setButtonLoading('downloadBtn', 'downloadText', 'downloadLoading', false);
+            }
         });
 
         document.getElementById('batchForm').addEventListener('submit', async function(e) {
@@ -808,9 +899,16 @@
             
             hideStatus('batchStatus');
             setButtonLoading('batchDownloadBtn', 'batchDownloadText', 'batchDownloadLoading', true);
+            showStatus('batchStatus', '正在准备下载...', 'success');
+            const preflightResult = await preflightImages(images);
+            if (!preflightResult.ok) {
+                showStatus('batchStatus', preflightResult.error, 'error');
+                setButtonLoading('batchDownloadBtn', 'batchDownloadText', 'batchDownloadLoading', false);
+                return;
+            }
             
             try {
-                const response = await fetch('/api/image/batch', {
+                const response = await fetch('/api/image/batch?mode=prepare', {
                     method: 'POST',
                     headers: {
                         'Content-Type': 'application/json',
@@ -819,24 +917,19 @@
                 });
                 
                 if (response.ok) {
-                    const contentDisposition = response.headers.get('Content-Disposition');
-                    let filename = `batch_${images.length}_images.tar`;
-                    
-                    if (contentDisposition) {
-                        const matches = contentDisposition.match(/filename="(.+)"/);
-                        if (matches) filename = matches[1];
+                    const data = await response.json();
+                    if (!data || !data.download_url) {
+                        showStatus('batchStatus', '下载地址生成失败', 'error');
+                        return;
                     }
-                    
-                    const blob = await response.blob();
-                    const url = window.URL.createObjectURL(blob);
+
+                    const url = data.download_url;
                     const link = document.createElement('a');
                     link.href = url;
-                    link.download = filename;
                     link.style.display = 'none';
                     document.body.appendChild(link);
                     link.click();
                     document.body.removeChild(link);
-                    window.URL.revokeObjectURL(url);
                     
                     const platformText = platform ? ` (${platform})` : '';
                     showStatus('batchStatus', `开始下载 ${images.length} 个镜像${platformText}`, 'success');
@@ -872,4 +965,4 @@
         initMobileMenu();
     </script>
 </body>
-</html> 
+</html> 

src/public/index.html

@@ -1,14 +1,13 @@
 <!DOCTYPE html>
-<html lang="zh">
-
+<html lang="zh-CN">
 <head>
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <meta name="description" content="Github文件加速,docker镜像加速">
-    <meta name="keywords" content="Github,文件加速,ghproxy,docker镜像加速">
+    <meta name="description" content="Github文件加速、docker镜像加速">
+    <meta name="keywords" content="Github、文件加速、ghproxy、docker镜像加速">
     <meta name="color-scheme" content="dark light">
-    <title>Github文件加速</title>
-    <link rel="icon" href="./favicon.ico">
+    <title>Github、Docker加速</title>
+    <link rel="icon" href="/favicon.ico">
     <style>
         :root {
             --background: #ffffff;
@@ -602,7 +601,7 @@
             <div class="hero">
                 <h1 class="hero-title">GitHub 文件加速</h1>
                 <p class="hero-subtitle">
-                    快速下载GitHub上的文件和仓库，解决国内访问GitHub速度慢的问题，支持AI模型库Hugging Face
+                    快速下载GitHub上的文件和仓库，解决国内访问GitHub速度慢的问题，支持Docker镜像加速和Hugging Face仓库。
                 </p>
             </div>
 
@@ -685,7 +684,7 @@
                 <strong>Quay.io 镜像：</strong>
                 docker pull <span class="domain-base"></span>/quay.io/org/image
 
-                <strong>K8s 镜像：</strong>
+                <strong>Kubernetes 镜像：</strong>
                 docker pull <span class="domain-base"></span>/registry.k8s.io/pause:3.8
             </div>
         </div>
@@ -696,7 +695,7 @@
     </div>
 
     <footer class="footer">
-        <a href="https://github.com/sky22333/hubproxy" target="_blank" class="github-link">
+        <a href="//" target="_blank" class="github-link">
             <svg width="20" height="20" viewBox="0 0 16 16" fill="currentColor">
                 <path d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0016 8c0-4.42-3.58-8-8-8z"/>
             </svg>

src/public/search.html

@@ -1,13 +1,13 @@
 <!DOCTYPE html>
-<html lang="zh">
+<html lang="zh-CN">
 <head>
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <meta name="description" content="Docker镜像搜索">
-    <meta name="keywords" content="Docker,镜像搜索,docker search">
+    <meta name="keywords" content="Docker、镜像搜索、docker search">
     <meta name="color-scheme" content="dark light">
     <title>Docker镜像搜索</title>
-    <link rel="icon" href="./favicon.ico">
+    <link rel="icon" href="/favicon.ico">
     <style>
         :root {
             --background: #ffffff;
@@ -778,16 +778,10 @@
             </div>
         </div>
 
-        <div class="tag-list" id="tagList">
-            <div class="pagination" id="tagPagination" style="display: none;">
-                <button id="tagPrevPage" disabled>上一页</button>
-                <button id="tagNextPage" disabled>下一页</button>
-            </div>
-        </div>
+        <div class="tag-list" id="tagList"></div>
     </div>
 
     <div id="toast"></div>
-
     <script>
         const formatUtils = {
             formatNumber(num) {
@@ -1047,7 +1041,6 @@
         }
 
         // 分页更新函数
-        const updateSearchPagination = () => updatePagination();
         const updateTagPagination = () => updatePagination({
             currentPage: currentTagPage,
             totalPages: totalTagPages,
@@ -1217,9 +1210,6 @@
                 const currentNamespace = namespace || repoInfo.namespace;
                 const currentName = name || repoInfo.name;
                 
-                // 调试日志
-                console.log(`loadTagPage: namespace=${currentNamespace}, name=${currentName}, page=${currentTagPage}`);
-                
                 if (!currentNamespace || !currentName) {
                     showToast('命名空间和镜像名称不能为空');
                     return;
@@ -1488,4 +1478,4 @@
     </script>
     </main>
 </body>
-</html> 
+</html> 

src/utils/access_control.go

@@ -2,7 +2,6 @@ package utils
 
 import (
 	"strings"
-	"sync"
 
 	"hubproxy/config"
 )
@@ -17,7 +16,6 @@ const (
 
 // AccessController 统一访问控制器
 type AccessController struct {
-	mu sync.RWMutex
 }
 
 // DockerImageInfo Docker镜像信息
@@ -200,6 +198,13 @@ func (ac *AccessController) checkList(matches, list []string) bool {
 		if strings.HasPrefix(fullRepo, item+"/") {
 			return true
 		}
+
+		if strings.HasPrefix(item, "*/") {
+			p := item[2:]
+			if p == repoName || (strings.HasSuffix(p, "*") && strings.HasPrefix(repoName, p[:len(p)-1])) {
+				return true
+			}
+		}
 	}
 	return false
 }

src/utils/cache.go

@@ -8,8 +8,9 @@ import (
 	"sync"
 	"time"
 
-	"github.com/gin-gonic/gin"
 	"hubproxy/config"
+
+	"github.com/gin-gonic/gin"
 )
 
 // CachedItem 通用缓存项

src/utils/proxy_shell.go

@@ -10,49 +10,46 @@ import (
 )
 
 // GitHub URL正则表达式
-var githubRegex = regexp.MustCompile(`https?://(?:github\.com|raw\.githubusercontent\.com|raw\.github\.com|gist\.githubusercontent\.com|gist\.github\.com|api\.github\.com)[^\s'"]+`)
+var githubRegex = regexp.MustCompile(`(?:^|[\s'"(=,\[{;|&<>])https?://(?:github\.com|raw\.githubusercontent\.com|raw\.github\.com|gist\.githubusercontent\.com|gist\.github\.com|api\.github\.com)[^\s'")]*`)
+
+// MaxShellSize 限制最大处理大小为 10MB
+const MaxShellSize = 10 * 1024 * 1024
 
 // ProcessSmart Shell脚本智能处理函数
-func ProcessSmart(input io.ReadCloser, isCompressed bool, host string) (io.Reader, int64, error) {
-	defer input.Close()
-
+func ProcessSmart(input io.Reader, isCompressed bool, host string) (io.Reader, int64, error) {
 	content, err := readShellContent(input, isCompressed)
 	if err != nil {
-		return nil, 0, fmt.Errorf("内容读取失败: %v", err)
+		return nil, 0, err
 	}
 
 	if len(content) == 0 {
 		return strings.NewReader(""), 0, nil
 	}
 
-	if len(content) > 10*1024*1024 {
-		return strings.NewReader(content), int64(len(content)), nil
+	if !bytes.Contains(content, []byte("github.com")) && !bytes.Contains(content, []byte("githubusercontent.com")) {
+		return bytes.NewReader(content), int64(len(content)), nil
 	}
 
-	if !strings.Contains(content, "github.com") && !strings.Contains(content, "githubusercontent.com") {
-		return strings.NewReader(content), int64(len(content)), nil
-	}
-
-	processed := processGitHubURLs(content, host)
+	processed := processGitHubURLs(string(content), host)
 
 	return strings.NewReader(processed), int64(len(processed)), nil
 }
 
-func readShellContent(input io.ReadCloser, isCompressed bool) (string, error) {
+func readShellContent(input io.Reader, isCompressed bool) ([]byte, error) {
 	var reader io.Reader = input
 
 	if isCompressed {
 		peek := make([]byte, 2)
 		n, err := input.Read(peek)
 		if err != nil && err != io.EOF {
-			return "", fmt.Errorf("读取数据失败: %v", err)
+			return nil, fmt.Errorf("读取数据失败: %v", err)
 		}
 
 		if n >= 2 && peek[0] == 0x1f && peek[1] == 0x8b {
 			combinedReader := io.MultiReader(bytes.NewReader(peek[:n]), input)
 			gzReader, err := gzip.NewReader(combinedReader)
 			if err != nil {
-				return "", fmt.Errorf("gzip解压失败: %v", err)
+				return nil, fmt.Errorf("gzip解压失败: %v", err)
 			}
 			defer gzReader.Close()
 			reader = gzReader
@@ -61,17 +58,30 @@ func readShellContent(input io.ReadCloser, isCompressed bool) (string, error) {
 		}
 	}
 
-	data, err := io.ReadAll(reader)
+	limit := int64(MaxShellSize + 1)
+	limitedReader := io.LimitReader(reader, limit)
+
+	data, err := io.ReadAll(limitedReader)
 	if err != nil {
-		return "", fmt.Errorf("读取内容失败: %v", err)
+		return nil, fmt.Errorf("读取内容失败: %v", err)
 	}
 
-	return string(data), nil
+	if int64(len(data)) > MaxShellSize {
+		return nil, fmt.Errorf("脚本文件过大，超过 %d MB 限制", MaxShellSize/1024/1024)
+	}
+
+	return data, nil
 }
 
 func processGitHubURLs(content, host string) string {
-	return githubRegex.ReplaceAllStringFunc(content, func(url string) string {
-		return transformURL(url, host)
+	return githubRegex.ReplaceAllStringFunc(content, func(match string) string {
+		// 如果匹配包含前缀分隔符，保留它，防止出现重复转换
+		if len(match) > 0 && match[0] != 'h' {
+			prefix := match[0:1]
+			url := match[1:]
+			return prefix + transformURL(url, host)
+		}
+		return transformURL(match, host)
 	})
 }
 
@@ -86,9 +96,12 @@ func transformURL(url, host string) string {
 	} else if !strings.HasPrefix(url, "https://") && !strings.HasPrefix(url, "//") {
 		url = "https://" + url
 	}
-	cleanHost := strings.TrimPrefix(host, "https://")
-	cleanHost = strings.TrimPrefix(cleanHost, "http://")
-	cleanHost = strings.TrimSuffix(cleanHost, "/")
 
-	return cleanHost + "/" + url
+	// 确保 host 有协议头
+	if !strings.HasPrefix(host, "http://") && !strings.HasPrefix(host, "https://") {
+		host = "https://" + host
+	}
+	host = strings.TrimSuffix(host, "/")
+
+	return host + "/" + url
 }

src/utils/ratelimiter.go

@@ -7,13 +7,14 @@ import (
 	"sync"
 	"time"
 
+	"hubproxy/config"
+
 	"github.com/gin-gonic/gin"
 	"golang.org/x/time/rate"
-	"hubproxy/config"
 )
 
 const (
-	CleanupInterval = 10 * time.Minute
+	CleanupInterval = 20 * time.Minute
 	MaxIPCacheSize  = 10000
 )
 
@@ -71,9 +72,6 @@ func InitGlobalLimiter() *IPRateLimiter {
 	ratePerSecond := rate.Limit(float64(cfg.RateLimit.RequestLimit) / (cfg.RateLimit.PeriodHours * 3600))
 
 	burstSize := cfg.RateLimit.RequestLimit
-	if burstSize < 1 {
-		burstSize = 1
-	}
 
 	limiter := &IPRateLimiter{
 		ips:              make(map[string]*rateLimiterEntry),
@@ -101,7 +99,7 @@ func (i *IPRateLimiter) cleanupRoutine() {
 
 		i.mu.RLock()
 		for ip, entry := range i.ips {
-			if now.Sub(entry.lastAccess) > 1*time.Hour {
+			if now.Sub(entry.lastAccess) > 2*time.Hour {
 				expired = append(expired, ip)
 			}
 		}
@@ -179,8 +177,9 @@ func (i *IPRateLimiter) GetLimiter(ip string) (*rate.Limiter, bool) {
 
 	now := time.Now()
 
+	var entry *rateLimiterEntry
 	i.mu.RLock()
-	entry, exists := i.ips[normalizedIP]
+	_, exists := i.ips[normalizedIP]
 	i.mu.RUnlock()
 
 	if exists {