fix(transport): route asset URL prefetch 403 through build_feedback f…#576
Open
bigbang20061 wants to merge 1 commit into
Open
fix(transport): route asset URL prefetch 403 through build_feedback f…#576bigbang20061 wants to merge 1 commit into
bigbang20061 wants to merge 1 commit into
Conversation
…or CF detection
The upload_from_input URL prefetch branch hardcoded ProxyFeedbackKind.FORBIDDEN
on non-200 responses, so a Cloudflare 5s challenge ("Just a moment...") on the
asset CDN never invalidated the cached cf_clearance bundle. Subsequent requests
kept reusing the poisoned clearance and hit 403 again.
Switch to build_feedback() with a Just-a-moment body sniff, matching the upload
path at L147-150. The classifier already maps 403 to CHALLENGE which triggers
clearance bundle invalidation + pool cursor advance in ProxyDirectory.feedback.
Relates to chenyme#491 and chenyme#552.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
upload_from_input的 URL 预取分支在收到非 200 时硬编码ProxyFeedbackKind.FORBIDDEN,导致资源 CDN 的 Cloudflare 5s 盾(HTTP 403 +"Just a moment..."HTML body)不会被识别为 challenge,ProxyDirectory.feedback也就不会失效已污染的ClearanceBundle。下一次请求继续复用同一份过期cf_clearance,形成 403 循环。修复方式:复用同文件主上传路径 L147–L150 已有的处理,改走
build_feedback(status_code, is_cloudflare=...),并对 body 做"just a moment"嗅探。CHALLENGE,触发 bundle 失效 + 代理池游标推进CHALLENGE处理(与主上传路径一致)UNAUTHORIZED、429 →RATE_LIMITED、≥500 →UPSTREAM_5XX,均由build_feedback统一映射,行为不再依赖调用点拼装Testing
python -m py_compile app/dataplane/reverse/transport/asset_upload.py✓ast.parse验证语法树完整 ✓app/control/proxy/feedback.py:6-17的classify_status_code表,确认所有原有 status code 行为不退化(5xx 仍走 UPSTREAM_5XX;非 4xx/5xx 仍走 FORBIDDEN 兜底)Related
Relates to #491, #552