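# =============================================================================
# Node.js TLS Proxy Overlay
# =============================================================================
# Adds a Node.js TLS forward proxy on top of the existing docker-compose.yml.
#
# Usage:
#   docker compose -f docker-compose.yml -f docker-compose.tls-proxy.yml up -d
#
# Architecture:
#   sub2api (Go) -> plaintext HTTP -> node-tls-proxy -> HTTPS (native TLS) -> api.anthropic.com
#
# Network isolation:
#   - sub2api is attached only to internal + sub2api-network (reaches pg/redis, no egress)
#   - node-tls-proxy is dual-homed (internal + external) and is the only egress path
#   - IPv6 is disabled at the kernel level on the proxy
#
# Trust boundary: the sub2api -> node-tls-proxy hop is plaintext HTTP on
# sub2api-internal, so upstream credentials and request bodies are visible to
# anything else attached to that network. The proxy is unauthenticated on both
# of its networks; no host port is published for it here, so keep it that way
# and attach no other containers to sub2api-internal or sub2api-external unless
# they are meant to egress through it.
# =============================================================================
---
services:
  # ===========================================================================
  # Override sub2api: join the internal network + enable the Node.js TLS proxy
  # ===========================================================================
  sub2api:
    networks:
      - sub2api-internal
      - sub2api-network  # kept: access to postgres/redis
    environment:
      # Enable the Node.js TLS proxy
      - GATEWAY_NODE_TLS_PROXY_ENABLED=true
      - GATEWAY_NODE_TLS_PROXY_LISTEN_PORT=3456
      - GATEWAY_NODE_TLS_PROXY_LISTEN_HOST=node-tls-proxy
      - GATEWAY_NODE_TLS_PROXY_UPSTREAM_HOST=api.anthropic.com
    depends_on:
      node-tls-proxy:
        condition: service_healthy

  # ===========================================================================
  # Node.js TLS Forward Proxy
  # Pulls a prebuilt image; supports amd64/arm64
  # ===========================================================================
  node-tls-proxy:
    # TODO(review): pin this to an immutable digest
    # (zfc931912343/sub2api-tls-proxy@sha256:<DIGEST-FROM-REGISTRY>, placeholder).
    # This container is the sole egress path and handles every upstream request,
    # so a mutable :latest tag lets a registry-side change swap the binary
    # silently on the next pull.
    image: zfc931912343/sub2api-tls-proxy:latest
    container_name: sub2api-node-tls-proxy
    restart: unless-stopped
    user: "1000:1000"
    read_only: true
    # The process already runs non-root and binds an unprivileged port, so it
    # needs no capabilities; no-new-privileges blocks setuid/setcap escalation
    # inside the container.
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    tmpfs:
      - /tmp:size=10M
    environment:
      - PROXY_PORT=3456
      # 0.0.0.0 spans both attached container networks; no host port is published.
      - PROXY_HOST=0.0.0.0
      - UPSTREAM_HOST=api.anthropic.com
      # Optional: egress through an external proxy (HTTP CONNECT tunnel)
      - UPSTREAM_PROXY=${TLS_PROXY_UPSTREAM_PROXY:-}
      - TZ=${TZ:-Asia/Shanghai}
    networks:
      - sub2api-internal  # reachable by sub2api
      - sub2api-external  # has outbound internet access
    sysctls:
      # Disable IPv6 at the kernel level (prevents IPv6 leaks around the proxy)
      - net.ipv6.conf.all.disable_ipv6=1
      - net.ipv6.conf.default.disable_ipv6=1
    healthcheck:
      # Loopback-only probe of the proxy's own /__health endpoint.
      test:
        - "CMD"
        - "node"
        - "-e"
        - "const h=require('http');h.get('http://127.0.0.1:3456/__health',r=>{process.exit(r.statusCode===200?0:1)}).on('error',()=>process.exit(1))"
      interval: 15s
      timeout: 5s
      retries: 3
      start_period: 5s
    deploy:
      resources:
        limits:
          memory: 256M
          cpus: "1.0"

# =============================================================================
# Networks
# =============================================================================
networks:
  sub2api-internal:
    internal: true  # key: no outbound internet access
    driver: bridge
  sub2api-external:
    driver: bridge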