CPA ALL IN ONE 部署
zyzy
2026-07-06 23:13
1
CPA ALL IN ONE
总结来说 只允许cloudflare 的ip 访问openresty的80 443 通过docker 网络访问 cpa
cf->openresty->docker netwrok (cpa)
现在 漏洞真的太多了,以及我真的没有啥安全感…
一开始居然忘记 ufw 对docker 不起作用.. btw 为啥挂上cf 就会有这么多扫描到我的网站 ??
docker 安装
curl -fsSL https://get.docker.com -o get-docker.sh
sh get-docker.sh
## 如果是大陆服务
## ipv6 only 服务器
## sudo DOWNLOAD_URL=https://ipv6.mirrors.ustc.edu.cn/docker-ce sh get-docker.sh
##sudo DOWNLOAD_URL=https://mirrors.ustc.edu.cn/docker-ce sh get-docker.sh
cpa 本地安装
compose.yml
services:
cli-proxy-api:
image: eceasy/cli-proxy-api:latest
extra_hosts:
- "host.docker.internal:host-gateway"
container_name: cli-proxy-api
restart: unless-stopped
# 保持源码全端口映射,确保所有 CLI 工具劫持功能正常
ports:
- "127.0.0.1:8317:8317" # 主 API
- "127.0.0.1:8085:8085" # Antigravity OAuth 回调
- "127.0.0.1:1455:1455" # Codex OAuth 回调
- "127.0.0.1:54545:54545" # Claude OAuth 回调
- "127.0.0.1:51121:51121" # Antigravity OAuth 回调
- "127.0.0.1:11451:11451" # iFlow OAuth 回调
environment:
- TZ=Asia/Singapore
- REDIS_URL=redis://redis:6379/0
volumes:
- ./config.yaml:/CLIProxyAPI/config.yaml
- ./auths:/root/.cli-proxy-api
- ./logs:/CLIProxyAPI/logs
depends_on:
- redis
networks:
- cpa-network
- ai-net
redis:
image: redis:7-alpine
container_name: cliproxy-redis
restart: always
command: ["redis-server", "--appendonly", "yes"]
volumes:
- ./redis_data:/data
networks:
- cpa-network
### 统计 非常好用
cpa-manager:
image: seakee/cpa-manager-plus:latest
restart: unless-stopped
ports:
- "127.0.0.1:18317:18317"
volumes:
- ./cpa-manager-data:/data
networks:
- cpa-network
environment:
HTTP_ADDR: "0.0.0.0:18317"
USAGE_DB_PATH: "/data/usage.sqlite"
CPA_MANAGER_DATA_KEY_PATH: "/data/data.key"
CPA_MANAGER_ADMIN_KEY: "key11111111111111111" # !!! 修改
USAGE_COLLECTOR_MODE: "auto"
networks:
cpa-network:
driver: bridge
ai-net:
external: true
config.yml 一定要修改默认的key
wget https://raw.githubusercontent.com/router-for-me/CLIProxyAPI/refs/heads/main/config.example.yaml
参数调整
默认UA
claude-header-defaults:
user-agent: "claude-cli/2.1.174 (external, sdk-cli)"
package-version: "0.74.0"
runtime-version: "v24.16.0"
os: "Ubuntu"
arch: "x86_64"
timeout: "600"
stabilize-device-profile: true
codex-header-defaults:
user-agent: "codex_exec/0.141.0 (Ubuntu 24.4.0; x86_64) xterm-256color (codex_exec; 0.141.0)"
transient-error-cooldown-seconds
#如果账户 很少 可以设置为-1
transient-error-cooldown-seconds: 3
反向代理
openresty
.env
REDIS_PASSWORD=change1111!1231231
compose.yml
services:
openresty:
image: openresty/openresty:bookworm
restart: unless-stopped
depends_on:
- redis
ports:
- "80:80"
- "443:443"
volumes:
- ./conf.d:/etc/nginx/conf.d:ro
- ./lua:/etc/nginx/lua:ro
- ./logs:/var/log/openresty
- ./certs:/etc/openresty/certs:ro
networks:
default: {}
openresty-private: {}
proxy-net: {}
redis:
image: redis:7.4-bookworm
restart: unless-stopped
command:
- sh
- -c
- exec redis-server --appendonly yes --requirepass "$$REDIS_PASSWORD"
environment:
REDIS_PASSWORD: ${REDIS_PASSWORD:?please set REDIS_PASSWORD in .env}
ports:
- "127.0.0.1:6379:6379"
volumes:
- ./redis-data:/data
networks:
redis-host: {}
openresty-private: {}
healthcheck:
test: ["CMD-SHELL", "redis-cli -a \"$${REDIS_PASSWORD}\" ping | grep PONG"]
interval: 10s
timeout: 3s
retries: 5
networks:
default:
redis-host:
openresty-private:
internal: true
proxy-net:
external: true
反向代理配置 以newapi.x.xyz 举例
# ============================================================
# New API Reverse Proxy
# 域名:newapi.x.xyz
# 场景:OpenResty 与 new-api 不在同一个 Docker 网络
# ============================================================
# ------------------------------------------------------------
# WebSocket / SSE / 流式响应兼容
#
# New API 主要是 HTTP API + 流式输出。
# 这里主要是为了兼容可能存在的 Upgrade 请求。
# 普通 HTTP 请求时,Connection 为空,避免影响 upstream keepalive。
# ------------------------------------------------------------
map $http_upgrade $connection_upgrade {
default upgrade;
'' '';
}
# ------------------------------------------------------------
# Host 白名单
#
# 作用:
# 即使 TLS SNI 是 newapi.x.xyz,
# 也防止客户端在 HTTP Host 里伪造其他域名。
#
# 例如:
# curl --resolve newapi.x.xyz:443:服务器IP https://newapi.x.xyz \
# -H "Host: evil.com"
#
# 这种请求会被后面的 if 直接 444 断开。
# ------------------------------------------------------------
map $http_host $valid_newapi_host {
default 0;
newapi.x.xyz 1;
newapi.x.xyz:443 1;
}
# ------------------------------------------------------------
# New API 后端地址
# ------------------------------------------------------------
upstream newapi_backend {
server new-api:3000;
keepalive 64;
}
# ============================================================
# HTTP 入口
#
# 只处理 newapi.x.xyz 的 80 请求。
# 访问 http://newapi.x.xyz 会跳转到 HTTPS。
#
# 你的 default 80 server 可以继续保持 return 444。
# ============================================================
server {
listen 80;
server_name newapi.x.xyz;
if ($from_cloudflare = 0) {
return 444;
}
return 301 https://newapi.x.xyz$request_uri;
}
# ============================================================
# HTTPS 反向代理入口
# ============================================================
server {
listen 443 ssl;
server_name newapi.x.xyz;
if ($from_cloudflare = 0) {
return 444;
}
# --------------------------------------------------------
# TLS 证书 可以使用 cloudflare 长期证书
# --------------------------------------------------------
ssl_certificate /etc/openresty/certs/xyz.pem;
ssl_certificate_key /etc/openresty/certs/xyz.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;
# --------------------------------------------------------
# 请求体大小限制
# --------------------------------------------------------
client_max_body_size 100m;
# --------------------------------------------------------
# Host 防伪造
#
# --------------------------------------------------------
if ($valid_newapi_host = 0) {
return 444;
}
# --------------------------------------------------------
# New API 主反向代理
# --------------------------------------------------------
location / {
proxy_pass http://newapi_backend;
# 使用 HTTP/1.1,支持 keepalive / streaming / upgrade
proxy_http_version 1.1;
# ----------------------------------------------------
# 转发真实请求信息
# ----------------------------------------------------
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
# ----------------------------------------------------
# WebSocket / Upgrade 兼容
# ----------------------------------------------------
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
# ----------------------------------------------------
# 流式响应关键配置
#
# New API 转发 OpenAI / Claude / Gemini 等模型时,
# 经常会使用 stream=true。
#
# proxy_buffering off:
# 不让 OpenResty 缓冲上游响应,
# 后端返回一点,客户端就收到一点。
#
# proxy_cache off:
# 禁止缓存 API 响应。
#
# proxy_request_buffering off:
# 请求体直接传给后端,不先完整缓存在 OpenResty。
# ----------------------------------------------------
proxy_buffering off;
proxy_cache off;
proxy_request_buffering off;
# ----------------------------------------------------
# 超时设置
#
# 模型流式输出可能持续很久。
# 默认超时太短的话,请求还没输出完就可能被断开。
# ----------------------------------------------------
proxy_connect_timeout 60s;
proxy_send_timeout 3600s;
proxy_read_timeout 3600s;
# ----------------------------------------------------
# 禁止 OpenResty 自动改写后端 Location 跳转地址
# ----------------------------------------------------
proxy_redirect off;
}
}
$from_cloudflare conf.d/cloudflare.conf
# 本文件由 update-cloudflare-conf.sh 自动生成,请勿手改
# 来源: https://www.cloudflare.com/ips-v4 / https://www.cloudflare.com/ips-v6
# ---- 真实客户端 IP 还原 ----
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;
real_ip_header CF-Connecting-IP;
# ---- 直连白名单:原始连接 IP 是否来自 Cloudflare ----
geo $realip_remote_addr $from_cloudflare {
default 0;
173.245.48.0/20 1;
103.21.244.0/22 1;
103.22.200.0/22 1;
103.31.4.0/22 1;
141.101.64.0/18 1;
108.162.192.0/18 1;
190.93.240.0/20 1;
188.114.96.0/20 1;
197.234.240.0/22 1;
198.41.128.0/17 1;
162.158.0.0/15 1;
104.16.0.0/13 1;
104.24.0.0/14 1;
172.64.0.0/13 1;
131.0.72.0/22 1;
2400:cb00::/32 1;
2606:4700::/32 1;
2803:f800::/32 1;
2405:b500::/32 1;
2405:8100::/32 1;
2a06:98c0::/29 1;
2c0f:f248::/32 1;
}
cloudlfare tunnel
也可以使用这个# CPA ALL IN ONE
总结的说 只允许cloudflare 的ip 访问openresty的80 44 通过docker 网络访问 cpa
cf->openresty->docker netwrok (cpa)
docker 安装
curl -fsSL https://get.docker.com -o get-docker.sh
sh get-docker.sh
## 如果是大陆服务
## ipv6 only 服务器
## sudo DOWNLOAD_URL=https://ipv6.mirrors.ustc.edu.cn/docker-ce sh get-docker.sh
##sudo DOWNLOAD_URL=https://mirrors.ustc.edu.cn/docker-ce sh get-docker.sh
cpa 本地安装
compose.yml
services:
cli-proxy-api:
image: eceasy/cli-proxy-api:latest
extra_hosts:
- "host.docker.internal:host-gateway"
container_name: cli-proxy-api
restart: unless-stopped
# 保持源码全端口映射,确保所有 CLI 工具劫持功能正常
ports:
- "127.0.0.1:8317:8317" # 主 API
- "127.0.0.1:8085:8085" # Antigravity OAuth 回调
- "127.0.0.1:1455:1455" # Codex OAuth 回调
- "127.0.0.1:54545:54545" # Claude OAuth 回调
- "127.0.0.1:51121:51121" # Antigravity OAuth 回调
- "127.0.0.1:11451:11451" # iFlow OAuth 回调
environment:
- TZ=Asia/Singapore
- REDIS_URL=redis://redis:6379/0
volumes:
- ./config.yaml:/CLIProxyAPI/config.yaml
- ./auths:/root/.cli-proxy-api
- ./logs:/CLIProxyAPI/logs
depends_on:
- redis
networks:
- cpa-network
- ai-net
redis:
image: redis:7-alpine
container_name: cliproxy-redis
restart: always
command: ["redis-server", "--appendonly", "yes"]
volumes:
- ./redis_data:/data
networks:
- cpa-network
### 统计 非常好用
cpa-manager:
image: seakee/cpa-manager-plus:latest
restart: unless-stopped
ports:
- "127.0.0.1:18317:18317"
volumes:
- ./cpa-manager-data:/data
networks:
- cpa-network
environment:
HTTP_ADDR: "0.0.0.0:18317"
USAGE_DB_PATH: "/data/usage.sqlite"
CPA_MANAGER_DATA_KEY_PATH: "/data/data.key"
CPA_MANAGER_ADMIN_KEY: "key11111111111111111" # !!! 修改
USAGE_COLLECTOR_MODE: "auto"
networks:
cpa-network:
driver: bridge
ai-net:
external: true
config.yml 一定要修改默认的key
wget https://raw.githubusercontent.com/router-for-me/CLIProxyAPI/refs/heads/main/config.example.yaml
参数调整
默认UA
claude-header-defaults:
user-agent: "claude-cli/2.1.174 (external, sdk-cli)"
package-version: "0.74.0"
runtime-version: "v24.16.0"
os: "Ubuntu"
arch: "x86_64"
timeout: "600"
stabilize-device-profile: true
codex-header-defaults:
user-agent: "codex_exec/0.141.0 (Ubuntu 24.4.0; x86_64) xterm-256color (codex_exec; 0.141.0)"
transient-error-cooldown-seconds
#如果账户 很少 可以设置为-1
transient-error-cooldown-seconds: 3
反向代理
openresty
.env
REDIS_PASSWORD=change1111!1231231
compose.yml
services:
openresty:
image: openresty/openresty:bookworm
restart: unless-stopped
depends_on:
- redis
ports:
- "80:80"
- "443:443"
volumes:
- ./conf.d:/etc/nginx/conf.d:ro
- ./lua:/etc/nginx/lua:ro
- ./logs:/var/log/openresty
- ./certs:/etc/openresty/certs:ro
networks:
default: {}
openresty-private: {}
proxy-net: {}
redis:
image: redis:7.4-bookworm
restart: unless-stopped
command:
- sh
- -c
- exec redis-server --appendonly yes --requirepass "$$REDIS_PASSWORD"
environment:
REDIS_PASSWORD: ${REDIS_PASSWORD:?please set REDIS_PASSWORD in .env}
ports:
- "127.0.0.1:6379:6379"
volumes:
- ./redis-data:/data
networks:
redis-host: {}
openresty-private: {}
healthcheck:
test: ["CMD-SHELL", "redis-cli -a \"$${REDIS_PASSWORD}\" ping | grep PONG"]
interval: 10s
timeout: 3s
retries: 5
networks:
default:
redis-host:
openresty-private:
internal: true
proxy-net:
external: true
反向代理配置 以newapi.x.xyz 举例
# ============================================================
# New API Reverse Proxy
# 域名:newapi.x.xyz
# 场景:OpenResty 与 new-api 不在同一个 Docker 网络
# ============================================================
# ------------------------------------------------------------
# WebSocket / SSE / 流式响应兼容
#
# New API 主要是 HTTP API + 流式输出。
# 这里主要是为了兼容可能存在的 Upgrade 请求。
# 普通 HTTP 请求时,Connection 为空,避免影响 upstream keepalive。
# ------------------------------------------------------------
map $http_upgrade $connection_upgrade {
default upgrade;
'' '';
}
# ------------------------------------------------------------
# Host 白名单
#
# 作用:
# 即使 TLS SNI 是 newapi.x.xyz,
# 也防止客户端在 HTTP Host 里伪造其他域名。
#
# 例如:
# curl --resolve newapi.x.xyz:443:服务器IP https://newapi.x.xyz \
# -H "Host: evil.com"
#
# 这种请求会被后面的 if 直接 444 断开。
# ------------------------------------------------------------
map $http_host $valid_newapi_host {
default 0;
newapi.x.xyz 1;
newapi.x.xyz:443 1;
}
# ------------------------------------------------------------
# New API 后端地址
# ------------------------------------------------------------
upstream newapi_backend {
server new-api:3000;
keepalive 64;
}
# ============================================================
# HTTP 入口
#
# 只处理 newapi.x.xyz 的 80 请求。
# 访问 http://newapi.x.xyz 会跳转到 HTTPS。
#
# 你的 default 80 server 可以继续保持 return 444。
# ============================================================
server {
listen 80;
server_name newapi.x.xyz;
if ($from_cloudflare = 0) {
return 444;
}
return 301 https://newapi.x.xyz$request_uri;
}
# ============================================================
# HTTPS 反向代理入口
# ============================================================
server {
listen 443 ssl;
server_name newapi.x.xyz;
if ($from_cloudflare = 0) {
return 444;
}
# --------------------------------------------------------
# TLS 证书 可以使用 cloudflare 长期证书
# --------------------------------------------------------
ssl_certificate /etc/openresty/certs/xyz.pem;
ssl_certificate_key /etc/openresty/certs/xyz.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;
# --------------------------------------------------------
# 请求体大小限制
# --------------------------------------------------------
client_max_body_size 100m;
# --------------------------------------------------------
# Host 防伪造
#
# --------------------------------------------------------
if ($valid_newapi_host = 0) {
return 444;
}
# --------------------------------------------------------
# New API 主反向代理
# --------------------------------------------------------
location / {
proxy_pass http://newapi_backend;
# 使用 HTTP/1.1,支持 keepalive / streaming / upgrade
proxy_http_version 1.1;
# ----------------------------------------------------
# 转发真实请求信息
# ----------------------------------------------------
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
# ----------------------------------------------------
# WebSocket / Upgrade 兼容
# ----------------------------------------------------
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
# ----------------------------------------------------
# 流式响应关键配置
#
# New API 转发 OpenAI / Claude / Gemini 等模型时,
# 经常会使用 stream=true。
#
# proxy_buffering off:
# 不让 OpenResty 缓冲上游响应,
# 后端返回一点,客户端就收到一点。
#
# proxy_cache off:
# 禁止缓存 API 响应。
#
# proxy_request_buffering off:
# 请求体直接传给后端,不先完整缓存在 OpenResty。
# ----------------------------------------------------
proxy_buffering off;
proxy_cache off;
proxy_request_buffering off;
# ----------------------------------------------------
# 超时设置
#
# 模型流式输出可能持续很久。
# 默认超时太短的话,请求还没输出完就可能被断开。
# ----------------------------------------------------
proxy_connect_timeout 60s;
proxy_send_timeout 3600s;
proxy_read_timeout 3600s;
# ----------------------------------------------------
# 禁止 OpenResty 自动改写后端 Location 跳转地址
# ----------------------------------------------------
proxy_redirect off;
}
}
$from_cloudflare conf.d/cloudflare.conf
# 本文件由 update-cloudflare-conf.sh 自动生成,请勿手改
# 来源: https://www.cloudflare.com/ips-v4 / https://www.cloudflare.com/ips-v6
# ---- 真实客户端 IP 还原 ----
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;
real_ip_header CF-Connecting-IP;
# ---- 直连白名单:原始连接 IP 是否来自 Cloudflare ----
geo $realip_remote_addr $from_cloudflare {
default 0;
173.245.48.0/20 1;
103.21.244.0/22 1;
103.22.200.0/22 1;
103.31.4.0/22 1;
141.101.64.0/18 1;
108.162.192.0/18 1;
190.93.240.0/20 1;
188.114.96.0/20 1;
197.234.240.0/22 1;
198.41.128.0/17 1;
162.158.0.0/15 1;
104.16.0.0/13 1;
104.24.0.0/14 1;
172.64.0.0/13 1;
131.0.72.0/22 1;
2400:cb00::/32 1;
2606:4700::/32 1;
2803:f800::/32 1;
2405:b500::/32 1;
2405:8100::/32 1;
2a06:98c0::/29 1;
2c0f:f248::/32 1;
}
cloudlfare tunnel
也可以使用这个# CPA ALL IN ONE
总结的说 只允许cloudflare 的ip 访问openresty的80 44 通过docker 网络访问 cpa
cf->openresty->docker netwrok (cpa)
docker 安装
curl -fsSL https://get.docker.com -o get-docker.sh
sh get-docker.sh
## 如果是大陆服务
## ipv6 only 服务器
## sudo DOWNLOAD_URL=https://ipv6.mirrors.ustc.edu.cn/docker-ce sh get-docker.sh
##sudo DOWNLOAD_URL=https://mirrors.ustc.edu.cn/docker-ce sh get-docker.sh
cpa 本地安装
compose.yml
services:
cli-proxy-api:
image: eceasy/cli-proxy-api:latest
extra_hosts:
- "host.docker.internal:host-gateway"
container_name: cli-proxy-api
restart: unless-stopped
# 保持源码全端口映射,确保所有 CLI 工具劫持功能正常
ports:
- "127.0.0.1:8317:8317" # 主 API
- "127.0.0.1:8085:8085" # Antigravity OAuth 回调
- "127.0.0.1:1455:1455" # Codex OAuth 回调
- "127.0.0.1:54545:54545" # Claude OAuth 回调
- "127.0.0.1:51121:51121" # Antigravity OAuth 回调
- "127.0.0.1:11451:11451" # iFlow OAuth 回调
environment:
- TZ=Asia/Singapore
- REDIS_URL=redis://redis:6379/0
volumes:
- ./config.yaml:/CLIProxyAPI/config.yaml
- ./auths:/root/.cli-proxy-api
- ./logs:/CLIProxyAPI/logs
depends_on:
- redis
networks:
- cpa-network
- ai-net
redis:
image: redis:7-alpine
container_name: cliproxy-redis
restart: always
command: ["redis-server", "--appendonly", "yes"]
volumes:
- ./redis_data:/data
networks:
- cpa-network
### 统计 非常好用
cpa-manager:
image: seakee/cpa-manager-plus:latest
restart: unless-stopped
ports:
- "127.0.0.1:18317:18317"
volumes:
- ./cpa-manager-data:/data
networks:
- cpa-network
environment:
HTTP_ADDR: "0.0.0.0:18317"
USAGE_DB_PATH: "/data/usage.sqlite"
CPA_MANAGER_DATA_KEY_PATH: "/data/data.key"
CPA_MANAGER_ADMIN_KEY: "key11111111111111111" # !!! 修改
USAGE_COLLECTOR_MODE: "auto"
networks:
cpa-network:
driver: bridge
ai-net:
external: true
config.yml 一定要修改默认的key
wget https://raw.githubusercontent.com/router-for-me/CLIProxyAPI/refs/heads/main/config.example.yaml
参数调整
默认UA
claude-header-defaults:
user-agent: "claude-cli/2.1.174 (external, sdk-cli)"
package-version: "0.74.0"
runtime-version: "v24.16.0"
os: "Ubuntu"
arch: "x86_64"
timeout: "600"
stabilize-device-profile: true
codex-header-defaults:
user-agent: "codex_exec/0.141.0 (Ubuntu 24.4.0; x86_64) xterm-256color (codex_exec; 0.141.0)"
transient-error-cooldown-seconds
#如果账户 很少 可以设置为-1
transient-error-cooldown-seconds: 3
反向代理
openresty
.env
REDIS_PASSWORD=change1111!1231231
compose.yml
services:
openresty:
image: openresty/openresty:bookworm
restart: unless-stopped
depends_on:
- redis
ports:
- "80:80"
- "443:443"
volumes:
- ./conf.d:/etc/nginx/conf.d:ro
- ./lua:/etc/nginx/lua:ro
- ./logs:/var/log/openresty
- ./certs:/etc/openresty/certs:ro
networks:
default: {}
openresty-private: {}
proxy-net: {}
redis:
image: redis:7.4-bookworm
restart: unless-stopped
command:
- sh
- -c
- exec redis-server --appendonly yes --requirepass "$$REDIS_PASSWORD"
environment:
REDIS_PASSWORD: ${REDIS_PASSWORD:?please set REDIS_PASSWORD in .env}
ports:
- "127.0.0.1:6379:6379"
volumes:
- ./redis-data:/data
networks:
redis-host: {}
openresty-private: {}
healthcheck:
test: ["CMD-SHELL", "redis-cli -a \"$${REDIS_PASSWORD}\" ping | grep PONG"]
interval: 10s
timeout: 3s
retries: 5
networks:
default:
redis-host:
openresty-private:
internal: true
proxy-net:
external: true
反向代理配置 以newapi.x.xyz 举例
# ============================================================
# New API Reverse Proxy
# 域名:newapi.x.xyz
# 场景:OpenResty 与 new-api 不在同一个 Docker 网络
# ============================================================
# ------------------------------------------------------------
# WebSocket / SSE / 流式响应兼容
#
# New API 主要是 HTTP API + 流式输出。
# 这里主要是为了兼容可能存在的 Upgrade 请求。
# 普通 HTTP 请求时,Connection 为空,避免影响 upstream keepalive。
# ------------------------------------------------------------
map $http_upgrade $connection_upgrade {
default upgrade;
'' '';
}
# ------------------------------------------------------------
# Host 白名单
#
# 作用:
# 即使 TLS SNI 是 newapi.x.xyz,
# 也防止客户端在 HTTP Host 里伪造其他域名。
#
# 例如:
# curl --resolve newapi.x.xyz:443:服务器IP https://newapi.x.xyz \
# -H "Host: evil.com"
#
# 这种请求会被后面的 if 直接 444 断开。
# ------------------------------------------------------------
map $http_host $valid_newapi_host {
default 0;
newapi.x.xyz 1;
newapi.x.xyz:443 1;
}
# ------------------------------------------------------------
# New API 后端地址
# ------------------------------------------------------------
upstream newapi_backend {
server new-api:3000;
keepalive 64;
}
# ============================================================
# HTTP 入口
#
# 只处理 newapi.x.xyz 的 80 请求。
# 访问 http://newapi.x.xyz 会跳转到 HTTPS。
#
# 你的 default 80 server 可以继续保持 return 444。
# ============================================================
server {
listen 80;
server_name newapi.x.xyz;
if ($from_cloudflare = 0) {
return 444;
}
return 301 https://newapi.x.xyz$request_uri;
}
# ============================================================
# HTTPS 反向代理入口
# ============================================================
server {
listen 443 ssl;
server_name newapi.x.xyz;
if ($from_cloudflare = 0) {
return 444;
}
# --------------------------------------------------------
# TLS 证书 可以使用 cloudflare 长期证书
# --------------------------------------------------------
ssl_certificate /etc/openresty/certs/xyz.pem;
ssl_certificate_key /etc/openresty/certs/xyz.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;
# --------------------------------------------------------
# 请求体大小限制
# --------------------------------------------------------
client_max_body_size 100m;
# --------------------------------------------------------
# Host 防伪造
#
# --------------------------------------------------------
if ($valid_newapi_host = 0) {
return 444;
}
# --------------------------------------------------------
# New API 主反向代理
# --------------------------------------------------------
location / {
proxy_pass http://newapi_backend;
# 使用 HTTP/1.1,支持 keepalive / streaming / upgrade
proxy_http_version 1.1;
# ----------------------------------------------------
# 转发真实请求信息
# ----------------------------------------------------
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
# ----------------------------------------------------
# WebSocket / Upgrade 兼容
# ----------------------------------------------------
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
# ----------------------------------------------------
# 流式响应关键配置
#
# New API 转发 OpenAI / Claude / Gemini 等模型时,
# 经常会使用 stream=true。
#
# proxy_buffering off:
# 不让 OpenResty 缓冲上游响应,
# 后端返回一点,客户端就收到一点。
#
# proxy_cache off:
# 禁止缓存 API 响应。
#
# proxy_request_buffering off:
# 请求体直接传给后端,不先完整缓存在 OpenResty。
# ----------------------------------------------------
proxy_buffering off;
proxy_cache off;
proxy_request_buffering off;
# ----------------------------------------------------
# 超时设置
#
# 模型流式输出可能持续很久。
# 默认超时太短的话,请求还没输出完就可能被断开。
# ----------------------------------------------------
proxy_connect_timeout 60s;
proxy_send_timeout 3600s;
proxy_read_timeout 3600s;
# ----------------------------------------------------
# 禁止 OpenResty 自动改写后端 Location 跳转地址
# ----------------------------------------------------
proxy_redirect off;
}
}
$from_cloudflare conf.d/cloudflare.conf
# 本文件由 update-cloudflare-conf.sh 自动生成,请勿手改
# 来源: https://www.cloudflare.com/ips-v4 / https://www.cloudflare.com/ips-v6
# ---- 真实客户端 IP 还原 ----
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;
real_ip_header CF-Connecting-IP;
# ---- 直连白名单:原始连接 IP 是否来自 Cloudflare ----
geo $realip_remote_addr $from_cloudflare {
default 0;
173.245.48.0/20 1;
103.21.244.0/22 1;
103.22.200.0/22 1;
103.31.4.0/22 1;
141.101.64.0/18 1;
108.162.192.0/18 1;
190.93.240.0/20 1;
188.114.96.0/20 1;
197.234.240.0/22 1;
198.41.128.0/17 1;
162.158.0.0/15 1;
104.16.0.0/13 1;
104.24.0.0/14 1;
172.64.0.0/13 1;
131.0.72.0/22 1;
2400:cb00::/32 1;
2606:4700::/32 1;
2803:f800::/32 1;
2405:b500::/32 1;
2405:8100::/32 1;
2a06:98c0::/29 1;
2c0f:f248::/32 1;
}
cloudlfare tunnel
也可以使用这个
最新回复 (1)
-
hopemarks 07-07 07:301楼佬这么折腾一下,响应会不会变慢?
* 帖子来源Linux.do
附近帖子