From e9afaa06691c63f9f394a5c1eb20875043db80f3 Mon Sep 17 00:00:00 2001
From: wnlen <62139570+wnlen@users.noreply.github.com>
Date: Tue, 13 Jan 2026 22:52:55 +0800
Subject: [PATCH] Harden startup defaults and process shutdown
---
 README.md | 6 ++++--
 restart.sh | 22 +++++++++++++++-------
 shutdown.sh | 19 +++++++++++++------
 start.sh | 52 ++++++++++++++++++++++++++++++++--------------------
 4 files changed, 64 insertions(+), 35 deletions(-)
diff --git a/README.md b/README.md
index d56148f..29e824c 100644
--- a/README.md
+++ b/README.md
@@ -16,6 +16,8 @@ - 本项目是基于 [clash](https://github.com/Dreamacro/clash) 、[yacd](https://github.com/haishanh/yacd) 进行的配置整合,关于clash、yacd的详细配置请去原项目查看。 - 此项目不提供任何订阅信息,请自行准备Clash订阅地址。 - 运行前请手动更改`.env`文件中的`CLASH_URL`变量值,否则无法正常运行。 +- 默认将管理面板仅绑定到本机(`127.0.0.1:9090`),如需对外访问请在`.env`中自行配置并确保`CLASH_SECRET`足够复杂。 +- 默认开启 TLS 证书校验,若确需跳过校验请在`.env`中设置`ALLOW_INSECURE_TLS=true`(不推荐)。 - 当前在RHEL系列和Debian系列Linux系统中测试过,其他系列可能需要适当修改脚本。 - 支持 x86_64/aarch64 平台
@@ -71,7 +73,7 @@ Clash订阅地址可访问! [ OK ] Clash Dashboard 访问地址:http://:9090/ui Secret:xxxxxxxxxxxxx -请执行以下命令加载环境变量: source /etc/profile.d/clash.sh +请执行以下命令加载环境变量: source /etc/profile.d/clash-for-linux.sh 请执行以下命令开启系统代理: proxy_on
@@ -80,7 +82,7 @@ Secret:xxxxxxxxxxxxx ``` ```bash -$ source /etc/profile.d/clash.sh +$ source /etc/profile.d/clash-for-linux.sh $ proxy_on ```
diff --git a/restart.sh b/restart.sh
index 5a2aa7c..191ad4a 100644
--- a/restart.sh
+++ b/restart.sh
@@ -45,12 +45,21 @@ Log_Dir="$Server_Dir/logs"
 Text1="服务关闭成功!"
 Text2="服务关闭失败!"
 # 查询并关闭程序进程
-PID_NUM=`ps -ef | grep [c]lash-linux-a | wc -l`
-PID=`ps -ef | grep [c]lash-linux-a | awk '{print $2}'`
-if [ $PID_NUM -ne 0 ]; then
- kill -9 $PID
- ReturnStatus=$?
- # ps -ef | grep [c]lash-linux-a | awk '{print $2}' | xargs kill -9
+PIDS=$(pgrep -f "clash-linux-")
+if [ -n "$PIDS" ]; then
+ kill $PIDS
+ ReturnStatus=$?
+ for i in {1..5}; do
+ sleep 1
+ if ! pgrep -f "clash-linux-" >/dev/null; then
+ break
+ fi
+ done
+ if pgrep -f "clash-linux-" >/dev/null; then
+ kill -9 $PIDS
+ fi
+else
+ ReturnStatus=0
 fi
 if_success $Text1 $Text2 $ReturnStatus
@@ -87,4 +96,3 @@ else
 echo -e "\033[31m\n[ERROR] Unsupported CPU Architecture!\033[0m"
 exit 1
 fi
-
diff --git a/shutdown.sh b/shutdown.sh
index c2ba4e7..e9b6184 100644
--- a/shutdown.sh
+++ b/shutdown.sh
@@ -1,14 +1,21 @@
 #!/bin/bash
 # 关闭clash服务
-PID_NUM=`ps -ef | grep [c]lash-linux-a | wc -l`
-PID=`ps -ef | grep [c]lash-linux-a | awk '{print $2}'`
-if [ $PID_NUM -ne 0 ]; then
- kill -9 $PID
- # ps -ef | grep [c]lash-linux-a | awk '{print $2}' | xargs kill -9
+PIDS=$(pgrep -f "clash-linux-")
+if [ -n "$PIDS" ]; then
+ kill $PIDS
+ for i in {1..5}; do
+ sleep 1
+ if ! pgrep -f "clash-linux-" >/dev/null; then
+ break
+ fi
+ done
+ if pgrep -f "clash-linux-" >/dev/null; then
+ kill -9 $PIDS
+ fi
 fi
 # 清除环境变量
-> /etc/profile.d/clash.sh
+> /etc/profile.d/clash-for-linux.sh
 echo -e "\n服务关闭成功,请执行以下命令关闭系统代理:proxy_off\n"
diff --git a/start.sh b/start.sh
index 24709d1..54e117d 100644
--- a/start.sh
+++ b/start.sh
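Review bot: `PIDS=$(pgrep -f "clash-linux-")` matches that substring anywhere in any process's full command line, so a pager or editor opened on the binary or its log, or an unrelated process whose arguments contain the string, would receive the SIGTERM and later the SIGKILL; the removed `[c]lash-linux-a` pattern was narrower. Anchor the match to the executable path, e.g. `PIDS=$(pgrep -f "^[^ ]*/clash-linux-")`, or better record the PID at startup and signal only that. The closing `kill -9 $PIDS` also reuses PIDs captured up to five seconds earlier, so a recycled PID would hit the wrong process; re-query instead, `pgrep -f "^[^ ]*/clash-linux-" | xargs -r kill -9`, and fold its status into `ReturnStatus`, which currently reflects only the SIGTERM attempt. The same pattern and stale-PID issue is repeated in the shutdown.sh hunk below.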
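Review bot: The cleanup step now truncates only `/etc/profile.d/clash-for-linux.sh`, but installs made with the previous version wrote their proxy exports to `/etc/profile.d/clash.sh`, which this script no longer clears, so on an upgraded host those exports would keep being sourced into every new login shell after a shutdown. Remove the legacy file as well, `rm -f /etc/profile.d/clash.sh`, at least until the rename has propagated to existing installs.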
@@ -35,9 +35,10 @@ CLASH_HTTP_PORT=${CLASH_HTTP_PORT:-7890}
 CLASH_SOCKS_PORT=${CLASH_SOCKS_PORT:-7891}
 CLASH_REDIR_PORT=${CLASH_REDIR_PORT:-7892}
 CLASH_LISTEN_IP=${CLASH_LISTEN_IP:-0.0.0.0}
-CLASH_ALLOW_LAN=${CLASH_ALLOW_LAN:-true}
+CLASH_ALLOW_LAN=${CLASH_ALLOW_LAN:-false}
 EXTERNAL_CONTROLLER_ENABLED=${EXTERNAL_CONTROLLER_ENABLED:-true}
-EXTERNAL_CONTROLLER=${EXTERNAL_CONTROLLER:-0.0.0.0:9090}
+EXTERNAL_CONTROLLER=${EXTERNAL_CONTROLLER:-127.0.0.1:9090}
+ALLOW_INSECURE_TLS=${ALLOW_INSECURE_TLS:-false}
@@ -110,14 +111,19 @@ Text1="Clash订阅地址可访问!"
 Text2="Clash订阅地址不可访问!"
 # 构建检测 curl 命令,添加自定义请求头
-CHECK_CMD="curl -o /dev/null -L -k -sS --retry 5 -m 10 --connect-timeout 10 -w \"%{http_code}\""
-if [ -n "$CLASH_HEADERS" ]; then
- CHECK_CMD="$CHECK_CMD -H '$CLASH_HEADERS'"
+CHECK_CMD=(curl -o /dev/null -L -sS --retry 5 -m 10 --connect-timeout 10 -w "%{http_code}")
+if [ "$ALLOW_INSECURE_TLS" = "true" ]; then
+ CHECK_CMD+=(-k)
+ echo -e "\033[33m[WARN] 已启用不安全的 TLS 下载(跳过证书校验)\033[0m"
 fi
-CHECK_CMD="$CHECK_CMD $URL"
+if [ -n "$CLASH_HEADERS" ]; then
+ CHECK_CMD+=(-H "$CLASH_HEADERS")
+fi
+CHECK_CMD+=("$URL")
 # 检查订阅地址
-eval $CHECK_CMD | grep -E '^[23][0-9]{2}$' &>/dev/null
+status_code=$("${CHECK_CMD[@]}")
+echo "$status_code" | grep -E '^[23][0-9]{2}$' &>/dev/null
 ReturnStatus=$?
 if_success $Text1 $Text2 $ReturnStatus
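Review bot: The new `ALLOW_INSECURE_TLS` default carries no comment explaining that it is an opt-in which only the exact lowercase string `true` enables (the `[ "$ALLOW_INSECURE_TLS" = "true" ]` tests later in start.sh treat `True` or `1` as "verify"), which is the right fail-closed behaviour but will surprise `.env` users. Add a comment above it such as `# Skip TLS certificate verification only when set to exactly "true" (opt-in, not recommended)`. Note also that `CLASH_LISTEN_IP` keeps its `0.0.0.0` default while `CLASH_ALLOW_LAN` now defaults to false; whether the proxy listener actually stays local depends on how the generated config consumes these two values, which is outside this hunk.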
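Review bot: `CHECK_CMD` combines `-L` with `-H "$CLASH_HEADERS"`, and curl forwards custom `-H` headers (other than `Authorization` on recent versions) to every redirect hop including a different host, so if `CLASH_HEADERS` carries a subscription token it can be disclosed to whatever the subscription server redirects to; the same applies to `CURL_CMD` in the next hunk. Consider `--proto-redir =https` so a redirect can at least not downgrade to plaintext, and document the exposure next to `CLASH_HEADERS`. The `[WARN]` echo goes to stdout; diagnostics belong on stderr, `echo -e "\033[33m[WARN] 已启用不安全的 TLS 下载(跳过证书校验)\033[0m" >&2`. The status test could use bash's builtin matcher instead of a pipe, `[[ "$status_code" =~ ^[23][0-9]{2}$ ]]`, which also makes the following `ReturnStatus=$?` unambiguous.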
@@ -127,26 +133,32 @@ Text3="配置文件config.yaml下载成功!"
 Text4="配置文件config.yaml下载失败,退出启动!"
 # 构建 curl 命令,添加自定义请求头
-CURL_CMD="curl -L -k -sS --retry 5 -m 10 -o $Temp_Dir/clash.yaml"
-if [ -n "$CLASH_HEADERS" ]; then
- CURL_CMD="$CURL_CMD -H '$CLASH_HEADERS'"
+CURL_CMD=(curl -L -sS --retry 5 -m 10 -o "$Temp_Dir/clash.yaml")
+if [ "$ALLOW_INSECURE_TLS" = "true" ]; then
+ CURL_CMD+=(-k)
 fi
-CURL_CMD="$CURL_CMD $URL"
+if [ -n "$CLASH_HEADERS" ]; then
+ CURL_CMD+=(-H "$CLASH_HEADERS")
+fi
+CURL_CMD+=("$URL")
 # 尝试使用curl进行下载
-eval $CURL_CMD
+"${CURL_CMD[@]}"
 ReturnStatus=$?
 if [ $ReturnStatus -ne 0 ]; then
 # 如果使用curl下载失败,尝试使用wget进行下载
- WGET_CMD="wget -q --no-check-certificate -O $Temp_Dir/clash.yaml"
- if [ -n "$CLASH_HEADERS" ]; then
- WGET_CMD="$WGET_CMD --header='$CLASH_HEADERS'"
+ WGET_CMD=(wget -q -O "$Temp_Dir/clash.yaml")
+ if [ "$ALLOW_INSECURE_TLS" = "true" ]; then
+ WGET_CMD+=(--no-check-certificate)
 fi
- WGET_CMD="$WGET_CMD $URL"
+ if [ -n "$CLASH_HEADERS" ]; then
+ WGET_CMD+=(--header="$CLASH_HEADERS")
+ fi
+ WGET_CMD+=("$URL")
 for i in {1..10}
 do
- eval $WGET_CMD
+ "${WGET_CMD[@]}"
 ReturnStatus=$?
 if [ $ReturnStatus -eq 0 ]; then
 break
@@ -236,7 +248,7 @@ fi echo '' # 添加环境变量(root权限) - 使用配置的端口 -cat>/etc/profile.d/clash.sh</etc/profile.d/clash-for-linux.sh<
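Review bot: The wget fallback on the new `WGET_CMD=(wget -q -O "$Temp_Dir/clash.yaml")` line sets no timeout or retry limit, so against a stalled server each of the ten loop iterations can sit through wget's default 20 tries with its own long read timeout, far beyond the `-m 10` bound the curl attempt gets; add `--tries=1 --timeout=10` to the array, `WGET_CMD=(wget -q --tries=1 --timeout=10 -O "$Temp_Dir/clash.yaml")`. The retry loop also fires the ten attempts back to back with no pause and leaves `i` unused, so `for _ in {1..10}` with a short `sleep` between attempts would be more deliberate. The loop body continues past the end of this hunk.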