From 03b8b52315f760664ad85f9c3b68659703d6b182 Mon Sep 17 00:00:00 2001
From: hotwa <pylyzeng@gmail.com>
Date: Fri, 3 Oct 2025 14:52:04 +0800
Subject: [PATCH] =?UTF-8?q?fix(registrar):=20=E6=A0=87=E7=AD=BE=E6=8C=89?=
 =?UTF-8?q?=E8=A1=8C=E6=8B=BC=E6=8E=A5=E9=81=BF=E5=85=8D=E9=80=97=E5=8F=B7?=
 =?UTF-8?q?=E6=8B=86=E5=88=86=EF=BC=9B=E9=BB=98=E8=AE=A4=E5=90=AF=E7=94=A8?=
 =?UTF-8?q?=20TCP=20TLS=EF=BC=9B=E6=96=B0=E5=A2=9E=20TLS=5FMODE?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- 修复 ConsulCatalog 标签因逗号分割导致的解析错误：
  「error parsing server URL ... : invalid port ':9009,'」
  现在改为按“行”累加标签，再转换为 JSON 数组，避免值中逗号（如 middlewares）被错误拆分
- TCP 路由默认启用 TLS（terminating），补齐 tls=true / tls.certresolver
  修复「HostSNI(...) but no TLS on router」
- 新增 TLS_MODE=terminating|passthrough|plaintext 三种模式
- 统一使用 loadbalancer.server.port（替代 server.url），规避尾逗号风险
- 提供严格的 to_json_array 实现，避免尾逗号 JSON 问题
- HTTP 路由补充 priority=10000；保留可选中间件（需与动态配置名称一致）

Test plan:
- 清理旧服务并重注册：
  curl -s http://100.64.0.1:8500/v1/agent/services \
    | jq 'to_entries[] | select(.value.Service=="mcp") | .key' \
    | xargs -I{} curl -s -X PUT http://100.64.0.1:8500/v1/agent/service/deregister/{}
  然后重启注册器容器
- 验证 Traefik 路由：
  curl -s http://localhost:8083/api/tcp/routers \
    | jq '.[] | select(.rule|test("ci-agent\\.jmsu\\.top")) | {name,entryPoints,tls}'
- 验证证书握手：
  openssl s_client -connect ci-agent.jmsu.top:4443 -servername ci-agent.jmsu.top -brief </dev/null

Refs:
- invalid port ":9009,"
- HostSNI(...) but no TLS on router
---
 docker/registrar.sh | 73 ++++++++++++++++++++++++++++++++++-----------
 1 file changed, 56 insertions(+), 17 deletions(-)

diff --git a/docker/registrar.sh b/docker/registrar.sh
index d43d8c4..f0b7b1c 100755
--- a/docker/registrar.sh
+++ b/docker/registrar.sh
@@ -15,6 +15,8 @@ CHECK_TIMEOUT="${CHECK_TIMEOUT:-2s}"
 DEREG_AFTER="${DEREG_AFTER:-1m}"
 TRAEFIK_HTTP_ENTRYPOINT="${TRAEFIK_HTTP_ENTRYPOINT:-websecure}"
 TRAEFIK_TCP_ENTRYPOINT="${TRAEFIK_TCP_ENTRYPOINT:-tcp}"
+TRAEFIK_CERT_RESOLVER="${TRAEFIK_CERT_RESOLVER:-alidns}"
+TLS_MODE="${TLS_MODE:-terminating}"   # terminating | passthrough | plaintext
 # TRAEFIK_CERT_RESOLVER="${TRAEFIK_CERT_RESOLVER:-cf}"
 
 echo "[registrar] consul: $CONSUL, service: $SERVICE_NAME@$SERVICE_ADDR:$SERVICE_PORT"
@@ -29,27 +31,64 @@ done
 
 ID="${SERVICE_NAME}-${SERVICE_ADDR}-${SERVICE_PORT}"
 
-# 组装 Traefik tags（ConsulCatalog）
+# 组装 Traefik tags（按“行”累加，避免值中逗号被拆）
+NL='
+'
 TAGS="traefik.enable=true"
+
 if [ "$SERVICE_PROTOCOL" = "http" ]; then
-  TAGS="$TAGS,traefik.http.routers.${SERVICE_NAME}.rule=Host(\`${ROUTE_HOST}\`)"
-  TAGS="$TAGS,traefik.http.routers.${SERVICE_NAME}.entrypoints=${TRAEFIK_HTTP_ENTRYPOINT}"
-  TAGS="$TAGS,traefik.http.routers.${SERVICE_NAME}.tls=true"
-  TAGS="$TAGS,traefik.http.services.${SERVICE_NAME}.loadbalancer.server.scheme=http"
-  TAGS="$TAGS,traefik.http.services.${SERVICE_NAME}.loadbalancer.server.port=${SERVICE_PORT}"
-  # 可选：应用云端 dynamic.yml 的中间件
-  TAGS="$TAGS,traefik.http.routers.${SERVICE_NAME}.middlewares=gzip-all@file,security-headers@file"
+  TAGS="$TAGS${NL}traefik.http.routers.${SERVICE_NAME}.rule=Host(\`${ROUTE_HOST}\`)"
+  TAGS="$TAGS${NL}traefik.http.routers.${SERVICE_NAME}.entrypoints=${TRAEFIK_HTTP_ENTRYPOINT}"
+  TAGS="$TAGS${NL}traefik.http.routers.${SERVICE_NAME}.tls=true"
+  TAGS="$TAGS${NL}traefik.http.services.${SERVICE_NAME}.loadbalancer.server.scheme=http"
+  TAGS="$TAGS${NL}traefik.http.services.${SERVICE_NAME}.loadbalancer.server.port=${SERVICE_PORT}"
+  # 抢占路由：给当前 Host 的 router 设置更高优先级
+  TAGS="$TAGS${NL}traefik.http.routers.${SERVICE_NAME}.priority=10000"
+  # 可选中间件（注意：值里有逗号也安全）
+  TAGS="$TAGS${NL}traefik.http.routers.${SERVICE_NAME}.middlewares=gzip-all@file,sec-headers@file"
+  # 如需 ACME 证书解析器可再加一行（取消注释）
+  # TAGS="$TAGS${NL}traefik.http.routers.${SERVICE_NAME}.tls.certresolver=${TRAEFIK_CERT_RESOLVER}"
 elif [ "$SERVICE_PROTOCOL" = "tcp" ]; then
-  TAGS="$TAGS,traefik.tcp.routers.${SERVICE_NAME}.rule=HostSNI(\`${ROUTE_HOST}\`)"
-  TAGS="$TAGS,traefik.tcp.routers.${SERVICE_NAME}.entrypoints=${TRAEFIK_TCP_ENTRYPOINT}"
-  TAGS="$TAGS,traefik.tcp.services.${SERVICE_NAME}.loadbalancer.server.port=${SERVICE_PORT}"
+  case "$TLS_MODE" in
+    # A：Traefik 终止 TLS（推荐公网）
+    terminating)
+      TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.rule=HostSNI(\`${ROUTE_HOST}\`)"
+      TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.entrypoints=${TRAEFIK_TCP_ENTRYPOINT}"
+      TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.tls=true"
+      TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.tls.certresolver=${TRAEFIK_CERT_RESOLVER}"
+      TAGS="$TAGS${NL}traefik.tcp.services.${SERVICE_NAME}.loadbalancer.server.port=${SERVICE_PORT}"
+      ;;
+
+    # A-备用：后端自己终止 TLS（需要给 woodpecker-server 配 cert/key）
+    passthrough)
+      TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.rule=HostSNI(\`${ROUTE_HOST}\`)"
+      TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.entrypoints=${TRAEFIK_TCP_ENTRYPOINT}"
+      TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.tls.passthrough=true"
+      TAGS="$TAGS${NL}traefik.tcp.services.${SERVICE_NAME}.loadbalancer.server.port=${SERVICE_PORT}"
+      ;;
+
+    # B：明文 TCP（仅内网/Tailscale，用 * 兜底）
+    plaintext)
+      TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.rule=HostSNI(\`*\`)"
+      TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.entrypoints=${TRAEFIK_TCP_ENTRYPOINT}"
+      TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.priority=1"
+      TAGS="$TAGS${NL}traefik.tcp.services.${SERVICE_NAME}.loadbalancer.server.port=${SERVICE_PORT}"
+      ;;
+
+    *)
+      echo "unsupported TLS_MODE=$TLS_MODE" >&2; exit 2;;
+  esac
 else
   echo "unsupported SERVICE_PROTOCOL=$SERVICE_PROTOCOL" >&2; exit 2
 fi
 
-# 转 JSON 数组（按逗号拆分）
-to_json_array() { echo "$1" | awk -v RS=, 'NF{print "\""$0"\""}' | paste -sd, - | sed 's/^/[/' | sed 's/$/]/'; }
-TAGS_JSON="$(to_json_array "$TAGS")"
+# 转 JSON 数组（按“行”解析）
+to_json_array() {
+  # 逐行 -> trim -> "..." -> [ ... ]
+  awk 'BEGIN{RS="\n"} NF {gsub(/^[ \t]+|[ \t]+$/,""); printf "\"%s\",\n",$0}' |
+  sed '1s/^/[/' | sed '$s/,\s*$/]/'
+}
+TAGS_JSON="$(printf "%s" "$TAGS" | to_json_array)"
 
 # 健康检查 JSON
 if [ "$CHECK_TYPE" = "http" ]; then
@@ -64,12 +103,12 @@ EOF
 )
 fi
 
-# 写 service 定义并注册到"云端" Consul Server
+# 写 service 定义并注册到云端 Consul
 cat > /tmp/svc.json <<EOF
 {"service":{"id":"${ID}","name":"${SERVICE_NAME}","address":"${SERVICE_ADDR}","port":${SERVICE_PORT},"tags":${TAGS_JSON},"checks":[${CHECK_JSON}]}}
 EOF
 
-echo "[registrar] register ${ID} -\u003e ${CONSUL}"
+echo "[registrar] register ${ID} -> ${CONSUL}"
 consul services register -http-addr="$CONSUL" /tmp/svc.json
 
 term() {
@@ -79,4 +118,4 @@ term() {
 }
 trap term TERM INT
 
-tail -f /dev/null
\ No newline at end of file
+tail -f /dev/null