feat(gost): require upstream proxy for geo-bypass

gost now always requires an external upstream proxy to function. wizard prompts for upstream proxy url when gost is selected. if no upstream provided, gost is removed from selection.
2026-03-07 14:23:08 +00:00 · 2025-12-20 15:21:27 -07:00
parent ed046b3c68
commit 26485b32c0
6 changed files with 44 additions and 5 deletions
--- a/.env.example
+++ b/.env.example
@@ -401,15 +401,20 @@ CLOUDFLARE_TUNNEL_TOKEN=
 # ============================================
 # Gost Proxy Configuration (Optional)
 # ============================================
-# Internal HTTP proxy for AI services outbound traffic
+# Routes AI service traffic through an external proxy for geo-bypass.
+# Use this to access OpenAI/Anthropic/Google APIs from restricted regions.

 # Credentials (auto-generated)
 GOST_USERNAME=
 GOST_PASSWORD=

-# Proxy URL (auto-generated: http://user:pass@gost:8080)
+# Proxy URL for AI services (auto-generated: http://user:pass@gost:8080)
 GOST_PROXY_URL=

+# External upstream proxy (REQUIRED - asked during wizard if gost is selected)
+# Examples: socks5://user:pass@proxy.com:1080, http://user:pass@proxy.com:8080
+GOST_UPSTREAM_PROXY=
+
 # Internal services bypass list (prevents internal Docker traffic from going through proxy)
 GOST_NO_PROXY=localhost,127.0.0.1,postgres,redis,caddy,ollama,neo4j,qdrant,weaviate,clickhouse,minio,searxng,crawl4ai,gotenberg,langfuse-web,langfuse-worker,flowise,n8n,n8n-import,n8n-worker-1,n8n-worker-2,n8n-worker-3,n8n-worker-4,n8n-runner-1,n8n-runner-2,n8n-runner-3,n8n-runner-4,letta,lightrag,docling,postiz,ragflow,ragflow-mysql,ragflow-minio,ragflow-redis,ragflow-elasticsearch,ragapp,open-webui,comfyui,waha,libretranslate,paddleocr,gost

--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -356,6 +356,8 @@ services:
    command:
      - "-L"
      - "http://${GOST_USERNAME}:${GOST_PASSWORD}@:8080"
+      - "-F"
+      - "${GOST_UPSTREAM_PROXY}"
    healthcheck:
      test: ["CMD-SHELL", "wget -q --spider http://localhost:8080 || exit 1"]
      interval: 30s
--- a/scripts/04_wizard.sh
+++ b/scripts/04_wizard.sh
@@ -203,6 +203,35 @@ if [ $ollama_selected -eq 1 ]; then
    fi
 fi

+# If Gost was selected, prompt for upstream proxy URL
+gost_selected=0
+for p in "${selected_profiles[@]}"; do
+    [ "$p" = "gost" ] && gost_selected=1 && break
+done
+
+if [ $gost_selected -eq 1 ]; then
+    # Get existing value from .env if available
+    EXISTING_UPSTREAM=$(read_env_var "GOST_UPSTREAM_PROXY")
+
+    GOST_UPSTREAM_INPUT=$(wt_input "Gost Upstream Proxy" \
+        "Enter your external proxy URL for geo-bypass.\n\nExamples:\n  socks5://user:pass@proxy.com:1080\n  http://user:pass@proxy.com:8080\n\nThis proxy should be located outside restricted regions." \
+        "$EXISTING_UPSTREAM") || true
+
+    if [ -n "$GOST_UPSTREAM_INPUT" ]; then
+        # Save to .env file
+        write_env_var "GOST_UPSTREAM_PROXY" "$GOST_UPSTREAM_INPUT"
+        log_info "Gost upstream proxy configured: $GOST_UPSTREAM_INPUT"
+    else
+        # Remove gost from selected profiles if no upstream provided
+        tmp=()
+        for p in "${selected_profiles[@]}"; do
+            [ "$p" != "gost" ] && tmp+=("$p")
+        done
+        selected_profiles=("${tmp[@]}")
+        log_warning "Gost requires an upstream proxy. Gost has been removed from selection."
+    fi
+fi
+
 if [ ${#selected_profiles[@]} -eq 0 ]; then
    log_info "No optional services selected."
    COMPOSE_PROFILES_VALUE=""
--- a/scripts/07_final_report.sh
+++ b/scripts/07_final_report.sh
@@ -92,7 +92,7 @@ if is_profile_active "open-webui"; then
    echo -e "     ${GREEN}*${NC} ${WHITE}Open WebUI${NC}: Register your account"
 fi
 if is_profile_active "gost"; then
-    echo -e "     ${GREEN}*${NC} ${WHITE}Gost Proxy${NC}: Active - AI services route outbound traffic through proxy"
+    echo -e "     ${GREEN}*${NC} ${WHITE}Gost Proxy${NC}: Routing AI traffic through external proxy"
 fi
 echo ""
 echo -e "  ${WHITE}4.${NC} Run ${CYAN}make doctor${NC} if you experience any issues"
--- a/scripts/generate_welcome_page.sh
+++ b/scripts/generate_welcome_page.sh
@@ -431,8 +431,9 @@ if is_profile_active "gost"; then
        \"password\": \"$(json_escape "$GOST_PASSWORD")\"
      },
      \"extra\": {
-        \"note\": \"Internal HTTP proxy for AI services\",
+        \"note\": \"Routes AI traffic through external proxy for geo-bypass\",
        \"proxy_url\": \"$(json_escape "$GOST_PROXY_URL")\",
+        \"upstream_proxy\": \"$(json_escape "$GOST_UPSTREAM_PROXY")\",
        \"internal_api\": \"http://gost:8080\"
      }
    }")
--- a/welcome/app.js
+++ b/welcome/app.js
@@ -597,7 +597,9 @@
        swagger_pass: { label: 'Swagger Pass', isSecret: true },
        internal_host: { label: 'Internal Host', isSecret: false },
        internal_port: { label: 'Internal Port', isSecret: false },
-        database: { label: 'Database', isSecret: false }
+        database: { label: 'Database', isSecret: false },
+        proxy_url: { label: 'Proxy URL', isSecret: true },
+        upstream_proxy: { label: 'Upstream', isSecret: true }
    };

    /**