{"error_code":31211, "error_msg":"access denied"} on Terabox

[ghostWindows-files]

Please make sure of the following things

• [X] I have read the documentation. 我已经阅读了文档。

• [x] I'm sure there are no duplicate issues or discussions. 我确定没有重复的issue或讨论。

• [X] I'm sure it's due to AList and not something else(such as Network ,Dependencies or Operational). 我确定是AList的问题，而不是其他原因（例如网络，依赖或操作）。

• [x] I'm sure this issue is not fixed in the latest version. 我确定这个问题在最新版本中没有被修复。

AList Version / AList 版本

v3.35.0

Driver used / 使用的存储驱动

Terabox

Describe the bug / 问题描述

因为proxy无法发起issues所以就在这里说了 前提：我用的服务器在国外 https://github.com/alist-org/alist-proxy/blob/main/alist-proxy.js部署到cloudflare pages后国内网络代理链接可以正常调用并下载其他储存的文件,在Terabox就提示{"error_code":31211, "error_msg":"access denied"}，但是挂了梯子再打开下载链接就可以直接下载。

配置是本地代理的话还是情况同上

很神奇的Bug-.-

Reproduction / 复现链接

https://github.com/alist-org/alist-proxy

Config / 配置

Cloud flare Pages： Local Proxy： Error：

Logs / 日志

No response

[welcome[bot]]

Thanks for opening your first issue here! Be sure to follow the issue template!

[anwen-anyi]

你的代理链接是不是使用的默认的cloudflare配置的域名？

[ghostWindows-files]

你的代理链接是不是使用的默认的配置的域名？cloudflare

我用cloudflare pages+绑定自定义域名

[ekyfig]

+1,我按照官方教程搭建cloudflare workers，然后添加下载代理，下载时就会提示{"error_code":31211, "error_msg":"access denied"} WEBDAV策略改成302或者代理URL或者本地代理都一样 翻墙就可以正常下载。

[anwen-anyi]

:joy_cat: 可能确实出bug了.....

[ghostWindows-files]

+1,我按照官方教程搭建cloudflare workers，然后添加下载代理，下载时就会提示{"error_code":31211, "error_msg":"access denied"} WEBDAV策略改成302或者代理URL或者本地代理都一样 翻墙就可以正常下载。

我有一个临时的解决方案：就是再次用新worker代理原本翻墙才能下载的那个worker这样就可以正常下载，二次代理worker脚本：https://github.com/weaigc/bingo/blob/main/cloudflare/worker.js

[ghostWindows-files]

😹 可能确实出bug了.....

Alist worker代理的时候会不会把ip位置检测的代码一起代理了😱

[ekyfig]

+1,我按照官方教程搭建cloudflare workers，然后添加下载代理，下载时就会提示{"error_code":31211, "error_msg":"access denied"} WEBDAV策略改成302或者代理URL或者本地代理都一样 翻墙就可以正常下载。

我有一个临时的解决方案：就是再次用新worker代理原本翻墙才能下载的那个worker这样就可以正常下载，二次代理worker脚本：https://github.com/weaigc/bingo/blob/main/cloudflare/worker.js

请问alist下载代理URL填新worker的域名吗，我只显示一个Hello world

[ghostWindows-files]

+1,我按照官方教程搭建cloudflare workers，然后添加下载代理，下载时就会提示{"error_code":31211, "error_msg":"access denied"} WEBDAV策略改成302或者代理URL或者本地代理都一样 翻墙就可以正常下载。

我有一个临时的解决方案：就是再次用新worker代理原本翻墙才能下载的那个worker这样就可以正常下载，二次代理worker脚本：https://github.com/weaigc/bingo/blob/main/cloudflare/worker.js

请问alist下载代理URL填新worker的域名吗，我只显示一个Hello world

需要将 https://github.com/weaigc/bingo/blob/main/cloudflare/worker.js 中的代码填写到二次代理的worker编辑器中

[GLASS20]

Terabox检测了请求头是否为国内，是的话则拦截请求，我们可以伪造请求头来绕过（2024.6.17通过）

// 伪造地区头
request.headers.set("Accept-Language", "en-US,en;q=0.9");

// 伪造IP头
request.headers.set("X-Forwarded-For", "8.8.8.8"); // 替换为你想要的IP地址
request.headers.set("X-Real-IP", "8.8.8.8"); // 替换为你想要的IP地址

修改后的handleDownload函数如下：

async function handleDownload(request) {
  const origin = request.headers.get("origin") ?? "*";
  const url = new URL(request.url);
  const path = decodeURIComponent(url.pathname);
  const sign = url.searchParams.get("sign") ?? "";
  const verifyResult = await verify(path, sign);
  if (verifyResult !== "") {
    const resp2 = new Response(
      JSON.stringify({
        code: 401,
        message: verifyResult
      }),
      {
        headers: {
          "content-type": "application/json;charset=UTF-8"
        }
      }
    );
    resp2.headers.set("Access-Control-Allow-Origin", origin);
    return resp2;
  }
  let resp = await fetch(`${ADDRESS}/api/fs/link`, {
    method: "POST",
    headers: {
      "content-type": "application/json;charset=UTF-8",
      Authorization: TOKEN
    },
    body: JSON.stringify({
      path
    })
  });
  let res = await resp.json();
  if (res.code !== 200) {
    return new Response(JSON.stringify(res));
  }
  request = new Request(res.data.url, request);
  if (res.data.header) {
    for (const k in res.data.header) {
      for (const v of res.data.header[k]) {
        request.headers.set(k, v);
      }
    }
  }
  // 伪造地区头
  request.headers.set("Accept-Language", "en-US,en;q=0.9");

  // 伪造IP头
  request.headers.set("X-Forwarded-For", "8.8.8.8"); // 替换为你想要的IP地址
  request.headers.set("X-Real-IP", "8.8.8.8"); // 替换为你想要的IP地址
  let response = await fetch(request);
  while (response.status >= 300 && response.status < 400) {
    const location = response.headers.get("Location");
    if (location) {
      if (location.startsWith(`${WORKER_ADDRESS}/`)) {
        request = new Request(location, request);
        return await handleRequest(request);
      } else {
        request = new Request(location, request);
        response = await fetch(request);
      }
    } else {
      break;
    }
  }
  response = new Response(response.body, response);
  response.headers.delete("set-cookie");
  response.headers.set("Access-Control-Allow-Origin", origin);
  response.headers.append("Vary", "Origin");
  return response;
}

[ghostWindows-files]

Terabox检测了请求头是否为国内，是的话则拦截请求，我们可以伪造请求头来绕过（2024.6.17通过）

// 伪造地区头
request.headers.set("Accept-Language", "en-US,en;q=0.9");

// 伪造IP头
request.headers.set("X-Forwarded-For", "8.8.8.8"); // 替换为你想要的IP地址
request.headers.set("X-Real-IP", "8.8.8.8"); // 替换为你想要的IP地址

修改后的handleDownload函数如下：

async function handleDownload(request) {
  const origin = request.headers.get("origin") ?? "*";
  const url = new URL(request.url);
  const path = decodeURIComponent(url.pathname);
  const sign = url.searchParams.get("sign") ?? "";
  const verifyResult = await verify(path, sign);
  if (verifyResult !== "") {
    const resp2 = new Response(
      JSON.stringify({
        code: 401,
        message: verifyResult
      }),
      {
        headers: {
          "content-type": "application/json;charset=UTF-8"
        }
      }
    );
    resp2.headers.set("Access-Control-Allow-Origin", origin);
    return resp2;
  }
  let resp = await fetch(`${ADDRESS}/api/fs/link`, {
    method: "POST",
    headers: {
      "content-type": "application/json;charset=UTF-8",
      Authorization: TOKEN
    },
    body: JSON.stringify({
      path
    })
  });
  let res = await resp.json();
  if (res.code !== 200) {
    return new Response(JSON.stringify(res));
  }
  request = new Request(res.data.url, request);
  if (res.data.header) {
    for (const k in res.data.header) {
      for (const v of res.data.header[k]) {
        request.headers.set(k, v);
      }
    }
  }
  // 伪造地区头
  request.headers.set("Accept-Language", "en-US,en;q=0.9");

  // 伪造IP头
  request.headers.set("X-Forwarded-For", "8.8.8.8"); // 替换为你想要的IP地址
  request.headers.set("X-Real-IP", "8.8.8.8"); // 替换为你想要的IP地址
  let response = await fetch(request);
  while (response.status >= 300 && response.status < 400) {
    const location = response.headers.get("Location");
    if (location) {
      if (location.startsWith(`${WORKER_ADDRESS}/`)) {
        request = new Request(location, request);
        return await handleRequest(request);
      } else {
        request = new Request(location, request);
        response = await fetch(request);
      }
    } else {
      break;
    }
  }
  response = new Response(response.body, response);
  response.headers.delete("set-cookie");
  response.headers.set("Access-Control-Allow-Origin", origin);
  response.headers.append("Vary", "Origin");
  return response;
}

非常感谢，这样就不需要二次代理了

[ghostWindows-files]

Terabox检测了请求头是否为国内，是的话则拦截请求，我们可以伪造请求头来绕过（2024.6.17通过）

// 伪造地区头
request.headers.set("Accept-Language", "en-US,en;q=0.9");

// 伪造IP头
request.headers.set("X-Forwarded-For", "8.8.8.8"); // 替换为你想要的IP地址
request.headers.set("X-Real-IP", "8.8.8.8"); // 替换为你想要的IP地址

修改后的函数如下：handleDownload

async function handleDownload(request) {
  const origin = request.headers.get("origin") ?? "*";
  const url = new URL(request.url);
  const path = decodeURIComponent(url.pathname);
  const sign = url.searchParams.get("sign") ?? "";
  const verifyResult = await verify(path, sign);
  if (verifyResult !== "") {
    const resp2 = new Response(
      JSON.stringify({
        code: 401,
        message: verifyResult
      }),
      {
        headers: {
          "content-type": "application/json;charset=UTF-8"
        }
      }
    );
    resp2.headers.set("Access-Control-Allow-Origin", origin);
    return resp2;
  }
  let resp = await fetch(`${ADDRESS}/api/fs/link`, {
    method: "POST",
    headers: {
      "content-type": "application/json;charset=UTF-8",
      Authorization: TOKEN
    },
    body: JSON.stringify({
      path
    })
  });
  let res = await resp.json();
  if (res.code !== 200) {
    return new Response(JSON.stringify(res));
  }
  request = new Request(res.data.url, request);
  if (res.data.header) {
    for (const k in res.data.header) {
      for (const v of res.data.header[k]) {
        request.headers.set(k, v);
      }
    }
  }
  // 伪造地区头
  request.headers.set("Accept-Language", "en-US,en;q=0.9");

  // 伪造IP头
  request.headers.set("X-Forwarded-For", "8.8.8.8"); // 替换为你想要的IP地址
  request.headers.set("X-Real-IP", "8.8.8.8"); // 替换为你想要的IP地址
  let response = await fetch(request);
  while (response.status >= 300 && response.status < 400) {
    const location = response.headers.get("Location");
    if (location) {
      if (location.startsWith(`${WORKER_ADDRESS}/`)) {
        request = new Request(location, request);
        return await handleRequest(request);
      } else {
        request = new Request(location, request);
        response = await fetch(request);
      }
    } else {
      break;
    }
  }
  response = new Response(response.body, response);
  response.headers.delete("set-cookie");
  response.headers.set("Access-Control-Allow-Origin", origin);
  response.headers.append("Vary", "Origin");
  return response;
}

再次感谢大佬。如果方便的话吧代码给alist官方吧

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.