Merge commit 'refs/pull/origin/28'

2025-06-21 00:30:51 +08:00
parent d373e0104d 35651e214f
commit fe9156f878
13 changed files with 2092 additions and 2128 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,4 @@
+.idea
+.vscode
+.DS_Store
+hubproxy*
--- a/README.md
+++ b/README.md
@@ -138,11 +138,17 @@ blackList = [
    "baduser/*"
 ]

-# SOCKS5代理配置，支持有用户名/密码认证和无认证模式
+# 代理配置，支持有用户名/密码认证和无认证模式
 # 无认证: socks5://127.0.0.1:1080
 # 有认证: socks5://username:password@127.0.0.1:1080
+# HTTP 代理示例
+# http://username:password@127.0.0.1:7890
+# SOCKS5 代理示例
+# socks5://username:password@127.0.0.1:1080
+# SOCKS5H 代理示例
+# socks5h://username:password@127.0.0.1:1080
 # 留空不使用代理
-socks5 = "" 
+proxy = "" 

 [download]
 # 批量下载离线镜像数量限制
--- a/src/access_control.go
+++ b/src/access_control.go
@@ -1,214 +1,212 @@
-package main
-
-import (
-	"strings"
-	"sync"
-)
-
-// ResourceType 资源类型
-type ResourceType string
-
-const (
-	ResourceTypeGitHub ResourceType = "github"
-	ResourceTypeDocker ResourceType = "docker"
-)
-
-// AccessController 统一访问控制器
-type AccessController struct {
-	mu sync.RWMutex
-}
-
-// DockerImageInfo Docker镜像信息
-type DockerImageInfo struct {
-	Namespace  string
-	Repository string
-	Tag        string
-	FullName   string
-}
-
-// 全局访问控制器实例
-var GlobalAccessController = &AccessController{}
-
-// ParseDockerImage 解析Docker镜像名称
-func (ac *AccessController) ParseDockerImage(image string) DockerImageInfo {
-	image = strings.TrimPrefix(image, "docker://")
-	
-	var tag string
-	if idx := strings.LastIndex(image, ":"); idx != -1 {
-		part := image[idx+1:]
-		if !strings.Contains(part, "/") {
-			tag = part
-			image = image[:idx]
-		}
-	}
-	if tag == "" {
-		tag = "latest"
-	}
-	
-	var namespace, repository string
-	if strings.Contains(image, "/") {
-		parts := strings.Split(image, "/")
-		if len(parts) >= 2 {
-			if strings.Contains(parts[0], ".") {
-				if len(parts) >= 3 {
-					namespace = parts[1]
-					repository = parts[2]
-				} else {
-					namespace = "library"
-					repository = parts[1]
-				}
-			} else {
-				namespace = parts[0]
-				repository = parts[1]
-			}
-		}
-	} else {
-		namespace = "library"
-		repository = image
-	}
-	
-	fullName := namespace + "/" + repository
-	
-	return DockerImageInfo{
-		Namespace:  namespace,
-		Repository: repository,
-		Tag:        tag,
-		FullName:   fullName,
-	}
-}
-
-// CheckDockerAccess 检查Docker镜像访问权限
-func (ac *AccessController) CheckDockerAccess(image string) (allowed bool, reason string) {
-	cfg := GetConfig()
-	
-	// 解析镜像名称
-	imageInfo := ac.ParseDockerImage(image)
-	
-	// 检查白名单（如果配置了白名单，则只允许白名单中的镜像）
-	if len(cfg.Proxy.WhiteList) > 0 {
-		if !ac.matchImageInList(imageInfo, cfg.Proxy.WhiteList) {
-			return false, "不在Docker镜像白名单内"
-		}
-	}
-	
-	// 检查黑名单
-	if len(cfg.Proxy.BlackList) > 0 {
-		if ac.matchImageInList(imageInfo, cfg.Proxy.BlackList) {
-			return false, "Docker镜像在黑名单内"
-		}
-	}
-	
-	return true, ""
-}
-
-// CheckGitHubAccess 检查GitHub仓库访问权限
-func (ac *AccessController) CheckGitHubAccess(matches []string) (allowed bool, reason string) {
-	if len(matches) < 2 {
-		return false, "无效的GitHub仓库格式"
-	}
-	
-	cfg := GetConfig()
-	
-	// 检查白名单
-	if len(cfg.Proxy.WhiteList) > 0 && !ac.checkList(matches, cfg.Proxy.WhiteList) {
-		return false, "不在GitHub仓库白名单内"
-	}
-	
-	// 检查黑名单
-	if len(cfg.Proxy.BlackList) > 0 && ac.checkList(matches, cfg.Proxy.BlackList) {
-		return false, "GitHub仓库在黑名单内"
-	}
-	
-	return true, ""
-}
-
-// matchImageInList 检查Docker镜像是否在指定列表中
-func (ac *AccessController) matchImageInList(imageInfo DockerImageInfo, list []string) bool {
-	fullName := strings.ToLower(imageInfo.FullName)
-	namespace := strings.ToLower(imageInfo.Namespace)
-	
-	for _, item := range list {
-		item = strings.ToLower(strings.TrimSpace(item))
-		if item == "" {
-			continue
-		}
-		
-		if fullName == item {
-			return true
-		}
-		
-		if item == namespace || item == namespace+"/*" {
-			return true
-		}
-		
-		if strings.HasSuffix(item, "*") {
-			prefix := strings.TrimSuffix(item, "*")
-			if strings.HasPrefix(fullName, prefix) {
-				return true
-			}
-		}
-		
-		if strings.HasPrefix(item, "*/") {
-			repoPattern := strings.TrimPrefix(item, "*/")
-			if strings.HasSuffix(repoPattern, "*") {
-				repoPrefix := strings.TrimSuffix(repoPattern, "*")
-				if strings.HasPrefix(imageInfo.Repository, repoPrefix) {
-					return true
-				}
-			} else {
-				if strings.ToLower(imageInfo.Repository) == repoPattern {
-					return true
-				}
-			}
-		}
-		
-		if strings.HasPrefix(fullName, item+"/") {
-			return true
-		}
-	}
-	return false
-}
-
-// checkList GitHub仓库检查逻辑
-func (ac *AccessController) checkList(matches, list []string) bool {
-	if len(matches) < 2 {
-		return false
-	}
-	
-	username := strings.ToLower(strings.TrimSpace(matches[0]))
-	repoName := strings.ToLower(strings.TrimSpace(strings.TrimSuffix(matches[1], ".git")))
-	fullRepo := username + "/" + repoName
-	
-	for _, item := range list {
-		item = strings.ToLower(strings.TrimSpace(item))
-		if item == "" {
-			continue
-		}
-		
-		// 支持多种匹配模式
-		if fullRepo == item {
-			return true
-		}
-		
-		// 用户级匹配
-		if item == username || item == username+"/*" {
-			return true
-		}
-		
-		// 前缀匹配（支持通配符）
-		if strings.HasSuffix(item, "*") {
-			prefix := strings.TrimSuffix(item, "*")
-			if strings.HasPrefix(fullRepo, prefix) {
-				return true
-			}
-		}
-		
-		// 子仓库匹配（防止 user/repo 匹配到 user/repo-fork）
-		if strings.HasPrefix(fullRepo, item+"/") {
-			return true
-		}
-	}
-	return false
-}
-
- 
+package main
+
+import (
+	"strings"
+	"sync"
+)
+
+// ResourceType 资源类型
+type ResourceType string
+
+const (
+	ResourceTypeGitHub ResourceType = "github"
+	ResourceTypeDocker ResourceType = "docker"
+)
+
+// AccessController 统一访问控制器
+type AccessController struct {
+	mu sync.RWMutex
+}
+
+// DockerImageInfo Docker镜像信息
+type DockerImageInfo struct {
+	Namespace  string
+	Repository string
+	Tag        string
+	FullName   string
+}
+
+// 全局访问控制器实例
+var GlobalAccessController = &AccessController{}
+
+// ParseDockerImage 解析Docker镜像名称
+func (ac *AccessController) ParseDockerImage(image string) DockerImageInfo {
+	image = strings.TrimPrefix(image, "docker://")
+
+	var tag string
+	if idx := strings.LastIndex(image, ":"); idx != -1 {
+		part := image[idx+1:]
+		if !strings.Contains(part, "/") {
+			tag = part
+			image = image[:idx]
+		}
+	}
+	if tag == "" {
+		tag = "latest"
+	}
+
+	var namespace, repository string
+	if strings.Contains(image, "/") {
+		parts := strings.Split(image, "/")
+		if len(parts) >= 2 {
+			if strings.Contains(parts[0], ".") {
+				if len(parts) >= 3 {
+					namespace = parts[1]
+					repository = parts[2]
+				} else {
+					namespace = "library"
+					repository = parts[1]
+				}
+			} else {
+				namespace = parts[0]
+				repository = parts[1]
+			}
+		}
+	} else {
+		namespace = "library"
+		repository = image
+	}
+
+	fullName := namespace + "/" + repository
+
+	return DockerImageInfo{
+		Namespace:  namespace,
+		Repository: repository,
+		Tag:        tag,
+		FullName:   fullName,
+	}
+}
+
+// CheckDockerAccess 检查Docker镜像访问权限
+func (ac *AccessController) CheckDockerAccess(image string) (allowed bool, reason string) {
+	cfg := GetConfig()
+
+	// 解析镜像名称
+	imageInfo := ac.ParseDockerImage(image)
+
+	// 检查白名单（如果配置了白名单，则只允许白名单中的镜像）
+	if len(cfg.Access.WhiteList) > 0 {
+		if !ac.matchImageInList(imageInfo, cfg.Access.WhiteList) {
+			return false, "不在Docker镜像白名单内"
+		}
+	}
+
+	// 检查黑名单
+	if len(cfg.Access.BlackList) > 0 {
+		if ac.matchImageInList(imageInfo, cfg.Access.BlackList) {
+			return false, "Docker镜像在黑名单内"
+		}
+	}
+
+	return true, ""
+}
+
+// CheckGitHubAccess 检查GitHub仓库访问权限
+func (ac *AccessController) CheckGitHubAccess(matches []string) (allowed bool, reason string) {
+	if len(matches) < 2 {
+		return false, "无效的GitHub仓库格式"
+	}
+
+	cfg := GetConfig()
+
+	// 检查白名单
+	if len(cfg.Access.WhiteList) > 0 && !ac.checkList(matches, cfg.Access.WhiteList) {
+		return false, "不在GitHub仓库白名单内"
+	}
+
+	// 检查黑名单
+	if len(cfg.Access.BlackList) > 0 && ac.checkList(matches, cfg.Access.BlackList) {
+		return false, "GitHub仓库在黑名单内"
+	}
+
+	return true, ""
+}
+
+// matchImageInList 检查Docker镜像是否在指定列表中
+func (ac *AccessController) matchImageInList(imageInfo DockerImageInfo, list []string) bool {
+	fullName := strings.ToLower(imageInfo.FullName)
+	namespace := strings.ToLower(imageInfo.Namespace)
+
+	for _, item := range list {
+		item = strings.ToLower(strings.TrimSpace(item))
+		if item == "" {
+			continue
+		}
+
+		if fullName == item {
+			return true
+		}
+
+		if item == namespace || item == namespace+"/*" {
+			return true
+		}
+
+		if strings.HasSuffix(item, "*") {
+			prefix := strings.TrimSuffix(item, "*")
+			if strings.HasPrefix(fullName, prefix) {
+				return true
+			}
+		}
+
+		if strings.HasPrefix(item, "*/") {
+			repoPattern := strings.TrimPrefix(item, "*/")
+			if strings.HasSuffix(repoPattern, "*") {
+				repoPrefix := strings.TrimSuffix(repoPattern, "*")
+				if strings.HasPrefix(imageInfo.Repository, repoPrefix) {
+					return true
+				}
+			} else {
+				if strings.ToLower(imageInfo.Repository) == repoPattern {
+					return true
+				}
+			}
+		}
+
+		if strings.HasPrefix(fullName, item+"/") {
+			return true
+		}
+	}
+	return false
+}
+
+// checkList GitHub仓库检查逻辑
+func (ac *AccessController) checkList(matches, list []string) bool {
+	if len(matches) < 2 {
+		return false
+	}
+
+	username := strings.ToLower(strings.TrimSpace(matches[0]))
+	repoName := strings.ToLower(strings.TrimSpace(strings.TrimSuffix(matches[1], ".git")))
+	fullRepo := username + "/" + repoName
+
+	for _, item := range list {
+		item = strings.ToLower(strings.TrimSpace(item))
+		if item == "" {
+			continue
+		}
+
+		// 支持多种匹配模式
+		if fullRepo == item {
+			return true
+		}
+
+		// 用户级匹配
+		if item == username || item == username+"/*" {
+			return true
+		}
+
+		// 前缀匹配（支持通配符）
+		if strings.HasSuffix(item, "*") {
+			prefix := strings.TrimSuffix(item, "*")
+			if strings.HasPrefix(fullRepo, prefix) {
+				return true
+			}
+		}
+
+		// 子仓库匹配（防止 user/repo 匹配到 user/repo-fork）
+		if strings.HasPrefix(fullRepo, item+"/") {
+			return true
+		}
+	}
+	return false
+}
--- a/src/config.go
+++ b/src/config.go
@@ -1,275 +1,276 @@
-package main
-
-import (
-	"fmt"
-	"os"
-	"strconv"
-	"strings"
-	"sync"
-	"time"
-
-	"github.com/pelletier/go-toml/v2"
-)
-
-// RegistryMapping Registry映射配置
-type RegistryMapping struct {
-	Upstream string `toml:"upstream"` // 上游Registry地址
-	AuthHost string `toml:"authHost"` // 认证服务器地址
-	AuthType string `toml:"authType"` // 认证类型: docker/github/google/basic
-	Enabled  bool   `toml:"enabled"`  // 是否启用
-}
-
-// AppConfig 应用配置结构体
-type AppConfig struct {
-	Server struct {
-		Host     string `toml:"host"`     // 监听地址
-		Port     int    `toml:"port"`     // 监听端口
-		FileSize int64  `toml:"fileSize"` // 文件大小限制（字节）
-	} `toml:"server"`
-
-	RateLimit struct {
-		RequestLimit int     `toml:"requestLimit"` // 每小时请求限制
-		PeriodHours  float64 `toml:"periodHours"`  // 限制周期（小时）
-	} `toml:"rateLimit"`
-
-	Security struct {
-		WhiteList []string `toml:"whiteList"` // 白名单IP/CIDR列表
-		BlackList []string `toml:"blackList"` // 黑名单IP/CIDR列表
-	} `toml:"security"`
-
-	Proxy struct {
-		WhiteList []string `toml:"whiteList"` // 代理白名单（仓库级别）
-		BlackList []string `toml:"blackList"` // 代理黑名单（仓库级别）
-		Socks5    string   `toml:"socks5"`    // SOCKS5代理地址: socks5://[user:pass@]host:port
-	} `toml:"proxy"`
-
-	Download struct {
-		MaxImages int `toml:"maxImages"` // 单次下载最大镜像数量限制
-	} `toml:"download"`
-
-	Registries map[string]RegistryMapping `toml:"registries"`
-
-	TokenCache struct {
-		Enabled    bool   `toml:"enabled"`    // 是否启用token缓存
-		DefaultTTL string `toml:"defaultTTL"` // 默认缓存时间
-	} `toml:"tokenCache"`
-}
-
-var (
-	appConfig     *AppConfig
-	appConfigLock sync.RWMutex
-	
-	cachedConfig     *AppConfig
-	configCacheTime  time.Time
-	configCacheTTL   = 5 * time.Second
-	configCacheMutex sync.RWMutex
-)
-
-// DefaultConfig 返回默认配置
-func DefaultConfig() *AppConfig {
-	return &AppConfig{
-		Server: struct {
-			Host     string `toml:"host"`
-			Port     int    `toml:"port"`
-			FileSize int64  `toml:"fileSize"`
-		}{
-			Host:     "0.0.0.0",
-			Port:     5000,
-			FileSize: 2 * 1024 * 1024 * 1024, // 2GB
-		},
-		RateLimit: struct {
-			RequestLimit int     `toml:"requestLimit"`
-			PeriodHours  float64 `toml:"periodHours"`
-		}{
-			RequestLimit: 20,
-			PeriodHours:  1.0,
-		},
-		Security: struct {
-			WhiteList []string `toml:"whiteList"`
-			BlackList []string `toml:"blackList"`
-		}{
-			WhiteList: []string{},
-			BlackList: []string{},
-		},
-		Proxy: struct {
-			WhiteList []string `toml:"whiteList"`
-			BlackList []string `toml:"blackList"`
-			Socks5    string   `toml:"socks5"`
-		}{
-			WhiteList: []string{},
-			BlackList: []string{},
-			Socks5:    "", // 默认不使用代理
-		},
-		Download: struct {
-			MaxImages int `toml:"maxImages"`
-		}{
-			MaxImages: 10, // 默认值：最多同时下载10个镜像
-		},
-		Registries: map[string]RegistryMapping{
-			"ghcr.io": {
-				Upstream: "ghcr.io",
-				AuthHost: "ghcr.io/token",
-				AuthType: "github",
-				Enabled:  true,
-			},
-			"gcr.io": {
-				Upstream: "gcr.io",
-				AuthHost: "gcr.io/v2/token",
-				AuthType: "google",
-				Enabled:  true,
-			},
-			"quay.io": {
-				Upstream: "quay.io",
-				AuthHost: "quay.io/v2/auth",
-				AuthType: "quay",
-				Enabled:  true,
-			},
-			"registry.k8s.io": {
-				Upstream: "registry.k8s.io",
-				AuthHost: "registry.k8s.io",
-				AuthType: "anonymous",
-				Enabled:  true,
-			},
-		},
-		TokenCache: struct {
-			Enabled    bool   `toml:"enabled"`
-			DefaultTTL string `toml:"defaultTTL"`
-		}{
-			Enabled:    true, // docker认证的匿名Token缓存配置，用于提升性能
-			DefaultTTL: "20m",
-		},
-	}
-}
-
-// GetConfig 安全地获取配置副本
-func GetConfig() *AppConfig {
-	configCacheMutex.RLock()
-	if cachedConfig != nil && time.Since(configCacheTime) < configCacheTTL {
-		config := cachedConfig
-		configCacheMutex.RUnlock()
-		return config
-	}
-	configCacheMutex.RUnlock()
-	
-	// 缓存过期，重新生成配置
-	configCacheMutex.Lock()
-	defer configCacheMutex.Unlock()
-	
-	// 双重检查，防止重复生成
-	if cachedConfig != nil && time.Since(configCacheTime) < configCacheTTL {
-		return cachedConfig
-	}
-	
-	appConfigLock.RLock()
-	if appConfig == nil {
-		appConfigLock.RUnlock()
-		defaultCfg := DefaultConfig()
-		cachedConfig = defaultCfg
-		configCacheTime = time.Now()
-		return defaultCfg
-	}
-	
-	// 生成新的配置深拷贝
-	configCopy := *appConfig
-	configCopy.Security.WhiteList = append([]string(nil), appConfig.Security.WhiteList...)
-	configCopy.Security.BlackList = append([]string(nil), appConfig.Security.BlackList...)
-	configCopy.Proxy.WhiteList = append([]string(nil), appConfig.Proxy.WhiteList...)
-	configCopy.Proxy.BlackList = append([]string(nil), appConfig.Proxy.BlackList...)
-	appConfigLock.RUnlock()
-	
-	cachedConfig = &configCopy
-	configCacheTime = time.Now()
-	
-	return cachedConfig
-}
-
-// setConfig 安全地设置配置
-func setConfig(cfg *AppConfig) {
-	appConfigLock.Lock()
-	defer appConfigLock.Unlock()
-	appConfig = cfg
-	
-	configCacheMutex.Lock()
-	cachedConfig = nil
-	configCacheMutex.Unlock()
-}
-
-// LoadConfig 加载配置文件
-func LoadConfig() error {
-	// 首先使用默认配置
-	cfg := DefaultConfig()
-	
-	// 尝试加载TOML配置文件
-	if data, err := os.ReadFile("config.toml"); err == nil {
-		if err := toml.Unmarshal(data, cfg); err != nil {
-			return fmt.Errorf("解析配置文件失败: %v", err)
-		}
-	} else {
-		fmt.Println("未找到config.toml，使用默认配置")
-	}
-	
-	// 从环境变量覆盖配置
-	overrideFromEnv(cfg)
-	
-	// 设置配置
-	setConfig(cfg)
-	
-	return nil
-}
-
-// overrideFromEnv 从环境变量覆盖配置
-func overrideFromEnv(cfg *AppConfig) {
-	// 服务器配置
-	if val := os.Getenv("SERVER_HOST"); val != "" {
-		cfg.Server.Host = val
-	}
-	if val := os.Getenv("SERVER_PORT"); val != "" {
-		if port, err := strconv.Atoi(val); err == nil && port > 0 {
-			cfg.Server.Port = port
-		}
-	}
-	if val := os.Getenv("MAX_FILE_SIZE"); val != "" {
-		if size, err := strconv.ParseInt(val, 10, 64); err == nil && size > 0 {
-			cfg.Server.FileSize = size
-		}
-	}
-	
-	// 限流配置
-	if val := os.Getenv("RATE_LIMIT"); val != "" {
-		if limit, err := strconv.Atoi(val); err == nil && limit > 0 {
-			cfg.RateLimit.RequestLimit = limit
-		}
-	}
-	if val := os.Getenv("RATE_PERIOD_HOURS"); val != "" {
-		if period, err := strconv.ParseFloat(val, 64); err == nil && period > 0 {
-			cfg.RateLimit.PeriodHours = period
-		}
-	}
-	
-	// IP限制配置
-	if val := os.Getenv("IP_WHITELIST"); val != "" {
-		cfg.Security.WhiteList = append(cfg.Security.WhiteList, strings.Split(val, ",")...)
-	}
-	if val := os.Getenv("IP_BLACKLIST"); val != "" {
-		cfg.Security.BlackList = append(cfg.Security.BlackList, strings.Split(val, ",")...)
-	}
-	
-	// 下载限制配置
-	if val := os.Getenv("MAX_IMAGES"); val != "" {
-		if maxImages, err := strconv.Atoi(val); err == nil && maxImages > 0 {
-			cfg.Download.MaxImages = maxImages
-		}
-	}
-}
-
-// CreateDefaultConfigFile 创建默认配置文件
-func CreateDefaultConfigFile() error {
-	cfg := DefaultConfig()
-	
-	data, err := toml.Marshal(cfg)
-	if err != nil {
-		return fmt.Errorf("序列化默认配置失败: %v", err)
-	}
-	
-	return os.WriteFile("config.toml", data, 0644)
-} 
+package main
+
+import (
+	"fmt"
+	"os"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/pelletier/go-toml/v2"
+)
+
+// RegistryMapping Registry映射配置
+type RegistryMapping struct {
+	Upstream string `toml:"upstream"` // 上游Registry地址
+	AuthHost string `toml:"authHost"` // 认证服务器地址
+	AuthType string `toml:"authType"` // 认证类型: docker/github/google/basic
+	Enabled  bool   `toml:"enabled"`  // 是否启用
+}
+
+// AppConfig 应用配置结构体
+type AppConfig struct {
+	Server struct {
+		Host     string `toml:"host"`     // 监听地址
+		Port     int    `toml:"port"`     // 监听端口
+		FileSize int64  `toml:"fileSize"` // 文件大小限制（字节）
+	} `toml:"server"`
+
+	RateLimit struct {
+		RequestLimit int     `toml:"requestLimit"` // 每小时请求限制
+		PeriodHours  float64 `toml:"periodHours"`  // 限制周期（小时）
+	} `toml:"rateLimit"`
+
+	Security struct {
+		WhiteList []string `toml:"whiteList"` // 白名单IP/CIDR列表
+		BlackList []string `toml:"blackList"` // 黑名单IP/CIDR列表
+	} `toml:"security"`
+
+	Access struct {
+		WhiteList []string `toml:"whiteList"` // 代理白名单（仓库级别）
+		BlackList []string `toml:"blackList"` // 代理黑名单（仓库级别）
+		Proxy     string   `toml:"proxy"`     // 代理地址: 支持 http/https/socks5/socks5h
+	} `toml:"access"`
+
+	Download struct {
+		MaxImages int `toml:"maxImages"` // 单次下载最大镜像数量限制
+	} `toml:"download"`
+
+	Registries map[string]RegistryMapping `toml:"registries"`
+
+	TokenCache struct {
+		Enabled    bool   `toml:"enabled"`    // 是否启用token缓存
+		DefaultTTL string `toml:"defaultTTL"` // 默认缓存时间
+	} `toml:"tokenCache"`
+}
+
+var (
+	appConfig     *AppConfig
+	appConfigLock sync.RWMutex
+
+	cachedConfig     *AppConfig
+	configCacheTime  time.Time
+	configCacheTTL   = 5 * time.Second
+	configCacheMutex sync.RWMutex
+)
+
+// todo:Refactoring is needed
+// DefaultConfig 返回默认配置
+func DefaultConfig() *AppConfig {
+	return &AppConfig{
+		Server: struct {
+			Host     string `toml:"host"`
+			Port     int    `toml:"port"`
+			FileSize int64  `toml:"fileSize"`
+		}{
+			Host:     "0.0.0.0",
+			Port:     5000,
+			FileSize: 2 * 1024 * 1024 * 1024, // 2GB
+		},
+		RateLimit: struct {
+			RequestLimit int     `toml:"requestLimit"`
+			PeriodHours  float64 `toml:"periodHours"`
+		}{
+			RequestLimit: 20,
+			PeriodHours:  1.0,
+		},
+		Security: struct {
+			WhiteList []string `toml:"whiteList"`
+			BlackList []string `toml:"blackList"`
+		}{
+			WhiteList: []string{},
+			BlackList: []string{},
+		},
+		Access: struct {
+			WhiteList []string `toml:"whiteList"`
+			BlackList []string `toml:"blackList"`
+			Proxy     string   `toml:"proxy"`
+		}{
+			WhiteList: []string{},
+			BlackList: []string{},
+			Proxy:     "", // 默认不使用代理
+		},
+		Download: struct {
+			MaxImages int `toml:"maxImages"`
+		}{
+			MaxImages: 10, // 默认值：最多同时下载10个镜像
+		},
+		Registries: map[string]RegistryMapping{
+			"ghcr.io": {
+				Upstream: "ghcr.io",
+				AuthHost: "ghcr.io/token",
+				AuthType: "github",
+				Enabled:  true,
+			},
+			"gcr.io": {
+				Upstream: "gcr.io",
+				AuthHost: "gcr.io/v2/token",
+				AuthType: "google",
+				Enabled:  true,
+			},
+			"quay.io": {
+				Upstream: "quay.io",
+				AuthHost: "quay.io/v2/auth",
+				AuthType: "quay",
+				Enabled:  true,
+			},
+			"registry.k8s.io": {
+				Upstream: "registry.k8s.io",
+				AuthHost: "registry.k8s.io",
+				AuthType: "anonymous",
+				Enabled:  true,
+			},
+		},
+		TokenCache: struct {
+			Enabled    bool   `toml:"enabled"`
+			DefaultTTL string `toml:"defaultTTL"`
+		}{
+			Enabled:    true, // docker认证的匿名Token缓存配置，用于提升性能
+			DefaultTTL: "20m",
+		},
+	}
+}
+
+// GetConfig 安全地获取配置副本
+func GetConfig() *AppConfig {
+	configCacheMutex.RLock()
+	if cachedConfig != nil && time.Since(configCacheTime) < configCacheTTL {
+		config := cachedConfig
+		configCacheMutex.RUnlock()
+		return config
+	}
+	configCacheMutex.RUnlock()
+
+	// 缓存过期，重新生成配置
+	configCacheMutex.Lock()
+	defer configCacheMutex.Unlock()
+
+	// 双重检查，防止重复生成
+	if cachedConfig != nil && time.Since(configCacheTime) < configCacheTTL {
+		return cachedConfig
+	}
+
+	appConfigLock.RLock()
+	if appConfig == nil {
+		appConfigLock.RUnlock()
+		defaultCfg := DefaultConfig()
+		cachedConfig = defaultCfg
+		configCacheTime = time.Now()
+		return defaultCfg
+	}
+
+	// 生成新的配置深拷贝
+	configCopy := *appConfig
+	configCopy.Security.WhiteList = append([]string(nil), appConfig.Security.WhiteList...)
+	configCopy.Security.BlackList = append([]string(nil), appConfig.Security.BlackList...)
+	configCopy.Access.WhiteList = append([]string(nil), appConfig.Access.WhiteList...)
+	configCopy.Access.BlackList = append([]string(nil), appConfig.Access.BlackList...)
+	appConfigLock.RUnlock()
+
+	cachedConfig = &configCopy
+	configCacheTime = time.Now()
+
+	return cachedConfig
+}
+
+// setConfig 安全地设置配置
+func setConfig(cfg *AppConfig) {
+	appConfigLock.Lock()
+	defer appConfigLock.Unlock()
+	appConfig = cfg
+
+	configCacheMutex.Lock()
+	cachedConfig = nil
+	configCacheMutex.Unlock()
+}
+
+// LoadConfig 加载配置文件
+func LoadConfig() error {
+	// 首先使用默认配置
+	cfg := DefaultConfig()
+
+	// 尝试加载TOML配置文件
+	if data, err := os.ReadFile("config.toml"); err == nil {
+		if err := toml.Unmarshal(data, cfg); err != nil {
+			return fmt.Errorf("解析配置文件失败: %v", err)
+		}
+	} else {
+		fmt.Println("未找到config.toml，使用默认配置")
+	}
+
+	// 从环境变量覆盖配置
+	overrideFromEnv(cfg)
+
+	// 设置配置
+	setConfig(cfg)
+
+	return nil
+}
+
+// overrideFromEnv 从环境变量覆盖配置
+func overrideFromEnv(cfg *AppConfig) {
+	// 服务器配置
+	if val := os.Getenv("SERVER_HOST"); val != "" {
+		cfg.Server.Host = val
+	}
+	if val := os.Getenv("SERVER_PORT"); val != "" {
+		if port, err := strconv.Atoi(val); err == nil && port > 0 {
+			cfg.Server.Port = port
+		}
+	}
+	if val := os.Getenv("MAX_FILE_SIZE"); val != "" {
+		if size, err := strconv.ParseInt(val, 10, 64); err == nil && size > 0 {
+			cfg.Server.FileSize = size
+		}
+	}
+
+	// 限流配置
+	if val := os.Getenv("RATE_LIMIT"); val != "" {
+		if limit, err := strconv.Atoi(val); err == nil && limit > 0 {
+			cfg.RateLimit.RequestLimit = limit
+		}
+	}
+	if val := os.Getenv("RATE_PERIOD_HOURS"); val != "" {
+		if period, err := strconv.ParseFloat(val, 64); err == nil && period > 0 {
+			cfg.RateLimit.PeriodHours = period
+		}
+	}
+
+	// IP限制配置
+	if val := os.Getenv("IP_WHITELIST"); val != "" {
+		cfg.Security.WhiteList = append(cfg.Security.WhiteList, strings.Split(val, ",")...)
+	}
+	if val := os.Getenv("IP_BLACKLIST"); val != "" {
+		cfg.Security.BlackList = append(cfg.Security.BlackList, strings.Split(val, ",")...)
+	}
+
+	// 下载限制配置
+	if val := os.Getenv("MAX_IMAGES"); val != "" {
+		if maxImages, err := strconv.Atoi(val); err == nil && maxImages > 0 {
+			cfg.Download.MaxImages = maxImages
+		}
+	}
+}
+
+// CreateDefaultConfigFile 创建默认配置文件
+func CreateDefaultConfigFile() error {
+	cfg := DefaultConfig()
+
+	data, err := toml.Marshal(cfg)
+	if err != nil {
+		return fmt.Errorf("序列化默认配置失败: %v", err)
+	}
+
+	return os.WriteFile("config.toml", data, 0644)
+}
--- a/src/config.toml
+++ b/src/config.toml
@@ -26,7 +26,7 @@ blackList = [
    "192.168.100.0/24"
 ]

-[proxy]
+[access]
 # 代理服务白名单（支持GitHub仓库和Docker镜像，支持通配符）
 # 只允许访问白名单中的仓库/镜像，为空时不限制
 whiteList = []
@@ -39,11 +39,17 @@ blackList = [
    "baduser/*"
 ]

-# SOCKS5代理配置，支持有用户名/密码认证和无认证模式
+# 代理配置，支持有用户名/密码认证和无认证模式
 # 无认证: socks5://127.0.0.1:1080
 # 有认证: socks5://username:password@127.0.0.1:1080
+# HTTP 代理示例
+# http://username:password@127.0.0.1:7890
+# SOCKS5 代理示例
+# socks5://username:password@127.0.0.1:1080
+# SOCKS5H 代理示例
+# socks5h://username:password@127.0.0.1:1080
 # 留空不使用代理
-socks5 = "" 
+proxy = "" 

 [download]
 # 批量下载离线镜像数量限制
--- a/src/docker.go
+++ b/src/docker.go
--- a/src/go.mod
+++ b/src/go.mod
@@ -6,7 +6,6 @@ require (
 	github.com/gin-gonic/gin v1.10.0
 	github.com/google/go-containerregistry v0.20.5
 	github.com/pelletier/go-toml/v2 v2.2.3
-	golang.org/x/net v0.33.0
 	golang.org/x/time v0.11.0
 )

@@ -44,6 +43,7 @@ require (
 	github.com/vbatts/tar-split v0.12.1 // indirect
 	golang.org/x/arch v0.8.0 // indirect
 	golang.org/x/crypto v0.32.0 // indirect
+	golang.org/x/net v0.33.0 // indirect
 	golang.org/x/sync v0.14.0 // indirect
 	golang.org/x/sys v0.33.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
--- a/src/http_client.go
+++ b/src/http_client.go
@@ -1,113 +1,68 @@
-package main
-
-import (
-	"context"
-	"log"
-	"net"
-	"net/http"
-	"net/url"
-	"time"
-
-	"golang.org/x/net/proxy"
-)
-
-var (
-	// 全局HTTP客户端 - 用于代理请求（长超时）
-	globalHTTPClient *http.Client
-	// 搜索HTTP客户端 - 用于API请求（短超时） 
-	searchHTTPClient *http.Client
-)
-
-// initHTTPClients 初始化HTTP客户端
-func initHTTPClients() {
-	cfg := GetConfig()
-	
-	// 创建DialContext函数，支持SOCKS5代理
-	createDialContext := func(timeout time.Duration) func(ctx context.Context, network, addr string) (net.Conn, error) {
-		if cfg.Proxy.Socks5 == "" {
-			// 没有配置代理，使用直连
-			dialer := &net.Dialer{
-				Timeout:   timeout,
-				KeepAlive: 30 * time.Second,
-			}
-			return dialer.DialContext
-		}
-		
-		// 解析SOCKS5代理URL
-		proxyURL, err := url.Parse(cfg.Proxy.Socks5)
-		if err != nil {
-			log.Printf("SOCKS5代理配置错误，使用直连: %v", err)
-			dialer := &net.Dialer{
-				Timeout:   timeout,
-				KeepAlive: 30 * time.Second,
-			}
-			return dialer.DialContext
-		}
-		
-		// 创建基础dialer
-		baseDialer := &net.Dialer{
-			Timeout:   timeout,
-			KeepAlive: 30 * time.Second,
-		}
-		
-		// 创建SOCKS5代理dialer
-		var auth *proxy.Auth
-		if proxyURL.User != nil {
-			if password, ok := proxyURL.User.Password(); ok {
-				auth = &proxy.Auth{
-					User:     proxyURL.User.Username(),
-					Password: password,
-				}
-			}
-		}
-		
-		socks5Dialer, err := proxy.SOCKS5("tcp", proxyURL.Host, auth, baseDialer)
-		if err != nil {
-			log.Printf("创建SOCKS5代理失败，使用直连: %v", err)
-			return baseDialer.DialContext
-		}
-		
-		log.Printf("使用SOCKS5代理: %s", proxyURL.Host)
-		
-		// 返回带上下文的dial函数
-		return func(ctx context.Context, network, addr string) (net.Conn, error) {
-			return socks5Dialer.Dial(network, addr)
-		}
-	}
-	
-	// 代理客户端配置 - 适用于大文件传输
-	globalHTTPClient = &http.Client{
-		Transport: &http.Transport{
-			DialContext:           createDialContext(30 * time.Second),
-			MaxIdleConns:          1000,
-			MaxIdleConnsPerHost:   1000,
-			IdleConnTimeout:       90 * time.Second,
-			TLSHandshakeTimeout:   10 * time.Second,
-			ExpectContinueTimeout: 1 * time.Second,
-			ResponseHeaderTimeout: 300 * time.Second,
-		},
-	}
-	
-	// 搜索客户端配置 - 适用于API调用
-	searchHTTPClient = &http.Client{
-		Timeout: 10 * time.Second,
-		Transport: &http.Transport{
-			DialContext:         createDialContext(5 * time.Second),
-			MaxIdleConns:        100,
-			MaxIdleConnsPerHost: 10,
-			IdleConnTimeout:     90 * time.Second,
-			TLSHandshakeTimeout: 5 * time.Second,
-			DisableCompression:  false,
-		},
-	}
-}
-
-// GetGlobalHTTPClient 获取全局HTTP客户端（用于代理）
-func GetGlobalHTTPClient() *http.Client {
-	return globalHTTPClient
-}
-
-// GetSearchHTTPClient 获取搜索HTTP客户端（用于API调用）
-func GetSearchHTTPClient() *http.Client {
-	return searchHTTPClient
-} 
+package main
+
+import (
+	"net"
+	"net/http"
+	"os"
+	"time"
+)
+
+var (
+	// 全局HTTP客户端 - 用于代理请求（长超时）
+	globalHTTPClient *http.Client
+	// 搜索HTTP客户端 - 用于API请求（短超时）
+	searchHTTPClient *http.Client
+)
+
+// initHTTPClients 初始化HTTP客户端
+func initHTTPClients() {
+	cfg := GetConfig()
+
+	if p := cfg.Access.Proxy; p != "" {
+		os.Setenv("HTTP_PROXY", p)
+		os.Setenv("HTTPS_PROXY", p)
+	}
+	// 代理客户端配置 - 适用于大文件传输
+	globalHTTPClient = &http.Client{
+		Transport: &http.Transport{
+			Proxy: http.ProxyFromEnvironment,
+			DialContext: (&net.Dialer{
+				Timeout:   30 * time.Second,
+				KeepAlive: 30 * time.Second,
+			}).DialContext,
+			MaxIdleConns:          1000,
+			MaxIdleConnsPerHost:   1000,
+			IdleConnTimeout:       90 * time.Second,
+			TLSHandshakeTimeout:   10 * time.Second,
+			ExpectContinueTimeout: 1 * time.Second,
+			ResponseHeaderTimeout: 300 * time.Second,
+		},
+	}
+
+	// 搜索客户端配置 - 适用于API调用
+	searchHTTPClient = &http.Client{
+		Timeout: 10 * time.Second,
+		Transport: &http.Transport{
+			Proxy: http.ProxyFromEnvironment,
+			DialContext: (&net.Dialer{
+				Timeout:   5 * time.Second,
+				KeepAlive: 30 * time.Second,
+			}).DialContext,
+			MaxIdleConns:        100,
+			MaxIdleConnsPerHost: 10,
+			IdleConnTimeout:     90 * time.Second,
+			TLSHandshakeTimeout: 5 * time.Second,
+			DisableCompression:  false,
+		},
+	}
+}
+
+// GetGlobalHTTPClient 获取全局HTTP客户端（用于代理）
+func GetGlobalHTTPClient() *http.Client {
+	return globalHTTPClient
+}
+
+// GetSearchHTTPClient 获取搜索HTTP客户端（用于API调用）
+func GetSearchHTTPClient() *http.Client {
+	return searchHTTPClient
+}
--- a/src/imagetar.go
+++ b/src/imagetar.go
@@ -52,28 +52,28 @@ func NewDownloadDebouncer(window time.Duration) *DownloadDebouncer {
 func (d *DownloadDebouncer) ShouldAllow(userID, contentKey string) bool {
 	d.mu.Lock()
 	defer d.mu.Unlock()
-	
+
 	key := userID + ":" + contentKey
 	now := time.Now()
-	
+
 	if entry, exists := d.entries[key]; exists {
 		if now.Sub(entry.LastRequest) < d.window {
 			return false // 在防抖窗口内，拒绝请求
 		}
 	}
-	
+
 	// 更新或创建条目
 	d.entries[key] = &DebounceEntry{
 		LastRequest: now,
 		UserID:      userID,
 	}
-	
+
 	// 清理过期条目（每5分钟清理一次）
 	if time.Since(d.lastCleanup) > 5*time.Minute {
 		d.cleanup(now)
 		d.lastCleanup = now
 	}
-	
+
 	return true
 }

@@ -92,10 +92,10 @@ func generateContentFingerprint(images []string, platform string) string {
 	sortedImages := make([]string, len(images))
 	copy(sortedImages, images)
 	sort.Strings(sortedImages)
-	
+
 	// 组合内容：镜像列表 + 平台信息
 	content := strings.Join(sortedImages, "|") + ":" + platform
-	
+
 	// 生成MD5哈希
 	hash := md5.Sum([]byte(content))
 	return hex.EncodeToString(hash[:])
@@ -107,14 +107,14 @@ func getUserID(c *gin.Context) string {
 	if sessionID, err := c.Cookie("session_id"); err == nil && sessionID != "" {
 		return "session:" + sessionID
 	}
-	
+
 	// 备用方案：IP + User-Agent组合
 	ip := c.ClientIP()
 	userAgent := c.GetHeader("User-Agent")
 	if userAgent == "" {
 		userAgent = "unknown"
 	}
-	
+
 	// 生成简短标识
 	combined := ip + ":" + userAgent
 	hash := md5.Sum([]byte(combined))
@@ -228,7 +228,7 @@ func (is *ImageStreamer) StreamImageToGin(ctx context.Context, imageRef string,
 	filename := strings.ReplaceAll(imageRef, "/", "_") + ".tar"
 	c.Header("Content-Type", "application/octet-stream")
 	c.Header("Content-Disposition", fmt.Sprintf("attachment; filename=\"%s\"", filename))
-	
+
 	if options.Compression {
 		c.Header("Content-Encoding", "gzip")
 	}
@@ -295,18 +295,18 @@ func (is *ImageStreamer) streamDockerFormatWithReturn(ctx context.Context, tarWr
 	if err != nil {
 		return err
 	}
-	
+
 	configData, err := json.Marshal(configFile)
 	if err != nil {
 		return err
 	}
-	
+
 	configHeader := &tar.Header{
 		Name: configDigest.String() + ".json",
 		Size: int64(len(configData)),
 		Mode: 0644,
 	}
-	
+
 	if err := tarWriter.WriteHeader(configHeader); err != nil {
 		return err
 	}
@@ -335,14 +335,14 @@ func (is *ImageStreamer) streamDockerFormatWithReturn(ctx context.Context, tarWr
 				Typeflag: tar.TypeDir,
 				Mode:     0755,
 			}
-			
+
 			if err := tarWriter.WriteHeader(layerHeader); err != nil {
 				return err
 			}

 			var layerSize int64
 			var layerReader io.ReadCloser
-			
+
 			// 根据配置选择使用压缩层或未压缩层
 			if options != nil && options.UseCompressedLayers {
 				layerSize, err = layer.Size()
@@ -357,7 +357,7 @@ func (is *ImageStreamer) streamDockerFormatWithReturn(ctx context.Context, tarWr
 				}
 				layerReader, err = layer.Uncompressed()
 			}
-			
+
 			if err != nil {
 				return err
 			}
@@ -368,7 +368,7 @@ func (is *ImageStreamer) streamDockerFormatWithReturn(ctx context.Context, tarWr
 				Size: layerSize,
 				Mode: 0644,
 			}
-			
+
 			if err := tarWriter.WriteHeader(layerTarHeader); err != nil {
 				return err
 			}
@@ -385,12 +385,11 @@ func (is *ImageStreamer) streamDockerFormatWithReturn(ctx context.Context, tarWr
 		log.Printf("已处理层 %d/%d", i+1, len(layers))
 	}

-
 	// 构建单个镜像的manifest信息
 	singleManifest := map[string]interface{}{
 		"Config":   configDigest.String() + ".json",
 		"RepoTags": []string{imageRef},
-		"Layers":   func() []string {
+		"Layers": func() []string {
 			var layers []string
 			for _, digest := range layerDigests {
 				layers = append(layers, digest+"/layer.tar")
@@ -417,22 +416,22 @@ func (is *ImageStreamer) streamDockerFormatWithReturn(ctx context.Context, tarWr

 	// 单镜像下载，直接写入manifest.json
 	manifest := []map[string]interface{}{singleManifest}
-	
+
 	manifestData, err := json.Marshal(manifest)
 	if err != nil {
 		return err
 	}
-	
+
 	manifestHeader := &tar.Header{
 		Name: "manifest.json",
 		Size: int64(len(manifestData)),
 		Mode: 0644,
 	}
-	
+
 	if err := tarWriter.WriteHeader(manifestHeader); err != nil {
 		return err
 	}
-	
+
 	if _, err := tarWriter.Write(manifestData); err != nil {
 		return err
 	}
@@ -442,17 +441,17 @@ func (is *ImageStreamer) streamDockerFormatWithReturn(ctx context.Context, tarWr
 	if err != nil {
 		return err
 	}
-	
+
 	repositoriesHeader := &tar.Header{
 		Name: "repositories",
 		Size: int64(len(repositoriesData)),
 		Mode: 0644,
 	}
-	
+
 	if err := tarWriter.WriteHeader(repositoriesHeader); err != nil {
 		return err
 	}
-	
+
 	_, err = tarWriter.Write(repositoriesData)
 	return err
 }
@@ -473,12 +472,12 @@ func (is *ImageStreamer) processImageForBatch(ctx context.Context, img v1.Image,

 	var manifest map[string]interface{}
 	var repositories map[string]map[string]string
-	
+
 	err = is.streamDockerFormatWithReturn(ctx, tarWriter, img, layers, configFile, imageRef, &manifest, &repositories, options)
 	if err != nil {
 		return nil, nil, err
 	}
-	
+
 	return manifest, repositories, nil
 }

@@ -537,7 +536,7 @@ func (is *ImageStreamer) selectPlatformImage(desc *remote.Descriptor, options *S
 		if m.Platform == nil {
 			continue
 		}
-		
+
 		if options.Platform != "" {
 			platformParts := strings.Split(options.Platform, "/")
 			if len(platformParts) >= 2 {
@@ -547,10 +546,10 @@ func (is *ImageStreamer) selectPlatformImage(desc *remote.Descriptor, options *S
 				if len(platformParts) >= 3 {
 					targetVariant = platformParts[2]
 				}
-				
-				if m.Platform.OS == targetOS && 
-				   m.Platform.Architecture == targetArch &&
-				   m.Platform.Variant == targetVariant {
+
+				if m.Platform.OS == targetOS &&
+					m.Platform.Architecture == targetArch &&
+					m.Platform.Variant == targetVariant {
 					selectedDesc = &m
 					break
 				}
@@ -629,10 +628,10 @@ func handleDirectImageDownload(c *gin.Context) {
 	// 防抖检查
 	userID := getUserID(c)
 	contentKey := generateContentFingerprint([]string{imageRef}, platform)
-	
+
 	if !singleImageDebouncer.ShouldAllow(userID, contentKey) {
 		c.JSON(http.StatusTooManyRequests, gin.H{
-			"error": "请求过于频繁，请稍后再试",
+			"error":       "请求过于频繁，请稍后再试",
 			"retry_after": 5,
 		})
 		return
@@ -689,10 +688,10 @@ func handleSimpleBatchDownload(c *gin.Context) {
 	// 批量下载防抖检查
 	userID := getUserID(c)
 	contentKey := generateContentFingerprint(req.Images, req.Platform)
-	
+
 	if !batchImageDebouncer.ShouldAllow(userID, contentKey) {
 		c.JSON(http.StatusTooManyRequests, gin.H{
-			"error": "批量下载请求过于频繁，请稍后再试",
+			"error":       "批量下载请求过于频繁，请稍后再试",
 			"retry_after": 60,
 		})
 		return
@@ -713,7 +712,7 @@ func handleSimpleBatchDownload(c *gin.Context) {
 	log.Printf("批量下载 %d 个镜像 (平台: %s)", len(req.Images), formatPlatformText(req.Platform))

 	filename := fmt.Sprintf("batch_%d_images.tar", len(req.Images))
-	
+
 	c.Header("Content-Type", "application/octet-stream")
 	c.Header("Content-Disposition", fmt.Sprintf("attachment; filename=\"%s\"", filename))

@@ -811,12 +810,12 @@ func (is *ImageStreamer) StreamMultipleImages(ctx context.Context, imageRefs []s
 		}

 		log.Printf("处理镜像 %d/%d: %s", i+1, len(imageRefs), imageRef)
-		
+
 		// 防止单个镜像处理时间过长
 		timeoutCtx, cancel := context.WithTimeout(ctx, 15*time.Minute)
 		manifest, repositories, err := is.streamSingleImageForBatch(timeoutCtx, tarWriter, imageRef, options)
 		cancel()
-		
+
 		if err != nil {
 			log.Printf("下载镜像 %s 失败: %v", imageRef, err)
 			return fmt.Errorf("下载镜像 %s 失败: %w", imageRef, err)
@@ -845,17 +844,17 @@ func (is *ImageStreamer) StreamMultipleImages(ctx context.Context, imageRefs []s
 	if err != nil {
 		return fmt.Errorf("序列化manifest失败: %w", err)
 	}
-	
+
 	manifestHeader := &tar.Header{
 		Name: "manifest.json",
 		Size: int64(len(manifestData)),
 		Mode: 0644,
 	}
-	
+
 	if err := tarWriter.WriteHeader(manifestHeader); err != nil {
 		return fmt.Errorf("写入manifest header失败: %w", err)
 	}
-	
+
 	if _, err := tarWriter.Write(manifestData); err != nil {
 		return fmt.Errorf("写入manifest数据失败: %w", err)
 	}
@@ -865,21 +864,21 @@ func (is *ImageStreamer) StreamMultipleImages(ctx context.Context, imageRefs []s
 	if err != nil {
 		return fmt.Errorf("序列化repositories失败: %w", err)
 	}
-	
+
 	repositoriesHeader := &tar.Header{
 		Name: "repositories",
 		Size: int64(len(repositoriesData)),
 		Mode: 0644,
 	}
-	
+
 	if err := tarWriter.WriteHeader(repositoriesHeader); err != nil {
 		return fmt.Errorf("写入repositories header失败: %w", err)
 	}
-	
+
 	if _, err := tarWriter.Write(repositoriesData); err != nil {
 		return fmt.Errorf("写入repositories数据失败: %w", err)
 	}

 	log.Printf("批量下载完成，共处理 %d 个镜像", len(imageRefs))
 	return nil
-}
+}
--- a/src/main.go
+++ b/src/main.go
@@ -1,382 +1,379 @@
-package main
-
-import (
-	"embed"
-	"fmt"
-	"io"
-	"log"
-	"net/http"
-	"regexp"
-	"strconv"
-	"strings"
-	"time"
-
-	"github.com/gin-gonic/gin"
-)
-
-//go:embed public/*
-var staticFiles embed.FS
-
-// 服务嵌入的静态文件
-func serveEmbedFile(c *gin.Context, filename string) {
-	data, err := staticFiles.ReadFile(filename)
-	if err != nil {
-		c.Status(404)
-		return
-	}
-	contentType := "text/html; charset=utf-8"
-	if strings.HasSuffix(filename, ".ico") {
-		contentType = "image/x-icon"
-	}
-	c.Data(200, contentType, data)
-}
-
-var (
-	exps = []*regexp.Regexp{
-		regexp.MustCompile(`^(?:https?://)?github\.com/([^/]+)/([^/]+)/(?:releases|archive)/.*$`),
-		regexp.MustCompile(`^(?:https?://)?github\.com/([^/]+)/([^/]+)/(?:blob|raw)/.*$`),
-		regexp.MustCompile(`^(?:https?://)?github\.com/([^/]+)/([^/]+)/(?:info|git-).*$`),
-		regexp.MustCompile(`^(?:https?://)?raw\.github(?:usercontent|)\.com/([^/]+)/([^/]+)/.+?/.+$`),
-		regexp.MustCompile(`^(?:https?://)?gist\.github(?:usercontent|)\.com/([^/]+)/.+?/.+`),
-		regexp.MustCompile(`^(?:https?://)?api\.github\.com/repos/([^/]+)/([^/]+)/.*`),
-		regexp.MustCompile(`^(?:https?://)?huggingface\.co(?:/spaces)?/([^/]+)/(.+)$`),
-		regexp.MustCompile(`^(?:https?://)?cdn-lfs\.hf\.co(?:/spaces)?/([^/]+)/([^/]+)(?:/(.*))?$`),
-		regexp.MustCompile(`^(?:https?://)?download\.docker\.com/([^/]+)/.*\.(tgz|zip)$`),
-		regexp.MustCompile(`^(?:https?://)?(github|opengraph)\.githubassets\.com/([^/]+)/.+?$`),
-	}
-	globalLimiter *IPRateLimiter
-	
-	// 服务启动时间
-	serviceStartTime = time.Now()
-)
-
-func main() {
-	// 加载配置
-	if err := LoadConfig(); err != nil {
-		fmt.Printf("配置加载失败: %v\n", err)
-		return
-	}
-	
-	// 初始化HTTP客户端
-	initHTTPClients()
-	
-	// 初始化限流器
-	initLimiter()
-	
-	// 初始化Docker流式代理
-	initDockerProxy()
-
-	// 初始化镜像流式下载器
-	initImageStreamer()
-
-	// 初始化防抖器
-	initDebouncer()
-
-	gin.SetMode(gin.ReleaseMode)
-	router := gin.Default()
-
-	// 全局Panic恢复保护
-	router.Use(gin.CustomRecovery(func(c *gin.Context, recovered interface{}) {
-		log.Printf("🚨 Panic recovered: %v", recovered)
-		c.JSON(http.StatusInternalServerError, gin.H{
-			"error": "Internal server error",
-			"code":  "INTERNAL_ERROR",
-		})
-	}))
-
-	// 全局限流中间件 - 应用到所有路由
-	router.Use(RateLimitMiddleware(globalLimiter))
-
-	// 初始化监控端点
-	initHealthRoutes(router)
-	
-	// 初始化镜像tar下载路由
-	initImageTarRoutes(router)
-	
-	// 静态文件路由
-	router.GET("/", func(c *gin.Context) {
-		serveEmbedFile(c, "public/index.html")
-	})
-	router.GET("/public/*filepath", func(c *gin.Context) {
-		filepath := strings.TrimPrefix(c.Param("filepath"), "/")
-		serveEmbedFile(c, "public/"+filepath)
-	})
-
-	router.GET("/images.html", func(c *gin.Context) {
-		serveEmbedFile(c, "public/images.html")
-	})
-	router.GET("/search.html", func(c *gin.Context) {
-		serveEmbedFile(c, "public/search.html")
-	})
-	router.GET("/favicon.ico", func(c *gin.Context) {
-		serveEmbedFile(c, "public/favicon.ico")
-	})
-
-	// 注册dockerhub搜索路由
-	RegisterSearchRoute(router)
-	
-	// 注册Docker认证路由（/token*）
-	router.Any("/token", ProxyDockerAuthGin)
-	router.Any("/token/*path", ProxyDockerAuthGin)
-	
-	// 注册Docker Registry代理路由
-	router.Any("/v2/*path", ProxyDockerRegistryGin)
-	
-
-	// 注册NoRoute处理器
-	router.NoRoute(handler)
-
-	cfg := GetConfig()
-	fmt.Printf("🚀 HubProxy 启动成功\n")
-	fmt.Printf("📡 监听地址: %s:%d\n", cfg.Server.Host, cfg.Server.Port)
-	fmt.Printf("⚡ 限流配置: %d请求/%g小时\n", cfg.RateLimit.RequestLimit, cfg.RateLimit.PeriodHours)
-	fmt.Printf("🔗 项目地址: https://github.com/sky22333/hubproxy\n")
-	
-	err := router.Run(fmt.Sprintf("%s:%d", cfg.Server.Host, cfg.Server.Port))
-	if err != nil {
-		fmt.Printf("启动服务失败: %v\n", err)
-	}
-}
-
-func handler(c *gin.Context) {
-	rawPath := strings.TrimPrefix(c.Request.URL.RequestURI(), "/")
-
-	for strings.HasPrefix(rawPath, "/") {
-		rawPath = strings.TrimPrefix(rawPath, "/")
-	}
-
-	if !strings.HasPrefix(rawPath, "http") {
-		c.String(http.StatusForbidden, "无效输入")
-		return
-	}
-
-	matches := checkURL(rawPath)
-	if matches != nil {
-		// GitHub仓库访问控制检查
-		if allowed, reason := GlobalAccessController.CheckGitHubAccess(matches); !allowed {
-			// 构建仓库名用于日志
-			var repoPath string
-			if len(matches) >= 2 {
-				username := matches[0]
-				repoName := strings.TrimSuffix(matches[1], ".git")
-				repoPath = username + "/" + repoName
-			}
-			fmt.Printf("GitHub仓库 %s 访问被拒绝: %s\n", repoPath, reason)
-			c.String(http.StatusForbidden, reason)
-			return
-		}
-	} else {
-		c.String(http.StatusForbidden, "无效输入")
-		return
-	}
-
-	if exps[1].MatchString(rawPath) {
-		rawPath = strings.Replace(rawPath, "/blob/", "/raw/", 1)
-	}
-
-	proxyRequest(c, rawPath)
-}
-
-
-func proxyRequest(c *gin.Context, u string) {
-	proxyWithRedirect(c, u, 0)
-}
-
-
-func proxyWithRedirect(c *gin.Context, u string, redirectCount int) {
-	// 限制最大重定向次数，防止无限递归
-	const maxRedirects = 20
-	if redirectCount > maxRedirects {
-		c.String(http.StatusLoopDetected, "重定向次数过多，可能存在循环重定向")
-		return
-	}
-	req, err := http.NewRequest(c.Request.Method, u, c.Request.Body)
-	if err != nil {
-		c.String(http.StatusInternalServerError, fmt.Sprintf("server error %v", err))
-		return
-	}
-
-	for key, values := range c.Request.Header {
-		for _, value := range values {
-			req.Header.Add(key, value)
-		}
-	}
-	req.Header.Del("Host")
-
-	resp, err := GetGlobalHTTPClient().Do(req)
-	if err != nil {
-		c.String(http.StatusInternalServerError, fmt.Sprintf("server error %v", err))
-		return
-	}
-	defer func() {
-		if err := resp.Body.Close(); err != nil {
-			fmt.Printf("关闭响应体失败: %v\n", err)
-		}
-	}()
-
-	// 检查文件大小限制
-	cfg := GetConfig()
-	if contentLength := resp.Header.Get("Content-Length"); contentLength != "" {
-		if size, err := strconv.ParseInt(contentLength, 10, 64); err == nil && size > cfg.Server.FileSize {
-			c.String(http.StatusRequestEntityTooLarge, 
-				fmt.Sprintf("文件过大，限制大小: %d MB", cfg.Server.FileSize/(1024*1024)))
-			return
-		}
-	}
-
-	// 清理安全相关的头
-	resp.Header.Del("Content-Security-Policy")
-	resp.Header.Del("Referrer-Policy")
-	resp.Header.Del("Strict-Transport-Security")
-	
-	// 获取真实域名
-	realHost := c.Request.Header.Get("X-Forwarded-Host")
-	if realHost == "" {
-		realHost = c.Request.Host
-	}
-	// 如果域名中没有协议前缀，添加https://
-	if !strings.HasPrefix(realHost, "http://") && !strings.HasPrefix(realHost, "https://") {
-		realHost = "https://" + realHost
-	}
-
-	if strings.HasSuffix(strings.ToLower(u), ".sh") {
-		isGzipCompressed := resp.Header.Get("Content-Encoding") == "gzip"
-		
-		processedBody, processedSize, err := ProcessSmart(resp.Body, isGzipCompressed, realHost)
-		if err != nil {
-			fmt.Printf("智能处理失败，回退到直接代理: %v\n", err)
-			processedBody = resp.Body
-			processedSize = 0
-		}
-
-		// 智能设置响应头
-		if processedSize > 0 {
-			resp.Header.Del("Content-Length")
-			resp.Header.Del("Content-Encoding")
-			resp.Header.Set("Transfer-Encoding", "chunked")
-		}
-
-		// 复制其他响应头
-		for key, values := range resp.Header {
-			for _, value := range values {
-				c.Header(key, value)
-			}
-		}
-
-		if location := resp.Header.Get("Location"); location != "" {
-			if checkURL(location) != nil {
-				c.Header("Location", "/"+location)
-			} else {
-				proxyWithRedirect(c, location, redirectCount+1)
-				return
-			}
-		}
-
-		c.Status(resp.StatusCode)
-
-		// 输出处理后的内容
-		if _, err := io.Copy(c.Writer, processedBody); err != nil {
-			return
-		}
-	} else {
-		for key, values := range resp.Header {
-			for _, value := range values {
-				c.Header(key, value)
-			}
-		}
-
-		// 处理重定向
-		if location := resp.Header.Get("Location"); location != "" {
-			if checkURL(location) != nil {
-				c.Header("Location", "/"+location)
-			} else {
-				proxyWithRedirect(c, location, redirectCount+1)
-				return
-			}
-		}
-
-		c.Status(resp.StatusCode)
-
-		// 直接流式转发
-		io.Copy(c.Writer, resp.Body)
-	}
-}
-
-func checkURL(u string) []string {
-	for _, exp := range exps {
-		if matches := exp.FindStringSubmatch(u); matches != nil {
-			return matches[1:]
-		}
-	}
-	return nil
-}
-
-// 初始化健康监控路由
-func initHealthRoutes(router *gin.Engine) {
-	// 健康检查端点
-	router.GET("/health", func(c *gin.Context) {
-		c.JSON(http.StatusOK, gin.H{
-			"status":    "healthy",
-			"timestamp": time.Now().Unix(),
-			"uptime":    time.Since(serviceStartTime).Seconds(),
-			"service":   "hubproxy",
-		})
-	})
-	
-	// 就绪检查端点
-	router.GET("/ready", func(c *gin.Context) {
-		checks := make(map[string]string)
-		allReady := true
-		
-		if GetConfig() != nil {
-			checks["config"] = "ok"
-		} else {
-			checks["config"] = "failed"
-			allReady = false
-		}
-		
-		// 检查全局缓存状态
-		if globalCache != nil {
-			checks["cache"] = "ok"
-		} else {
-			checks["cache"] = "failed"
-			allReady = false
-		}
-		
-		// 检查限流器状态
-		if globalLimiter != nil {
-			checks["ratelimiter"] = "ok"
-		} else {
-			checks["ratelimiter"] = "failed"
-			allReady = false
-		}
-		
-		// 检查镜像下载器状态
-		if globalImageStreamer != nil {
-			checks["imagestreamer"] = "ok"
-		} else {
-			checks["imagestreamer"] = "failed"
-			allReady = false
-		}
-		
-		// 检查HTTP客户端状态
-		if GetGlobalHTTPClient() != nil {
-			checks["httpclient"] = "ok"
-		} else {
-			checks["httpclient"] = "failed"
-			allReady = false
-		}
-		
-		status := http.StatusOK
-		if !allReady {
-			status = http.StatusServiceUnavailable
-		}
-		
-		c.JSON(status, gin.H{
-			"ready":     allReady,
-			"checks":    checks,
-			"timestamp": time.Now().Unix(),
-			"uptime":    time.Since(serviceStartTime).Seconds(),
-		})
-	})
-}
+package main
+
+import (
+	"embed"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"regexp"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/gin-gonic/gin"
+)
+
+//go:embed public/*
+var staticFiles embed.FS
+
+// 服务嵌入的静态文件
+func serveEmbedFile(c *gin.Context, filename string) {
+	data, err := staticFiles.ReadFile(filename)
+	if err != nil {
+		c.Status(404)
+		return
+	}
+	contentType := "text/html; charset=utf-8"
+	if strings.HasSuffix(filename, ".ico") {
+		contentType = "image/x-icon"
+	}
+	c.Data(200, contentType, data)
+}
+
+var (
+	exps = []*regexp.Regexp{
+		regexp.MustCompile(`^(?:https?://)?github\.com/([^/]+)/([^/]+)/(?:releases|archive)/.*$`),
+		regexp.MustCompile(`^(?:https?://)?github\.com/([^/]+)/([^/]+)/(?:blob|raw)/.*$`),
+		regexp.MustCompile(`^(?:https?://)?github\.com/([^/]+)/([^/]+)/(?:info|git-).*$`),
+		regexp.MustCompile(`^(?:https?://)?raw\.github(?:usercontent|)\.com/([^/]+)/([^/]+)/.+?/.+$`),
+		regexp.MustCompile(`^(?:https?://)?gist\.github(?:usercontent|)\.com/([^/]+)/.+?/.+`),
+		regexp.MustCompile(`^(?:https?://)?api\.github\.com/repos/([^/]+)/([^/]+)/.*`),
+		regexp.MustCompile(`^(?:https?://)?huggingface\.co(?:/spaces)?/([^/]+)/(.+)$`),
+		regexp.MustCompile(`^(?:https?://)?cdn-lfs\.hf\.co(?:/spaces)?/([^/]+)/([^/]+)(?:/(.*))?$`),
+		regexp.MustCompile(`^(?:https?://)?download\.docker\.com/([^/]+)/.*\.(tgz|zip)$`),
+		regexp.MustCompile(`^(?:https?://)?(github|opengraph)\.githubassets\.com/([^/]+)/.+?$`),
+	}
+	globalLimiter *IPRateLimiter
+
+	// 服务启动时间
+	serviceStartTime = time.Now()
+)
+
+func main() {
+	// 加载配置
+	if err := LoadConfig(); err != nil {
+		fmt.Printf("配置加载失败: %v\n", err)
+		return
+	}
+
+	// 初始化HTTP客户端
+	initHTTPClients()
+
+	// 初始化限流器
+	initLimiter()
+
+	// 初始化Docker流式代理
+	initDockerProxy()
+
+	// 初始化镜像流式下载器
+	initImageStreamer()
+
+	// 初始化防抖器
+	initDebouncer()
+
+	gin.SetMode(gin.ReleaseMode)
+	router := gin.Default()
+
+	// 全局Panic恢复保护
+	router.Use(gin.CustomRecovery(func(c *gin.Context, recovered interface{}) {
+		log.Printf("🚨 Panic recovered: %v", recovered)
+		c.JSON(http.StatusInternalServerError, gin.H{
+			"error": "Internal server error",
+			"code":  "INTERNAL_ERROR",
+		})
+	}))
+
+	// 全局限流中间件 - 应用到所有路由
+	router.Use(RateLimitMiddleware(globalLimiter))
+
+	// 初始化监控端点
+	initHealthRoutes(router)
+
+	// 初始化镜像tar下载路由
+	initImageTarRoutes(router)
+
+	// 静态文件路由
+	router.GET("/", func(c *gin.Context) {
+		serveEmbedFile(c, "public/index.html")
+	})
+	router.GET("/public/*filepath", func(c *gin.Context) {
+		filepath := strings.TrimPrefix(c.Param("filepath"), "/")
+		serveEmbedFile(c, "public/"+filepath)
+	})
+
+	router.GET("/images.html", func(c *gin.Context) {
+		serveEmbedFile(c, "public/images.html")
+	})
+	router.GET("/search.html", func(c *gin.Context) {
+		serveEmbedFile(c, "public/search.html")
+	})
+	router.GET("/favicon.ico", func(c *gin.Context) {
+		serveEmbedFile(c, "public/favicon.ico")
+	})
+
+	// 注册dockerhub搜索路由
+	RegisterSearchRoute(router)
+
+	// 注册Docker认证路由（/token*）
+	router.Any("/token", ProxyDockerAuthGin)
+	router.Any("/token/*path", ProxyDockerAuthGin)
+
+	// 注册Docker Registry代理路由
+	router.Any("/v2/*path", ProxyDockerRegistryGin)
+
+	// 注册NoRoute处理器
+	router.NoRoute(handler)
+
+	cfg := GetConfig()
+	fmt.Printf("🚀 HubProxy 启动成功\n")
+	fmt.Printf("📡 监听地址: %s:%d\n", cfg.Server.Host, cfg.Server.Port)
+	fmt.Printf("⚡ 限流配置: %d请求/%g小时\n", cfg.RateLimit.RequestLimit, cfg.RateLimit.PeriodHours)
+	fmt.Printf("🔗 项目地址: https://github.com/sky22333/hubproxy\n")
+
+	err := router.Run(fmt.Sprintf("%s:%d", cfg.Server.Host, cfg.Server.Port))
+	if err != nil {
+		fmt.Printf("启动服务失败: %v\n", err)
+	}
+}
+
+func handler(c *gin.Context) {
+	rawPath := strings.TrimPrefix(c.Request.URL.RequestURI(), "/")
+
+	for strings.HasPrefix(rawPath, "/") {
+		rawPath = strings.TrimPrefix(rawPath, "/")
+	}
+
+	if !strings.HasPrefix(rawPath, "http") {
+		c.String(http.StatusForbidden, "无效输入")
+		return
+	}
+
+	matches := checkURL(rawPath)
+	if matches != nil {
+		// GitHub仓库访问控制检查
+		if allowed, reason := GlobalAccessController.CheckGitHubAccess(matches); !allowed {
+			// 构建仓库名用于日志
+			var repoPath string
+			if len(matches) >= 2 {
+				username := matches[0]
+				repoName := strings.TrimSuffix(matches[1], ".git")
+				repoPath = username + "/" + repoName
+			}
+			fmt.Printf("GitHub仓库 %s 访问被拒绝: %s\n", repoPath, reason)
+			c.String(http.StatusForbidden, reason)
+			return
+		}
+	} else {
+		c.String(http.StatusForbidden, "无效输入")
+		return
+	}
+
+	if exps[1].MatchString(rawPath) {
+		rawPath = strings.Replace(rawPath, "/blob/", "/raw/", 1)
+	}
+
+	proxyRequest(c, rawPath)
+}
+
+func proxyRequest(c *gin.Context, u string) {
+	proxyWithRedirect(c, u, 0)
+}
+
+func proxyWithRedirect(c *gin.Context, u string, redirectCount int) {
+	// 限制最大重定向次数，防止无限递归
+	const maxRedirects = 20
+	if redirectCount > maxRedirects {
+		c.String(http.StatusLoopDetected, "重定向次数过多，可能存在循环重定向")
+		return
+	}
+	req, err := http.NewRequest(c.Request.Method, u, c.Request.Body)
+	if err != nil {
+		c.String(http.StatusInternalServerError, fmt.Sprintf("server error %v", err))
+		return
+	}
+
+	for key, values := range c.Request.Header {
+		for _, value := range values {
+			req.Header.Add(key, value)
+		}
+	}
+	req.Header.Del("Host")
+
+	resp, err := GetGlobalHTTPClient().Do(req)
+	if err != nil {
+		c.String(http.StatusInternalServerError, fmt.Sprintf("server error %v", err))
+		return
+	}
+	defer func() {
+		if err := resp.Body.Close(); err != nil {
+			fmt.Printf("关闭响应体失败: %v\n", err)
+		}
+	}()
+
+	// 检查文件大小限制
+	cfg := GetConfig()
+	if contentLength := resp.Header.Get("Content-Length"); contentLength != "" {
+		if size, err := strconv.ParseInt(contentLength, 10, 64); err == nil && size > cfg.Server.FileSize {
+			c.String(http.StatusRequestEntityTooLarge,
+				fmt.Sprintf("文件过大，限制大小: %d MB", cfg.Server.FileSize/(1024*1024)))
+			return
+		}
+	}
+
+	// 清理安全相关的头
+	resp.Header.Del("Content-Security-Policy")
+	resp.Header.Del("Referrer-Policy")
+	resp.Header.Del("Strict-Transport-Security")
+
+	// 获取真实域名
+	realHost := c.Request.Header.Get("X-Forwarded-Host")
+	if realHost == "" {
+		realHost = c.Request.Host
+	}
+	// 如果域名中没有协议前缀，添加https://
+	if !strings.HasPrefix(realHost, "http://") && !strings.HasPrefix(realHost, "https://") {
+		realHost = "https://" + realHost
+	}
+
+	if strings.HasSuffix(strings.ToLower(u), ".sh") {
+		isGzipCompressed := resp.Header.Get("Content-Encoding") == "gzip"
+
+		processedBody, processedSize, err := ProcessSmart(resp.Body, isGzipCompressed, realHost)
+		if err != nil {
+			fmt.Printf("智能处理失败，回退到直接代理: %v\n", err)
+			processedBody = resp.Body
+			processedSize = 0
+		}
+
+		// 智能设置响应头
+		if processedSize > 0 {
+			resp.Header.Del("Content-Length")
+			resp.Header.Del("Content-Encoding")
+			resp.Header.Set("Transfer-Encoding", "chunked")
+		}
+
+		// 复制其他响应头
+		for key, values := range resp.Header {
+			for _, value := range values {
+				c.Header(key, value)
+			}
+		}
+
+		if location := resp.Header.Get("Location"); location != "" {
+			if checkURL(location) != nil {
+				c.Header("Location", "/"+location)
+			} else {
+				proxyWithRedirect(c, location, redirectCount+1)
+				return
+			}
+		}
+
+		c.Status(resp.StatusCode)
+
+		// 输出处理后的内容
+		if _, err := io.Copy(c.Writer, processedBody); err != nil {
+			return
+		}
+	} else {
+		for key, values := range resp.Header {
+			for _, value := range values {
+				c.Header(key, value)
+			}
+		}
+
+		// 处理重定向
+		if location := resp.Header.Get("Location"); location != "" {
+			if checkURL(location) != nil {
+				c.Header("Location", "/"+location)
+			} else {
+				proxyWithRedirect(c, location, redirectCount+1)
+				return
+			}
+		}
+
+		c.Status(resp.StatusCode)
+
+		// 直接流式转发
+		io.Copy(c.Writer, resp.Body)
+	}
+}
+
+func checkURL(u string) []string {
+	for _, exp := range exps {
+		if matches := exp.FindStringSubmatch(u); matches != nil {
+			return matches[1:]
+		}
+	}
+	return nil
+}
+
+// 初始化健康监控路由
+func initHealthRoutes(router *gin.Engine) {
+	// 健康检查端点
+	router.GET("/health", func(c *gin.Context) {
+		c.JSON(http.StatusOK, gin.H{
+			"status":    "healthy",
+			"timestamp": time.Now().Unix(),
+			"uptime":    time.Since(serviceStartTime).Seconds(),
+			"service":   "hubproxy",
+		})
+	})
+
+	// 就绪检查端点
+	router.GET("/ready", func(c *gin.Context) {
+		checks := make(map[string]string)
+		allReady := true
+
+		if GetConfig() != nil {
+			checks["config"] = "ok"
+		} else {
+			checks["config"] = "failed"
+			allReady = false
+		}
+
+		// 检查全局缓存状态
+		if globalCache != nil {
+			checks["cache"] = "ok"
+		} else {
+			checks["cache"] = "failed"
+			allReady = false
+		}
+
+		// 检查限流器状态
+		if globalLimiter != nil {
+			checks["ratelimiter"] = "ok"
+		} else {
+			checks["ratelimiter"] = "failed"
+			allReady = false
+		}
+
+		// 检查镜像下载器状态
+		if globalImageStreamer != nil {
+			checks["imagestreamer"] = "ok"
+		} else {
+			checks["imagestreamer"] = "failed"
+			allReady = false
+		}
+
+		// 检查HTTP客户端状态
+		if GetGlobalHTTPClient() != nil {
+			checks["httpclient"] = "ok"
+		} else {
+			checks["httpclient"] = "failed"
+			allReady = false
+		}
+
+		status := http.StatusOK
+		if !allReady {
+			status = http.StatusServiceUnavailable
+		}
+
+		c.JSON(status, gin.H{
+			"ready":     allReady,
+			"checks":    checks,
+			"timestamp": time.Now().Unix(),
+			"uptime":    time.Since(serviceStartTime).Seconds(),
+		})
+	})
+}
--- a/src/proxysh.go
+++ b/src/proxysh.go
@@ -1,95 +1,95 @@
-package main
-
-import (
-	"bytes"
-	"compress/gzip"
-	"fmt"
-	"io"
-	"regexp"
-	"strings"
-)
-
-// GitHub URL正则表达式
-var githubRegex = regexp.MustCompile(`https?://(?:github\.com|raw\.githubusercontent\.com|raw\.github\.com|gist\.githubusercontent\.com|gist\.github\.com|api\.github\.com)[^\s'"]+`)
-
-// ProcessSmart Shell脚本智能处理函数
-func ProcessSmart(input io.ReadCloser, isCompressed bool, host string) (io.Reader, int64, error) {
-	defer input.Close()
-	
-	content, err := readShellContent(input, isCompressed)
-	if err != nil {
-		return nil, 0, fmt.Errorf("内容读取失败: %v", err)
-	}
-	
-	if len(content) == 0 {
-		return strings.NewReader(""), 0, nil
-	}
-	
-	if len(content) > 10*1024*1024 {
-		return strings.NewReader(content), int64(len(content)), nil
-	}
-	
-	if !strings.Contains(content, "github.com") && !strings.Contains(content, "githubusercontent.com") {
-		return strings.NewReader(content), int64(len(content)), nil
-	}
-	
-	processed := processGitHubURLs(content, host)
-	
-	return strings.NewReader(processed), int64(len(processed)), nil
-}
-
-func readShellContent(input io.ReadCloser, isCompressed bool) (string, error) {
-	var reader io.Reader = input
-	
-	// 处理gzip压缩
-	if isCompressed {
-		peek := make([]byte, 2)
-		n, err := input.Read(peek)
-		if err != nil && err != io.EOF {
-			return "", fmt.Errorf("读取数据失败: %v", err)
-		}
-		
-		if n >= 2 && peek[0] == 0x1f && peek[1] == 0x8b {
-			combinedReader := io.MultiReader(bytes.NewReader(peek[:n]), input)
-			gzReader, err := gzip.NewReader(combinedReader)
-			if err != nil {
-				return "", fmt.Errorf("gzip解压失败: %v", err)
-			}
-			defer gzReader.Close()
-			reader = gzReader
-		} else {
-			reader = io.MultiReader(bytes.NewReader(peek[:n]), input)
-		}
-	}
-	
-	data, err := io.ReadAll(reader)
-	if err != nil {
-		return "", fmt.Errorf("读取内容失败: %v", err)
-	}
-	
-	return string(data), nil
-}
-
-func processGitHubURLs(content, host string) string {
-	return githubRegex.ReplaceAllStringFunc(content, func(url string) string {
-		return transformURL(url, host)
-	})
-}
-
-// transformURL URL转换函数
-func transformURL(url, host string) string {
-	if strings.Contains(url, host) {
-		return url
-	}
-	
-	if strings.HasPrefix(url, "http://") {
-		url = "https" + url[4:]
-	} else if !strings.HasPrefix(url, "https://") && !strings.HasPrefix(url, "//") {
-		url = "https://" + url
-	}
-	cleanHost := strings.TrimPrefix(host, "https://")
-	cleanHost = strings.TrimPrefix(cleanHost, "http://")
-	cleanHost = strings.TrimSuffix(cleanHost, "/")
-	
-	return cleanHost + "/" + url
-}
+package main
+
+import (
+	"bytes"
+	"compress/gzip"
+	"fmt"
+	"io"
+	"regexp"
+	"strings"
+)
+
+// GitHub URL正则表达式
+var githubRegex = regexp.MustCompile(`https?://(?:github\.com|raw\.githubusercontent\.com|raw\.github\.com|gist\.githubusercontent\.com|gist\.github\.com|api\.github\.com)[^\s'"]+`)
+
+// ProcessSmart Shell脚本智能处理函数
+func ProcessSmart(input io.ReadCloser, isCompressed bool, host string) (io.Reader, int64, error) {
+	defer input.Close()
+
+	content, err := readShellContent(input, isCompressed)
+	if err != nil {
+		return nil, 0, fmt.Errorf("内容读取失败: %v", err)
+	}
+
+	if len(content) == 0 {
+		return strings.NewReader(""), 0, nil
+	}
+
+	if len(content) > 10*1024*1024 {
+		return strings.NewReader(content), int64(len(content)), nil
+	}
+
+	if !strings.Contains(content, "github.com") && !strings.Contains(content, "githubusercontent.com") {
+		return strings.NewReader(content), int64(len(content)), nil
+	}
+
+	processed := processGitHubURLs(content, host)
+
+	return strings.NewReader(processed), int64(len(processed)), nil
+}
+
+func readShellContent(input io.ReadCloser, isCompressed bool) (string, error) {
+	var reader io.Reader = input
+
+	// 处理gzip压缩
+	if isCompressed {
+		peek := make([]byte, 2)
+		n, err := input.Read(peek)
+		if err != nil && err != io.EOF {
+			return "", fmt.Errorf("读取数据失败: %v", err)
+		}
+
+		if n >= 2 && peek[0] == 0x1f && peek[1] == 0x8b {
+			combinedReader := io.MultiReader(bytes.NewReader(peek[:n]), input)
+			gzReader, err := gzip.NewReader(combinedReader)
+			if err != nil {
+				return "", fmt.Errorf("gzip解压失败: %v", err)
+			}
+			defer gzReader.Close()
+			reader = gzReader
+		} else {
+			reader = io.MultiReader(bytes.NewReader(peek[:n]), input)
+		}
+	}
+
+	data, err := io.ReadAll(reader)
+	if err != nil {
+		return "", fmt.Errorf("读取内容失败: %v", err)
+	}
+
+	return string(data), nil
+}
+
+func processGitHubURLs(content, host string) string {
+	return githubRegex.ReplaceAllStringFunc(content, func(url string) string {
+		return transformURL(url, host)
+	})
+}
+
+// transformURL URL转换函数
+func transformURL(url, host string) string {
+	if strings.Contains(url, host) {
+		return url
+	}
+
+	if strings.HasPrefix(url, "http://") {
+		url = "https" + url[4:]
+	} else if !strings.HasPrefix(url, "https://") && !strings.HasPrefix(url, "//") {
+		url = "https://" + url
+	}
+	cleanHost := strings.TrimPrefix(host, "https://")
+	cleanHost = strings.TrimPrefix(cleanHost, "http://")
+	cleanHost = strings.TrimSuffix(cleanHost, "/")
+
+	return cleanHost + "/" + url
+}
--- a/src/ratelimiter.go
+++ b/src/ratelimiter.go
@@ -1,303 +1,301 @@
-package main
-
-import (
-	"fmt"
-	"net"
-	"strings"
-	"sync"
-	"time"
-
-	"github.com/gin-gonic/gin"
-	"golang.org/x/time/rate"
-)
-
-const (
-	// 清理间隔
-	CleanupInterval = 10 * time.Minute
-	MaxIPCacheSize = 10000
-)
-
-// IPRateLimiter IP限流器结构体
-type IPRateLimiter struct {
-	ips       map[string]*rateLimiterEntry // IP到限流器的映射
-	mu        *sync.RWMutex                // 读写锁，保证并发安全
-	r         rate.Limit                   // 速率限制（每秒允许的请求数）
-	b         int                          // 令牌桶容量（突发请求数）
-	whitelist []*net.IPNet                 // 白名单IP段
-	blacklist []*net.IPNet                 // 黑名单IP段
-}
-
-// rateLimiterEntry 限流器条目
-type rateLimiterEntry struct {
-	limiter    *rate.Limiter
-	lastAccess time.Time
-}
-
-// initGlobalLimiter 初始化全局限流器
-func initGlobalLimiter() *IPRateLimiter {
-	cfg := GetConfig()
-	
-	whitelist := make([]*net.IPNet, 0, len(cfg.Security.WhiteList))
-	for _, item := range cfg.Security.WhiteList {
-		if item = strings.TrimSpace(item); item != "" {
-			if !strings.Contains(item, "/") {
-				item = item + "/32" // 单个IP转为CIDR格式
-			}
-			_, ipnet, err := net.ParseCIDR(item)
-			if err == nil {
-				whitelist = append(whitelist, ipnet)
-			} else {
-				fmt.Printf("警告: 无效的白名单IP格式: %s\n", item)
-			}
-		}
-	}
-	
-	// 解析黑名单IP段
-	blacklist := make([]*net.IPNet, 0, len(cfg.Security.BlackList))
-	for _, item := range cfg.Security.BlackList {
-		if item = strings.TrimSpace(item); item != "" {
-			if !strings.Contains(item, "/") {
-				item = item + "/32" // 单个IP转为CIDR格式
-			}
-			_, ipnet, err := net.ParseCIDR(item)
-			if err == nil {
-				blacklist = append(blacklist, ipnet)
-			} else {
-				fmt.Printf("警告: 无效的黑名单IP格式: %s\n", item)
-			}
-		}
-	}
-	
-	// 计算速率：将 "每N小时X个请求" 转换为 "每秒Y个请求"
-	ratePerSecond := rate.Limit(float64(cfg.RateLimit.RequestLimit) / (cfg.RateLimit.PeriodHours * 3600))
-	
-	burstSize := cfg.RateLimit.RequestLimit
-	if burstSize < 1 {
-		burstSize = 1
-	}
-	
-	limiter := &IPRateLimiter{
-		ips:       make(map[string]*rateLimiterEntry),
-		mu:        &sync.RWMutex{},
-		r:         ratePerSecond,
-		b:         burstSize,
-		whitelist: whitelist,
-		blacklist: blacklist,
-	}
-	
-	// 启动定期清理goroutine
-	go limiter.cleanupRoutine()
-	
-	return limiter
-}
-
-// initLimiter 初始化限流器
-func initLimiter() {
-	globalLimiter = initGlobalLimiter()
-}
-
-// cleanupRoutine 定期清理过期的限流器
-func (i *IPRateLimiter) cleanupRoutine() {
-	ticker := time.NewTicker(CleanupInterval)
-	defer ticker.Stop()
-	
-	for range ticker.C {
-		now := time.Now()
-		expired := make([]string, 0)
-		
-		// 查找过期的条目
-		i.mu.RLock()
-		for ip, entry := range i.ips {
-			// 如果最后访问时间超过1小时，认为过期
-			if now.Sub(entry.lastAccess) > 1*time.Hour {
-				expired = append(expired, ip)
-			}
-		}
-		i.mu.RUnlock()
-		
-		// 如果有过期条目或者缓存过大，进行清理
-		if len(expired) > 0 || len(i.ips) > MaxIPCacheSize {
-			i.mu.Lock()
-			// 删除过期条目
-			for _, ip := range expired {
-				delete(i.ips, ip)
-			}
-			
-			// 如果缓存仍然过大，全部清理
-			if len(i.ips) > MaxIPCacheSize {
-				i.ips = make(map[string]*rateLimiterEntry)
-			}
-			i.mu.Unlock()
-		}
-	}
-}
-
-// extractIPFromAddress 从地址中提取纯IP
-func extractIPFromAddress(address string) string {
-	if host, _, err := net.SplitHostPort(address); err == nil {
-		return host
-	}
-	return address
-}
-
-// normalizeIPForRateLimit 标准化IP地址用于限流：IPv4保持不变，IPv6标准化为/64网段
-func normalizeIPForRateLimit(ipStr string) string {
-	ip := net.ParseIP(ipStr)
-	if ip == nil {
-		return ipStr // 解析失败，返回原值
-	}
-	
-	if ip.To4() != nil {
-		return ipStr // IPv4保持不变
-	}
-	
-	// IPv6：标准化为 /64 网段
-	ipv6 := ip.To16()
-	for i := 8; i < 16; i++ {
-		ipv6[i] = 0 // 清零后64位
-	}
-	return ipv6.String() + "/64"
-}
-
-// isIPInCIDRList 检查IP是否在CIDR列表中
-func isIPInCIDRList(ip string, cidrList []*net.IPNet) bool {
-	// 先提取纯IP地址
-	cleanIP := extractIPFromAddress(ip)
-	parsedIP := net.ParseIP(cleanIP)
-	if parsedIP == nil {
-		return false
-	}
-	
-	for _, cidr := range cidrList {
-		if cidr.Contains(parsedIP) {
-			return true
-		}
-	}
-	return false
-}
-
-// GetLimiter 获取指定IP的限流器，同时返回是否允许访问
-func (i *IPRateLimiter) GetLimiter(ip string) (*rate.Limiter, bool) {
-	// 提取纯IP地址
-	cleanIP := extractIPFromAddress(ip)
-	
-	// 检查是否在黑名单中
-	if isIPInCIDRList(cleanIP, i.blacklist) {
-		return nil, false
-	}
-	
-	// 检查是否在白名单中
-	if isIPInCIDRList(cleanIP, i.whitelist) {
-		return rate.NewLimiter(rate.Inf, i.b), true
-	}
-	
-	// 标准化IP用于限流：IPv4保持不变，IPv6标准化为/64网段
-	normalizedIP := normalizeIPForRateLimit(cleanIP)
-	
-	now := time.Now()
-	
-	i.mu.RLock()
-	entry, exists := i.ips[normalizedIP]
-	i.mu.RUnlock()
-	
-	if exists {
-		i.mu.Lock()
-		if entry, stillExists := i.ips[normalizedIP]; stillExists {
-			entry.lastAccess = now
-			i.mu.Unlock()
-			return entry.limiter, true
-		}
-		i.mu.Unlock()
-	}
-	
-	i.mu.Lock()
-	if entry, exists := i.ips[normalizedIP]; exists {
-		entry.lastAccess = now
-		i.mu.Unlock()
-		return entry.limiter, true
-	}
-	
-	entry = &rateLimiterEntry{
-		limiter:    rate.NewLimiter(i.r, i.b),
-		lastAccess: now,
-	}
-	i.ips[normalizedIP] = entry
-	i.mu.Unlock()
-	
-	return entry.limiter, true
-}
-
-// RateLimitMiddleware 速率限制中间件
-func RateLimitMiddleware(limiter *IPRateLimiter) gin.HandlerFunc {
-	return func(c *gin.Context) {
-		// 静态文件豁免：跳过限流检查
-		path := c.Request.URL.Path
-		if path == "/" || path == "/favicon.ico" || path == "/images.html" || path == "/search.html" || 
-		   strings.HasPrefix(path, "/public/") {
-			c.Next()
-			return
-		}
-
-		// 获取客户端真实IP
-		var ip string
-		
-		// 优先尝试从请求头获取真实IP
-		if forwarded := c.GetHeader("X-Forwarded-For"); forwarded != "" {
-			// X-Forwarded-For可能包含多个IP，取第一个
-			ips := strings.Split(forwarded, ",")
-			ip = strings.TrimSpace(ips[0])
-		} else if realIP := c.GetHeader("X-Real-IP"); realIP != "" {
-			// 如果有X-Real-IP头
-			ip = realIP
-		} else if remoteIP := c.GetHeader("X-Original-Forwarded-For"); remoteIP != "" {
-			// 某些代理可能使用此头
-			ips := strings.Split(remoteIP, ",")
-			ip = strings.TrimSpace(ips[0])
-		} else {
-			// 回退到ClientIP方法
-			ip = c.ClientIP()
-		}
-		
-		// 提取纯IP地址（去除可能存在的端口）
-		cleanIP := extractIPFromAddress(ip)
-		
-		// 日志记录请求IP和头信息
-		normalizedIP := normalizeIPForRateLimit(cleanIP)
-		if cleanIP != normalizedIP {
-			fmt.Printf("请求IP: %s (提纯后: %s, 限流段: %s), X-Forwarded-For: %s, X-Real-IP: %s\n", 
-				ip, cleanIP, normalizedIP,
-				c.GetHeader("X-Forwarded-For"), 
-				c.GetHeader("X-Real-IP"))
-		} else {
-			fmt.Printf("请求IP: %s (提纯后: %s), X-Forwarded-For: %s, X-Real-IP: %s\n", 
-				ip, cleanIP,
-				c.GetHeader("X-Forwarded-For"), 
-				c.GetHeader("X-Real-IP"))
-		}
-		
-		// 获取限流器并检查是否允许访问
-		ipLimiter, allowed := limiter.GetLimiter(cleanIP)
-		
-		// 如果IP在黑名单中
-		if !allowed {
-			c.JSON(403, gin.H{
-				"error": "您已被限制访问",
-			})
-			c.Abort()
-			return
-		}
-		
-		// 检查限流
-		if !ipLimiter.Allow() {
-			c.JSON(429, gin.H{
-				"error": "请求频率过快，暂时限制访问",
-			})
-			c.Abort()
-			return
-		}
-		
-		c.Next()
-	}
-}
-
-
+package main
+
+import (
+	"fmt"
+	"net"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"golang.org/x/time/rate"
+)
+
+const (
+	// 清理间隔
+	CleanupInterval = 10 * time.Minute
+	MaxIPCacheSize  = 10000
+)
+
+// IPRateLimiter IP限流器结构体
+type IPRateLimiter struct {
+	ips       map[string]*rateLimiterEntry // IP到限流器的映射
+	mu        *sync.RWMutex                // 读写锁，保证并发安全
+	r         rate.Limit                   // 速率限制（每秒允许的请求数）
+	b         int                          // 令牌桶容量（突发请求数）
+	whitelist []*net.IPNet                 // 白名单IP段
+	blacklist []*net.IPNet                 // 黑名单IP段
+}
+
+// rateLimiterEntry 限流器条目
+type rateLimiterEntry struct {
+	limiter    *rate.Limiter
+	lastAccess time.Time
+}
+
+// initGlobalLimiter 初始化全局限流器
+func initGlobalLimiter() *IPRateLimiter {
+	cfg := GetConfig()
+
+	whitelist := make([]*net.IPNet, 0, len(cfg.Security.WhiteList))
+	for _, item := range cfg.Security.WhiteList {
+		if item = strings.TrimSpace(item); item != "" {
+			if !strings.Contains(item, "/") {
+				item = item + "/32" // 单个IP转为CIDR格式
+			}
+			_, ipnet, err := net.ParseCIDR(item)
+			if err == nil {
+				whitelist = append(whitelist, ipnet)
+			} else {
+				fmt.Printf("警告: 无效的白名单IP格式: %s\n", item)
+			}
+		}
+	}
+
+	// 解析黑名单IP段
+	blacklist := make([]*net.IPNet, 0, len(cfg.Security.BlackList))
+	for _, item := range cfg.Security.BlackList {
+		if item = strings.TrimSpace(item); item != "" {
+			if !strings.Contains(item, "/") {
+				item = item + "/32" // 单个IP转为CIDR格式
+			}
+			_, ipnet, err := net.ParseCIDR(item)
+			if err == nil {
+				blacklist = append(blacklist, ipnet)
+			} else {
+				fmt.Printf("警告: 无效的黑名单IP格式: %s\n", item)
+			}
+		}
+	}
+
+	// 计算速率：将 "每N小时X个请求" 转换为 "每秒Y个请求"
+	ratePerSecond := rate.Limit(float64(cfg.RateLimit.RequestLimit) / (cfg.RateLimit.PeriodHours * 3600))
+
+	burstSize := cfg.RateLimit.RequestLimit
+	if burstSize < 1 {
+		burstSize = 1
+	}
+
+	limiter := &IPRateLimiter{
+		ips:       make(map[string]*rateLimiterEntry),
+		mu:        &sync.RWMutex{},
+		r:         ratePerSecond,
+		b:         burstSize,
+		whitelist: whitelist,
+		blacklist: blacklist,
+	}
+
+	// 启动定期清理goroutine
+	go limiter.cleanupRoutine()
+
+	return limiter
+}
+
+// initLimiter 初始化限流器
+func initLimiter() {
+	globalLimiter = initGlobalLimiter()
+}
+
+// cleanupRoutine 定期清理过期的限流器
+func (i *IPRateLimiter) cleanupRoutine() {
+	ticker := time.NewTicker(CleanupInterval)
+	defer ticker.Stop()
+
+	for range ticker.C {
+		now := time.Now()
+		expired := make([]string, 0)
+
+		// 查找过期的条目
+		i.mu.RLock()
+		for ip, entry := range i.ips {
+			// 如果最后访问时间超过1小时，认为过期
+			if now.Sub(entry.lastAccess) > 1*time.Hour {
+				expired = append(expired, ip)
+			}
+		}
+		i.mu.RUnlock()
+
+		// 如果有过期条目或者缓存过大，进行清理
+		if len(expired) > 0 || len(i.ips) > MaxIPCacheSize {
+			i.mu.Lock()
+			// 删除过期条目
+			for _, ip := range expired {
+				delete(i.ips, ip)
+			}
+
+			// 如果缓存仍然过大，全部清理
+			if len(i.ips) > MaxIPCacheSize {
+				i.ips = make(map[string]*rateLimiterEntry)
+			}
+			i.mu.Unlock()
+		}
+	}
+}
+
+// extractIPFromAddress 从地址中提取纯IP
+func extractIPFromAddress(address string) string {
+	if host, _, err := net.SplitHostPort(address); err == nil {
+		return host
+	}
+	return address
+}
+
+// normalizeIPForRateLimit 标准化IP地址用于限流：IPv4保持不变，IPv6标准化为/64网段
+func normalizeIPForRateLimit(ipStr string) string {
+	ip := net.ParseIP(ipStr)
+	if ip == nil {
+		return ipStr // 解析失败，返回原值
+	}
+
+	if ip.To4() != nil {
+		return ipStr // IPv4保持不变
+	}
+
+	// IPv6：标准化为 /64 网段
+	ipv6 := ip.To16()
+	for i := 8; i < 16; i++ {
+		ipv6[i] = 0 // 清零后64位
+	}
+	return ipv6.String() + "/64"
+}
+
+// isIPInCIDRList 检查IP是否在CIDR列表中
+func isIPInCIDRList(ip string, cidrList []*net.IPNet) bool {
+	// 先提取纯IP地址
+	cleanIP := extractIPFromAddress(ip)
+	parsedIP := net.ParseIP(cleanIP)
+	if parsedIP == nil {
+		return false
+	}
+
+	for _, cidr := range cidrList {
+		if cidr.Contains(parsedIP) {
+			return true
+		}
+	}
+	return false
+}
+
+// GetLimiter 获取指定IP的限流器，同时返回是否允许访问
+func (i *IPRateLimiter) GetLimiter(ip string) (*rate.Limiter, bool) {
+	// 提取纯IP地址
+	cleanIP := extractIPFromAddress(ip)
+
+	// 检查是否在黑名单中
+	if isIPInCIDRList(cleanIP, i.blacklist) {
+		return nil, false
+	}
+
+	// 检查是否在白名单中
+	if isIPInCIDRList(cleanIP, i.whitelist) {
+		return rate.NewLimiter(rate.Inf, i.b), true
+	}
+
+	// 标准化IP用于限流：IPv4保持不变，IPv6标准化为/64网段
+	normalizedIP := normalizeIPForRateLimit(cleanIP)
+
+	now := time.Now()
+
+	i.mu.RLock()
+	entry, exists := i.ips[normalizedIP]
+	i.mu.RUnlock()
+
+	if exists {
+		i.mu.Lock()
+		if entry, stillExists := i.ips[normalizedIP]; stillExists {
+			entry.lastAccess = now
+			i.mu.Unlock()
+			return entry.limiter, true
+		}
+		i.mu.Unlock()
+	}
+
+	i.mu.Lock()
+	if entry, exists := i.ips[normalizedIP]; exists {
+		entry.lastAccess = now
+		i.mu.Unlock()
+		return entry.limiter, true
+	}
+
+	entry = &rateLimiterEntry{
+		limiter:    rate.NewLimiter(i.r, i.b),
+		lastAccess: now,
+	}
+	i.ips[normalizedIP] = entry
+	i.mu.Unlock()
+
+	return entry.limiter, true
+}
+
+// RateLimitMiddleware 速率限制中间件
+func RateLimitMiddleware(limiter *IPRateLimiter) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		// 静态文件豁免：跳过限流检查
+		path := c.Request.URL.Path
+		if path == "/" || path == "/favicon.ico" || path == "/images.html" || path == "/search.html" ||
+			strings.HasPrefix(path, "/public/") {
+			c.Next()
+			return
+		}
+
+		// 获取客户端真实IP
+		var ip string
+
+		// 优先尝试从请求头获取真实IP
+		if forwarded := c.GetHeader("X-Forwarded-For"); forwarded != "" {
+			// X-Forwarded-For可能包含多个IP，取第一个
+			ips := strings.Split(forwarded, ",")
+			ip = strings.TrimSpace(ips[0])
+		} else if realIP := c.GetHeader("X-Real-IP"); realIP != "" {
+			// 如果有X-Real-IP头
+			ip = realIP
+		} else if remoteIP := c.GetHeader("X-Original-Forwarded-For"); remoteIP != "" {
+			// 某些代理可能使用此头
+			ips := strings.Split(remoteIP, ",")
+			ip = strings.TrimSpace(ips[0])
+		} else {
+			// 回退到ClientIP方法
+			ip = c.ClientIP()
+		}
+
+		// 提取纯IP地址（去除可能存在的端口）
+		cleanIP := extractIPFromAddress(ip)
+
+		// 日志记录请求IP和头信息
+		normalizedIP := normalizeIPForRateLimit(cleanIP)
+		if cleanIP != normalizedIP {
+			fmt.Printf("请求IP: %s (提纯后: %s, 限流段: %s), X-Forwarded-For: %s, X-Real-IP: %s\n",
+				ip, cleanIP, normalizedIP,
+				c.GetHeader("X-Forwarded-For"),
+				c.GetHeader("X-Real-IP"))
+		} else {
+			fmt.Printf("请求IP: %s (提纯后: %s), X-Forwarded-For: %s, X-Real-IP: %s\n",
+				ip, cleanIP,
+				c.GetHeader("X-Forwarded-For"),
+				c.GetHeader("X-Real-IP"))
+		}
+
+		// 获取限流器并检查是否允许访问
+		ipLimiter, allowed := limiter.GetLimiter(cleanIP)
+
+		// 如果IP在黑名单中
+		if !allowed {
+			c.JSON(403, gin.H{
+				"error": "您已被限制访问",
+			})
+			c.Abort()
+			return
+		}
+
+		// 检查限流
+		if !ipLimiter.Allow() {
+			c.JSON(429, gin.H{
+				"error": "请求频率过快，暂时限制访问",
+			})
+			c.Abort()
+			return
+		}
+
+		c.Next()
+	}
+}
--- a/src/token_cache.go
+++ b/src/token_cache.go
@@ -13,10 +13,10 @@ import (

 // CachedItem 通用缓存项，支持Token和Manifest
 type CachedItem struct {
-	Data        []byte         // 缓存数据(token字符串或manifest字节)
-	ContentType string         // 内容类型
+	Data        []byte            // 缓存数据(token字符串或manifest字节)
+	ContentType string            // 内容类型
 	Headers     map[string]string // 额外的响应头
-	ExpiresAt   time.Time      // 过期时间
+	ExpiresAt   time.Time         // 过期时间
 }

 // UniversalCache 通用缓存，支持Token和Manifest
@@ -79,18 +79,18 @@ func getManifestTTL(reference string) time.Duration {
 			defaultTTL = parsed
 		}
 	}
-	
+
 	if strings.HasPrefix(reference, "sha256:") {
 		return 24 * time.Hour
 	}
-	
+
 	// mutable tag的智能判断
-	if reference == "latest" || reference == "main" || reference == "master" || 
-	   reference == "dev" || reference == "develop" {
+	if reference == "latest" || reference == "main" || reference == "master" ||
+		reference == "dev" || reference == "develop" {
 		// 热门可变标签: 短期缓存
 		return 10 * time.Minute
 	}
-	
+
 	return defaultTTL
 }

@@ -99,17 +99,17 @@ func extractTTLFromResponse(responseBody []byte) time.Duration {
 	var tokenResp struct {
 		ExpiresIn int `json:"expires_in"`
 	}
-	
+
 	// 默认30分钟TTL，确保稳定性
 	defaultTTL := 30 * time.Minute
-	
+
 	if json.Unmarshal(responseBody, &tokenResp) == nil && tokenResp.ExpiresIn > 0 {
 		safeTTL := time.Duration(tokenResp.ExpiresIn-300) * time.Second
 		if safeTTL > 5*time.Minute {
 			return safeTTL
 		}
 	}
-	
+
 	return defaultTTL
 }

@@ -122,12 +122,12 @@ func writeCachedResponse(c *gin.Context, item *CachedItem) {
 	if item.ContentType != "" {
 		c.Header("Content-Type", item.ContentType)
 	}
-	
+
 	// 设置额外的响应头
 	for key, value := range item.Headers {
 		c.Header(key, value)
 	}
-	
+
 	// 返回数据
 	c.Data(200, item.ContentType, item.Data)
 }
@@ -148,21 +148,21 @@ func init() {
 	go func() {
 		ticker := time.NewTicker(20 * time.Minute)
 		defer ticker.Stop()
-		
+
 		for range ticker.C {
 			now := time.Now()
 			expiredKeys := make([]string, 0)
-			
+
 			globalCache.cache.Range(func(key, value interface{}) bool {
 				if cached := value.(*CachedItem); now.After(cached.ExpiresAt) {
 					expiredKeys = append(expiredKeys, key.(string))
 				}
 				return true
 			})
-			
+
 			for _, key := range expiredKeys {
 				globalCache.cache.Delete(key)
 			}
 		}
 	}()
-} 
+}