From 204190f807e5b1b9e8bcd77983994caa94f9bf20 Mon Sep 17 00:00:00 2001
From: Jiahao Luo
Date: Mon, 5 Jan 2026 12:57:03 +0800
Subject: [PATCH] feat(crs-sync): improve error messages and add private IP allowlist support

## Changes

### 1. Enhanced Error Messages
- Modified CRS sync error handling to show detailed error messages
- Changed from generic "internal error" to "CRS sync failed:"
- Helps diagnose connection issues with private CRS deployments

### 2. Security Configuration
- Added SECURITY_URL_ALLOWLIST_ALLOW_PRIVATE_HOSTS environment variable
- Allows administrators to enable/disable private IP access for CRS sync
- Production default: false (secure)
- Test environment default: true (convenient for internal testing)

### 3. Flexible Configuration Support
- Added config.yaml mount support in both production and test environments
- Supports dual configuration methods:
  * config.yaml for detailed/complex configurations
  * Environment variables for quick overrides
- Priority: ENV vars > config.yaml > defaults

## Use Case
Enables CRS sync from internal deployments where CRS resolves to private IPs (e.g., 10.x.x.x, 192.168.x.x) while maintaining security by default.

## Files Modified
- backend/internal/handler/admin/account_handler.go
- deploy/docker-compose.yml
- deploy/docker-compose-test.yml
---
 backend/internal/handler/admin/account_handler.go | 3 ++-
 deploy/docker-compose-test.yml | 8 ++++++++
 deploy/docker-compose.yml | 6 +++++-
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/backend/internal/handler/admin/account_handler.go b/backend/internal/handler/admin/account_handler.go
index e9a27ba6..1c26fa8d 100644
--- a/backend/internal/handler/admin/account_handler.go
+++ b/backend/internal/handler/admin/account_handler.go
@@ -354,7 +354,8 @@ func (h *AccountHandler) SyncFromCRS(c *gin.Context) {
 		SyncProxies: syncProxies,
 	})
 	if err != nil {
-		response.ErrorFrom(c, err)
+		// Provide detailed error message for CRS sync failures
+		response.InternalError(c, "CRS sync failed: "+err.Error())
 		return
 	}
diff --git a/deploy/docker-compose-test.yml b/deploy/docker-compose-test.yml
index 1a02fedd..bcda3141 100644
--- a/deploy/docker-compose-test.yml
+++ b/deploy/docker-compose-test.yml
@@ -32,6 +32,8 @@ services:
     volumes:
       # Data persistence (config.yaml will be auto-generated here)
       - sub2api_data:/app/data
+      # Mount custom config.yaml (optional, overrides auto-generated config)
+      - ./config.yaml:/app/data/config.yaml:ro
     environment:
       # =======================================================================
       # Auto Setup (REQUIRED for Docker deployment)
@@ -95,6 +97,12 @@ services:
       - GEMINI_OAUTH_CLIENT_SECRET=${GEMINI_OAUTH_CLIENT_SECRET:-}
       - GEMINI_OAUTH_SCOPES=${GEMINI_OAUTH_SCOPES:-}
       - GEMINI_QUOTA_POLICY=${GEMINI_QUOTA_POLICY:-}
+
+      # =======================================================================
+      # Security Configuration (URL Allowlist)
+      # =======================================================================
+      # Allow private IP addresses for CRS sync (for internal deployments)
+      - SECURITY_URL_ALLOWLIST_ALLOW_PRIVATE_HOSTS=${SECURITY_URL_ALLOWLIST_ALLOW_PRIVATE_HOSTS:-true}
     depends_on:
       postgres:
         condition: service_healthy
diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml
index 9c786d6d..17e75e2a 100644
--- a/deploy/docker-compose.yml
+++ b/deploy/docker-compose.yml
@@ -28,6 +28,8 @@ services:
     volumes:
       # Data persistence (config.yaml will be auto-generated here)
       - sub2api_data:/app/data
+      # Mount custom config.yaml (optional, overrides auto-generated config)
+      - ./config.yaml:/app/data/config.yaml:ro
     environment:
       # =======================================================================
       # Auto Setup (REQUIRED for Docker deployment)
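Review bot: The bind mount `./config.yaml:/app/data/config.yaml:ro` is not optional despite its comment: when the file is absent on the host, Docker creates an empty directory at that path and the container then finds a directory where the application expects to write its auto-generated config.yaml, and when the file is present the `:ro` flag blocks the auto-generation the line above still advertises. The same mount is added to deploy/docker-compose.yml in hunk @@ -28. Either document that the host file must exist before first start, or put the mount behind a compose profile or an override file so the default path keeps working, and reword the comment to `# Mount a custom config.yaml (file must exist on the host; read-only, so it is never auto-generated)`.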
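Review bot: The comment on `SECURITY_URL_ALLOWLIST_ALLOW_PRIVATE_HOSTS` scopes the switch to CRS sync, but the variable name suggests it governs the whole URL allowlist, so defaulting it to `true` here may relax the private-address check for every outbound URL the service validates, not just CRS sync — worth confirming against the config loader before relying on the comment. The same wording is used in deploy/docker-compose.yml hunk @@ -93. Make the scope and the consequence explicit, for example `# Allow private/loopback IPs as URL-allowlist targets (test only; relaxes SSRF protection toward the local network)`.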
@@ -93,9 +95,11 @@ services:
       - GEMINI_QUOTA_POLICY=${GEMINI_QUOTA_POLICY:-}
 
       # =======================================================================
-      # Security Configuration
+      # Security Configuration (URL Allowlist)
       # =======================================================================
       - SECURITY_URL_ALLOWLIST_UPSTREAM_HOSTS=${SECURITY_URL_ALLOWLIST_UPSTREAM_HOSTS:-}
+      # Allow private IP addresses for CRS sync (for internal deployments)
+      - SECURITY_URL_ALLOWLIST_ALLOW_PRIVATE_HOSTS=${SECURITY_URL_ALLOWLIST_ALLOW_PRIVATE_HOSTS:-false}
     depends_on:
       postgres:
         condition: service_healthy
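Review bot: Because compose expands `${SECURITY_URL_ALLOWLIST_ALLOW_PRIVATE_HOSTS:-false}` to a value even when the host variable is unset, the container always receives this variable, and if environment variables take precedence over config.yaml as the commit message states, a value for this key in the newly mountable config.yaml can never take effect — the "config.yaml for detailed configurations" path is silently overridden for exactly the setting this change introduces. Either follow the file's existing `${X:-}` pattern so the variable is only meaningful when set (`- SECURITY_URL_ALLOWLIST_ALLOW_PRIVATE_HOSTS=${SECURITY_URL_ALLOWLIST_ALLOW_PRIVATE_HOSTS:-}`, provided the loader treats an empty value as unset), or state in the comment that this env default overrides config.yaml. The same applies to the test compose hunk @@ -95.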