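---
# Sub2API Configuration File
#
# Copy this file to /etc/sub2api/config.yaml and modify as needed.
# The values below are starting points for a local/dev install; every key
# marked IMPORTANT or mentioning production must be reviewed before the
# service is exposed to untrusted clients.
#
# Documentation: https://github.com/Wei-Shaw/sub2api

# =============================================================================
# Server Configuration
# =============================================================================
server:
  # Bind address (0.0.0.0 for all interfaces)
  host: "0.0.0.0"

  # Port to listen on
  port: 8080

  # Mode: "debug" for development, "release" for production
  mode: "release"

  # Trusted proxies for X-Forwarded-For parsing (CIDR/IP). Empty disables
  # trusted proxies. List only reverse proxies you control: a too-broad range
  # lets any client choose its own apparent source IP via X-Forwarded-For.
  trusted_proxies: []

# =============================================================================
# Run Mode Configuration
# =============================================================================
# Run mode: "standard" (default) or "simple" (for internal use)
# - standard: Full SaaS features with billing/balance checks
# - simple: Hides SaaS features and skips billing/balance checks
run_mode: "standard"

# =============================================================================
# CORS Configuration
# =============================================================================
cors:
  # Allowed origins list. Leave empty to disable cross-origin requests.
  allowed_origins: []

  # Allow credentials (cookies/authorization headers). Cannot be used with "*".
  allow_credentials: true

# =============================================================================
# Security Configuration
# =============================================================================
security:
  url_allowlist:
    # Enable URL allowlist validation (disable to skip all URL checks).
    # The example ships with the allowlist off; enable it on internet-facing
    # deployments so that only the hosts listed below can be contacted.
    enabled: false

    # Allowed upstream hosts for API proxying
    upstream_hosts:
      - "api.openai.com"
      - "api.anthropic.com"
      - "api.kimi.com"
      - "open.bigmodel.cn"
      - "api.minimaxi.com"
      - "generativelanguage.googleapis.com"
      - "cloudcode-pa.googleapis.com"
      - "*.openai.azure.com"

    # Allowed hosts for pricing data download
    pricing_hosts:
      - "raw.githubusercontent.com"

    # Allowed hosts for CRS sync (required when using CRS sync)
    crs_hosts: []

    # Allow localhost/private IPs for upstream/pricing/CRS (use only in trusted
    # networks). Set to false in production: outbound requests to private
    # addresses are the usual SSRF route into internal services.
    allow_private_hosts: true

    # Allow http:// URLs when the allowlist is disabled. The documented
    # application default is false (https required); this example overrides it
    # to true for local setups. Set to false wherever upstream traffic leaves
    # the host.
    allow_insecure_http: true

  response_headers:
    # Enable configurable response header filtering (disable to use the
    # default allowlist)
    enabled: false

    # Extra allowed response headers from upstream
    additional_allowed: []

    # Force-remove response headers from upstream
    force_remove: []

  csp:
    # Enable Content-Security-Policy header
    enabled: true

    # Default CSP policy (override if you host assets on other domains).
    # Note: __CSP_NONCE__ will be replaced with 'nonce-xxx' at request time for
    # inline script security. style-src keeps 'unsafe-inline', and img-src /
    # connect-src accept any https: origin; narrow these to the origins you
    # actually use if your frontend allows it.
    policy: "default-src 'self'; script-src 'self' __CSP_NONCE__ https://challenges.cloudflare.com https://static.cloudflareinsights.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https:; frame-src https://challenges.cloudflare.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"

  proxy_probe:
    # Allow skipping TLS verification for proxy probe (debug only)
    insecure_skip_verify: false

# =============================================================================
# Gateway Configuration
# =============================================================================
gateway:
  # Timeout for waiting upstream response headers (seconds)
  response_header_timeout: 600

  # Max request body size in bytes (default: 100MB)
  max_body_size: 104857600

  # Connection pool isolation strategy:
  # - proxy: Isolate by proxy, same proxy shares connection pool
  #   (suitable for few proxies, many accounts)
  # - account: Isolate by account, same account shares connection pool
  #   (suitable for few accounts, strict isolation)
  # - account_proxy: Isolate by account+proxy combination
  #   (default, finest granularity)
  connection_pool_isolation: "account_proxy"

  # HTTP upstream connection pool settings
  # (HTTP/2 + multi-proxy scenario defaults)

  # Max idle connections across all hosts
  max_idle_conns: 240

  # Max idle connections per host
  max_idle_conns_per_host: 120

  # Max connections per host
  max_conns_per_host: 240

  # Idle connection timeout (seconds)
  idle_conn_timeout_seconds: 90

  # Upstream client cache settings

  # Max cached clients; evicts the least recently used when exceeded
  max_upstream_clients: 5000

  # Client idle reclaim threshold (seconds); a client is reclaimed when idle
  # for this long and has no active requests
  client_idle_ttl_seconds: 900

  # Concurrency slot expiration time (minutes)
  concurrency_slot_ttl_minutes: 30

  # Stream data interval timeout (seconds), 0=disable
  stream_data_interval_timeout: 180

  # Stream keepalive interval (seconds), 0=disable
  stream_keepalive_interval: 10

  # SSE max line size in bytes (default: 40MB)
  max_line_size: 41943040

  # Log upstream error response body summary (safe/truncated; does not log
  # request content)
  log_upstream_error_body: true

  # Max bytes to log from upstream error body
  log_upstream_error_body_max_bytes: 2048

  # Auto inject anthropic-beta header for API-key accounts when needed
  # (default: off)
  inject_beta_for_apikey: false

  # Allow failover on selected 400 errors (default: off)
  failover_on_400: false

  # Scheduling configuration
  scheduling:
    # Sticky session max waiting queue size
    sticky_session_max_waiting: 3

    # Sticky session wait timeout (duration)
    sticky_session_wait_timeout: "120s"

    # Fallback wait timeout (duration)
    fallback_wait_timeout: "30s"

    # Fallback max waiting queue size
    fallback_max_waiting: 100

    # Enable batch load calculation for scheduling
    load_batch_enabled: true

    # Slot cleanup interval (duration)
    slot_cleanup_interval: "30s"

    # Allow controlled fallback reads to the DB (default true, keeps the
    # existing behavior)
    db_fallback_enabled: true

    # Controlled DB fallback timeout (seconds); 0 means the timeout is not
    # tightened further
    db_fallback_timeout_seconds: 0

    # Controlled DB fallback rate limit (per-instance QPS); 0 means unlimited
    db_fallback_max_qps: 0

    # Outbox polling interval (seconds)
    outbox_poll_interval_seconds: 1

    # Outbox lag warning threshold (seconds)
    outbox_lag_warn_seconds: 5

    # Outbox lag threshold that triggers a forced rebuild (seconds)
    outbox_lag_rebuild_seconds: 10

    # Consecutive lag detections required before a rebuild is triggered
    outbox_lag_rebuild_failures: 3

    # Outbox backlog threshold that triggers a rebuild (rows)
    outbox_backlog_rebuild_rows: 10000

    # Full rebuild interval (seconds); 0 disables
    full_rebuild_interval_seconds: 300

  # TLS fingerprint simulation
  # Default profile "claude_cli_v2" simulates Node.js 20.x
  tls_fingerprint:
    enabled: true
    # profiles:
    #   profile_1:
    #     name: "Custom Profile 1"
    #   profile_2:
    #     name: "Custom Profile 2"
    #     cipher_suites: [4866, 4867, 4865, 49199, 49195, 49200, 49196]
    #     curves: [29, 23, 24]
    #     point_formats: [0]

# =============================================================================
# API Key Auth Cache Configuration
# =============================================================================
api_key_auth_cache:
  # L1 cache size (entries), in-process LRU/TTL cache
  l1_size: 65535

  # L1 cache TTL (seconds)
  l1_ttl_seconds: 15

  # L2 cache TTL (seconds), stored in Redis
  l2_ttl_seconds: 300

  # Negative cache TTL (seconds)
  negative_ttl_seconds: 30

  # TTL jitter percent (0-100)
  jitter_percent: 10

  # Enable singleflight for cache misses
  singleflight: true

# =============================================================================
# Dashboard Cache Configuration
# =============================================================================
dashboard_cache:
  # Enable dashboard cache
  enabled: true

  # Redis key prefix for multi-environment isolation
  key_prefix: "sub2api:"

  # Fresh TTL (seconds); within this window cached stats are considered fresh
  stats_fresh_ttl_seconds: 15

  # Cache TTL (seconds) stored in Redis
  stats_ttl_seconds: 30

  # Async refresh timeout (seconds)
  stats_refresh_timeout_seconds: 30

# =============================================================================
# Dashboard Aggregation Configuration (takes effect after restart)
# =============================================================================
dashboard_aggregation:
  # Enable aggregation job
  enabled: true

  # Refresh interval (seconds)
  interval_seconds: 60

  # Lookback window (seconds) for late-arriving data
  lookback_seconds: 120

  # Allow manual backfill
  backfill_enabled: false

  # Backfill max range (days)
  backfill_max_days: 31

  # Recompute recent N days on startup
  recompute_days: 2

  # Retention windows (days)
  retention:
    # Raw usage_logs retention
    usage_logs_days: 90

    # Hourly aggregation retention
    hourly_days: 180

    # Daily aggregation retention
    daily_days: 730

# =============================================================================
# Usage Cleanup Task Configuration (takes effect after restart)
# =============================================================================
usage_cleanup:
  # Enable cleanup task worker
  enabled: true

  # Max date range (days) per task
  max_range_days: 31

  # Batch delete size
  batch_size: 5000

  # Worker interval (seconds)
  worker_interval_seconds: 10

  # Task execution timeout (seconds)
  task_timeout_seconds: 1800

# =============================================================================
# Concurrency Wait Configuration
# =============================================================================
concurrency:
  # SSE ping interval during concurrency wait (seconds)
  ping_interval: 10

# =============================================================================
# Database Configuration (PostgreSQL)
# =============================================================================
database:
  # Database host address
  host: "localhost"

  # Database port
  port: 5432

  # Database username
  user: "postgres"

  # Database password (placeholder; replace before first start)
  password: "your_secure_password_here"

  # Database name
  dbname: "sub2api"

  # SSL mode: disable, require, verify-ca, verify-full
  # "disable" is only appropriate when PostgreSQL runs on the same host or a
  # trusted private network; use "verify-full" (with the server CA) for a
  # remote database so credentials and data are not sent in clear text.
  sslmode: "disable"

# =============================================================================
# Redis Configuration
# =============================================================================
redis:
  # Redis host address
  host: "localhost"

  # Redis port
  port: 6379

  # Redis password (leave empty if no password is set)
  password: ""

  # Database number (0-15)
  db: 0

# =============================================================================
# Ops Monitoring (Optional)
# =============================================================================
ops:
  # Enable ops monitoring features (background jobs and APIs).
  # Set to false to hide the ops menu in the sidebar and disable all ops
  # features. Other detailed settings (cleanup, aggregation, etc.) are
  # configured in the ops settings dialog.
  enabled: true

# =============================================================================
# JWT Configuration
# =============================================================================
jwt:
  # IMPORTANT: Change this to a random string in production!
  # Generate with: openssl rand -hex 32
  secret: "change-this-to-a-secure-random-string"

  # Token expiration time in hours (max 24)
  expire_hour: 24

# =============================================================================
# TOTP (2FA) Configuration
# =============================================================================
totp:
  # IMPORTANT: Set a fixed encryption key for TOTP secrets.
  # If left empty, a random key will be generated on each startup, causing all
  # existing TOTP configurations to become invalid (users won't be able to
  # login with 2FA).
  # Generate with: openssl rand -hex 32
  encryption_key: ""

# =============================================================================
# LinuxDo Connect OAuth Login (SSO, used for Sub2API user login)
# =============================================================================
linuxdo_connect:
  enabled: false
  client_id: ""
  client_secret: ""
  authorize_url: "https://connect.linux.do/oauth2/authorize"
  token_url: "https://connect.linux.do/oauth2/token"
  userinfo_url: "https://connect.linux.do/api/user"
  scopes: "user"

  # Example: "https://your-domain.com/api/v1/auth/oauth/linuxdo/callback"
  redirect_url: ""

  # Security notes:
  # - Prefer a same-origin relative path (starting with /) so the token is
  #   never redirected to an unexpected third-party domain.
  # - The URL must not contain a #fragment (this implementation passes the
  #   access_token in the URL fragment).
  frontend_redirect_url: "/auth/linuxdo/callback"

  # client_secret_post | client_secret_basic | none
  token_auth_method: "client_secret_post"

  # Note: when token_auth_method=none (public client), PKCE must be enabled.
  use_pkce: false

  userinfo_email_path: ""
  userinfo_id_path: ""
  userinfo_username_path: ""

# =============================================================================
# Default Settings
# =============================================================================
default:
  # Initial admin account (created on first run). Both values are
  # placeholders: replace them before the first start and rotate the password
  # after the first login. Since the account is created on first run, editing
  # these values later presumably does not update the existing account.
  admin_email: "admin@example.com"
  admin_password: "admin123"

  # Default settings for new users

  # Max concurrent requests per user
  user_concurrency: 5

  # Initial balance for new users
  user_balance: 0

  # API key settings

  # Prefix for generated API keys
  api_key_prefix: "sk-"

  # Rate multiplier (affects billing calculation)
  rate_multiplier: 1.0

# =============================================================================
# Rate Limiting
# =============================================================================
rate_limit:
  # Cooldown time (in minutes) when upstream returns 529 (overloaded)
  overload_cooldown_minutes: 10

# =============================================================================
# Pricing Data Source (Optional)
# =============================================================================
pricing:
  # URL to fetch model pricing data (default: LiteLLM)
  remote_url: "https://raw.githubusercontent.com/BerriAI/litellm/main/model_prices_and_context_window.json"

  # Hash verification URL (optional)
  hash_url: ""

  # Local data directory for caching
  data_dir: "./data"

  # Fallback pricing file
  fallback_file: "./resources/model-pricing/model_prices_and_context_window.json"

  # Update interval in hours
  update_interval_hours: 24

  # Hash check interval in minutes
  hash_check_interval_minutes: 10

# =============================================================================
# Billing Configuration
# =============================================================================
billing:
  circuit_breaker:
    # Enable circuit breaker for billing service
    enabled: true

    # Number of failures before opening circuit
    failure_threshold: 5

    # Time to wait before attempting reset (seconds)
    reset_timeout_seconds: 30

    # Number of requests to allow in half-open state
    half_open_requests: 3

# =============================================================================
# Turnstile Configuration
# =============================================================================
turnstile:
  # Require Turnstile in release mode (when enabled, login/register will fail
  # if Turnstile is not configured). While false, login/register proceed
  # without bot verification when Turnstile is absent.
  required: false

# =============================================================================
# Gemini OAuth (Required for Gemini accounts)
# =============================================================================
# Sub2API supports TWO Gemini OAuth modes:
#
# 1. Code Assist OAuth (requires GCP project_id)
#    - Uses: cloudcode-pa.googleapis.com (Code Assist API)
#
# 2. AI Studio OAuth (no project_id needed)
#    - Uses: generativelanguage.googleapis.com (AI Studio API)
#
# Default: Uses Gemini CLI's public OAuth credentials (same as Google's
# official CLI tool)
gemini:
  oauth:
    # Gemini CLI public OAuth credentials (works for both Code Assist and
    # AI Studio). These are the publicly shipped CLI credentials, not a
    # per-deployment secret; replace them only if you register your own
    # OAuth client.
    client_id: "681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com"
    client_secret: "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"

    # Optional scopes (space-separated). Leave empty to auto-select based on
    # oauth_type.
    scopes: ""

  quota:
    # Optional: local quota simulation for Gemini Code Assist (local billing).
    # These values are used for UI progress + precheck scheduling, not
    # official Google quotas.
    tiers:
      LEGACY:
        # Pro model requests per day
        pro_rpd: 50

        # Flash model requests per day
        flash_rpd: 1500

        # Cooldown time (minutes) after hitting quota
        cooldown_minutes: 30

      PRO:
        # Pro model requests per day
        pro_rpd: 1500

        # Flash model requests per day
        flash_rpd: 4000

        # Cooldown time (minutes) after hitting quota
        cooldown_minutes: 5

      ULTRA:
        # Pro model requests per day
        pro_rpd: 2000

        # Flash model requests per day (0 = unlimited)
        flash_rpd: 0

        # Cooldown time (minutes) after hitting quota
        cooldown_minutes: 5

# =============================================================================
# Update Configuration (online update)
# =============================================================================
update:
  # Proxy URL for accessing GitHub (used for online updates and pricing data)
  # Supports: http, https, socks5, socks5h
  # Examples:
  #   - HTTP proxy: "http://127.0.0.1:7890"
  #   - SOCKS5 proxy: "socks5://127.0.0.1:1080"
  #   - With authentication: "http://user:pass@proxy.example.com:8080"
  # Leave empty for direct connection (recommended for overseas servers).
  # If the proxy needs credentials they are stored here in clear text, so keep
  # this file readable only by the service account.
  proxy_url: ""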