feat: add fingerprint recognition feature and update documentation

- Add fingerprint recognition section to README with support for 2.7W+ rules from multiple sources (EHole, Goby, Wappalyzer, Fingers, FingerPrintHub, ARL) - Update scanning pipeline architecture diagram to include fingerprint recognition stage between site identification and deep analysis - Add fingerprint recognition styling to mermaid diagram for visual consistency - Include WORKER_API_KEY environment variable in task distributor for worker authentication - Update WeChat QR code image and public account name from "洋洋的小黑屋" to "塔罗安全学苑" - Fix import statements in nav-system.tsx to use i18n navigation utilities instead of next/link and next/navigation - Enhance scanning workflow documentation to reflect complete pipeline: subdomain discovery → port scanning → site identification → fingerprint recognition → URL collection → directory scanning → vulnerability scanning
docs: simplify quick-start guide
2026-01-31 19:53:11 +08:00 · 2025-12-31 23:09:25 +08:00 · 2025-12-31 22:50:08 +08:00 · 2025-12-31 22:46:42 +08:00 · 2025-12-31 22:40:38 +08:00 · 2025-12-31 22:21:40 +08:00
14 changed files with 66 additions and 30 deletions
--- a/README.md
+++ b/README.md
@@ -62,9 +62,14 @@
 - **自定义流程** - YAML 配置扫描流程，灵活编排
 - **定时扫描** - Cron 表达式配置，自动化周期扫描

+### 🔖 指纹识别
+- **多源指纹库** - 内置 EHole、Goby、Wappalyzer、Fingers、FingerPrintHub、ARL 等 2.7W+ 指纹规则
+- **自动识别** - 扫描流程自动执行，识别 Web 应用技术栈
+- **指纹管理** - 支持查询、导入、导出指纹规则
+
 #### 扫描流程架构

-完整的扫描流程包括：子域名发现、端口扫描、站点发现、URL 收集、目录扫描、漏洞扫描等阶段
+完整的扫描流程包括：子域名发现、端口扫描、站点发现、指纹识别、URL 收集、目录扫描、漏洞扫描等阶段

 ```mermaid
 flowchart LR
@@ -75,7 +80,8 @@ flowchart LR
        SUB["子域名发现<br/>subfinder, amass, puredns"]
        PORT["端口扫描<br/>naabu"]
        SITE["站点识别<br/>httpx"]
-        SUB --> PORT --> SITE
+        FINGER["指纹识别<br/>xingfinger"]
+        SUB --> PORT --> SITE --> FINGER
    end
    
    subgraph STAGE2["阶段 2: 深度分析"]
@@ -91,7 +97,7 @@ flowchart LR
    FINISH["扫描完成"]
    
    START --> STAGE1
-    SITE --> STAGE2
+    FINGER --> STAGE2
    STAGE2 --> STAGE3
    STAGE3 --> FINISH
    
@@ -103,6 +109,7 @@ flowchart LR
    style SUB fill:#5dade2,stroke:#3498db,stroke-width:1px,color:#fff
    style PORT fill:#5dade2,stroke:#3498db,stroke-width:1px,color:#fff
    style SITE fill:#5dade2,stroke:#3498db,stroke-width:1px,color:#fff
+    style FINGER fill:#5dade2,stroke:#3498db,stroke-width:1px,color:#fff
    style URL fill:#bb8fce,stroke:#9b59b6,stroke-width:1px,color:#fff
    style DIR fill:#bb8fce,stroke:#9b59b6,stroke-width:1px,color:#fff
    style VULN fill:#f0b27a,stroke:#e67e22,stroke-width:1px,color:#fff
@@ -216,7 +223,7 @@ sudo ./uninstall.sh
 - 目前版本就我个人使用，可能会有很多边界问题
 - 如有问题，建议，其他，优先提交[Issue](https://github.com/yyhuni/xingrin/issues)，也可以直接给我的公众号发消息，我都会回复的

- 微信公众号: **洋洋的小黑屋**
+- 微信公众号: **塔罗安全学苑**

 <img src="docs/wechat-qrcode.png" alt="微信公众号" width="200">

--- a/2
+++ b/2
@@ -1 +1 @@
-v1.2.8-dev
+v1.2.9-dev
--- a/backend/apps/common/urls.py
+++ b/backend/apps/common/urls.py
@@ -2,14 +2,18 @@
 通用模块 URL 配置

 路由说明：
+- /api/health/    健康检查接口（无需认证）
 - /api/auth/*     认证相关接口（登录、登出、用户信息）
 - /api/system/*   系统管理接口（日志查看等）
 """

 from django.urls import path
-from .views import LoginView, LogoutView, MeView, ChangePasswordView, SystemLogsView, SystemLogFilesView
+from .views import LoginView, LogoutView, MeView, ChangePasswordView, SystemLogsView, SystemLogFilesView, HealthCheckView

 urlpatterns = [
+    # 健康检查（无需认证）
+    path('health/', HealthCheckView.as_view(), name='health-check'),
+    
    # 认证相关
    path('auth/login/', LoginView.as_view(), name='auth-login'),
    path('auth/logout/', LogoutView.as_view(), name='auth-logout'),
--- a/backend/apps/common/views/init.py
+++ b/backend/apps/common/views/init.py
@@ -2,11 +2,17 @@
 通用模块视图导出

 包含：
+- 健康检查视图：Docker 健康检查
 - 认证相关视图：登录、登出、用户信息、修改密码
 - 系统日志视图：实时日志查看
 """

+from .health_views import HealthCheckView
 from .auth_views import LoginView, LogoutView, MeView, ChangePasswordView
 from .system_log_views import SystemLogsView, SystemLogFilesView

-__all__ = ['LoginView', 'LogoutView', 'MeView', 'ChangePasswordView', 'SystemLogsView', 'SystemLogFilesView']
+__all__ = [
+    'HealthCheckView',
+    'LoginView', 'LogoutView', 'MeView', 'ChangePasswordView',
+    'SystemLogsView', 'SystemLogFilesView',
+]
--- a/backend/apps/common/views/health_views.py
+++ b/backend/apps/common/views/health_views.py
@@ -0,0 +1,24 @@
+"""
+健康检查视图
+
+提供 Docker 健康检查端点，无需认证。
+"""
+
+from rest_framework.views import APIView
+from rest_framework.response import Response
+from rest_framework.permissions import AllowAny
+
+
+class HealthCheckView(APIView):
+    """
+    健康检查端点
+    
+    GET /api/health/
+    
+    返回服务状态，用于 Docker 健康检查。
+    此端点无需认证。
+    """
+    permission_classes = [AllowAny]
+    
+    def get(self, request):
+        return Response({'status': 'ok'})
--- a/backend/apps/engine/services/task_distributor.py
+++ b/backend/apps/engine/services/task_distributor.py
@@ -284,6 +284,7 @@ class TaskDistributor:
        env_vars = [
            f"-e SERVER_URL={shlex.quote(server_url)}",
            f"-e IS_LOCAL={is_local_str}",
+            f"-e WORKER_API_KEY={shlex.quote(settings.WORKER_API_KEY)}",  # Worker API 认证密钥
            "-e PREFECT_HOME=/tmp/.prefect",  # 设置 Prefect 数据目录到可写位置
            "-e PREFECT_SERVER_EPHEMERAL_ENABLED=true",  # 启用 ephemeral server（本地临时服务器）
            "-e PREFECT_SERVER_EPHEMERAL_STARTUP_TIMEOUT_SECONDS=120",  # 增加启动超时时间
--- a/backend/apps/scan/notifications/views.py
+++ b/backend/apps/scan/notifications/views.py
@@ -7,8 +7,7 @@ from typing import Any
 from django.http import JsonResponse
 from django.utils import timezone
 from rest_framework import status
-from rest_framework.decorators import api_view, permission_classes
-from rest_framework.permissions import AllowAny
+from rest_framework.decorators import api_view
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
@@ -198,12 +197,13 @@ class NotificationSettingsView(APIView):
 # ============================================

@api_view(['POST'])
-@permission_classes([AllowAny])  # Worker 容器无认证，可考虑添加 Token 验证
+# 权限由全局 IsAuthenticatedOrPublic 处理，/api/callbacks/* 需要 Worker API Key 认证
 def notification_callback(request):
    """
    接收 Worker 的通知推送请求
    
    Worker 容器无法直接访问 Redis，通过此 API 回调让 Server 推送 WebSocket。
+    需要 Worker API Key 认证（X-Worker-API-Key Header）。
    
    POST /api/callbacks/notification/
    {
--- a/docker/docker-compose.dev.yml
+++ b/docker/docker-compose.dev.yml
@@ -47,7 +47,8 @@ services:
      - /opt/xingrin:/opt/xingrin
      - /var/run/docker.sock:/var/run/docker.sock
    healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:8888/api/"]
+      # 使用专门的健康检查端点（无需认证）
+      test: ["CMD", "curl", "-f", "http://localhost:8888/api/health/"]
      interval: 30s
      timeout: 10s
      retries: 3
@@ -66,6 +67,7 @@ services:
      - WORKER_NAME=本地节点
      - IS_LOCAL=true
      - IMAGE_TAG=${IMAGE_TAG:-dev}
+      - WORKER_API_KEY=${WORKER_API_KEY}
    depends_on:
      server:
        condition: service_healthy
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -50,7 +50,8 @@ services:
      # Docker Socket 挂载：允许 Django 服务器执行本地 docker 命令（用于本地 Worker 任务分发）
      - /var/run/docker.sock:/var/run/docker.sock
    healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:8888/api/"]
+      # 使用专门的健康检查端点（无需认证）
+      test: ["CMD", "curl", "-f", "http://localhost:8888/api/health/"]
      interval: 30s
      timeout: 10s
      retries: 3
--- a/docker/worker/Dockerfile
+++ b/docker/worker/Dockerfile
@@ -1,5 +1,6 @@
 # 第一阶段：使用 Go 官方镜像编译工具
-FROM golang:1.24 AS go-builder
+# 锁定 digest 避免上游更新导致缓存失效
+FROM golang:1.24@sha256:7e050c14ae9ca5ae56408a288336545b18632f51402ab0ec8e7be0e649a1fc42 AS go-builder

 ENV GOPROXY=https://goproxy.cn,direct
 # Naabu 需要 CGO 和 libpcap
@@ -36,7 +37,8 @@ RUN CGO_ENABLED=0 go install -v github.com/owasp-amass/amass/v5/cmd/amass@main
 RUN go install github.com/hahwul/dalfox/v2@latest

 # 第二阶段：运行时镜像
-FROM ubuntu:24.04
+# 锁定 digest 避免上游更新导致缓存失效
+FROM ubuntu:24.04@sha256:4fdf0125919d24aec972544669dcd7d6a26a8ad7e6561c73d5549bd6db258ac2

 # 避免交互式提示
 ENV DEBIAN_FRONTEND=noninteractive
--- a/docs/quick-start.md
+++ b/docs/quick-start.md
@@ -21,13 +21,8 @@

 ### 1. 下载项目
 ```bash
-# 方式 1：Git 克隆（推荐）
 git clone https://github.com/你的用户名/xingrin.git
 cd xingrin
-
-# 方式 2：下载 ZIP
-wget https://github.com/你的用户名/xingrin/archive/main.zip
-unzip main.zip && cd xingrin-main
 ```

 ### 2. 执行安装
@@ -109,9 +104,6 @@ graph TD
 # 重启服务
 ./restart.sh

-# 更新系统
-./update.sh
-
 # 卸载系统
 ./uninstall.sh
 ```
@@ -233,11 +225,6 @@ docker logs --tail 100 xingrin-agent
 tail -f /opt/xingrin/logs/*.log
 ```

-### 3. 定期更新
-```bash
-# 定期执行系统更新
-./update.sh
-```

 ## 下一步

--- a/docs/wechat-qrcode.png
+++ b/docs/wechat-qrcode.png
--- a/frontend/components/nav-system.tsx
+++ b/frontend/components/nav-system.tsx
@@ -1,10 +1,10 @@
 "use client"

 import { type Icon } from "@tabler/icons-react"
-import Link from "next/link"
-import { usePathname } from "next/navigation"
 import { useTranslations } from "next-intl"

+import { Link, usePathname } from "@/i18n/navigation"
+
 import {
  SidebarGroup,
  SidebarGroupLabel,
--- a/install.sh
+++ b/install.sh
@@ -198,11 +198,13 @@ generate_self_signed_cert() {
 # 自动为 docker/.env 填充敏感变量
 auto_fill_docker_env_secrets() {
    local env_file="$1"
-    info "自动生成 DJANGO_SECRET_KEY 和 DB_PASSWORD..."
+    info "自动生成 DJANGO_SECRET_KEY、DB_PASSWORD 和 WORKER_API_KEY..."
    GENERATED_DJANGO_KEY="$(generate_random_string 64)"
    GENERATED_DB_PASSWORD="$(generate_random_string 32)"
+    GENERATED_WORKER_API_KEY="$(generate_random_string 32)"
    update_env_var "$env_file" "DJANGO_SECRET_KEY" "$GENERATED_DJANGO_KEY"
    update_env_var "$env_file" "DB_PASSWORD" "$GENERATED_DB_PASSWORD"
+    update_env_var "$env_file" "WORKER_API_KEY" "$GENERATED_WORKER_API_KEY"
    success "密钥生成完成"
 }
Author	SHA1	Message	Date
yyhuni	df0810c863	feat: add fingerprint recognition feature and update documentation - Add fingerprint recognition section to README with support for 2.7W+ rules from multiple sources (EHole, Goby, Wappalyzer, Fingers, FingerPrintHub, ARL) - Update scanning pipeline architecture diagram to include fingerprint recognition stage between site identification and deep analysis - Add fingerprint recognition styling to mermaid diagram for visual consistency - Include WORKER_API_KEY environment variable in task distributor for worker authentication - Update WeChat QR code image and public account name from "洋洋的小黑屋" to "塔罗安全学苑" - Fix import statements in nav-system.tsx to use i18n navigation utilities instead of next/link and next/navigation - Enhance scanning workflow documentation to reflect complete pipeline: subdomain discovery → port scanning → site identification → fingerprint recognition → URL collection → directory scanning → vulnerability scanning	2025-12-31 23:09:25 +08:00
yyhuni	d33e54c440	docs: simplify quick-start guide - Remove alternative ZIP download method, keep only Git clone approach - Remove update.sh script reference from service management section - Remove dedicated "定期更新" (periodic updates) section - Streamline documentation to focus on primary installation and usage paths	2025-12-31 22:50:08 +08:00
yyhuni	35a306fe8b	fix：dev环境	2025-12-31 22:46:42 +08:00
yyhuni	724df82931	chore: pin Docker base image digests and add worker API key generation - Pin golang:1.24 base image to specific digest to prevent upstream cache invalidation - Pin ubuntu:24.04 base image to specific digest to prevent upstream cache invalidation - Add WORKER_API_KEY generation in install.sh auto_fill_docker_env_secrets function - Generate random 32-character string for WORKER_API_KEY during installation - Update installation info message to include WORKER_API_KEY in generated secrets list - Improve build reproducibility and security by using immutable image references	2025-12-31 22:40:38 +08:00
yyhuni	8dfffdf802	fix：认证	2025-12-31 22:21:40 +08:00
github-actions[bot]	b8cb85ce0b	chore: bump version to v1.2.9-dev	2025-12-31 13:48:44 +00:00