fix(install): detect architecture instead of hardcoding amd64 (#227 )

install.sh always downloaded the linux_amd64 binary, so arm64/386/mips machines got a binary that does not run. Detect the architecture via uname and pick the matching release artifact; releases already ship those builds.
ci(release): build cross-platform binaries in parallel via matrix (#226 )
2026-06-11 15:28:50 +00:00 · 2026-06-07 17:45:46 +08:00 · 2026-06-05 11:10:47 +08:00 · 2026-06-02 14:38:02 +08:00 · 2026-06-02 14:32:22 +08:00 · 2026-05-31 03:47:09 -07:00
6 changed files with 186 additions and 18 deletions
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -5,11 +5,28 @@ on:
  pull_request:

 name: Release
+
 jobs:
-        
+
  Build:
    if: startsWith(github.ref, 'refs/tags/v')
    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - { goos: darwin,  goarch: amd64 }
+          - { goos: darwin,  goarch: arm64 }
+          - { goos: linux,   goarch: '386' }
+          - { goos: linux,   goarch: amd64 }
+          - { goos: linux,   goarch: arm64 }
+          - { goos: linux,   goarch: mips }
+          - { goos: openbsd, goarch: amd64 }
+          - { goos: openbsd, goarch: arm64 }
+          - { goos: freebsd, goarch: amd64 }
+          - { goos: freebsd, goarch: arm64 }
+          - { goos: windows, goarch: '386' }
+          - { goos: windows, goarch: amd64 }
    steps:
      - uses: actions/checkout@v4

@ -17,12 +34,40 @@ jobs:
        with:
          go-version: "1.24.2"

-      - run: bash .cross_compile.sh
+      - name: Build
+        env:
+          GOOS: ${{ matrix.goos }}
+          GOARCH: ${{ matrix.goarch }}
+          CGO_ENABLED: "0"
+        run: |
+          mkdir -p dist
+          BINARY="dist/deeplx_${GOOS}_${GOARCH}"
+          if [ "${GOOS}" = "windows" ]; then
+            BINARY="${BINARY}.exe"
+          fi
+          go build -trimpath -ldflags "-w -s" -o "${BINARY}" .
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: deeplx_${{ matrix.goos }}_${{ matrix.goarch }}
+          path: dist/*
+          if-no-files-found: error
+
+  Release:
+    needs: Build
+    if: startsWith(github.ref, 'refs/tags/v')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: dist
+          merge-multiple: true

      - name: Release
        uses: softprops/action-gh-release@v1
        with:
          draft: false
          generate_release_notes: true
-          files: |
-            dist/*
+          files: dist/*
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,4 @@
-DeepLX
+DeepLX
+
+# macOS Finder metadata
+.DS_Store
--- a/7
+++ b/7
@ -6,5 +6,8 @@ RUN CGO_ENABLED=0 go build -a -installsuffix cgo -o deeplx .

 FROM alpine:latest
 WORKDIR /app
-COPY --from=builder /go/src/github.com/OwO-Network/DeepLX/deeplx /app/deeplx
-CMD ["/app/deeplx"]
+RUN addgroup -S deeplx && adduser -h /app -G deeplx -SH deeplx
+USER deeplx:deeplx
+COPY --from=builder --chown=deeplx:deeplx /go/src/github.com/OwO-Network/DeepLX/deeplx /app/deeplx
+EXPOSE 1188
+ENTRYPOINT ["/app/deeplx"]
--- a/install.sh
+++ b/install.sh
@ -16,7 +16,20 @@ install_deeplx(){
        exit 1
    fi
    echo -e "DeepLX latest version: ${last_version}, Start install..."
-    wget -q -N --no-check-certificate -O /usr/bin/deeplx https://github.com/OwO-Network/DeepLX/releases/download/${last_version}/deeplx_linux_amd64
+
+    arch=$(uname -m)
+    case "${arch}" in
+        x86_64 | amd64) file_arch="amd64" ;;
+        aarch64 | arm64) file_arch="arm64" ;;
+        i386 | i686) file_arch="386" ;;
+        mips) file_arch="mips" ;;
+        *)
+            echo -e "${red}Unsupported architecture: ${arch}${plain}"
+            exit 1
+            ;;
+    esac
+
+    wget -q -N --no-check-certificate -O /usr/bin/deeplx https://github.com/OwO-Network/DeepLX/releases/download/${last_version}/deeplx_linux_${file_arch}

    chmod +x /usr/bin/deeplx
    wget -q -N --no-check-certificate -O /etc/systemd/system/deeplx.service https://raw.githubusercontent.com/OwO-Network/DeepLX/main/deeplx.service
--- a/service/service.go
+++ b/service/service.go
@ -108,7 +108,13 @@ func Router(cfg *Config) *gin.Engine {
 	// Free API endpoint, No Pro Account required
 	r.POST("/translate", authMiddleware(cfg), func(c *gin.Context) {
 		req := PayloadFree{}
-		c.BindJSON(&req)
+		if err := c.BindJSON(&req); err != nil {
+			c.JSON(http.StatusBadRequest, gin.H{
+				"code":    http.StatusBadRequest,
+				"message": "Invalid request payload",
+			})
+			return
+		}

 		sourceLang := req.SourceLang
 		targetLang := req.TargetLang
@ -127,7 +133,12 @@ func Router(cfg *Config) *gin.Engine {

 		result, err := translate.TranslateByDeepLX(sourceLang, targetLang, translateText, tagHandling, proxyURL, "")
 		if err != nil {
-			log.Fatalf("Translation failed: %s", err)
+			log.Printf("Translation failed: %s", err)
+			c.JSON(http.StatusInternalServerError, gin.H{
+				"code":    http.StatusInternalServerError,
+				"message": "Translation failed",
+			})
+			return
 		}

 		if result.Code == http.StatusOK {
@ -152,7 +163,13 @@ func Router(cfg *Config) *gin.Engine {
 	// Pro API endpoint, Pro Account required
 	r.POST("/v1/translate", authMiddleware(cfg), func(c *gin.Context) {
 		req := PayloadFree{}
-		c.BindJSON(&req)
+		if err := c.BindJSON(&req); err != nil {
+			c.JSON(http.StatusBadRequest, gin.H{
+				"code":    http.StatusBadRequest,
+				"message": "Invalid request payload",
+			})
+			return
+		}

 		sourceLang := req.SourceLang
 		targetLang := req.TargetLang
@ -191,7 +208,12 @@ func Router(cfg *Config) *gin.Engine {

 		result, err := translate.TranslateByDeepLX(sourceLang, targetLang, translateText, tagHandling, proxyURL, dlSession)
 		if err != nil {
-			log.Fatalf("Translation failed: %s", err)
+			log.Printf("Translation failed: %s", err)
+			c.JSON(http.StatusInternalServerError, gin.H{
+				"code":    http.StatusInternalServerError,
+				"message": "Translation failed",
+			})
+			return
 		}

 		if result.Code == http.StatusOK {
@ -243,7 +265,12 @@ func Router(cfg *Config) *gin.Engine {

 		result, err := translate.TranslateByDeepLX("", targetLang, translateText, "", proxyURL, "")
 		if err != nil {
-			log.Fatalf("Translation failed: %s", err)
+			log.Printf("Translation failed: %s", err)
+			c.JSON(http.StatusInternalServerError, gin.H{
+				"code":    http.StatusInternalServerError,
+				"message": "Translation failed",
+			})
+			return
 		}

 		if result.Code == http.StatusOK {
--- a/translate/translate.go
+++ b/translate/translate.go
@ -15,9 +15,11 @@ package translate
 import (
 	"compress/flate"
 	"compress/gzip"
+	"context"
 	"crypto/rand"
 	"encoding/hex"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@ -27,6 +29,7 @@ import (
 	"strings"
 	"sync"
 	"time"
+	"unicode/utf8"

 	"github.com/andybalholm/brotli"
 	"github.com/imroc/req/v3"
@ -57,6 +60,26 @@ const (
 	impersonatedChromeMajor = "120"
 	chromeExtensionVersion  = "1.86.0"
 	chromeExtensionID       = "cofdbpoegempjloogbagkncekinflcnj"
+
+	// oneshot enforces a 1500-character hard cap on the total length of
+	// the `text` array (sum across all items). Source: the extension's
+	// own `G.notLoggedIn = 1500` constant in background.js. The server
+	// returns 400 `{"errors":{"text":["text exceeds maximum length"]}}`
+	// past this; bail early to spare the upstream and give the caller a
+	// faster, less ambiguous error.
+	maxFreeTextLength = 1500
+
+	// oneshotTimeout caps how long we wait on a single translate request.
+	// Without an explicit timeout, a hung upstream connection would
+	// dangle indefinitely and the caller (e.g. browser extension) would
+	// sit on a spinner forever — observed in the field.
+	oneshotTimeout = 20 * time.Second
+
+	// warmupTimeout caps the initial GET to www.deepl.com that seeds the
+	// cookie jar. Shorter than oneshotTimeout because warmup typically
+	// completes in well under a second; we'd rather skip a slow warmup
+	// (cookies are best-effort anyway) than block the first translation.
+	warmupTimeout = 5 * time.Second
 )

 // instanceID mirrors the UUID the extension persists in chrome.storage on
@ -76,6 +99,14 @@ var (
 	cookieWarmer  sync.Once
 )

+// oneshotClients caches one req.Client per proxy URL so all translate
+// calls share the underlying TCP / TLS / HTTP/2 connection pool.
+// Creating a fresh req.Client per request meant a brand-new TLS
+// handshake every time (~200-400ms of overhead on top of DeepL's own
+// ~1.5s processing latency). Reusing the client lets keep-alive +
+// session tickets cut that to near zero on the warm path.
+var oneshotClients sync.Map // map[string]*req.Client
+
 func sharedCookieJar() http.CookieJar {
 	cookieJarOnce.Do(func() {
 		j, _ := cookiejar.New(nil)
@ -87,10 +118,15 @@ func sharedCookieJar() http.CookieJar {
 // warmCookies primes the shared jar by GETting www.deepl.com once.
 // The Set-Cookie response (userCountry / verifiedBot) lands on .deepl.com,
 // which is the eTLD+1 of oneshot-free.www.deepl.com, so subsequent POSTs
-// to the oneshot endpoint will carry those cookies automatically.
+// to the oneshot endpoint will carry those cookies automatically. The
+// same request doubles as a TLS-handshake warmup: it leaves a live
+// HTTP/2 connection to www.deepl.com in the client pool, which the
+// first oneshot POST then resumes via TLS session tickets.
 func warmCookies(client *req.Client) {
 	cookieWarmer.Do(func() {
-		_, _ = client.R().Get("https://www.deepl.com/translator")
+		ctx, cancel := context.WithTimeout(context.Background(), warmupTimeout)
+		defer cancel()
+		_, _ = client.R().SetContext(ctx).Get("https://www.deepl.com/translator")
 	})
 }

@ -239,8 +275,33 @@ type oneshotRequest struct {
 // headers (pragma, cache-control, upgrade-insecure-requests, sec-fetch-user)
 // that a fetch() never emits — wipe those so the WAF cannot tell us apart
 // on that axis.
+// getOneshotClient returns a process-wide cached client for the given
+// proxy URL, creating it on first use. Sharing the client across
+// requests is the single biggest latency win we have on the warm path:
+// it keeps the TLS / HTTP/2 connection in the pool so subsequent
+// requests skip the handshake entirely. Kicks off cookie-jar warmup
+// in the background on first creation so that the first real translate
+// call lands on an already-established connection.
+func getOneshotClient(proxyURL string) (*req.Client, error) {
+	if c, ok := oneshotClients.Load(proxyURL); ok {
+		return c.(*req.Client), nil
+	}
+	c, err := newOneshotClient(proxyURL)
+	if err != nil {
+		return nil, err
+	}
+	if actual, loaded := oneshotClients.LoadOrStore(proxyURL, c); loaded {
+		return actual.(*req.Client), nil
+	}
+	// First time we've seen this proxy. Kick warmup off in the
+	// background so the very first translate call can run in parallel
+	// with the TLS handshake to www.deepl.com.
+	go warmCookies(c)
+	return c, nil
+}
+
 func newOneshotClient(proxyURL string) (*req.Client, error) {
-	client := req.C().ImpersonateChrome().SetCookieJar(sharedCookieJar())
+	client := req.C().ImpersonateChrome().SetCookieJar(sharedCookieJar()).SetTimeout(oneshotTimeout)
 	for _, h := range []string{
 		"Pragma",
 		"Cache-Control",
@ -270,11 +331,10 @@ func newOneshotClient(proxyURL string) (*req.Client, error) {
 // exactly. Omitting that header instead would put the request on a
 // different server-side auth branch.
 func callOneshot(endpoint string, body []byte, bearerToken, proxyURL string) (gjson.Result, int, error) {
-	client, err := newOneshotClient(proxyURL)
+	client, err := getOneshotClient(proxyURL)
 	if err != nil {
 		return gjson.Result{}, 0, err
 	}
-	warmCookies(client) // no-op after the first translation in the process

 	authValue := "None"
 	if bearerToken != "" {
@ -349,6 +409,13 @@ func TranslateByDeepLX(sourceLang, targetLang, text string, tagHandling string,
 		}, nil
 	}

+	if n := utf8.RuneCountInString(text); n > maxFreeTextLength {
+		return DeepLXTranslationResult{
+			Code:    http.StatusRequestEntityTooLarge,
+			Message: fmt.Sprintf("text exceeds maximum length: %d characters (anonymous oneshot limit is %d)", n, maxFreeTextLength),
+		}, nil
+	}
+
 	reqStruct := oneshotRequest{
 		Text:       []string{text},
 		TargetLang: resolvedTarget,
@ -372,6 +439,16 @@ func TranslateByDeepLX(sourceLang, targetLang, text string, tagHandling string,
 	id := time.Now().UnixMilli()
 	result, status, err := callOneshot(endpoint, bodyBytes, dlSession, proxyURL)
 	if err != nil {
+		// Map upstream timeouts to 504 so callers can distinguish "DeepL
+		// took too long" from other 503 failure modes (DNS, TLS, etc.).
+		var ue *url.Error
+		if errors.Is(err, context.DeadlineExceeded) || (errors.As(err, &ue) && ue.Timeout()) {
+			return DeepLXTranslationResult{
+				ID:      id,
+				Code:    http.StatusGatewayTimeout,
+				Message: fmt.Sprintf("upstream DeepL request timed out after %s", oneshotTimeout),
+			}, nil
+		}
 		return DeepLXTranslationResult{
 			ID:      id,
 			Code:    http.StatusServiceUnavailable,
Author	SHA1	Message	Date
Bonny Lin	88a00874c8	fix(install): detect architecture instead of hardcoding amd64 (#227 ) install.sh always downloaded the linux_amd64 binary, so arm64/386/mips machines got a binary that does not run. Detect the architecture via uname and pick the matching release artifact; releases already ship those builds.	2026-06-07 17:45:46 +08:00
Bonny Lin	231393c669	ci(release): build cross-platform binaries in parallel via matrix (#226 ) The release job ran .cross_compile.sh, which builds all 12 targets sequentially in a single runner. Split the build into a matrix so each GOOS/GOARCH pair builds concurrently on its own runner, then a dependent Release job collects the artifacts and publishes them in one release. Output filenames are unchanged.	2026-06-05 11:10:47 +08:00
Vincent Young	9d6b294a61	fix(service): log translation errors and hide internals from clients Return a generic "Translation failed" message instead of echoing err.Error() in the HTTP response, and log the underlying error server-side via log.Printf. Avoids leaking internal details (proxy address, upstream URL, etc.) to API clients while keeping the 500 behavior introduced in #224.	2026-06-02 14:38:02 +08:00
Bonny Lin	d19a3902df	fix(service): validate request body on /translate and /v1/translate (#225 ) The two handlers ignored the error from c.BindJSON, so a malformed JSON body was silently processed as an empty payload. Check the error and return 400, consistent with /v2/translate.	2026-06-02 14:32:22 +08:00
Bonny Lin	3f099d187c	fix(service): return 500 instead of crashing on translation error (#224 ) The /translate, /v1/translate and /v2/translate handlers called log.Fatalf when TranslateByDeepLX returned an error. log.Fatalf calls os.Exit, so a single failed translation would tear down the whole server process. Return a 500 JSON response and keep serving instead.	2026-05-31 03:47:09 -07:00
趙子賢	1b88e428ae	feat(docker): non-root user + ENTRYPOINT (#222 ) Closes #221. - Run as non-root using an Alpine system account (UID auto-assigned from the 100-999 system range, referenced by name to avoid hard-coding). - Replace CMD with ENTRYPOINT so args passed to `docker run` flow through to the deeplx binary. - EXPOSE 1188 for documentation.	2026-05-24 01:30:05 +08:00
Vincent Yang	432c0a223c	fix(translate): enforce 1500-char text limit + add request timeout (#220 ) * fix(translate): enforce 1500-char limit upfront and add request timeout Two related stability issues hit during real-world use: 1. Hung requests — without an explicit timeout the upstream HTTP call could dangle indefinitely on a stuck connection. Browser extensions calling /translate would sit on a spinner forever with no error to surface to the user (reported in the field). 2. No-feedback on oversized input — the oneshot endpoint caps the total text length at 1500 characters (matches the extension's own \`G.notLoggedIn = 1500\` constant). We were forwarding the request anyway and letting DeepL 400 it, which a) wasted an upstream round trip and b) the caller had no way to distinguish from other 400s. Changes: - Pre-validate \`text\` length in characters (utf8.RuneCountInString, not byte length — verified the cap is rune-based: 1500 Chinese characters / 4500 bytes is accepted, 1501 is rejected). Return HTTP 413 Payload Too Large with a clear message naming both the observed length and the limit. - Set a 20s timeout on the oneshot HTTP client (req.SetTimeout). On timeout return HTTP 504 Gateway Timeout — distinguishes a slow DeepL from other 503 failure modes (DNS, TLS, etc.). The check catches both context.DeadlineExceeded and url.Error{Timeout()=true}. - Set a separate 5s timeout on the cookie-jar warmup GET to www.deepl.com. Warmup is best-effort; we'd rather a slow warmup (cookies still seed eventually next time) than block the very first translation behind a hung GET. Behaviour verified against the live oneshot endpoint: - 1500 ASCII chars → 200 - 1501 ASCII chars → 413 (upstream not contacted) - 1500 Chinese chars (4500 bytes) → 200 - 1501 Chinese chars → 413 - Pathological "your"1500 → 504 at 20s (was hanging without timeout) - Realistic 245-char Chinese → 200 in ~13s perf(translate): share oneshot req.Client across requests + eager warmup Each TranslateByDeepLX call was building a brand-new req.Client via newOneshotClient(), which meant a fresh TLS handshake + HTTP/2 SETTINGS negotiation per request — ~200-400ms of pure overhead on top of DeepL's own ~1.5s processing latency. Share one client per proxy URL (sync.Map) so subsequent requests reuse the kept-alive HTTP/2 connection in the underlying http.Transport's pool. Also flip the cookie-jar warmup from synchronous-on-first-call to fire-and-forget at first client creation. Same sync.Once semantics (runs exactly once per process), but in a background goroutine so the first translate request runs in parallel with the TLS handshake to www.deepl.com rather than serially behind it. Measured against the live oneshot endpoint (Tokyo → Frankfurt): before, 5 sequential requests: 3.19s, 2.05s, 2.07s, 2.89s, 2.22s after, 5 sequential requests: 2.20s, 1.27s, 1.26s, 1.42s, 1.34s └─ first └────────── warm path ─────┘ The warm-path 1.3s is also faster than a bare \`curl\` to oneshot (~1.9s, every call doing its own TLS handshake) — proof the connection-pool reuse is now actually paying off.	2026-05-22 13:03:15 +08:00
Vincent Yang	1a06baec6f	chore: ignore .DS_Store (#219 ) macOS Finder writes .DS_Store sidecar files into every directory it touches; they should never be tracked.	2026-05-22 12:23:11 +08:00