Merge upstream/master and resolve conflicts

2026-05-06 05:38:50 +00:00 · 2026-04-16 11:58:30 +08:00
parent 0eb104a2d6 50dc8e6603
commit 2ad62df7b3
52 changed files with 4612 additions and 419 deletions
@@ -73,9 +73,11 @@ func routers(r *gin.Engine, frontendDist fs.FS) {
 	optionalAuth.GET("/server-group", commonHandler(listServerGroup))

 	optionalAuth.GET("/service", commonHandler(showService))
-	optionalAuth.GET("/service/:id", commonHandler(listServiceHistory))
 	optionalAuth.GET("/service/server", commonHandler(listServerWithServices))
 	optionalAuth.GET("/domains", commonHandler(GetDomainList))
+	optionalAuth.GET("/service/:id/history", commonHandler(getServiceHistory))
+	optionalAuth.GET("/server/:id/service", commonHandler(listServerServices))
+	optionalAuth.GET("/server/:id/metrics", commonHandler(getServerMetrics))

 	auth := api.Group("", authMw)

@@ -151,6 +153,7 @@ func routers(r *gin.Engine, frontendDist fs.FS) {
 	auth.POST("/online-user/batch-block", adminHandler(batchBlockOnlineUser))

 	auth.PATCH("/setting", adminHandler(updateConfig))
+	auth.POST("/maintenance", adminHandler(runMaintenance))

 	auth.POST("/domains", commonHandler(AddDomain))
 	auth.POST("/domains/:id/verify", commonHandler(VerifyDomain))
@@ -50,10 +50,8 @@ func initParams() *jwt.GinJWTMiddleware {

 func payloadFunc() func(data any) jwt.MapClaims {
 	return func(data any) jwt.MapClaims {
-		if v, ok := data.(string); ok {
-			return jwt.MapClaims{
-				model.CtxKeyAuthorizedUser: v,
-			}
+		if v, ok := data.(map[string]interface{}); ok {
+			return v
 		}
 		return jwt.MapClaims{}
 	}
@@ -62,7 +60,25 @@ func payloadFunc() func(data any) jwt.MapClaims {
 func identityHandler() func(c *gin.Context) any {
 	return func(c *gin.Context) any {
 		claims := jwt.ExtractClaims(c)
-		userId := claims[model.CtxKeyAuthorizedUser].(string)
+
+		userId, ok := claims["user_id"].(string)
+		if !ok {
+			return nil
+		}
+
+		tokenIP, ok := claims["ip"].(string)
+		if !ok {
+			return nil
+		}
+
+		currentIP := c.GetString(model.CtxKeyRealIPStr)
+
+		if tokenIP != currentIP {
+			// IP地址不匹配，token无效
+			c.Set(model.CtxKeyIsIPMismatch, true)
+			return nil
+		}
+
 		var user model.User
 		if err := singleton.DB.First(&user, userId).Error; err != nil {
 			return nil
@@ -109,7 +125,12 @@ func authenticator() func(c *gin.Context) (any, error) {

 		model.UnblockIP(singleton.DB, realip, model.BlockIDUnknownUser)
 		model.UnblockIP(singleton.DB, realip, int64(user.ID))
-		return utils.Itoa(user.ID), nil
+
+		// 返回用户ID和IP地址的组合，用于在payloadFunc中设置JWT claims
+		return map[string]interface{}{
+			"user_id": utils.Itoa(user.ID),
+			"ip":      realip,
+		}, nil
 	}
 }

@@ -174,15 +195,18 @@ func fallbackAuthMiddleware(mw *jwt.GinJWTMiddleware) func(c *gin.Context) {
 			return
 		}

+		realIP := c.GetString(model.CtxKeyRealIPStr)
+
 		c.Set("JWT_PAYLOAD", claims)
 		identity := mw.IdentityHandler(c)

 		if identity != nil {
-			model.UnblockIP(singleton.DB, c.GetString(model.CtxKeyRealIPStr), model.BlockIDToken)
+			model.UnblockIP(singleton.DB, realIP, model.BlockIDToken)
 			c.Set(mw.IdentityKey, identity)
 		} else {
-			if err := model.BlockIP(singleton.DB, c.GetString(model.CtxKeyRealIPStr), model.WAFBlockReasonTypeBruteForceToken, model.BlockIDToken); err != nil {
-				waf.ShowBlockPage(c, err)
+			isIpMismatch := c.GetBool(model.CtxKeyIsIPMismatch)
+			if !isIpMismatch {
+				waf.ShowBlockPage(c, model.BlockIP(singleton.DB, realIP, model.WAFBlockReasonTypeBruteForceToken, model.BlockIDToken))
 				return
 			}
 		}
@@ -0,0 +1,79 @@
+package controller
+
+import (
+	"testing"
+	"time"
+
+	jwt "github.com/appleboy/gin-jwt/v2"
+	"github.com/gin-gonic/gin"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestPayloadFunc(t *testing.T) {
+	payloadFn := payloadFunc()
+
+	// 测试包含IP的格式
+	t.Run("format with IP", func(t *testing.T) {
+		data := map[string]interface{}{
+			"user_id": "123",
+			"ip":      "192.168.1.1",
+		}
+		claims := payloadFn(data)
+		assert.Equal(t, "123", claims["user_id"])
+		assert.Equal(t, "192.168.1.1", claims["ip"])
+	})
+
+	// 测试不包含IP的格式
+	t.Run("format without IP", func(t *testing.T) {
+		data := map[string]interface{}{
+			"user_id": "123",
+		}
+		claims := payloadFn(data)
+		assert.Equal(t, "123", claims["user_id"])
+		assert.Nil(t, claims["ip"])
+	})
+
+	// 测试无效数据格式
+	t.Run("invalid data format", func(t *testing.T) {
+		claims := payloadFn("123") // 字符串类型不再支持
+		assert.Empty(t, claims)
+	})
+
+	// 测试空的map
+	t.Run("empty map", func(t *testing.T) {
+		data := map[string]interface{}{}
+		claims := payloadFn(data)
+		assert.Empty(t, claims)
+	})
+}
+
+func TestIPBinding(t *testing.T) {
+	// 创建测试用的gin context
+	gin.SetMode(gin.TestMode)
+
+	t.Run("IP mismatch should invalidate token", func(t *testing.T) {
+		// 模拟JWT claims包含IP绑定
+		claims := jwt.MapClaims{
+			"user_id": "123",
+			"ip":      "192.168.1.1",
+			"exp":     float64(time.Now().Add(time.Hour).Unix()),
+		}
+
+		// 这里需要实际的数据库和用户设置来完全测试
+		// 但可以测试claims的基本结构
+		assert.Equal(t, "123", claims["user_id"])
+		assert.Equal(t, "192.168.1.1", claims["ip"])
+	})
+
+	t.Run("no IP in token should deny access", func(t *testing.T) {
+		// 没有IP绑定的token应该被拒绝
+		claims := jwt.MapClaims{
+			"user_id": "123",
+			"exp":     float64(time.Now().Add(time.Hour).Unix()),
+		}
+
+		// 验证token结构
+		assert.Equal(t, "123", claims["user_id"])
+		assert.Nil(t, claims["ip"])
+	})
+}
@@ -59,6 +59,8 @@ func createNotification(c *gin.Context) (uint64, error) {
 	n.URL = nf.URL
 	verifyTLS := nf.VerifyTLS
 	n.VerifyTLS = &verifyTLS
+	formatMetricUnits := nf.FormatMetricUnits
+	n.FormatMetricUnits = &formatMetricUnits

 	ns := model.NotificationServerBundle{
 		Notification: &n,
@@ -120,6 +122,8 @@ func updateNotification(c *gin.Context) (any, error) {
 	n.URL = nf.URL
 	verifyTLS := nf.VerifyTLS
 	n.VerifyTLS = &verifyTLS
+	formatMetricUnits := nf.FormatMetricUnits
+	n.FormatMetricUnits = &formatMetricUnits

 	ns := model.NotificationServerBundle{
 		Notification: &n,
@@ -66,7 +66,8 @@ func oauth2redirect(c *gin.Context) (*model.Oauth2LoginResponse, error) {
 	}, cache.DefaultExpiration)

 	url := o2conf.AuthCodeURL(state, oauth2.AccessTypeOnline)
-	c.SetCookie("nz-o2s", stateKey, 60*5, "", "", false, false)
+	// CodeQL go/cookie-secure-not-set: 根据请求协议动态设置 Secure 属性，避免 HTTP 环境下 Cookie 无法使用
+	c.SetCookie("nz-o2s", stateKey, 60*5, "", "", c.Request.URL.Scheme == "https" || c.Request.TLS != nil, false)

 	return &model.Oauth2LoginResponse{Redirect: url}, nil
 }
@@ -177,7 +178,10 @@ func oauth2callback(jwtConfig *jwt.GinJWTMiddleware) func(c *gin.Context) (any,
 			}
 		}

-		tokenString, _, err := jwtConfig.TokenGenerator(fmt.Sprintf("%d", bind.UserID))
+		tokenString, _, err := jwtConfig.TokenGenerator(map[string]interface{}{
+			"user_id": fmt.Sprintf("%d", bind.UserID),
+			"ip":      realip,
+		})
 		if err != nil {
 			return nil, err
 		}
@@ -12,6 +12,7 @@ import (
 	"gorm.io/gorm"

 	"github.com/nezhahq/nezha/model"
+	"github.com/nezhahq/nezha/pkg/tsdb"
 	pb "github.com/nezhahq/nezha/proto"
 	"github.com/nezhahq/nezha/service/singleton"
 )
@@ -342,7 +343,7 @@ func batchMoveServer(c *gin.Context) (any, error) {
 	}

 	err := singleton.DB.Transaction(func(tx *gorm.DB) error {
-		if err := tx.Model(&model.Server{}).Where("id in (?)", moveForm.ToUser).Update("user_id", moveForm.ToUser).Error; err != nil {
+		if err := tx.Model(&model.Server{}).Where("id in (?)", moveForm.Ids).Update("user_id", moveForm.ToUser).Error; err != nil {
 			return err
 		}
 		return nil
@@ -357,13 +358,98 @@ func batchMoveServer(c *gin.Context) (any, error) {
 		idsMap[id] = true
 	}

-	singleton.ServerShared.Range(func(_ uint64, s *model.Server) bool {
+	for _, s := range singleton.ServerShared.Range {
 		if s == nil || !idsMap[s.ID] {
-			return true
+			continue
 		}
 		s.UserID = moveForm.ToUser
-		return true
-	})
+	}

 	return nil, nil
 }
+
+var serverMetricMap = map[string]tsdb.MetricType{
+	"cpu":              tsdb.MetricServerCPU,
+	"memory":           tsdb.MetricServerMemory,
+	"swap":             tsdb.MetricServerSwap,
+	"disk":             tsdb.MetricServerDisk,
+	"net_in_speed":     tsdb.MetricServerNetInSpeed,
+	"net_out_speed":    tsdb.MetricServerNetOutSpeed,
+	"net_in_transfer":  tsdb.MetricServerNetInTransfer,
+	"net_out_transfer": tsdb.MetricServerNetOutTransfer,
+	"load1":            tsdb.MetricServerLoad1,
+	"load5":            tsdb.MetricServerLoad5,
+	"load15":           tsdb.MetricServerLoad15,
+	"tcp_conn":         tsdb.MetricServerTCPConn,
+	"udp_conn":         tsdb.MetricServerUDPConn,
+	"process_count":    tsdb.MetricServerProcessCount,
+	"temperature":      tsdb.MetricServerTemperature,
+	"uptime":           tsdb.MetricServerUptime,
+	"gpu":              tsdb.MetricServerGPU,
+}
+
+// Get server metrics history
+// @Summary Get server metrics history
+// @Security BearerAuth
+// @Schemes
+// @Description Get server metrics history for a specific server
+// @Tags common
+// @param id path uint true "Server ID"
+// @param metric query string true "Metric name: cpu, memory, swap, disk, net_in_speed, net_out_speed, net_in_transfer, net_out_transfer, load1, load5, load15, tcp_conn, udp_conn, process_count, temperature, uptime, gpu"
+// @param period query string false "Time period: 1d, 7d, 30d (default: 1d)"
+// @Produce json
+// @Success 200 {object} model.CommonResponse[model.ServerMetricsResponse]
+// @Router /server/{id}/metrics [get]
+func getServerMetrics(c *gin.Context) (*model.ServerMetricsResponse, error) {
+	idStr := c.Param("id")
+	serverID, err := strconv.ParseUint(idStr, 10, 64)
+	if err != nil {
+		return nil, err
+	}
+
+	server, ok := singleton.ServerShared.Get(serverID)
+	if !ok {
+		return nil, singleton.Localizer.ErrorT("server not found")
+	}
+
+	_, isMember := c.Get(model.CtxKeyAuthorizedUser)
+	if server.HideForGuest && !isMember {
+		return nil, singleton.Localizer.ErrorT("unauthorized")
+	}
+
+	metricName := c.Query("metric")
+	metricType, ok := serverMetricMap[metricName]
+	if !ok {
+		return nil, singleton.Localizer.ErrorT("invalid metric name")
+	}
+
+	periodStr := c.DefaultQuery("period", "1d")
+	period, err := tsdb.ParseQueryPeriod(periodStr)
+	if err != nil {
+		return nil, err
+	}
+
+	if !isMember && period != tsdb.Period1Day {
+		return nil, singleton.Localizer.ErrorT("unauthorized: only 1d data available for guests")
+	}
+
+	response := &model.ServerMetricsResponse{
+		ServerID:   serverID,
+		ServerName: server.Name,
+		Metric:     metricName,
+		DataPoints: make([]model.ServerMetricsDataPoint, 0),
+	}
+
+	if !singleton.TSDBEnabled() {
+		return response, nil
+	}
+
+	points, err := singleton.TSDBShared.QueryServerMetrics(serverID, metricType, period)
+	if err != nil {
+		return nil, err
+	}
+
+	response.DataPoints = points
+
+	return response, nil
+}
@@ -26,12 +26,27 @@ func listServerGroup(c *gin.Context) ([]*model.ServerGroupResponseItem, error) {
 		return nil, err
 	}

+	_, isMember := c.Get(model.CtxKeyAuthorizedUser)
+	authorized := isMember
+
+	visibleServerIDs := make(map[uint64]struct{})
+	if !authorized {
+		for _, server := range singleton.ServerShared.GetSortedListForGuest() {
+			visibleServerIDs[server.ID] = struct{}{}
+		}
+	}
+
 	groupServers := make(map[uint64][]uint64, 0)
 	var sgs []model.ServerGroupServer
 	if err := singleton.DB.Find(&sgs).Error; err != nil {
 		return nil, err
 	}
 	for _, s := range sgs {
+		if !authorized {
+			if _, ok := visibleServerIDs[s.ServerId]; !ok {
+				continue
+			}
+		}
 		if _, ok := groupServers[s.ServerGroupId]; !ok {
 			groupServers[s.ServerGroupId] = make([]uint64, 0)
 		}
@@ -9,11 +9,11 @@ import (

 	"github.com/gin-gonic/gin"
 	"github.com/jinzhu/copier"
+	"gorm.io/gorm"

 	"github.com/nezhahq/nezha/model"
-	"github.com/nezhahq/nezha/pkg/utils"
+	"github.com/nezhahq/nezha/pkg/tsdb"
 	"github.com/nezhahq/nezha/service/singleton"
-	"gorm.io/gorm"
 )

 // Show service
@@ -55,7 +55,7 @@ func showService(c *gin.Context) (*model.ServiceResponse, error) {
 // @Param id query uint false "Resource ID"
 // @Produce json
 // @Success 200 {object} model.CommonResponse[[]model.Service]
-// @Router /service [get]
+// @Router /service/list [get]
 func listService(c *gin.Context) ([]*model.Service, error) {
 	var ss []*model.Service
 	ssl := singleton.ServiceSentinelShared.GetSortedList()
@@ -66,96 +66,321 @@ func listService(c *gin.Context) ([]*model.Service, error) {
 	return ss, nil
 }

-// List service histories by server id
+// Get service history
+// @Summary Get service history by service ID
+// @Security BearerAuth
+// @Schemes
+// @Description Get service monitoring history for a specific service
+// @Tags common
+// @param id path uint true "Service ID"
+// @param period query string false "Time period: 1d, 7d, 30d (default: 1d)"
+// @Produce json
+// @Success 200 {object} model.CommonResponse[model.ServiceHistoryResponse]
+// @Router /service/{id}/history [get]
+func getServiceHistory(c *gin.Context) (*model.ServiceHistoryResponse, error) {
+	idStr := c.Param("id")
+	serviceID, err := strconv.ParseUint(idStr, 10, 64)
+	if err != nil {
+		return nil, err
+	}
+
+	// 检查服务是否存在
+	service, ok := singleton.ServiceSentinelShared.Get(serviceID)
+	if !ok || service == nil {
+		return nil, singleton.Localizer.ErrorT("service not found")
+	}
+
+	// 解析时间范围
+	periodStr := c.DefaultQuery("period", "1d")
+	period, err := tsdb.ParseQueryPeriod(periodStr)
+	if err != nil {
+		return nil, err
+	}
+
+	// 权限检查：未登录用户只能查看 1d 数据
+	_, isMember := c.Get(model.CtxKeyAuthorizedUser)
+	if !isMember && period != tsdb.Period1Day {
+		return nil, singleton.Localizer.ErrorT("unauthorized: only 1d data available for guests")
+	}
+
+	response := &model.ServiceHistoryResponse{
+		ServiceID:   serviceID,
+		ServiceName: service.Name,
+		Servers:     make([]model.ServerServiceStats, 0),
+	}
+
+	if !singleton.TSDBEnabled() {
+		return queryServiceHistoryFromDB(serviceID, period, response)
+	}
+
+	result, err := singleton.TSDBShared.QueryServiceHistory(serviceID, period)
+	if err != nil {
+		return nil, err
+	}
+
+	serverMap := singleton.ServerShared.GetList()
+
+	for i := range result.Servers {
+		if server, ok := serverMap[result.Servers[i].ServerID]; ok {
+			result.Servers[i].ServerName = server.Name
+		}
+	}
+	response.Servers = result.Servers
+
+	return response, nil
+}
+
+func queryServiceHistoryFromDB(serviceID uint64, period tsdb.QueryPeriod, response *model.ServiceHistoryResponse) (*model.ServiceHistoryResponse, error) {
+	since := time.Now().Add(-period.Duration())
+
+	var histories []model.ServiceHistory
+	if err := singleton.DB.Where("service_id = ? AND server_id != 0 AND created_at >= ?", serviceID, since).
+		Order("server_id, created_at").Find(&histories).Error; err != nil {
+		return nil, err
+	}
+
+	serverMap := singleton.ServerShared.GetList()
+	grouped := make(map[uint64][]model.ServiceHistory)
+	for _, h := range histories {
+		grouped[h.ServerID] = append(grouped[h.ServerID], h)
+	}
+
+	for serverID, records := range grouped {
+		stats := model.ServerServiceStats{
+			ServerID: serverID,
+		}
+		if server, ok := serverMap[serverID]; ok {
+			stats.ServerName = server.Name
+		}
+
+		var totalDelay float64
+		var totalUp, totalDown uint64
+		dps := make([]model.DataPoint, 0, len(records))
+		for _, r := range records {
+			status := uint8(1)
+			if r.Down > 0 && r.Up == 0 {
+				status = 0
+			}
+			dps = append(dps, model.DataPoint{
+				Timestamp: r.CreatedAt.Unix() * 1000,
+				Delay:     r.AvgDelay,
+				Status:    status,
+			})
+			totalDelay += r.AvgDelay
+			totalUp += r.Up
+			totalDown += r.Down
+		}
+
+		var avgDelay float64
+		if len(records) > 0 {
+			avgDelay = totalDelay / float64(len(records))
+		}
+		var upPercent float32
+		if totalUp+totalDown > 0 {
+			upPercent = float32(totalUp) / float32(totalUp+totalDown) * 100
+		}
+		stats.Stats = model.ServiceHistorySummary{
+			AvgDelay:   avgDelay,
+			UpPercent:  upPercent,
+			TotalUp:    totalUp,
+			TotalDown:  totalDown,
+			DataPoints: dps,
+		}
+		response.Servers = append(response.Servers, stats)
+	}
+
+	return response, nil
+}
+
+// List server services
 // @Summary List service histories by server id
 // @Security BearerAuth
 // @Schemes
-// @Description List service histories by server id
+// @Description List service histories for a specific server
 // @Tags common
 // @param id path uint true "Server ID"
+// @param period query string false "Time period: 1d, 7d, 30d (default: 1d)"
 // @Produce json
 // @Success 200 {object} model.CommonResponse[[]model.ServiceInfos]
-// @Router /service/{id} [get]
-func listServiceHistory(c *gin.Context) ([]*model.ServiceInfos, error) {
+// @Router /server/{id}/service [get]
+func listServerServices(c *gin.Context) ([]*model.ServiceInfos, error) {
 	idStr := c.Param("id")
-	id, err := strconv.ParseUint(idStr, 10, 64)
+	serverID, err := strconv.ParseUint(idStr, 10, 64)
 	if err != nil {
 		return nil, err
 	}

 	m := singleton.ServerShared.GetList()
-	server, ok := m[id]
+	server, ok := m[serverID]
 	if !ok || server == nil {
 		return nil, singleton.Localizer.ErrorT("server not found")
 	}

 	_, isMember := c.Get(model.CtxKeyAuthorizedUser)
-	authorized := isMember // TODO || isViewPasswordVerfied
+	authorized := isMember

 	if server.HideForGuest && !authorized {
 		return nil, singleton.Localizer.ErrorT("unauthorized")
 	}

-	var serviceHistories []*model.ServiceHistory
-	if err := singleton.DB.Model(&model.ServiceHistory{}).Select("service_id, created_at, server_id, avg_delay").
-		Where("server_id = ?", id).Where("created_at >= ?", time.Now().Add(-24*time.Hour)).Order("service_id, created_at").
-		Scan(&serviceHistories).Error; err != nil {
+	// 解析时间范围
+	periodStr := c.DefaultQuery("period", "1d")
+	period, err := tsdb.ParseQueryPeriod(periodStr)
+	if err != nil {
 		return nil, err
 	}

-	var sortedServiceIDs []uint64
-	resultMap := make(map[uint64]*model.ServiceInfos)
-	for _, history := range serviceHistories {
-		infos, ok := resultMap[history.ServiceID]
-		service, _ := singleton.ServiceSentinelShared.Get(history.ServiceID)
-		if !ok {
-			infos = &model.ServiceInfos{
-				ServiceID:   history.ServiceID,
-				ServerID:    history.ServerID,
-				ServiceName: service.Name,
-				ServerName:  m[history.ServerID].Name,
+	// 权限检查：未登录用户只能查看 1d 数据
+	if !isMember && period != tsdb.Period1Day {
+		return nil, singleton.Localizer.ErrorT("unauthorized: only 1d data available for guests")
+	}
+
+	services := singleton.ServiceSentinelShared.GetSortedList()
+
+	var result []*model.ServiceInfos
+
+	if !singleton.TSDBEnabled() {
+		return queryServerServicesFromDB(serverID, server.Name, period, services)
+	}
+
+	historyResults, err := singleton.TSDBShared.QueryServiceHistoryByServerID(serverID, period)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, service := range services {
+		if service.Cover == model.ServiceCoverAll {
+			if service.SkipServers[serverID] {
+				continue
+			}
+		} else {
+			if !service.SkipServers[serverID] {
+				continue
 			}
-			resultMap[history.ServiceID] = infos
-			sortedServiceIDs = append(sortedServiceIDs, history.ServiceID)
 		}
-		infos.CreatedAt = append(infos.CreatedAt, history.CreatedAt.Truncate(time.Minute).Unix()*1000)
-		infos.AvgDelay = append(infos.AvgDelay, history.AvgDelay)
+
+		historyResult, ok := historyResults[service.ID]
+		if !ok || len(historyResult.Servers) == 0 {
+			continue
+		}
+
+		serverStats := historyResult.Servers[0]
+
+		infos := &model.ServiceInfos{
+			ServiceID:    service.ID,
+			ServerID:     serverID,
+			ServiceName:  service.Name,
+			ServerName:   server.Name,
+			DisplayIndex: service.DisplayIndex,
+			CreatedAt:    make([]int64, len(serverStats.Stats.DataPoints)),
+			AvgDelay:     make([]float64, len(serverStats.Stats.DataPoints)),
+		}
+
+		for i, dp := range serverStats.Stats.DataPoints {
+			infos.CreatedAt[i] = dp.Timestamp
+			infos.AvgDelay[i] = dp.Delay
+		}
+
+		result = append(result, infos)
 	}

-	ret := make([]*model.ServiceInfos, 0, len(sortedServiceIDs))
-	for _, id := range sortedServiceIDs {
-		ret = append(ret, resultMap[id])
+	return result, nil
+}
+
+func queryServerServicesFromDB(serverID uint64, serverName string, period tsdb.QueryPeriod, services []*model.Service) ([]*model.ServiceInfos, error) {
+	since := time.Now().Add(-period.Duration())
+
+	var histories []model.ServiceHistory
+	if err := singleton.DB.Where("server_id = ? AND created_at >= ?", serverID, since).
+		Order("service_id, created_at").Find(&histories).Error; err != nil {
+		return nil, err
 	}

-	return ret, nil
+	grouped := make(map[uint64][]model.ServiceHistory)
+	for _, h := range histories {
+		grouped[h.ServiceID] = append(grouped[h.ServiceID], h)
+	}
+
+	var result []*model.ServiceInfos
+	for _, service := range services {
+		if service.Cover == model.ServiceCoverAll {
+			if service.SkipServers[serverID] {
+				continue
+			}
+		} else {
+			if !service.SkipServers[serverID] {
+				continue
+			}
+		}
+
+		records, ok := grouped[service.ID]
+		if !ok {
+			continue
+		}
+
+		infos := &model.ServiceInfos{
+			ServiceID:    service.ID,
+			ServerID:     serverID,
+			ServiceName:  service.Name,
+			ServerName:   serverName,
+			DisplayIndex: service.DisplayIndex,
+			CreatedAt:    make([]int64, 0, len(records)),
+			AvgDelay:     make([]float64, 0, len(records)),
+		}
+
+		for _, r := range records {
+			infos.CreatedAt = append(infos.CreatedAt, r.CreatedAt.Truncate(time.Minute).Unix()*1000)
+			infos.AvgDelay = append(infos.AvgDelay, r.AvgDelay)
+		}
+
+		result = append(result, infos)
+	}
+
+	return result, nil
 }

 // List server with service
 // @Summary List server with service
 // @Security BearerAuth
 // @Schemes
-// @Description List server with service
+// @Description List servers that have service monitoring data
 // @Tags common
 // @Produce json
 // @Success 200 {object} model.CommonResponse[[]uint64]
 // @Router /service/server [get]
 func listServerWithServices(c *gin.Context) ([]uint64, error) {
-	var serverIdsWithService []uint64
-	if err := singleton.DB.Model(&model.ServiceHistory{}).
-		Select("distinct(server_id)").
-		Where("server_id != 0").
-		Find(&serverIdsWithService).Error; err != nil {
-		return nil, newGormError("%v", err)
+	// 从内存中获取有服务监控配置的服务器列表
+	services := singleton.ServiceSentinelShared.GetList()
+	serverMap := singleton.ServerShared.GetList()
+
+	serverIDSet := make(map[uint64]bool)
+
+	for _, service := range services {
+		if service.Cover == model.ServiceCoverAll {
+			// 除了跳过的服务器，其他都包含
+			for serverID := range serverMap {
+				if !service.SkipServers[serverID] {
+					serverIDSet[serverID] = true
+				}
+			}
+		} else {
+			// 只包含指定的服务器
+			for serverID, enabled := range service.SkipServers {
+				if enabled {
+					serverIDSet[serverID] = true
+				}
+			}
+		}
 	}

 	_, isMember := c.Get(model.CtxKeyAuthorizedUser)
-	authorized := isMember // TODO || isViewPasswordVerfied
+	authorized := isMember

 	var ret []uint64
-	for _, id := range serverIdsWithService {
-		server, ok := singleton.ServerShared.Get(id)
+	for id := range serverIDSet {
+		server, ok := serverMap[id]
 		if !ok || server == nil {
-			return nil, singleton.Localizer.ErrorT("server not found")
+			continue
 		}
 		if !server.HideForGuest || authorized {
 			ret = append(ret, id)
@@ -191,6 +416,7 @@ func createService(c *gin.Context) (uint64, error) {
 	m.Type = mf.Type
 	m.SkipServers = mf.SkipServers
 	m.Cover = mf.Cover
+	m.DisplayIndex = mf.DisplayIndex
 	m.Notify = mf.Notify
 	m.NotificationGroupID = mf.NotificationGroupID
 	m.Duration = mf.Duration
@@ -210,21 +436,6 @@ func createService(c *gin.Context) (uint64, error) {
 		return 0, newGormError("%v", err)
 	}

-	var skipServers []uint64
-	for k := range m.SkipServers {
-		skipServers = append(skipServers, k)
-	}
-
-	var err error
-	if m.Cover == 0 {
-		err = singleton.DB.Unscoped().Delete(&model.ServiceHistory{}, "service_id = ? and server_id in (?)", m.ID, skipServers).Error
-	} else {
-		err = singleton.DB.Unscoped().Delete(&model.ServiceHistory{}, "service_id = ? and server_id not in (?)", m.ID, skipServers).Error
-	}
-	if err != nil {
-		return 0, err
-	}
-
 	if err := singleton.ServiceSentinelShared.Update(&m); err != nil {
 		return 0, err
 	}
@@ -269,6 +480,7 @@ func updateService(c *gin.Context) (any, error) {
 	m.Type = mf.Type
 	m.SkipServers = mf.SkipServers
 	m.Cover = mf.Cover
+	m.DisplayIndex = mf.DisplayIndex
 	m.Notify = mf.Notify
 	m.NotificationGroupID = mf.NotificationGroupID
 	m.Duration = mf.Duration
@@ -288,17 +500,6 @@ func updateService(c *gin.Context) (any, error) {
 		return nil, newGormError("%v", err)
 	}

-	skipServers := utils.MapKeysToSlice(mf.SkipServers)
-
-	if m.Cover == model.ServiceCoverAll {
-		err = singleton.DB.Unscoped().Delete(&model.ServiceHistory{}, "service_id = ? and server_id in (?)", m.ID, skipServers).Error
-	} else {
-		err = singleton.DB.Unscoped().Delete(&model.ServiceHistory{}, "service_id = ? and server_id not in (?) and server_id > 0", m.ID, skipServers).Error
-	}
-	if err != nil {
-		return nil, err
-	}
-
 	if err := singleton.ServiceSentinelShared.Update(&m); err != nil {
 		return nil, err
 	}
@@ -329,10 +530,7 @@ func batchDeleteService(c *gin.Context) (any, error) {
 	}

 	err := singleton.DB.Transaction(func(tx *gorm.DB) error {
-		if err := tx.Unscoped().Delete(&model.Service{}, "id in (?)", ids).Error; err != nil {
-			return err
-		}
-		return tx.Unscoped().Delete(&model.ServiceHistory{}, "service_id in (?)", ids).Error
+		return tx.Unscoped().Delete(&model.Service{}, "id in (?)", ids).Error
 	})
 	if err != nil {
 		return nil, err
@@ -39,6 +39,7 @@ func listConfig(c *gin.Context) (*model.SettingResponse, error) {
 		},
 		Version:           singleton.Version,
 		FrontendTemplates: singleton.FrontendTemplates,
+		TSDBEnabled:       singleton.TSDBEnabled(),
 	}

 	if !authorized || !isAdmin {
@@ -54,6 +55,7 @@ func listConfig(c *gin.Context) (*model.SettingResponse, error) {
 				ConfigDashboard: configDashboard,
 				Oauth2Providers: config.Oauth2Providers,
 			},
+			TSDBEnabled: singleton.TSDBEnabled(),
 		}
 	}

@@ -113,3 +115,17 @@ func updateConfig(c *gin.Context) (any, error) {
 	singleton.OnUpdateLang(singleton.Conf.Language)
 	return nil, nil
 }
+
+// Perform maintenance
+// @Summary Perform maintenance
+// @Security BearerAuth
+// @Schemes
+// @Description Perform system maintenance (SQLite VACUUM and TSDB maintenance)
+// @Tags admin required
+// @Produce json
+// @Success 200 {object} model.CommonResponse[any]
+// @Router /maintenance [post]
+func runMaintenance(c *gin.Context) (any, error) {
+	singleton.PerformMaintenance()
+	return nil, nil
+}
@@ -50,8 +50,14 @@ func Waf(c *gin.Context) {
 }

 func ShowBlockPage(c *gin.Context, err error) {
+	var errMsg string
+	if err != nil {
+		errMsg = err.Error()
+	} else {
+		errMsg = "you were blocked by nezha WAF"
+	}
 	c.Writer.WriteHeader(http.StatusForbidden)
 	c.Header("Content-Type", "text/html; charset=utf-8")
-	c.Writer.WriteString(strings.Replace(errorPageTemplate, "{error}", err.Error(), 1))
+	c.Writer.WriteString(strings.Replace(errorPageTemplate, "{error}", errMsg, 1))
 	c.Abort()
 }
@@ -11,6 +11,7 @@ import (
 	"net"
 	"net/http"
 	"os"
+	"runtime/debug"
 	"strings"
 	"time"
 	_ "time/tzdata"
@@ -65,8 +66,8 @@ func initSystem(bus chan<- *model.Service) error {
 		return err
 	}

-	// 每天的3:30 对 监控记录 和 流量记录 进行清理
-	if _, err := singleton.CronShared.AddFunc("0 30 3 * * *", singleton.CleanServiceHistory); err != nil {
+	// 每天的3:30 对流量记录进行清理
+	if _, err := singleton.CronShared.AddFunc("0 30 3 * * *", singleton.CleanMonitorHistory); err != nil {
 		return err
 	}

@@ -109,12 +110,19 @@ func main() {
 		os.Exit(0)
 	}

-	serviceSentinelDispatchBus := make(chan *model.Service) // 用于传递服务监控任务信息的channel
-	// 初始化 dao 包
+	serviceSentinelDispatchBus := make(chan *model.Service)
 	if err := utils.FirstError(singleton.InitFrontendTemplates,
 		func() error { return singleton.InitConfigFromPath(dashboardCliParam.ConfigFile) },
 		singleton.InitTimezoneAndCache,
+		func() error {
+			if singleton.Conf.Memory.GoMemLimitMB > 0 {
+				debug.SetMemoryLimit(singleton.Conf.Memory.GoMemLimitMB * 1024 * 1024)
+				log.Printf("NEZHA>> Go memory limit set to %d MB", singleton.Conf.Memory.GoMemLimitMB)
+			}
+			return nil
+		},
 		func() error { return singleton.InitDBFromPath(dashboardCliParam.DatabaseLocation) },
+		singleton.InitTSDB,
 		func() error { return initSystem(serviceSentinelDispatchBus) }); err != nil {
 		log.Fatal(err)
 	}
@@ -124,7 +132,7 @@ func main() {
 		log.Fatal(err)
 	}

-	singleton.CleanServiceHistory()
+	singleton.CleanMonitorHistory()
 	rpc.DispatchKeepalive()
 	go rpc.DispatchTask(serviceSentinelDispatchBus)
 	go singleton.AlertSentinelStart()
@@ -172,6 +180,7 @@ func main() {
 	}, func(c context.Context) error {
 		log.Println("NEZHA>> Graceful::START")
 		singleton.RecordTransferHourlyUsage()
+		singleton.CloseTSDB()
 		log.Println("NEZHA>> Graceful::END")
 		var err error
 		if muxServerHTTPS != nil {