管理系统安全设置增加“自定义客户端IP报头”

2025-11-03 20:40:26 +08:00 · 2023-12-10 10:46:35 +08:00
parent 18857fd801
commit 26972dce37
9 changed files with 47 additions and 23 deletions
--- a/internal/web/actions/default/index/index.go
+++ b/internal/web/actions/default/index/index.go
@@ -175,7 +175,7 @@ func (this *IndexAction) RunPost(params struct {
 	})

 	if err != nil {
-		err = dao.SharedLogDAO.CreateAdminLog(rpcClient.Context(0), oplogs.LevelError, this.Request.URL.Path, langs.DefaultMessage(codes.AdminLogin_LogSystemError, err.Error()), this.RequestRemoteIP(), codes.AdminLogin_LogSystemError, []any{err.Error()})
+		err = dao.SharedLogDAO.CreateAdminLog(rpcClient.Context(0), oplogs.LevelError, this.Request.URL.Path, langs.DefaultMessage(codes.AdminLogin_LogSystemError, err.Error()), loginutils.RemoteIP(&this.ActionObject), codes.AdminLogin_LogSystemError, []any{err.Error()})
 		if err != nil {
 			utils.PrintError(err)
 		}
@@ -185,7 +185,7 @@ func (this *IndexAction) RunPost(params struct {
 	}

 	if !resp.IsOk {
-		err = dao.SharedLogDAO.CreateAdminLog(rpcClient.Context(0), oplogs.LevelWarn, this.Request.URL.Path, langs.DefaultMessage(codes.AdminLogin_LogFailed, params.Username), this.RequestRemoteIP(), codes.AdminLogin_LogFailed, []any{params.Username})
+		err = dao.SharedLogDAO.CreateAdminLog(rpcClient.Context(0), oplogs.LevelWarn, this.Request.URL.Path, langs.DefaultMessage(codes.AdminLogin_LogFailed, params.Username), loginutils.RemoteIP(&this.ActionObject), codes.AdminLogin_LogFailed, []any{params.Username})
 		if err != nil {
 			utils.PrintError(err)
 		}
@@ -225,7 +225,7 @@ func (this *IndexAction) RunPost(params struct {
 	params.Auth.StoreAdmin(adminId, params.Remember)

 	// 记录日志
-	err = dao.SharedLogDAO.CreateAdminLog(rpcClient.Context(adminId), oplogs.LevelInfo, this.Request.URL.Path, langs.DefaultMessage(codes.AdminLogin_LogSuccess, params.Username), this.RequestRemoteIP(), codes.AdminLogin_LogSuccess, []any{params.Username})
+	err = dao.SharedLogDAO.CreateAdminLog(rpcClient.Context(adminId), oplogs.LevelInfo, this.Request.URL.Path, langs.DefaultMessage(codes.AdminLogin_LogSuccess, params.Username), loginutils.RemoteIP(&this.ActionObject), codes.AdminLogin_LogSuccess, []any{params.Username})
 	if err != nil {
 		utils.PrintError(err)
 	}
@@ -235,7 +235,7 @@ func (this *IndexAction) RunPost(params struct {

 // 检查登录区域
 func (this *IndexAction) checkRegion() bool {
-	var ip = this.RequestRemoteIP()
+	var ip = loginutils.RemoteIP(&this.ActionObject)
 	var result = iplibrary.LookupIP(ip)
 	if result != nil && result.IsOk() && result.CountryId() > 0 && lists.ContainsInt64([]int64{9, 10}, result.CountryId()) {
 		return false
--- a/internal/web/actions/default/index/loginutils/utils.go
+++ b/internal/web/actions/default/index/loginutils/utils.go
@@ -3,12 +3,15 @@
 package loginutils

 import (
+	"github.com/TeaOSLab/EdgeAdmin/internal/configloaders"
 	teaconst "github.com/TeaOSLab/EdgeAdmin/internal/const"
 	"github.com/TeaOSLab/EdgeCommon/pkg/iplibrary"
 	"github.com/iwind/TeaGo/actions"
 	stringutil "github.com/iwind/TeaGo/utils/string"
 	"net"
 	"net/http"
+	"regexp"
+	"strings"
 )

 // CalculateClientFingerprint 计算客户端指纹
@@ -17,8 +20,26 @@ func CalculateClientFingerprint(action *actions.ActionObject) string {
 }

 // RemoteIP 获取客户端IP
-// TODO 将来增加是否使用代理设置（即从X-Real-IP中获取IP）
 func RemoteIP(action *actions.ActionObject) string {
+	securityConfig, _ := configloaders.LoadSecurityConfig()
+
+	if securityConfig != nil {
+		if len(securityConfig.ClientIPHeaderNames) > 0 {
+			var headerNames = regexp.MustCompile(`[,;\s，、；]`).Split(securityConfig.ClientIPHeaderNames, -1)
+			for _, headerName := range headerNames {
+				headerName = http.CanonicalHeaderKey(strings.TrimSpace(headerName))
+				if len(headerName) == 0 {
+					continue
+				}
+
+				var ipValue = action.Request.Header.Get(headerName)
+				if net.ParseIP(ipValue) != nil {
+					return ipValue
+				}
+			}
+		}
+	}
+
 	ip, _, _ := net.SplitHostPort(action.Request.RemoteAddr)
 	return ip
 }
--- a/internal/web/actions/default/index/otp.go
+++ b/internal/web/actions/default/index/otp.go
@@ -12,6 +12,7 @@ import (
 	"github.com/TeaOSLab/EdgeAdmin/internal/setup"
 	"github.com/TeaOSLab/EdgeAdmin/internal/utils"
 	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/index/loginutils"
 	"github.com/TeaOSLab/EdgeAdmin/internal/web/helpers"
 	"github.com/TeaOSLab/EdgeCommon/pkg/langs/codes"
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/dao"
@@ -146,7 +147,7 @@ func (this *OtpAction) RunPost(params struct {
 		this.ErrorPage(err)
 		return
 	}
-	err = dao.SharedLogDAO.CreateAdminLog(rpcClient.Context(adminId), oplogs.LevelInfo, this.Request.URL.Path, this.Lang(codes.AdminLogin_LogOtpVerifiedSuccess), this.RequestRemoteIP(), codes.AdminLogin_LogOtpVerifiedSuccess, nil)
+	err = dao.SharedLogDAO.CreateAdminLog(rpcClient.Context(adminId), oplogs.LevelInfo, this.Request.URL.Path, this.Lang(codes.AdminLogin_LogOtpVerifiedSuccess), loginutils.RemoteIP(&this.ActionObject), codes.AdminLogin_LogOtpVerifiedSuccess, nil)
 	if err != nil {
 		utils.PrintError(err)
 	}
--- a/internal/web/actions/default/settings/security/index.go
+++ b/internal/web/actions/default/settings/security/index.go
@@ -77,6 +77,8 @@ func (this *IndexAction) RunPost(params struct {
 	AllowIPs           []string
 	AllowRememberLogin bool

+	ClientIPHeaderNames string
+
 	DenySearchEngines bool
 	DenySpiders       bool

@@ -137,6 +139,9 @@ func (this *IndexAction) RunPost(params struct {
 	// 允许本地
 	config.AllowLocal = params.AllowLocal

+	// 客户端IP获取方式
+	config.ClientIPHeaderNames = params.ClientIPHeaderNames
+
 	// 禁止搜索引擎和爬虫
 	config.DenySearchEngines = params.DenySearchEngines
 	config.DenySpiders = params.DenySpiders