用户使用反向代理访问系统时主动引导用户设置“自定义客户端IP报头“

2025-11-04 13:10:26 +08:00 · 2024-04-08 11:07:51 +08:00
parent 33a5c86beb
commit 3fa1cf5a2c
8 changed files with 59 additions and 3 deletions
--- a/internal/web/actions/default/settings/security/dismissXFFPrompt.go
+++ b/internal/web/actions/default/settings/security/dismissXFFPrompt.go
@@ -0,0 +1,18 @@
+// Copyright 2024 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package security
+
+import (
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/helpers"
+)
+
+type DismissXFFPromptAction struct {
+	actionutils.ParentAction
+}
+
+func (this *DismissXFFPromptAction) RunPost(params struct{}) {
+	helpers.DisableXFFPrompt()
+
+	this.Success()
+}
--- a/internal/web/actions/default/settings/security/index.go
+++ b/internal/web/actions/default/settings/security/index.go
@@ -19,7 +19,11 @@ func (this *IndexAction) Init() {
 	this.Nav("", "", "")
 }

-func (this *IndexAction) RunGet(params struct{}) {
+func (this *IndexAction) RunGet(params struct {
+	ShowAll bool
+}) {
+	this.Data["showAll"] = params.ShowAll
+
 	config, err := configloaders.LoadSecurityConfig()
 	if err != nil {
 		this.ErrorPage(err)
@@ -66,6 +70,7 @@ func (this *IndexAction) RunGet(params struct{}) {
 	this.Data["provinces"] = provinceMaps

 	this.Data["config"] = config
+
 	this.Show()
 }

--- a/internal/web/actions/default/settings/security/init.go
+++ b/internal/web/actions/default/settings/security/init.go
@@ -14,6 +14,7 @@ func init() {
 			Helper(settingutils.NewHelper("security")).
 			Prefix("/settings/security").
 			GetPost("", new(IndexAction)).
+			Post("/dismissXFFPrompt", new(DismissXFFPromptAction)).
 			EndAll()
 	})
 }
--- a/internal/web/helpers/user_must_auth.go
+++ b/internal/web/helpers/user_must_auth.go
@@ -49,6 +49,9 @@ var nodeLogsType = ""
 // IP名单
 var countUnreadIPItems int64 = 0

+// 安全相关
+var securityXFFPromptDisabled = false
+
 func init() {
 	events.On(events.EventStart, func() {
 		// 节点日志数量
@@ -220,6 +223,15 @@ func (this *userMustAuth) BeforeAction(actionPtr actions.ActionWrapper, paramNam
 		}
 	}

+	// 是否正在使用反向代理模式
+	action.Data["teaXFFPrompt"] = false
+	if !securityXFFPromptDisabled &&
+		(len(action.Header("X-Forwarded-For")) > 0 || len(action.Header("X-Real-Ip")) > 0 || len(action.Header("Cf-Connecting-Ip")) > 0) &&
+		securityConfig != nil &&
+		len(securityConfig.ClientIPHeaderNames) == 0 {
+		action.Data["teaXFFPrompt"] = true
+	}
+
 	// 检查用户是否存在
 	if !configloaders.CheckAdmin(adminId) {
 		loginutils.UnsetCookie(action)
--- a/internal/web/helpers/utils.go
+++ b/internal/web/helpers/utils.go
@@ -29,6 +29,11 @@ func init() {
 	})
 }

+// DisableXFFPrompt 停用XFF提示
+func DisableXFFPrompt() {
+	securityXFFPromptDisabled = true
+}
+
 // 检查用户IP并支持缓存
 func checkIP(config *systemconfigs.SecurityConfig, ipAddr string) bool {
 	ipCacheLocker.Lock()
--- a/web/views/@default/dashboard/index.html
+++ b/web/views/@default/dashboard/index.html
@@ -8,6 +8,13 @@
    </div>
 </div>

+<!-- XFF设置提示 -->
+<div class="ui message warning" v-if="teaXFFPrompt">
+    检测到你正在使用反向代理访问当前系统，如果你的系统确定在一个反向代理服务的上游，为了系统的正常运行，请在安全设置中设置“自定义客户端IP报头”。
+    <a href="/settings/security?showAll=1#client-header-names">[去设置]</a> &nbsp; &nbsp;
+    <a href="" @click.prevent="dismissXFFPrompt">[关闭提示]</a>
+</div>
+
 <!-- 没有节点提醒 -->
 <div class="ui icon message warning" v-if="!isLoading && dashboard.defaultClusterId > 0 && dashboard.countNodes == 0">
    <i class="icon warning circle"></i>
--- a/web/views/@default/dashboard/index.js
+++ b/web/views/@default/dashboard/index.js
@@ -222,4 +222,12 @@ Tea.context(function () {
 				this.localLowerVersionAPINode.isRestarting = false
 			})
 	}
+
+	// 关闭XFF提示
+	this.dismissXFFPrompt = function () {
+		this.$post("/settings/security/dismissXFFPrompt")
+			.success(function () {
+				teaweb.reload()
+			})
+	}
 })
--- a/web/views/@default/settings/security/index.html
+++ b/web/views/@default/settings/security/index.html
@@ -56,12 +56,12 @@
                <more-options-indicator></more-options-indicator>
            </td>
        </tr>
-        <tbody v-show="moreOptionsVisible">
+        <tbody v-show="moreOptionsVisible || showAll">
            <tr>
                <td>自定义客户端IP报头</td>
                <td>
                    <input type="text" name="clientIPHeaderNames" v-model="config.clientIPHeaderNames"/>
-                    <p class="comment">可以通过此报头获取客户端IP，类似于<code-label>X-Forwarded-For X-Real-IP True-Client-IP Client-IP</code-label>&nbsp;<a href=""><span class="small" @click.prevent="addDefaultClientIPHeaderNames('X-Forwarded-For X-Real-IP True-Client-IP Client-IP')">[填入]</span></a>，用于使用反向代理访问管理系统的情形；如果有多个报头可以使用空格隔开。</p>
+                    <p class="comment"><a id="client-header-names"></a>可以通过此报头获取客户端IP，类似于<code-label>X-Forwarded-For X-Real-IP True-Client-IP Client-IP</code-label>&nbsp;<a href=""><span class="small" @click.prevent="addDefaultClientIPHeaderNames('X-Forwarded-For X-Real-IP True-Client-IP Client-IP')">[填入]</span></a>，用于使用反向代理访问管理系统的情形；如果有多个报头可以使用空格隔开。</p>
                </td>
            </tr>
            <tr>