diff --git a/internal/configloaders/security_config.go b/internal/configloaders/security_config.go
index 6861ad2b..8b33f55c 100644
--- a/internal/configloaders/security_config.go
+++ b/internal/configloaders/security_config.go
@@ -52,6 +52,10 @@ func UpdateSecurityConfig(securityConfig *systemconfigs.SecurityConfig) error {
 if err != nil {
 return err
 }
+ err = securityConfig.Init()
+ if err != nil {
+ return err
+ }
 sharedSecurityConfig = securityConfig
 // 通知更新
@@ -86,6 +90,10 @@ func loadSecurityConfig() (*systemconfigs.SecurityConfig, error) {
 sharedSecurityConfig = defaultSecurityConfig()
 return sharedSecurityConfig, nil
 }
+ err = config.Init()
+ if err != nil {
+ return nil, err
+ }
 sharedSecurityConfig = config
 return sharedSecurityConfig, nil
 }
diff --git a/internal/web/actions/default/settings/security/index.go b/internal/web/actions/default/settings/security/index.go
index ae96eb0e..20cec226 100644
--- a/internal/web/actions/default/settings/security/index.go
+++ b/internal/web/actions/default/settings/security/index.go
@@ -5,6 +5,7 @@ import (
 "github.com/TeaOSLab/EdgeAdmin/internal/configloaders"
 "github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
 "github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+ "github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/shared"
 "github.com/iwind/TeaGo/actions"
 "github.com/iwind/TeaGo/maps"
 )
@@ -23,6 +24,9 @@ func (this *IndexAction) RunGet(params struct{}) {
 this.ErrorPage(err)
 return
 }
+ if config.AllowIPs == nil {
+ config.AllowIPs = []string{}
+ }
 // 国家和地区
 countryMaps := []maps.Map{}
@@ -69,6 +73,7 @@ func (this *IndexAction) RunPost(params struct {
 CountryIdsJSON []byte
 ProvinceIdsJSON []byte
 AllowLocal bool
+ AllowIPs []string
 Must *actions.Must
 CSRF *actionutils.CSRF
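Review bot: In `UpdateSecurityConfig` (internal/configloaders/security_config.go), `securityConfig.Init()` runs only after the preceding step has already succeeded. That step is outside the hunk, but if it is the call that stores the config, an `Init()` failure here leaves a stored allow-list that was never accepted in memory, so the stored and the enforced settings diverge. Running `if err := securityConfig.Init(); err != nil { return err }` before anything is persisted would reject an invalid list up front. The function body starts and ends outside the hunk.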
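Review bot: In `loadSecurityConfig`, the new `return nil, err` after `config.Init()` behaves differently from the branch just above it, which falls back to `defaultSecurityConfig()`, and nothing in the code records which outcome is intended. A comment such as `// no fallback to the default config: an unparsable allow-list must not silently become "no restriction"` would document the choice. How callers treat the returned error is not visible in this hunk, so it is worth confirming that they deny access rather than continue with a nil or default config.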
@@ -106,6 +111,19 @@ func (this *IndexAction) RunPost(params struct {
 }
 config.AllowProvinceIds = provinceIds
+ // 允许的IP
+ if len(params.AllowIPs) > 0 {
+ for _, ip := range params.AllowIPs {
+ _, err := shared.ParseIPRange(ip)
+ if err != nil {
+ this.Fail("允许访问的IP '" + ip + "' 格式错误:" + err.Error())
+ }
+ }
+ config.AllowIPs = params.AllowIPs
+ } else {
+ config.AllowIPs = []string{}
+ }
+
 // 允许本地
 config.AllowLocal = params.AllowLocal
diff --git a/internal/web/helpers/utils.go b/internal/web/helpers/utils.go
index 42faf67f..3a4979fa 100644
--- a/internal/web/helpers/utils.go
+++ b/internal/web/helpers/utils.go
@@ -89,6 +89,16 @@ func checkIPWithoutCache(config *systemconfigs.SecurityConfig, ipAddr string) bo
 }
 }
+ // 检查单独允许的IP
+ if len(config.AllowIPRanges()) > 0 {
+ for _, r := range config.AllowIPRanges() {
+ if r.Contains(ipAddr) {
+ return true
+ }
+ }
+ return false
+ }
+
 return true
 }
diff --git a/web/views/@default/settings/security/index.html b/web/views/@default/settings/security/index.html
index 756c4f0e..ed9459c9 100644
--- a/web/views/@default/settings/security/index.html
+++ b/web/views/@default/settings/security/index.html
@@ -29,6 +29,13 @@
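Review bot: In `RunPost` (settings/security/index.go), the submitted allow-list is checked for syntax only before it is stored, so a list that omits the submitter's own address can lock administrators out of the management UI. The parsed range is discarded by `_, err := shared.ParseIPRange(ip)`; keeping it as `r, err := shared.ParseIPRange(ip)` and refusing the save when the current client address falls in none of the parsed ranges would prevent that. Whether `AllowLocal` or another path would still admit a locked-out admin is not visible in this hunk. Entries are also stored exactly as submitted, so trimming whitespace and skipping empty strings before parsing would avoid spurious format errors.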
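Review bot: The new allow-list branch in `checkIPWithoutCache` (internal/web/helpers/utils.go) trusts `ipAddr` completely, and the hunk does not show how the caller obtains it. If that value can come from a client-set header such as `X-Forwarded-For`, the list does not restrict anything, so the requirement deserves a comment on the block: `// ipAddr must be the connection peer address, or a proxy header accepted only from a trusted proxy`. As a style point, `config.AllowIPRanges()` is evaluated twice; `ranges := config.AllowIPRanges()` followed by `if len(ranges) > 0 {` reads more clearly. The function starts outside the hunk, and since its name suggests a cached counterpart, it is worth confirming that cached decisions are dropped when the list changes.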

设置后,只有这些省份才能访问管理界面,如果不设置表示没有限制。

+ + 允许访问的IP + + +

如果不为空,则仅仅允许这些IP访问,其他的IP访问时会被拒绝。

+ + 允许局域网访问