From b0d63c0d5b1a056d78e462cc8a3091b8587bbf14 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=88=98=E7=A5=A5=E8=B6=85?= <iwind.liu@gmail.com>
Date: Mon, 8 Apr 2024 11:21:56 +0800
Subject: [PATCH] =?UTF-8?q?=E7=B3=BB=E7=BB=9F=E5=AE=89=E5=85=A8=E8=AE=BE?=
 =?UTF-8?q?=E7=BD=AE=E4=B8=AD=E5=A2=9E=E5=8A=A0=E2=80=9C=E4=BB=85=E4=BB=8E?=
 =?UTF-8?q?=E8=87=AA=E5=AE=9A=E4=B9=89=E6=8A=A5=E5=A4=B4=E4=B8=AD=E8=8E=B7?=
 =?UTF-8?q?=E5=8F=96IP=E2=80=9D=E9=80=89=E9=A1=B9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 internal/web/actions/default/index/loginutils/utils.go  | 4 ++++
 internal/web/actions/default/settings/security/index.go | 2 ++
 web/views/@default/settings/security/index.html         | 9 ++++++++-
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/internal/web/actions/default/index/loginutils/utils.go b/internal/web/actions/default/index/loginutils/utils.go
index bc36ba32..592565b4 100644
--- a/internal/web/actions/default/index/loginutils/utils.go
+++ b/internal/web/actions/default/index/loginutils/utils.go
@@ -37,6 +37,10 @@ func RemoteIP(action *actions.ActionObject) string {
 					return ipValue
 				}
 			}
+
+			if securityConfig.ClientIPHeaderOnly {
+				return ""
+			}
 		}
 	}
 
diff --git a/internal/web/actions/default/settings/security/index.go b/internal/web/actions/default/settings/security/index.go
index 279d6ad5..1b032fe9 100644
--- a/internal/web/actions/default/settings/security/index.go
+++ b/internal/web/actions/default/settings/security/index.go
@@ -83,6 +83,7 @@ func (this *IndexAction) RunPost(params struct {
 	AllowRememberLogin bool
 
 	ClientIPHeaderNames string
+	ClientIPHeaderOnly  bool
 
 	DenySearchEngines bool
 	DenySpiders       bool
@@ -146,6 +147,7 @@ func (this *IndexAction) RunPost(params struct {
 
 	// 客户端IP获取方式
 	config.ClientIPHeaderNames = params.ClientIPHeaderNames
+	config.ClientIPHeaderOnly = params.ClientIPHeaderOnly
 
 	// 禁止搜索引擎和爬虫
 	config.DenySearchEngines = params.DenySearchEngines
diff --git a/web/views/@default/settings/security/index.html b/web/views/@default/settings/security/index.html
index 84400186..36a85c34 100644
--- a/web/views/@default/settings/security/index.html
+++ b/web/views/@default/settings/security/index.html
@@ -58,12 +58,19 @@
         </tr>
         <tbody v-show="moreOptionsVisible || showAll">
             <tr>
-                <td>自定义客户端IP报头</td>
+                <td class="color-border">自定义客户端IP报头</td>
                 <td>
                     <input type="text" name="clientIPHeaderNames" v-model="config.clientIPHeaderNames"/>
                     <p class="comment"><a id="client-header-names"></a>可以通过此报头获取客户端IP，类似于<code-label>X-Forwarded-For X-Real-IP True-Client-IP Client-IP</code-label>&nbsp;<a href=""><span class="small" @click.prevent="addDefaultClientIPHeaderNames('X-Forwarded-For X-Real-IP True-Client-IP Client-IP')">[填入]</span></a>，用于使用反向代理访问管理系统的情形；如果有多个报头可以使用空格隔开。</p>
                 </td>
             </tr>
+            <tr v-show="config.clientIPHeaderNames.length > 0">
+                <td class="color-border">仅从自定义报头中获取IP</td>
+                <td>
+                    <checkbox name="clientIPHeaderOnly" v-model="config.clientIPHeaderOnly"></checkbox>
+                    <p class="comment">选中后，表示仅从自定义报头中获取IP，意味着客户端必须使用反向代理访问当前系统，不允许直接访问。</p>
+                </td>
+            </tr>
             <tr>
                 <td>禁止搜索引擎</td>
                 <td>