安全设置增加“检查客户端指纹"和"检查客户端区域"选项

2025-11-14 20:30:25 +08:00 · 2023-04-19 18:25:10 +08:00
parent a31f9ed9c5
commit c9fb3153eb
9 changed files with 129 additions and 11 deletions
--- a/internal/configloaders/security_config.go
+++ b/internal/configloaders/security_config.go
@@ -29,7 +29,7 @@ func LoadSecurityConfig() (*systemconfigs.SecurityConfig, error) {
 		return nil, err
 	}

-	v := reflect.Indirect(reflect.ValueOf(config)).Interface().(systemconfigs.SecurityConfig)
+	var v = reflect.Indirect(reflect.ValueOf(config)).Interface().(systemconfigs.SecurityConfig)
 	return &v, nil
 }

@@ -83,7 +83,12 @@ func loadSecurityConfig() (*systemconfigs.SecurityConfig, error) {
 		return sharedSecurityConfig, nil
 	}

-	config := &systemconfigs.SecurityConfig{}
+	var config = &systemconfigs.SecurityConfig{
+		Frame:                  FrameSameOrigin,
+		AllowLocal:             true,
+		CheckClientFingerprint: false,
+		CheckClientRegion:      true,
+	}
 	err = json.Unmarshal(resp.ValueJSON, config)
 	if err != nil {
 		logs.Println("[SECURITY_MANAGER]" + err.Error())
@@ -102,5 +107,7 @@ func defaultSecurityConfig() *systemconfigs.SecurityConfig {
 	return &systemconfigs.SecurityConfig{
 		Frame:                  FrameSameOrigin,
 		AllowLocal:             true,
+		CheckClientFingerprint: false,
+		CheckClientRegion:      true,
 	}
 }
--- a/internal/nodes/admin_node.go
+++ b/internal/nodes/admin_node.go
@@ -85,6 +85,9 @@ func (this *AdminNode) Run() {
 	// 启动API节点
 	this.startAPINode()

+	// 启动IP库
+	this.startIPLibrary()
+
 	// 启动Web服务
 	sessionManager, err := NewSessionManager()
 	if err != nil {
--- a/internal/nodes/admin_node_ext.go
+++ b/internal/nodes/admin_node_ext.go
@@ -0,0 +1,18 @@
+// Copyright 2023 Liuxiangchao iwind.liu@gmail.com. All rights reserved. Official site: https://goedge.cn .
+//go:build !plus
+
+package nodes
+
+import (
+	"github.com/TeaOSLab/EdgeCommon/pkg/iplibrary"
+	"github.com/iwind/TeaGo/logs"
+)
+
+// 启动IP库
+func (this *AdminNode) startIPLibrary() {
+	logs.Println("NODE", "initializing ip library ...")
+	err := iplibrary.InitDefault()
+	if err != nil {
+		logs.Println("NODE", "initialize ip library failed: "+err.Error())
+	}
+}
--- a/internal/rpc/rpc_utils.go
+++ b/internal/rpc/rpc_utils.go
@@ -2,6 +2,9 @@ package rpc

 import (
 	"github.com/TeaOSLab/EdgeAdmin/internal/configs"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"strings"
 	"sync"
 )

@@ -28,3 +31,23 @@ func SharedRPC() (*RPCClient, error) {
 	sharedRPC = client
 	return sharedRPC, nil
 }
+
+// IsConnError 是否为连接错误
+func IsConnError(err error) bool {
+	if err == nil {
+		return false
+	}
+
+	// 检查是否为连接错误
+	statusErr, ok := status.FromError(err)
+	if ok {
+		var errorCode = statusErr.Code()
+		return errorCode == codes.Unavailable || errorCode == codes.Canceled
+	}
+
+	if strings.Contains(err.Error(), "code = Canceled") {
+		return true
+	}
+
+	return false
+}
--- a/internal/web/actions/default/index/loginutils/utils.go
+++ b/internal/web/actions/default/index/loginutils/utils.go
@@ -4,16 +4,41 @@ package loginutils

 import (
 	teaconst "github.com/TeaOSLab/EdgeAdmin/internal/const"
+	"github.com/TeaOSLab/EdgeCommon/pkg/iplibrary"
 	"github.com/iwind/TeaGo/actions"
 	stringutil "github.com/iwind/TeaGo/utils/string"
+	"net"
 	"net/http"
 )

 // CalculateClientFingerprint 计算客户端指纹
 func CalculateClientFingerprint(action *actions.ActionObject) string {
-	return stringutil.Md5(action.RequestRemoteIP() + "@" + action.Request.UserAgent())
+	return stringutil.Md5(RemoteIP(action) + "@" + action.Request.UserAgent())
 }

+// RemoteIP 获取客户端IP
+// TODO 将来增加是否使用代理设置（即从X-Real-IP中获取IP）
+func RemoteIP(action *actions.ActionObject) string {
+	ip, _, _ := net.SplitHostPort(action.Request.RemoteAddr)
+	return ip
+}
+
+// LookupIPRegion 查找登录区域
+func LookupIPRegion(ip string) string {
+	if len(ip) == 0 {
+		return ""
+	}
+
+	var result = iplibrary.LookupIP(ip)
+	if result != nil && result.IsOk() {
+		// 这里不需要网络运营商信息
+		return result.CountryName() + "@" + result.ProvinceName() + "@" + result.CityName() + "@" + result.TownName()
+	}
+
+	return ""
+}
+
+// SetCookie 设置Cookie
 func SetCookie(action *actions.ActionObject, remember bool) {
 	if remember {
 		var cookie = &http.Cookie{
@@ -44,6 +69,7 @@ func SetCookie(action *actions.ActionObject, remember bool) {
 	}
 }

+// UnsetCookie 重置Cookie
 func UnsetCookie(action *actions.ActionObject) {
 	cookie := &http.Cookie{
 		Name:     teaconst.CookieSID,
--- a/internal/web/actions/default/settings/security/index.go
+++ b/internal/web/actions/default/settings/security/index.go
@@ -79,6 +79,9 @@ func (this *IndexAction) RunPost(params struct {
 	DenySearchEngines bool
 	DenySpiders       bool

+	CheckClientFingerprint bool
+	CheckClientRegion      bool
+
 	DomainsJSON []byte

 	Must *actions.Must
@@ -150,6 +153,10 @@ func (this *IndexAction) RunPost(params struct {
 	// 允许记住登录
 	config.AllowRememberLogin = params.AllowRememberLogin

+	// Cookie检查
+	config.CheckClientFingerprint = params.CheckClientFingerprint
+	config.CheckClientRegion = params.CheckClientRegion
+
 	err = configloaders.UpdateSecurityConfig(config)
 	if err != nil {
 		this.ErrorPage(err)
--- a/internal/web/helpers/user_must_auth.go
+++ b/internal/web/helpers/user_must_auth.go
@@ -175,6 +175,7 @@ func (this *userMustAuth) BeforeAction(actionPtr actions.ActionWrapper, paramNam
 	}

 	// 检查指纹
+	if securityConfig != nil && securityConfig.CheckClientFingerprint {
 		var clientFingerprint = session.GetString("@fingerprint")
 		if len(clientFingerprint) > 0 && clientFingerprint != loginutils.CalculateClientFingerprint(action) {
 			loginutils.UnsetCookie(action)
@@ -183,6 +184,24 @@ func (this *userMustAuth) BeforeAction(actionPtr actions.ActionWrapper, paramNam
 			this.login(action)
 			return false
 		}
+	}
+
+	// 检查区域
+	if securityConfig != nil && securityConfig.CheckClientRegion {
+		var oldClientIP = session.GetString("@ip")
+		var currentClientIP = loginutils.RemoteIP(action)
+		if len(oldClientIP) > 0 && len(currentClientIP) > 0 && oldClientIP != currentClientIP {
+			var oldRegion = loginutils.LookupIPRegion(oldClientIP)
+			var newRegion = loginutils.LookupIPRegion(currentClientIP)
+			if newRegion != oldRegion {
+				loginutils.UnsetCookie(action)
+				session.Delete()
+
+				this.login(action)
+				return false
+			}
+		}
+	}

 	// 检查用户是否存在
 	if !configloaders.CheckAdmin(adminId) {
--- a/internal/web/helpers/user_should_auth.go
+++ b/internal/web/helpers/user_should_auth.go
@@ -58,6 +58,7 @@ func (this *UserShouldAuth) StoreAdmin(adminId int64, remember bool) {
 	var session = this.action.Session()
 	session.Write("adminId", numberutils.FormatInt64(adminId))
 	session.Write("@fingerprint", loginutils.CalculateClientFingerprint(this.action))
+	session.Write("@ip", loginutils.RemoteIP(this.action))
 }

 func (this *UserShouldAuth) IsUser() bool {
--- a/web/views/@default/settings/security/index.html
+++ b/web/views/@default/settings/security/index.html
@@ -77,6 +77,20 @@
                    <p class="comment">只允许通过这些域名（或者IP作为主机地址）访问当前管理系统，不填表示没有限制。</p>
                </td>
            </tr>
+            <tr>
+                <td>检查客户端指纹</td>
+                <td>
+                    <checkbox name="checkClientFingerprint" v-model="config.checkClientFingerprint"></checkbox>
+                    <p class="comment">选中后，表示每次访问时都检查客户端相关信息是否跟登录时一致。</p>
+                </td>
+            </tr>
+            <tr>
+                <td>检查客户端区域</td>
+                <td>
+                    <checkbox name="checkClientRegion" v-model="config.checkClientRegion"></checkbox>
+                    <p class="comment">选中后，表示每次访问时都检查客户端所在地理区域是否和登录时一致。</p>
+                </td>
+            </tr>
        </tbody>
 	</table>
 	<submit-btn></submit-btn>