diff --git a/internal/web/actions/actionutils/parent_action.go b/internal/web/actions/actionutils/parent_action.go index e3f2cdbf..2438b2c1 100644 --- a/internal/web/actions/actionutils/parent_action.go +++ b/internal/web/actions/actionutils/parent_action.go @@ -9,6 +9,7 @@ import ( "github.com/TeaOSLab/EdgeAdmin/internal/oplogs" "github.com/TeaOSLab/EdgeAdmin/internal/rpc" "github.com/TeaOSLab/EdgeAdmin/internal/utils" + "github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/index/loginutils" "github.com/TeaOSLab/EdgeCommon/pkg/langs" "github.com/TeaOSLab/EdgeCommon/pkg/langs/codes" "github.com/TeaOSLab/EdgeCommon/pkg/rpc/dao" @@ -106,7 +107,7 @@ func (this *ParentAction) CreateLog(level string, messageCode langs.MessageCode, } } } - err := dao.SharedLogDAO.CreateAdminLog(this.AdminContext(), level, this.Request.URL.Path, desc, this.RequestRemoteIP(), messageCode, args) + err := dao.SharedLogDAO.CreateAdminLog(this.AdminContext(), level, this.Request.URL.Path, desc, loginutils.RemoteIP(&this.ActionObject), messageCode, args) if err != nil { utils.PrintError(err) } diff --git a/internal/web/actions/default/index/index.go b/internal/web/actions/default/index/index.go index 931d86be..1a51243e 100644 --- a/internal/web/actions/default/index/index.go +++ b/internal/web/actions/default/index/index.go @@ -175,7 +175,7 @@ func (this *IndexAction) RunPost(params struct { }) if err != nil { - err = dao.SharedLogDAO.CreateAdminLog(rpcClient.Context(0), oplogs.LevelError, this.Request.URL.Path, langs.DefaultMessage(codes.AdminLogin_LogSystemError, err.Error()), this.RequestRemoteIP(), codes.AdminLogin_LogSystemError, []any{err.Error()}) + err = dao.SharedLogDAO.CreateAdminLog(rpcClient.Context(0), oplogs.LevelError, this.Request.URL.Path, langs.DefaultMessage(codes.AdminLogin_LogSystemError, err.Error()), loginutils.RemoteIP(&this.ActionObject), codes.AdminLogin_LogSystemError, []any{err.Error()}) if err != nil { utils.PrintError(err) } @@ -185,7 +185,7 @@ func (this *IndexAction) RunPost(params struct { } if !resp.IsOk { - err = dao.SharedLogDAO.CreateAdminLog(rpcClient.Context(0), oplogs.LevelWarn, this.Request.URL.Path, langs.DefaultMessage(codes.AdminLogin_LogFailed, params.Username), this.RequestRemoteIP(), codes.AdminLogin_LogFailed, []any{params.Username}) + err = dao.SharedLogDAO.CreateAdminLog(rpcClient.Context(0), oplogs.LevelWarn, this.Request.URL.Path, langs.DefaultMessage(codes.AdminLogin_LogFailed, params.Username), loginutils.RemoteIP(&this.ActionObject), codes.AdminLogin_LogFailed, []any{params.Username}) if err != nil { utils.PrintError(err) } @@ -225,7 +225,7 @@ func (this *IndexAction) RunPost(params struct { params.Auth.StoreAdmin(adminId, params.Remember) // 记录日志 - err = dao.SharedLogDAO.CreateAdminLog(rpcClient.Context(adminId), oplogs.LevelInfo, this.Request.URL.Path, langs.DefaultMessage(codes.AdminLogin_LogSuccess, params.Username), this.RequestRemoteIP(), codes.AdminLogin_LogSuccess, []any{params.Username}) + err = dao.SharedLogDAO.CreateAdminLog(rpcClient.Context(adminId), oplogs.LevelInfo, this.Request.URL.Path, langs.DefaultMessage(codes.AdminLogin_LogSuccess, params.Username), loginutils.RemoteIP(&this.ActionObject), codes.AdminLogin_LogSuccess, []any{params.Username}) if err != nil { utils.PrintError(err) } @@ -235,7 +235,7 @@ func (this *IndexAction) RunPost(params struct { // 检查登录区域 func (this *IndexAction) checkRegion() bool { - var ip = this.RequestRemoteIP() + var ip = loginutils.RemoteIP(&this.ActionObject) var result = iplibrary.LookupIP(ip) if result != nil && result.IsOk() && result.CountryId() > 0 && lists.ContainsInt64([]int64{9, 10}, result.CountryId()) { return false diff --git a/internal/web/actions/default/index/loginutils/utils.go b/internal/web/actions/default/index/loginutils/utils.go index 8675f964..bc36ba32 100644 --- a/internal/web/actions/default/index/loginutils/utils.go +++ b/internal/web/actions/default/index/loginutils/utils.go @@ -3,12 +3,15 @@ package loginutils import ( + "github.com/TeaOSLab/EdgeAdmin/internal/configloaders" teaconst "github.com/TeaOSLab/EdgeAdmin/internal/const" "github.com/TeaOSLab/EdgeCommon/pkg/iplibrary" "github.com/iwind/TeaGo/actions" stringutil "github.com/iwind/TeaGo/utils/string" "net" "net/http" + "regexp" + "strings" ) // CalculateClientFingerprint 计算客户端指纹 @@ -17,8 +20,26 @@ func CalculateClientFingerprint(action *actions.ActionObject) string { } // RemoteIP 获取客户端IP -// TODO 将来增加是否使用代理设置(即从X-Real-IP中获取IP) func RemoteIP(action *actions.ActionObject) string { + securityConfig, _ := configloaders.LoadSecurityConfig() + + if securityConfig != nil { + if len(securityConfig.ClientIPHeaderNames) > 0 { + var headerNames = regexp.MustCompile(`[,;\s,、;]`).Split(securityConfig.ClientIPHeaderNames, -1) + for _, headerName := range headerNames { + headerName = http.CanonicalHeaderKey(strings.TrimSpace(headerName)) + if len(headerName) == 0 { + continue + } + + var ipValue = action.Request.Header.Get(headerName) + if net.ParseIP(ipValue) != nil { + return ipValue + } + } + } + } + ip, _, _ := net.SplitHostPort(action.Request.RemoteAddr) return ip } diff --git a/internal/web/actions/default/index/otp.go b/internal/web/actions/default/index/otp.go index c91cdd2c..aa0ecb26 100644 --- a/internal/web/actions/default/index/otp.go +++ b/internal/web/actions/default/index/otp.go @@ -12,6 +12,7 @@ import ( "github.com/TeaOSLab/EdgeAdmin/internal/setup" "github.com/TeaOSLab/EdgeAdmin/internal/utils" "github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils" + "github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/index/loginutils" "github.com/TeaOSLab/EdgeAdmin/internal/web/helpers" "github.com/TeaOSLab/EdgeCommon/pkg/langs/codes" "github.com/TeaOSLab/EdgeCommon/pkg/rpc/dao" @@ -146,7 +147,7 @@ func (this *OtpAction) RunPost(params struct { this.ErrorPage(err) return } - err = dao.SharedLogDAO.CreateAdminLog(rpcClient.Context(adminId), oplogs.LevelInfo, this.Request.URL.Path, this.Lang(codes.AdminLogin_LogOtpVerifiedSuccess), this.RequestRemoteIP(), codes.AdminLogin_LogOtpVerifiedSuccess, nil) + err = dao.SharedLogDAO.CreateAdminLog(rpcClient.Context(adminId), oplogs.LevelInfo, this.Request.URL.Path, this.Lang(codes.AdminLogin_LogOtpVerifiedSuccess), loginutils.RemoteIP(&this.ActionObject), codes.AdminLogin_LogOtpVerifiedSuccess, nil) if err != nil { utils.PrintError(err) } diff --git a/internal/web/actions/default/settings/security/index.go b/internal/web/actions/default/settings/security/index.go index 1835b2f4..f4c34f48 100644 --- a/internal/web/actions/default/settings/security/index.go +++ b/internal/web/actions/default/settings/security/index.go @@ -77,6 +77,8 @@ func (this *IndexAction) RunPost(params struct { AllowIPs []string AllowRememberLogin bool + ClientIPHeaderNames string + DenySearchEngines bool DenySpiders bool @@ -137,6 +139,9 @@ func (this *IndexAction) RunPost(params struct { // 允许本地 config.AllowLocal = params.AllowLocal + // 客户端IP获取方式 + config.ClientIPHeaderNames = params.ClientIPHeaderNames + // 禁止搜索引擎和爬虫 config.DenySearchEngines = params.DenySearchEngines config.DenySpiders = params.DenySpiders diff --git a/internal/web/helpers/user_must_auth.go b/internal/web/helpers/user_must_auth.go index 88422fd5..a15f15e6 100644 --- a/internal/web/helpers/user_must_auth.go +++ b/internal/web/helpers/user_must_auth.go @@ -17,7 +17,6 @@ import ( "github.com/iwind/TeaGo/lists" "github.com/iwind/TeaGo/logs" "github.com/iwind/TeaGo/maps" - "net" "net/http" "net/url" "reflect" @@ -145,12 +144,7 @@ func (this *userMustAuth) BeforeAction(actionPtr actions.ActionWrapper, paramNam action.AddHeader("Content-Security-Policy", "default-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'") // 检查IP - if !checkIP(securityConfig, action.RequestRemoteIP()) { - action.ResponseWriter.WriteHeader(http.StatusForbidden) - return false - } - remoteAddr, _, _ := net.SplitHostPort(action.Request.RemoteAddr) - if len(remoteAddr) > 0 && remoteAddr != action.RequestRemoteIP() && !checkIP(securityConfig, remoteAddr) { + if !checkIP(securityConfig, loginutils.RemoteIP(action)) { action.ResponseWriter.WriteHeader(http.StatusForbidden) return false } diff --git a/internal/web/helpers/user_should_auth.go b/internal/web/helpers/user_should_auth.go index e9cfd4c9..a0ef4680 100644 --- a/internal/web/helpers/user_should_auth.go +++ b/internal/web/helpers/user_should_auth.go @@ -6,7 +6,6 @@ import ( "github.com/TeaOSLab/EdgeAdmin/internal/utils/numberutils" "github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/index/loginutils" "github.com/iwind/TeaGo/actions" - "net" "net/http" ) @@ -33,12 +32,7 @@ func (this *UserShouldAuth) BeforeAction(actionPtr actions.ActionWrapper, paramN action.AddHeader("Content-Security-Policy", "default-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'") // 检查IP - if !checkIP(securityConfig, action.RequestRemoteIP()) { - action.ResponseWriter.WriteHeader(http.StatusForbidden) - return false - } - remoteAddr, _, _ := net.SplitHostPort(action.Request.RemoteAddr) - if len(remoteAddr) > 0 && remoteAddr != action.RequestRemoteIP() && !checkIP(securityConfig, remoteAddr) { + if !checkIP(securityConfig, loginutils.RemoteIP(action)) { action.ResponseWriter.WriteHeader(http.StatusForbidden) return false } diff --git a/web/views/@default/settings/security/index.html b/web/views/@default/settings/security/index.html index ec0b7356..5efad90d 100644 --- a/web/views/@default/settings/security/index.html +++ b/web/views/@default/settings/security/index.html @@ -1,6 +1,7 @@ {$layout}
+

当前安全设置只适用于管理系统,对用户网站没有任何影响。

@@ -56,6 +57,13 @@ + + + + - + - +
自定义客户端IP报头 + +

可以通过此报头获取客户端IP,类似于Client-IP,用于使用反向代理访问管理系统的情形;如果有多个报头可以使用空格隔开。

+
禁止搜索引擎 diff --git a/web/views/@default/settings/ui/index.html b/web/views/@default/settings/ui/index.html index 207987bf..622b1043 100644 --- a/web/views/@default/settings/ui/index.html +++ b/web/views/@default/settings/ui/index.html @@ -19,13 +19,13 @@
是否显示底部开源信息显示底部开源信息
是否显示版本号显示版本号

选中后,在界面中显示系统版本号。