feat: optimize IP whitelist validation logic

Author: zhengkunwang223

core/init/router/router.go

@@ -66,7 +66,7 @@ func setWebStatic(rootRouter *gin.RouterGroup) {
 }
 
 func Routers() *gin.Engine {
-	Router = gin.Default()
+	Router = gin.New()
 	Router.Use(i18n.UseI18n())
 	Router.Use(middleware.WhiteAllow())
 	Router.Use(middleware.BindDomain())

core/middleware/ip_limit.go

@@ -12,12 +12,16 @@ import (
 func WhiteAllow() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		tokenString := c.GetHeader("X-Panel-Local-Token")
-		clientIP := c.ClientIP()
+		clientIP := common.GetRealClientIP(c)
 		if clientIP == "127.0.0.1" && tokenString != "" && c.Request.URL.Path == "/api/v2/core/xpack/sync/ssl" {
 			c.Set("LOCAL_REQUEST", true)
 			c.Next()
 			return
 		}
+		if common.IsPrivateIP(clientIP) {
+			c.Next()
+			return
+		}
 
 		settingRepo := repo.NewISettingRepo()
 		status, err := settingRepo.Get(repo.WithByKey("AllowIPs"))

core/utils/common/common.go

@@ -245,3 +245,19 @@ func LoadParams(param string) string {
 	}
 	return info
 }
+
+func GetRealClientIP(c *gin.Context) string {
+	addr := c.Request.RemoteAddr
+	if ip, _, err := net.SplitHostPort(addr); err == nil {
+		return ip
+	}
+	return addr
+}
+
+func IsPrivateIP(ipStr string) bool {
+	ip := net.ParseIP(ipStr)
+	if ip == nil {
+		return false
+	}
+	return ip.IsPrivate() || ip.IsLoopback()
+}

core/utils/security/security.go

@@ -163,7 +163,11 @@ func checkIPLimit(c *gin.Context) bool {
 	if len(status.Value) == 0 {
 		return true
 	}
-	clientIP := c.ClientIP()
+	clientIP := common.GetRealClientIP(c)
+	if common.IsPrivateIP(clientIP) {
+		return true
+	}
+
 	for _, ip := range strings.Split(status.Value, ",") {
 		if len(ip) == 0 {
 			continue