feat: optimize IP whitelist validation logic

zhengkunwang223 · zhengkunwang223 · commit dafb9a52a68f · 2025-11-27T15:02:49.000+08:00
diff --git a/core/init/router/router.go b/core/init/router/router.go
@@ -66,7 +66,7 @@ func setWebStatic(rootRouter *gin.RouterGroup) {
 }
 
 func Routers() *gin.Engine {
-	Router = gin.Default()
+	Router = gin.New()
 	Router.Use(i18n.UseI18n())
 	Router.Use(middleware.WhiteAllow())
 	Router.Use(middleware.BindDomain())
diff --git a/core/middleware/ip_limit.go b/core/middleware/ip_limit.go
@@ -2,22 +2,43 @@ package middleware
 
 import (
 	"github.com/1Panel-dev/1Panel/core/utils/common"
+	"net"
 	"strings"
 
 	"github.com/1Panel-dev/1Panel/core/app/api/v2/helper"
 	"github.com/1Panel-dev/1Panel/core/app/repo"
 	"github.com/gin-gonic/gin"
 )
 
+func getRealClientIP(c *gin.Context) string {
+	addr := c.Request.RemoteAddr
+	if ip, _, err := net.SplitHostPort(addr); err == nil {
+		return ip
+	}
+	return addr
+}
+
+func IsPrivateIP(ipStr string) bool {
+	ip := net.ParseIP(ipStr)
+	if ip == nil {
+		return false
+	}
+	return ip.IsPrivate() || ip.IsLoopback()
+}
+
 func WhiteAllow() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		tokenString := c.GetHeader("X-Panel-Local-Token")
-		clientIP := c.ClientIP()
+		clientIP := getRealClientIP(c)
 		if clientIP == "127.0.0.1" && tokenString != "" && c.Request.URL.Path == "/api/v2/core/xpack/sync/ssl" {
 			c.Set("LOCAL_REQUEST", true)
 			c.Next()
 			return
 		}
+		if IsPrivateIP(clientIP) {
+			c.Next()
+			return
+		}
 
 		settingRepo := repo.NewISettingRepo()
 		status, err := settingRepo.Get(repo.WithByKey("AllowIPs"))

Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,7 @@ func setWebStatic(rootRouter *gin.RouterGroup) {`
`66`	`66`	`}`
`67`	`67`
`68`	`68`	`func Routers() *gin.Engine {`
`69`		`- Router = gin.Default()`
	`69`	`+ Router = gin.New()`
`70`	`70`	`Router.Use(i18n.UseI18n())`
`71`	`71`	`Router.Use(middleware.WhiteAllow())`
`72`	`72`	`Router.Use(middleware.BindDomain())`