diff --git a/common/src/main/java/com/jeesite/common/network/IpUtils.java b/common/src/main/java/com/jeesite/common/network/IpUtils.java
index 9b608708..4c9cdb4f 100644
--- a/common/src/main/java/com/jeesite/common/network/IpUtils.java
+++ b/common/src/main/java/com/jeesite/common/network/IpUtils.java
@@ -2,7 +2,8 @@ package com.jeesite.common.network;
 import javax.servlet.http.HttpServletRequest;
-import com.jeesite.common.lang.ObjectUtils;
+import com.jeesite.common.codec.EncodeUtils;
+import com.jeesite.common.io.PropertiesUtils;
 import com.jeesite.common.lang.StringUtils;
 public class IpUtils {
@@ -16,20 +17,23 @@ public class IpUtils {
 if (request == null) {
 return "unknown";
 }
- String ip = request.getHeader("X-Forwarded-For");
- if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
- ip = request.getHeader("Proxy-Client-IP");
+ String ip = null;
+ String xffName = PropertiesUtils.getInstance()
+ .getProperty("shiro.remoteAddrHeaderName");
+ if (StringUtils.isNotBlank(xffName)){
+ ip = request.getHeader(xffName);
 }
- if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
- ip = request.getHeader("WL-Proxy-Client-IP");
- }
- if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
- ip = request.getHeader("X-Real-IP");
- }
- if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
+ if (StringUtils.isBlank(ip) || "unknown".equalsIgnoreCase(ip)) {
 ip = request.getRemoteAddr();
 }
- return StringUtils.split(ObjectUtils.toString(ip), ",")[0];
+ if (StringUtils.isNotBlank(ip)){
+ ip = EncodeUtils.xssFilter(ip);
+ ip = StringUtils.split(ip, ",")[0];
+ }
+ if (StringUtils.isBlank(ip)){
+ ip = "unknown";
+ }
+ return ip;
 }
 /**
diff --git a/modules/core/src/main/resources/config/jeesite-core.yml b/modules/core/src/main/resources/config/jeesite-core.yml
index 1df565b9..e6fc29f3 100644
--- a/modules/core/src/main/resources/config/jeesite-core.yml
+++ b/modules/core/src/main/resources/config/jeesite-core.yml
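Review bot: `ip = StringUtils.split(ip, ",")[0]` keeps the leftmost element of the configured header, and with the `X-Forwarded-For` default that is the element a client can write itself, since forwarding proxies append the address they observed to the right; the new code therefore only resists spoofing when every request passes a proxy that overwrites the header, and nothing in this method checks that. I would state the precondition where the header is read, `// only trustworthy when shiro.remoteAddrHeaderName is set by a proxy that overwrites the header and the app is not reachable directly`, and consider honouring the header only when `request.getRemoteAddr()` is a known proxy address. `EncodeUtils.xssFilter(ip)` also sanitises rather than validates: a forwarded value that is not syntactically an IPv4/IPv6 literal is better replaced by `request.getRemoteAddr()` than stored in filtered form. The enclosing method's signature lies above the hunk.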
@@ -243,6 +243,9 @@ shiro:
 # 登录提交信息安全Key,加密用户名、密码、验证码,后再提交(key设置为3个,用逗号分隔)
 secretKey: thinkgem,jeesite,com
+ # 指定获取客户端IP的Header名称,防止IP伪造。指定为空,则使用原生方法获取IP。
+ remoteAddrHeaderName: X-Forwarded-For
+
 # 允许的请求方法设定,解决安全审计问题
 allowRequestMethods: GET,POST
diff --git a/web/src/main/resources/config/jeesite.yml b/web/src/main/resources/config/jeesite.yml
index 16f9a4ff..c758ff97 100644
--- a/web/src/main/resources/config/jeesite.yml
+++ b/web/src/main/resources/config/jeesite.yml
@@ -266,6 +266,9 @@ jdbc:
 # # 登录提交信息安全Key,加密用户名、密码、验证码,后再提交(key设置为3个,用逗号分隔)
 # secretKey: thinkgem,jeesite,com
 #
+# # 指定获取客户端IP的Header名称,防止IP伪造。指定为空,则使用原生方法获取IP。
+# remoteAddrHeaderName: X-Forwarded-For
+#
 # # 允许的请求方法设定,解决安全审计问题
 # allowRequestMethods: GET,POST
 #
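Review bot: The comment on `remoteAddrHeaderName` says the setting prevents IP spoofing, but shipping `X-Forwarded-For` as the default makes the application trust a client-writable header whenever a request reaches it without passing the proxy that sets that header. I would state the precondition in the comment, e.g. `# only safe when every request passes a reverse proxy that overwrites this header; leave empty when the application is reachable directly`, and the same wording applies to the commented template in web/src/main/resources/config/jeesite.yml. An opt-in default (empty value) is also worth considering, since the comment already documents that an empty value falls back to the native method.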