支持指定获取客户端IP的Header名称，防止IP伪造。

common/src/main/java/com/jeesite/common/network/IpUtils.java

@@ -2,7 +2,8 @@ package com.jeesite.common.network;
 
 import javax.servlet.http.HttpServletRequest;
 
-import com.jeesite.common.lang.ObjectUtils;
+import com.jeesite.common.codec.EncodeUtils;
+import com.jeesite.common.io.PropertiesUtils;
 import com.jeesite.common.lang.StringUtils;
 
 public class IpUtils {
@@ -16,20 +17,23 @@ public class IpUtils {
 		if (request == null) {
 			return "unknown";
 		}
-		String ip = request.getHeader("X-Forwarded-For");
-		if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
-			ip = request.getHeader("Proxy-Client-IP");
+		String ip = null;
+		String xffName = PropertiesUtils.getInstance()
+				.getProperty("shiro.remoteAddrHeaderName");
+		if (StringUtils.isNotBlank(xffName)){
+			ip = request.getHeader(xffName);
 		}
-		if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
-			ip = request.getHeader("WL-Proxy-Client-IP");
-		}
-		if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
-			ip = request.getHeader("X-Real-IP");
-		}
-		if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
+		if (StringUtils.isBlank(ip) || "unknown".equalsIgnoreCase(ip)) {
 			ip = request.getRemoteAddr();
 		}
-		return StringUtils.split(ObjectUtils.toString(ip), ",")[0];
+		if (StringUtils.isNotBlank(ip)){
+			ip = EncodeUtils.xssFilter(ip);
+			ip = StringUtils.split(ip, ",")[0];
+		}
+		if (StringUtils.isBlank(ip)){
+			ip = "unknown";
+		}
+		return ip;
 	}
 	
 	/**

modules/core/src/main/resources/config/jeesite-core.yml

@@ -243,6 +243,9 @@ shiro:
     # 登录提交信息安全Key，加密用户名、密码、验证码，后再提交（key设置为3个，用逗号分隔）
     secretKey: thinkgem,jeesite,com
 
+  # 指定获取客户端IP的Header名称，防止IP伪造。指定为空，则使用原生方法获取IP。
+  remoteAddrHeaderName: X-Forwarded-For
+
   # 允许的请求方法设定，解决安全审计问题
   allowRequestMethods: GET,POST
   

web/src/main/resources/config/jeesite.yml

@@ -266,6 +266,9 @@ jdbc:
 #    # 登录提交信息安全Key，加密用户名、密码、验证码，后再提交（key设置为3个，用逗号分隔）
 #    secretKey: thinkgem,jeesite,com
 #
+#  # 指定获取客户端IP的Header名称，防止IP伪造。指定为空，则使用原生方法获取IP。
+#  remoteAddrHeaderName: X-Forwarded-For
+#  
 #  # 允许的请求方法设定，解决安全审计问题
 #  allowRequestMethods: GET,POST
 #