refactor: nginx 透传外层代理 IP 头并禁用审计日志页面的审计记录

- Dockerfile.app/local: 使用 map 指令智能处理 X-Real-IP 和 X-Forwarded-For，有外层代理头则透传，否则使用 remote_addr - audit.py: 查看审计日志不再产生审计记录，避免刷新页面时产生大量无意义日志
2026-01-08 10:42:29 +08:00 · 2026-01-06 17:23:08 +08:00
parent 2395093394
commit 835be3d329
3 changed files with 29 additions and 4 deletions
--- a/Dockerfile.app
+++ b/Dockerfile.app
@@ -39,7 +39,18 @@ COPY alembic.ini ./
 COPY alembic/ ./alembic/

 # Nginx 配置模板
+# 智能处理 IP：有外层代理头就透传，没有就用直连 IP
 RUN printf '%s\n' \
+'map $http_x_real_ip $real_ip {' \
+'    default $http_x_real_ip;' \
+'    ""      $remote_addr;' \
+'}' \
+'' \
+'map $http_x_forwarded_for $forwarded_for {' \
+'    default $http_x_forwarded_for;' \
+'    ""      $remote_addr;' \
+'}' \
+'' \
 'server {' \
 '    listen 80;' \
 '    server_name _;' \
@@ -70,8 +81,8 @@ RUN printf '%s\n' \
 '        proxy_pass http://127.0.0.1:PORT_PLACEHOLDER;' \
 '        proxy_http_version 1.1;' \
 '        proxy_set_header Host $host;' \
-'        proxy_set_header X-Real-IP $remote_addr;' \
-'        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;' \
+'        proxy_set_header X-Real-IP $real_ip;' \
+'        proxy_set_header X-Forwarded-For $forwarded_for;' \
 '        proxy_set_header X-Forwarded-Proto $scheme;' \
 '        proxy_set_header Connection "";' \
 '        proxy_set_header Accept $http_accept;' \
--- a/Dockerfile.app.local
+++ b/Dockerfile.app.local
@@ -40,7 +40,18 @@ COPY alembic.ini ./
 COPY alembic/ ./alembic/

 # Nginx 配置模板
+# 智能处理 IP：有外层代理头就透传，没有就用直连 IP
 RUN printf '%s\n' \
+'map $http_x_real_ip $real_ip {' \
+'    default $http_x_real_ip;' \
+'    ""      $remote_addr;' \
+'}' \
+'' \
+'map $http_x_forwarded_for $forwarded_for {' \
+'    default $http_x_forwarded_for;' \
+'    ""      $remote_addr;' \
+'}' \
+'' \
 'server {' \
 '    listen 80;' \
 '    server_name _;' \
@@ -71,8 +82,8 @@ RUN printf '%s\n' \
 '        proxy_pass http://127.0.0.1:PORT_PLACEHOLDER;' \
 '        proxy_http_version 1.1;' \
 '        proxy_set_header Host $host;' \
-'        proxy_set_header X-Real-IP $remote_addr;' \
-'        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;' \
+'        proxy_set_header X-Real-IP $real_ip;' \
+'        proxy_set_header X-Forwarded-For $forwarded_for;' \
 '        proxy_set_header X-Forwarded-Proto $scheme;' \
 '        proxy_set_header Connection "";' \
 '        proxy_set_header Accept $http_accept;' \
--- a/src/api/admin/monitoring/audit.py
+++ b/src/api/admin/monitoring/audit.py
@@ -107,6 +107,9 @@ class AdminGetAuditLogsAdapter(AdminApiAdapter):
    limit: int
    offset: int

+    # 查看审计日志本身不应该产生审计记录，避免刷新页面时产生大量无意义的日志
+    audit_log_enabled: bool = False
+
    async def handle(self, context):  # type: ignore[override]
        db = context.db
        cutoff_time = datetime.now(timezone.utc) - timedelta(days=self.days)