From 835be3d329f7f78c0ecdb4432e17cb9975c271d9 Mon Sep 17 00:00:00 2001 From: fawney19 Date: Tue, 6 Jan 2026 17:23:08 +0800 Subject: [PATCH] =?UTF-8?q?refactor:=20nginx=20=E9=80=8F=E4=BC=A0=E5=A4=96?= =?UTF-8?q?=E5=B1=82=E4=BB=A3=E7=90=86=20IP=20=E5=A4=B4=E5=B9=B6=E7=A6=81?= =?UTF-8?q?=E7=94=A8=E5=AE=A1=E8=AE=A1=E6=97=A5=E5=BF=97=E9=A1=B5=E9=9D=A2?= =?UTF-8?q?=E7=9A=84=E5=AE=A1=E8=AE=A1=E8=AE=B0=E5=BD=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Dockerfile.app/local: 使用 map 指令智能处理 X-Real-IP 和 X-Forwarded-For, 有外层代理头则透传,否则使用 remote_addr - audit.py: 查看审计日志不再产生审计记录,避免刷新页面时产生大量无意义日志 --- Dockerfile.app | 15 +++++++++++++-- Dockerfile.app.local | 15 +++++++++++++-- src/api/admin/monitoring/audit.py | 3 +++ 3 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/Dockerfile.app b/Dockerfile.app
index 7061b2e..728c519 100644
--- a/Dockerfile.app
+++ b/Dockerfile.app
@@ -39,7 +39,18 @@ COPY alembic.ini ./
 COPY alembic/ ./alembic/

 # Nginx 配置模板
+# 智能处理 IP:有外层代理头就透传,没有就用直连 IP
 RUN printf '%s\n' \
+'map $http_x_real_ip $real_ip {' \
+' default $http_x_real_ip;' \
+' "" $remote_addr;' \
+'}' \
+'' \
+'map $http_x_forwarded_for $forwarded_for {' \
+' default $http_x_forwarded_for;' \
+' "" $remote_addr;' \
+'}' \
+'' \
 'server {' \
 ' listen 80;' \
 ' server_name _;' \
@@ -70,8 +81,8 @@ RUN printf '%s\n' \
 ' proxy_pass http://127.0.0.1:PORT_PLACEHOLDER;' \
 ' proxy_http_version 1.1;' \
 ' proxy_set_header Host $host;' \
-' proxy_set_header X-Real-IP $remote_addr;' \
-' proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;' \
+' proxy_set_header X-Real-IP $real_ip;' \
+' proxy_set_header X-Forwarded-For $forwarded_for;' \
 ' proxy_set_header X-Forwarded-Proto $scheme;' \
 ' proxy_set_header Connection "";' \
 ' proxy_set_header Accept $http_accept;' \
diff --git a/Dockerfile.app.local b/Dockerfile.app.local
index 79d0734..ed48553 100644
--- a/Dockerfile.app.local
+++ b/Dockerfile.app.local
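Review bot: The two `map` blocks forward a client-supplied `X-Real-IP` / `X-Forwarded-For` unchanged whenever the header is present, so any client that can reach port 80 without going through the outer proxy decides which address the backend sees; anything the application derives from these headers (audit records, per-IP limits) would then be caller-controlled. The second hunk also swaps `$proxy_add_x_forwarded_for` for `$forwarded_for`, so the peer that actually connected is no longer appended to the chain when the header exists. Trusting the headers only from known proxies keeps the pass-through without the spoofing risk: leave `$remote_addr` and `$proxy_add_x_forwarded_for` in the `proxy_set_header` lines and add `set_real_ip_from TRUSTED_PROXY_CIDR;`, `real_ip_header X-Forwarded-For;` and `real_ip_recursive on;` to the `server` block, where TRUSTED_PROXY_CIDR is a placeholder for the outer proxy's address range and the nginx build must include the realip module. The same point applies to both hunks of Dockerfile.app.local. The `RUN printf` statement starts and ends outside these hunks.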
@@ -40,7 +40,18 @@ COPY alembic.ini ./
 COPY alembic/ ./alembic/

 # Nginx 配置模板
+# 智能处理 IP:有外层代理头就透传,没有就用直连 IP
 RUN printf '%s\n' \
+'map $http_x_real_ip $real_ip {' \
+' default $http_x_real_ip;' \
+' "" $remote_addr;' \
+'}' \
+'' \
+'map $http_x_forwarded_for $forwarded_for {' \
+' default $http_x_forwarded_for;' \
+' "" $remote_addr;' \
+'}' \
+'' \
 'server {' \
 ' listen 80;' \
 ' server_name _;' \
@@ -71,8 +82,8 @@ RUN printf '%s\n' \
 ' proxy_pass http://127.0.0.1:PORT_PLACEHOLDER;' \
 ' proxy_http_version 1.1;' \
 ' proxy_set_header Host $host;' \
-' proxy_set_header X-Real-IP $remote_addr;' \
-' proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;' \
+' proxy_set_header X-Real-IP $real_ip;' \
+' proxy_set_header X-Forwarded-For $forwarded_for;' \
 ' proxy_set_header X-Forwarded-Proto $scheme;' \
 ' proxy_set_header Connection "";' \
 ' proxy_set_header Accept $http_accept;' \
diff --git a/src/api/admin/monitoring/audit.py b/src/api/admin/monitoring/audit.py
index 396f7f9..3257df3 100644
--- a/src/api/admin/monitoring/audit.py
+++ b/src/api/admin/monitoring/audit.py
@@ -107,6 +107,9 @@ class AdminGetAuditLogsAdapter(AdminApiAdapter):
 limit: int
 offset: int

+ # 查看审计日志本身不应该产生审计记录,避免刷新页面时产生大量无意义的日志
+ audit_log_enabled: bool = False
+
 async def handle(self, context): # type: ignore[override]
 db = context.db
 cutoff_time = datetime.now(timezone.utc) - timedelta(days=self.days)
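Review bot: Setting `audit_log_enabled: bool = False` on `AdminGetAuditLogsAdapter` removes every record of who read the audit trail, and reading it is itself access to sensitive data that incident review usually needs to be able to trace. If the aim is only to stop page refreshes from flooding the log, a reduced record (for example one entry per admin per time window, or only when filters change) would keep that accountability. If the switch stays off, the comment should state the trade-off explicitly, e.g. `# Reads of the audit log are intentionally not audited (noise reduction); read access must be traceable elsewhere`. How the base class consumes `audit_log_enabled` is not visible here, and the class body starts and ends outside the hunk.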