i/Aether
1
0
Fork 0
mirror of https://github.com/fawney19/Aether.git synced 2026-01-10 11:42:27 +08:00
Code Issues Packages Projects Releases Wiki Activity

refactor: nginx 透传外层代理 IP 头并禁用审计日志页面的审计记录

Browse Source 
- Dockerfile.app/local: 使用 map 指令智能处理 X-Real-IP 和 X-Forwarded-For,
  有外层代理头则透传,否则使用 remote_addr
- audit.py: 查看审计日志不再产生审计记录,避免刷新页面时产生大量无意义日志
This commit is contained in:
fawney19
2026-01-06 17:23:08 +08:00
parent 2395093394
commit 835be3d329
3 changed files with 29 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
Dockerfile.app
View File

@@ -39,7 +39,18 @@ COPY alembic.ini ./
COPY alembic/ ./alembic/ COPY alembic/ ./alembic/
# Nginx 配置模板 # Nginx 配置模板
# 智能处理 IP有外层代理头就透传没有就用直连 IP
RUN printf '%s\n' \ RUN printf '%s\n' \
'map $http_x_real_ip $real_ip {' \
' default $http_x_real_ip;' \
' "" $remote_addr;' \
'}' \
'' \
'map $http_x_forwarded_for $forwarded_for {' \
' default $http_x_forwarded_for;' \
' "" $remote_addr;' \
'}' \
'' \
'server {' \ 'server {' \
' listen 80;' \ ' listen 80;' \
' server_name _;' \ ' server_name _;' \
@@ -70,8 +81,8 @@ RUN printf '%s\n' \
' proxy_pass http://127.0.0.1:PORT_PLACEHOLDER;' \ ' proxy_pass http://127.0.0.1:PORT_PLACEHOLDER;' \
' proxy_http_version 1.1;' \ ' proxy_http_version 1.1;' \
' proxy_set_header Host $host;' \ ' proxy_set_header Host $host;' \
' proxy_set_header X-Real-IP $remote_addr;' \ ' proxy_set_header X-Real-IP $real_ip;' \
' proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;' \ ' proxy_set_header X-Forwarded-For $forwarded_for;' \
' proxy_set_header X-Forwarded-Proto $scheme;' \ ' proxy_set_header X-Forwarded-Proto $scheme;' \
' proxy_set_header Connection "";' \ ' proxy_set_header Connection "";' \
' proxy_set_header Accept $http_accept;' \ ' proxy_set_header Accept $http_accept;' \

15
Dockerfile.app.local
View File

@@ -40,7 +40,18 @@ COPY alembic.ini ./
COPY alembic/ ./alembic/ COPY alembic/ ./alembic/
# Nginx 配置模板 # Nginx 配置模板
# 智能处理 IP有外层代理头就透传没有就用直连 IP
RUN printf '%s\n' \ RUN printf '%s\n' \
'map $http_x_real_ip $real_ip {' \
' default $http_x_real_ip;' \
' "" $remote_addr;' \
'}' \
'' \
'map $http_x_forwarded_for $forwarded_for {' \
' default $http_x_forwarded_for;' \
' "" $remote_addr;' \
'}' \
'' \
'server {' \ 'server {' \
' listen 80;' \ ' listen 80;' \
' server_name _;' \ ' server_name _;' \
@@ -71,8 +82,8 @@ RUN printf '%s\n' \
' proxy_pass http://127.0.0.1:PORT_PLACEHOLDER;' \ ' proxy_pass http://127.0.0.1:PORT_PLACEHOLDER;' \
' proxy_http_version 1.1;' \ ' proxy_http_version 1.1;' \
' proxy_set_header Host $host;' \ ' proxy_set_header Host $host;' \
' proxy_set_header X-Real-IP $remote_addr;' \ ' proxy_set_header X-Real-IP $real_ip;' \
' proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;' \ ' proxy_set_header X-Forwarded-For $forwarded_for;' \
' proxy_set_header X-Forwarded-Proto $scheme;' \ ' proxy_set_header X-Forwarded-Proto $scheme;' \
' proxy_set_header Connection "";' \ ' proxy_set_header Connection "";' \
' proxy_set_header Accept $http_accept;' \ ' proxy_set_header Accept $http_accept;' \

3
src/api/admin/monitoring/audit.py
View File

@@ -107,6 +107,9 @@ class AdminGetAuditLogsAdapter(AdminApiAdapter):
limit: int limit: int
offset: int offset: int
# 查看审计日志本身不应该产生审计记录,避免刷新页面时产生大量无意义的日志
audit_log_enabled: bool = False
async def handle(self, context): # type: ignore[override] async def handle(self, context): # type: ignore[override]
db = context.db db = context.db
cutoff_time = datetime.now(timezone.utc) - timedelta(days=self.days) cutoff_time = datetime.now(timezone.utc) - timedelta(days=self.days)