修复X-Forwarded-For ip地址伪造 安全问题

bonus-api/bonus-api-system/src/main/java/com/bonus/system/api/domain/SysLogsVo.java

@@ -164,7 +164,7 @@ public class SysLogsVo {
         try{
             String uuid= UUID.randomUUID().toString().replace("-","").toUpperCase();
             vo.setLogId(uuid);
-            String ip = IpUtils.getIpAddr();
+            String ip = loginUser.getIpaddr();
             vo.setIp(ip);
             // 设置方法名称
             String className = joinPoint.getTarget().getClass().getName();

bonus-auth/src/main/java/com/bonus/auth/service/PasswordValidatorService.java

@@ -238,7 +238,8 @@ public class PasswordValidatorService {
         long startTime = System.currentTimeMillis();
         try {
             String blackStr = Convert.toStr(redisService.getCacheObject(CacheConstants.SYS_LOGIN_BLACKIPLIST));
-            if (IpUtils.isMatchedIp(blackStr, IpUtils.getIpAddr())) {
+            String ip = IpUtils.getIpAddr(systemConfig.getTrustedProxyIps());
+            if (IpUtils.isMatchedIp(blackStr,ip )) {
                 logAndThrowError(username, "访问IP已被列入系统黑名单", "访问IP已被列入系统黑名单");
             }
         } catch (Exception e) {
@@ -269,7 +270,7 @@ public class PasswordValidatorService {
      */
     public void handleIpValidation(String username, SysUser user) {
         try {
-            String nowIp = IpUtils.getIpAddr();
+            String nowIp = IpUtils.getIpAddr(systemConfig.getTrustedProxyIps());
             String hisIp = redisService.getCacheObject("IP:" + user.getUserId());
             if (!nowIp.equals(hisIp)) {
                 recordLogService.saveErrorLogs(username, System.currentTimeMillis(), user.getUserId().toString(),"用户连续两次在不同IP登录");
@@ -285,7 +286,7 @@ public class PasswordValidatorService {
         List<Map<String, Object>> cacheList = redisService.getCacheObject(CacheConstants.SYS_LOGIN_BLACKIPLIST);
 
         // 获取客户端的 IP 地址
-        String ip = IpUtils.getIpAddr();
+        String ip = IpUtils.getIpAddr(systemConfig.getTrustedProxyIps());
 
         // 遍历黑名单
         for (Map<String, Object> map : cacheList) {

bonus-auth/src/main/java/com/bonus/auth/service/SysRecordLogService.java

@@ -5,6 +5,7 @@ import com.bonus.common.core.utils.DateUtils;
 import com.bonus.common.core.utils.global.SystemGlobal;
 import com.bonus.common.log.enums.OperaResult;
 import com.bonus.common.log.enums.OperaType;
+import com.bonus.config.SystemConfig;
 import com.bonus.system.api.domain.SysLogsVo;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -15,6 +16,7 @@ import com.bonus.common.core.utils.StringUtils;
 import com.bonus.common.core.utils.ip.IpUtils;
 import com.bonus.system.api.RemoteLogService;
 import com.bonus.system.api.domain.SysLogininfor;
+import org.springframework.util.ObjectUtils;
 
 import java.util.UUID;
 
@@ -29,6 +31,8 @@ public class SysRecordLogService
 {
     @Autowired
     private RemoteLogService remoteLogService;
+    @Autowired
+    private SystemConfig systemConfig;
 
     /**
      * 记录登录信息
@@ -42,7 +46,7 @@ public class SysRecordLogService
     {
         SysLogininfor logininfor = new SysLogininfor();
         logininfor.setUserName(username);
-        logininfor.setIpaddr(IpUtils.getIpAddr());
+        logininfor.setIpaddr(IpUtils.getIpAddr(systemConfig.getTrustedProxyIps()));
         logininfor.setMsg(message);
         // 日志状态
         if (StringUtils.equalsAny(status, Constants.LOGIN_SUCCESS, Constants.LOGOUT, Constants.REGISTER))
@@ -70,7 +74,7 @@ public class SysRecordLogService
         String uuid= UUID.randomUUID().toString().replace("-","").toUpperCase();
         sysLogsVo.setLogId(uuid);
         sysLogsVo.setOperaUserName(username);
-        sysLogsVo.setIp(IpUtils.getIpAddr());
+        sysLogsVo.setIp(IpUtils.getIpAddr(systemConfig.getTrustedProxyIps()));
         sysLogsVo.setModel("系统认证模块");
         sysLogsVo.setOperTime(DateUtils.getTime());
         sysLogsVo.setMethodType(SystemGlobal.POST);
@@ -119,6 +123,7 @@ public class SysRecordLogService
         if (StringUtils.isNotEmpty(userId)){
             sysLogsVo.setUserId(userId);
         }
+        sysLogsVo.setIp(IpUtils.getIpAddr(systemConfig.getTrustedProxyIps()));
         sysLogsVo.setResultData("用户登录成功");
         sysLogsVo.setTitle("系统登录");
         sysLogsVo.setModel("系统认证模块");
@@ -127,7 +132,7 @@ public class SysRecordLogService
         sysLogsVo.setMethod("login()");
         sysLogsVo.setLogId(uuid);
         sysLogsVo.setOperaUserName(username);
-        sysLogsVo.setIp(IpUtils.getIpAddr());
+        sysLogsVo.setIp(IpUtils.getIpAddr(systemConfig.getTrustedProxyIps()));
         sysLogsVo.setParams("{\"username\":\""+username+"\"}");
         sysLogsVo.setOperateDetail("用户登录系统");
         sysLogsVo.setErrType(errMessage);
@@ -154,7 +159,7 @@ public class SysRecordLogService
         String uuid= UUID.randomUUID().toString().replace("-","").toUpperCase();
         sysLogsVo.setLogId(uuid);
         sysLogsVo.setOperaUserName(username);
-        sysLogsVo.setIp(IpUtils.getIpAddr());
+        sysLogsVo.setIp(IpUtils.getIpAddr(systemConfig.getTrustedProxyIps()));
         sysLogsVo.setModel("系统认证模块");
         sysLogsVo.setLogType(0);
         if (StringUtils.isNotEmpty(userId)){
@@ -195,7 +200,7 @@ public class SysRecordLogService
         String uuid= UUID.randomUUID().toString().replace("-","").toUpperCase();
         sysLogsVo.setLogId(uuid);
         sysLogsVo.setOperaUserName(username);
-        sysLogsVo.setIp(IpUtils.getIpAddr());
+        sysLogsVo.setIp(IpUtils.getIpAddr(systemConfig.getTrustedProxyIps()));
         sysLogsVo.setModel("系统认证模块");
         sysLogsVo.setLogType(0);
         if (StringUtils.isNotEmpty(userId)){
@@ -228,7 +233,7 @@ public class SysRecordLogService
         String uuid= UUID.randomUUID().toString().replace("-","").toUpperCase();
         sysLogsVo.setLogId(uuid);
         sysLogsVo.setOperaUserName(username);
-        sysLogsVo.setIp(IpUtils.getIpAddr());
+        sysLogsVo.setIp(IpUtils.getIpAddr(systemConfig.getTrustedProxyIps()));
         sysLogsVo.setModel("系统认证模块");
         sysLogsVo.setLogType(0);
         if (StringUtils.isNotEmpty(userId)){

bonus-common/bonus-common-config/src/main/java/com/bonus/config/SystemConfig.java

@@ -49,6 +49,12 @@ public class SystemConfig  {
      * websocketUrl
      */
     private String websocketurl;
+
+    /**
+     * 信任的代理ip list
+     */
+    private List<String> trustedProxyIps;
+
     
     @Data
     @RefreshScope

bonus-common/bonus-common-core/src/main/java/com/bonus/common/core/utils/ip/IpUtils.java

@@ -2,9 +2,11 @@ package com.bonus.common.core.utils.ip;
 
 import java.net.InetAddress;
 import java.net.UnknownHostException;
+import java.util.List;
 import javax.servlet.http.HttpServletRequest;
 import com.bonus.common.core.utils.ServletUtils;
 import com.bonus.common.core.utils.StringUtils;
+import org.springframework.util.ObjectUtils;
 
 /**
  * 获取IP方法
@@ -35,9 +37,9 @@ public class IpUtils
      * 
      * @return IP地址
      */
-    public static String getIpAddr()
+    public static String getIpAddr(List<String> trustedProxy)
     {
-        return getIpAddr(ServletUtils.getRequest());
+        return getIpAddr(ServletUtils.getRequest(), trustedProxy);
     }
 
     /**
@@ -46,7 +48,7 @@ public class IpUtils
      * @param request 请求对象
      * @return IP地址
      */
-    public static String getIpAddr(HttpServletRequest request)
+    public static String getIpAddr(HttpServletRequest request,List<String> trustedProxy)
     {
         if (request == null)
         {
@@ -70,12 +72,21 @@ public class IpUtils
             ip = request.getHeader("X-Real-IP");
         }
 
-        if (ip == null || ip.length() == 0 || IP_UNKNOWN.equalsIgnoreCase(ip))
+
-        {
+        if (ip == null || ip.length() == 0 || IP_UNKNOWN.equalsIgnoreCase(ip)){
             ip = request.getRemoteAddr();
         }
-
+        String remoteAddr = request.getRemoteAddr();
-        return "0:0:0:0:0:0:0:1".equals(ip) ? "127.0.0.1" : getMultistageReverseProxyIp(ip);
+        if (!StringUtils.isEmpty(ip) && !StringUtils.isEmpty(remoteAddr) && !ObjectUtils.isEmpty(trustedProxy)) {
+            //使用代理的情况下确定代理是可信的
+            if (trustedProxy.contains(remoteAddr)) {
+                return "0:0:0:0:0:0:0:1".equals(ip) ? "127.0.0.1" : getMultistageReverseProxyIp(ip);
+            }
+        }
+        if (!StringUtils.isEmpty(remoteAddr)) {
+            return "0:0:0:0:0:0:0:1".equals(remoteAddr) ? "127.0.0.1" : getMultistageReverseProxyIp(remoteAddr);
+        }
+        return IP_UNKNOWN;
     }
 
     /**

bonus-common/bonus-common-log/src/main/java/com/bonus/common/log/aspect/LogAspect.java

@@ -3,13 +3,16 @@ package com.bonus.common.log.aspect;
 import java.util.Collection;
 import java.util.Map;
 import java.util.UUID;
+import javax.annotation.Resource;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import com.alibaba.fastjson2.JSONObject;
 import com.bonus.common.core.utils.DateUtils;
+import com.bonus.common.core.utils.SpringUtils;
 import com.bonus.common.core.utils.global.SystemGlobal;
 import com.bonus.common.log.annotation.SysLog;
+import com.bonus.config.SystemConfig;
 import com.bonus.system.api.domain.SysLogsVo;
 import org.apache.commons.lang3.ArrayUtils;
 import org.aspectj.lang.JoinPoint;
@@ -23,6 +26,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.core.NamedThreadLocal;
 import org.springframework.http.HttpMethod;
 import org.springframework.stereotype.Component;
+import org.springframework.util.ObjectUtils;
 import org.springframework.validation.BindingResult;
 import org.springframework.web.multipart.MultipartFile;
 import com.alibaba.fastjson2.JSON;
@@ -53,6 +57,9 @@ public class LogAspect
     @Autowired
     private AsyncLogService asyncLogService;
 
+    @Resource
+    private SystemConfig systemConfig;
+
     /**
      * 处理请求前执行
      */
@@ -118,7 +125,7 @@ public class LogAspect
                 sysLogsVo.setOperateDetail(controllerLog.details());
             }
 
-            sysLogsVo.setIp(IpUtils.getIpAddr());
+            sysLogsVo.setIp(IpUtils.getIpAddr(systemConfig.getTrustedProxyIps()));
             // 设置方法名称
             String className = joinPoint.getTarget().getClass().getName();
             String methodName = joinPoint.getSignature().getName();

bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/auth/AuthLogic.java

@@ -6,7 +6,9 @@ import cn.hutool.json.JSONObject;
 import com.bonus.common.core.constant.SecurityConstants;
 import com.bonus.common.core.domain.R;
 import com.bonus.common.core.utils.DateUtils;
+import com.bonus.common.core.utils.ip.IpUtils;
 import com.bonus.common.security.utils.LogsUtils;
+import com.bonus.config.SystemConfig;
 import com.bonus.system.api.RemoteLogService;
 import com.bonus.system.api.domain.SysLogsVo;
 import org.aspectj.lang.ProceedingJoinPoint;
@@ -42,6 +44,8 @@ public class AuthLogic
 
 
     public RemoteLogService logService = SpringUtils.getBean(RemoteLogService.class);
+
+    public SystemConfig systemConfig = SpringUtils.getBean(SystemConfig.class);
     /**
      * 会话注销
      */
@@ -180,6 +184,7 @@ public class AuthLogic
     public void addErrorLogs(ProceedingJoinPoint joinPoint,RequiresPermissions requiresPermissions){
         try{
             LoginUser loginUser = getLoginUser();
+            loginUser.setIpaddr(IpUtils.getIpAddr(systemConfig.getTrustedProxyIps()));
             SysLogsVo vo=SysLogsVo.getExceedAuthorithSysLogsVo(loginUser,joinPoint);
             LogsUtils.setRequestValue(joinPoint,vo,null);
             SysLogsVo sysLogsVo=new SysLogsVo();

bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/feign/FeignRequestInterceptor.java

@@ -2,6 +2,9 @@ package com.bonus.common.security.feign;
 
 import java.util.Map;
 import javax.servlet.http.HttpServletRequest;
+
+import com.bonus.common.core.utils.SpringUtils;
+import com.bonus.config.SystemConfig;
 import org.springframework.stereotype.Component;
 import com.bonus.common.core.constant.SecurityConstants;
 import com.bonus.common.core.utils.ServletUtils;
@@ -18,6 +21,8 @@ import feign.RequestTemplate;
 @Component
 public class FeignRequestInterceptor implements RequestInterceptor
 {
+    public SystemConfig systemConfig = SpringUtils.getBean(SystemConfig.class);
+
     @Override
     public void apply(RequestTemplate requestTemplate)
     {
@@ -48,7 +53,7 @@ public class FeignRequestInterceptor implements RequestInterceptor
             }
 
             // 配置客户端IP
-            requestTemplate.header("X-Forwarded-For", IpUtils.getIpAddr());
+            requestTemplate.header("X-Forwarded-For", IpUtils.getIpAddr(systemConfig.getTrustedProxyIps()));
         }
     }
 }

bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/service/TokenService.java

@@ -20,6 +20,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
+import org.springframework.util.ObjectUtils;
 
 import javax.annotation.Resource;
 import javax.servlet.http.HttpServletRequest;
@@ -71,7 +72,7 @@ public class TokenService {
         loginUser.setToken(token);
         loginUser.setUserid(userId);
         loginUser.setUsername(userName);
-        loginUser.setIpaddr(IpUtils.getIpAddr());
+        loginUser.setIpaddr(IpUtils.getIpAddr(systemConfig.getTrustedProxyIps()));
         refreshToken(loginUser);
         // Jwt存储信息
         Map<String, Object> claimsMap = new HashMap<String, Object>(16);

bonus-modules/bonus-system/src/main/java/com/bonus/system/controller/SysUserController.java

@@ -76,7 +76,7 @@ public class SysUserController extends BaseController {
     @RequiresPermissionsOrInnerAuth(innerAuth = @InnerAuth, requiresPermissions = @RequiresPermissions("system:user:list"))
     @GetMapping("/list")
     @PreventRepeatSubmit
-    //  @SysLog(title = "用户管理", businessType = OperaType.QUERY, logType = 0, module = "系统管理->用户管理", details = "查询用户列表")
+    @SysLog(title = "用户管理", businessType = OperaType.QUERY, logType = 0, module = "系统管理->用户管理", details = "查询用户列表")
     public TableDataInfo list(SysUser user) {
         try {
             startPage();

bonus-modules/bonus-system/src/main/java/com/bonus/system/service/impl/SysLogServiceImpl.java

@@ -1,5 +1,6 @@
 package com.bonus.system.service.impl;
 
+import com.bonus.config.SystemConfig;
 import com.bonus.system.warning.SysWarning;
 import com.bonus.system.warning.WaringLogEvent;
 import com.google.common.collect.Maps;
@@ -25,6 +26,7 @@ import org.springframework.scheduling.annotation.Async;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 import org.springframework.transaction.interceptor.TransactionAspectSupport;
+import org.springframework.util.ObjectUtils;
 
 import javax.annotation.Resource;
 import javax.servlet.http.HttpServletRequest;
@@ -47,6 +49,8 @@ public class SysLogServiceImpl implements ISysLogService {
 
     @Autowired
     private ApplicationEventPublisher eventPublisher;
+    @Autowired
+    private SystemConfig systemConfig;
 
     @Override
     @Transactional(rollbackFor = Exception.class)
@@ -82,9 +86,9 @@ public class SysLogServiceImpl implements ISysLogService {
     public void saveLogs(SysLogsVo sysLog, HttpServletRequest request) {
             try{
                 String loginUuid = IdUtils.fastUUID();
-                String ip = IpUtils.getIpAddr(request);
+                String ip = IpUtils.getIpAddr(request, systemConfig.getTrustedProxyIps());
-                sysLog.setLogId(loginUuid);
                 sysLog.setIp(ip);
+                sysLog.setLogId(loginUuid);
                 sysLog.setGrade("高");
                 sysLog.setErrType("越权访问");
                 sysLog.setFailureReason("页面未授权");