iven/zclaw_openfang
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

feat(saas): add trusted_proxies config for reverse proxy rate limiting

Browse Source 
- Add trusted_proxies field to ServerConfig (Vec<String>, serde default)
- Default value is empty vector (no proxy trust until explicitly configured)
- Development config: trust localhost IPs (127.0.0.1, ::1)
- Production config: placeholder localhost IPs with comment to replace
This commit is contained in:
iven
2026-03-31 16:14:57 +08:00
parent 9905a8d0d5
commit a3bdf11d9a
3 changed files with 7 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
config/saas-development.toml
View File

@@ -5,6 +5,7 @@
host = "0.0.0.0" host = "0.0.0.0"
port = 8080 port = 8080
cors_origins = [] # 空 = 开发模式允许所有来源 cors_origins = [] # 空 = 开发模式允许所有来源
trusted_proxies = ["127.0.0.1", "::1"]
[database] [database]
url = "postgres://postgres:123123@localhost:5432/zclaw" url = "postgres://postgres:123123@localhost:5432/zclaw"

1
config/saas-production.toml
View File

@@ -6,6 +6,7 @@ host = "0.0.0.0"
port = 8080 port = 8080
# 生产环境必须配置 CORS 白名单 # 生产环境必须配置 CORS 白名单
cors_origins = ["https://admin.zclaw.ai", "https://zclaw.ai"] cors_origins = ["https://admin.zclaw.ai", "https://zclaw.ai"]
trusted_proxies = ["127.0.0.1", "::1"] # 替换为实际代理 IP
[database] [database]
# 生产环境通过 ZCLAW_DATABASE_URL 环境变量覆盖,此处为占位 # 生产环境通过 ZCLAW_DATABASE_URL 环境变量覆盖,此处为占位

5
crates/zclaw-saas/src/config.rs
View File

@@ -59,6 +59,10 @@ pub struct ServerConfig {
pub port: u16, pub port: u16,
#[serde(default)] #[serde(default)]
pub cors_origins: Vec<String>, pub cors_origins: Vec<String>,
/// 可信反向代理 IP 列表。仅对来自这些 IP 的请求解析 X-Forwarded-For 头。
/// 生产环境应为 Nginx/Caddy 的实际 IP如 ["127.0.0.1", "10.0.0.1"]
#[serde(default)]
pub trusted_proxies: Vec<String>,
} }
/// 数据库配置 /// 数据库配置
@@ -151,6 +155,7 @@ impl Default for ServerConfig {
host: default_host(), host: default_host(),
port: default_port(), port: default_port(),
cors_origins: Vec::new(), cors_origins: Vec::new(),
trusted_proxies: vec![],
} }
} }
} }