feat(proxy): enhance IP concurrency limit with custom headers and standard error formatting

Roberta001 · jyxjjj · commit 82d4f3ed217a · 2026-04-27T10:55:22.000+08:00
diff --git a/internal/bootstrap/data/setting.go b/internal/bootstrap/data/setting.go
@@ -238,7 +238,8 @@ func InitialSettings() []model.SettingItem {
 		{Key: conf.TaskCopyThreadsNum, Value: strconv.Itoa(conf.Conf.Tasks.Copy.Workers), Type: conf.TypeNumber, Group: model.TRAFFIC, Flag: model.PRIVATE},
 		{Key: conf.TaskDecompressDownloadThreadsNum, Value: strconv.Itoa(conf.Conf.Tasks.Decompress.Workers), Type: conf.TypeNumber, Group: model.TRAFFIC, Flag: model.PRIVATE},
 		{Key: conf.TaskDecompressUploadThreadsNum, Value: strconv.Itoa(conf.Conf.Tasks.DecompressUpload.Workers), Type: conf.TypeNumber, Group: model.TRAFFIC, Flag: model.PRIVATE},
-		{Key: conf.ProxyMaxConcurrentRequestsPerIP, Value: "-1", Type: conf.TypeNumber, Group: model.TRAFFIC, Flag: model.PRIVATE},
+		{Key: conf.ProxyMaxConcurrentRequestsPerIP, Value: "-1", Type: conf.TypeNumber, Group: model.TRAFFIC, Flag: model.PRIVATE, Help: "Limit the maximum number of concurrent proxy requests per IP. -1 means unlimited, 0 means disabled. NOTE: This limit relies on the client IP address. To prevent IP spoofing via headers, ensure your reverse proxy correctly overwrites X-Forwarded-For and X-Real-IP headers. Also, these counts are per-process; in multi-instance deployments, the effective limit is limit * N instances."},
+		{Key: conf.ProxyClientIPHeader, Value: "", Type: conf.TypeString, Group: model.TRAFFIC, Flag: model.PRIVATE, Help: "Custom HTTP header to extract the client IP for proxy limits (e.g., 'X-Forwarded-For', 'CF-Connecting-IP'). Leave empty to use strict strict remote address (c.Request.RemoteAddr) which prevents IP spoofing but breaks behind reverse proxies without transparent IP capabilities."},
 		{Key: conf.StreamMaxClientDownloadSpeed, Value: "-1", Type: conf.TypeNumber, Group: model.TRAFFIC, Flag: model.PRIVATE},
 		{Key: conf.StreamMaxClientUploadSpeed, Value: "-1", Type: conf.TypeNumber, Group: model.TRAFFIC, Flag: model.PRIVATE},
 		{Key: conf.StreamMaxServerDownloadSpeed, Value: "-1", Type: conf.TypeNumber, Group: model.TRAFFIC, Flag: model.PRIVATE},
diff --git a/internal/conf/const.go b/internal/conf/const.go
@@ -158,6 +158,7 @@ const (
 	TaskDecompressDownloadThreadsNum      = "decompress_download_task_threads_num"
 	TaskDecompressUploadThreadsNum        = "decompress_upload_task_threads_num"
 	ProxyMaxConcurrentRequestsPerIP       = "proxy_max_concurrent_requests_per_ip"
+	ProxyClientIPHeader                   = "proxy_client_ip_header"
 	StreamMaxClientDownloadSpeed          = "max_client_download_speed"
 	StreamMaxClientUploadSpeed            = "max_client_upload_speed"
 	StreamMaxServerDownloadSpeed          = "max_server_download_speed"
diff --git a/server/middlewares/ip_limit.go b/server/middlewares/ip_limit.go
@@ -1,14 +1,19 @@
 package middlewares
 
 import (
+	"errors"
+	"net"
 	"net/http"
+	"strings"
 	"sync"
 
 	"github.com/OpenListTeam/OpenList/v4/internal/conf"
 	"github.com/OpenListTeam/OpenList/v4/internal/setting"
+	"github.com/OpenListTeam/OpenList/v4/server/common"
 	"github.com/gin-gonic/gin"
 )
 
+// NOTE: Counts are per-process; in multi-instance deployments the effective limit is limit * N.
 var (
 	proxyIPCounts   = make(map[string]int)
 	proxyIPCountsMu sync.Mutex
@@ -27,25 +32,35 @@ func ProxyIPConcurrencyLimit() gin.HandlerFunc {
 
 		if limit == 0 {
 			// 0 means completely disabled
-			c.AbortWithStatusJSON(http.StatusForbidden, gin.H{
-				"code":    http.StatusForbidden,
-				"message": "Proxy is disabled",
-				"data":    nil,
-			})
+			common.ErrorPage(c, errors.New("Proxy is disabled"), http.StatusForbidden)
 			return
 		}
 
-		ip := c.ClientIP()
+		ipHeader := setting.GetStr(conf.ProxyClientIPHeader)
+		var ip string
+
+		// Extract IP based on user configuration to prevent spoofing
+		if ipHeader != "" {
+			ip = c.Request.Header.Get(ipHeader)
+			if idx := strings.Index(ip, ","); idx != -1 {
+				ip = ip[:idx]
+			}
+			ip = strings.TrimSpace(ip)
+		}
+
+		// Fallback to strict remote address if missing or not configured
+		if ip == "" {
+			ip = c.Request.RemoteAddr
+			if host, _, err := net.SplitHostPort(ip); err == nil {
+				ip = host
+			}
+		}
 
 		proxyIPCountsMu.Lock()
 		count := proxyIPCounts[ip]
 		if count >= limit {
 			proxyIPCountsMu.Unlock()
-			c.AbortWithStatusJSON(http.StatusTooManyRequests, gin.H{
-				"code":    http.StatusTooManyRequests,
-				"message": "Too Many Proxy Requests from this IP",
-				"data":    nil,
-			})
+			common.ErrorPage(c, errors.New("Too Many Proxy Requests from this IP"), http.StatusTooManyRequests)
 			return
 		}
 		proxyIPCounts[ip] = count + 1
diff --git a/server/router.go b/server/router.go
@@ -46,12 +46,12 @@ func Init(e *gin.Engine) {
 	proxyConcurrencyLimiter := middlewares.ProxyIPConcurrencyLimit()
 	signCheck := middlewares.Down(sign.Verify)
 	g.GET("/d/*path", middlewares.PathParse, signCheck, downloadLimiter, handles.Down)
-	g.GET("/p/*path", middlewares.PathParse, signCheck, downloadLimiter, proxyConcurrencyLimiter, handles.Proxy)
+	g.GET("/p/*path", middlewares.PathParse, signCheck, proxyConcurrencyLimiter, downloadLimiter, handles.Proxy)
 	g.HEAD("/d/*path", middlewares.PathParse, signCheck, handles.Down)
 	g.HEAD("/p/*path", middlewares.PathParse, signCheck, proxyConcurrencyLimiter, handles.Proxy)
 	archiveSignCheck := middlewares.Down(sign.VerifyArchive)
 	g.GET("/ad/*path", middlewares.PathParse, archiveSignCheck, downloadLimiter, handles.ArchiveDown)
-	g.GET("/ap/*path", middlewares.PathParse, archiveSignCheck, downloadLimiter, proxyConcurrencyLimiter, handles.ArchiveProxy)
+	g.GET("/ap/*path", middlewares.PathParse, archiveSignCheck, proxyConcurrencyLimiter, downloadLimiter, handles.ArchiveProxy)
 	g.GET("/ae/*path", middlewares.PathParse, archiveSignCheck, downloadLimiter, handles.ArchiveInternalExtract)
 	g.HEAD("/ad/*path", middlewares.PathParse, archiveSignCheck, handles.ArchiveDown)
 	g.HEAD("/ap/*path", middlewares.PathParse, archiveSignCheck, proxyConcurrencyLimiter, handles.ArchiveProxy)
