Commit Graph

4 Commits

Author SHA1 Message Date
xiaji
d1bf5ea2df fix(auth): Caddy explicitly writes X-Forwarded-For + uvicorn trusts the docker network
Root cause (located during the smoke test):
- Caddy reverse_proxy by default overwrites the client's X-Forwarded-For header,
  writing in the client IP it identified itself (anti-spoofing)
- uvicorn --forwarded-allow-ips by default only trusts 127.0.0.1;
  the docker network 172.18.0.x is not on the allowlist
- Result: when the api side reads X-Forwarded-For, it sees the value Caddy substituted
  (the real client IP as identified by Caddy), not the value forged by the client. This is actually correct!
  But uvicorn does not use this value to update the client scope

Fix:
- Caddyfile: header_up X-Forwarded-For {remote_host}
  explicitly make Caddy write the client IP it identified into X-Forwarded-For
- docker-compose api command: add --forwarded-allow-ips 172.18.0.0/16
  to trust the docker network (so uvicorn adopts the X-Forwarded-For value)
- api side get_client_ip unchanged; it reads X-Forwarded-For to get the real client IP

Effect: X-Forwarded-For always represents the real client IP along the proxy chain,
and is no longer overwritten or dropped by any middleware
2026-06-13 19:47:11 +08:00
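The commit above turns on two trust decisions: Caddy writes the peer it saw into X-Forwarded-For, and uvicorn is told which peers it may believe that header from. The example below is added here for illustration and is not the project's get_client_ip, uvicorn's proxy-header middleware, or any code from the repository. It models a request as a direct TCP peer address plus the X-Forwarded-For value, parses a uvicorn-style --forwarded-allow-ips list (the commit's 172.18.0.0/16 plus uvicorn's documented 127.0.0.1 default), and walks the header right to left so a client-forged leftmost entry is never trusted. It goes beyond the commit's single-value case to multi-hop chains and the "*" wildcard. All addresses in demo() are constructed; 172.18.0.2 as the Caddy container is an assumption.

```python
"""Added example: resolving the real client IP behind a trusted proxy.

Illustration only. Not the project's get_client_ip and not uvicorn's
ProxyHeadersMiddleware. A request is modelled as the TCP peer address plus
the X-Forwarded-For header value. The range 172.18.0.0/16 is the docker
network named in the commit; 127.0.0.1 is uvicorn's documented default.
Every address used in demo() is constructed for illustration.
"""
import ipaddress
from typing import List, Optional, Sequence, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def trusted_from_cli(spec: str) -> Optional[List[Network]]:
    """Parse a comma-separated list in the shape of --forwarded-allow-ips.

    "*" returns None (trust every peer, which makes the header fully
    spoofable). Plain addresses become /32 or /128 networks.
    """
    if spec.strip() == "*":
        return None
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in spec.split(",") if item.strip()]


def _parse_ip(value: str):
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def is_trusted(addr: str, trusted: Optional[Sequence[Network]]) -> bool:
    ip = _parse_ip(addr)
    if ip is None:
        return False
    if trusted is None:            # wildcard: everything is a "proxy"
        return True
    return any(ip in net for net in trusted)


def get_client_ip(peer: str, xff: Optional[str],
                  trusted: Optional[Sequence[Network]]) -> str:
    """Return the address that should be treated as the client.

    The header is honoured only when the direct peer is a trusted proxy.
    Then X-Forwarded-For is walked right to left; the first hop that is not
    a trusted proxy is the client. A client that reaches the app directly
    (untrusted peer) can write anything into the header, so it is ignored.
    """
    if not is_trusted(peer, trusted) or not xff:
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if _parse_ip(hop) is None:
            return peer            # malformed chain: fall back to the socket peer
        if not is_trusted(hop, trusted):
            return hop
    # Every hop lies inside a trusted range: the leftmost one is the client.
    return hops[0]


def demo() -> dict:
    trusted = trusted_from_cli("127.0.0.1,172.18.0.0/16")   # the commit's setting
    caddy = "172.18.0.2"                                   # constructed Caddy peer
    return {
        # Caddy wrote header_up X-Forwarded-For {remote_host}: one real client IP
        "via_caddy": get_client_ip(caddy, "203.0.113.10", trusted),
        # attacker bypasses Caddy and talks to the app directly with a forged header
        "direct_spoof": get_client_ip("198.51.100.7", "10.0.0.1", trusted),
        # appending proxies: forged 10.0.0.1 on the left, real IP added by first hop
        "chain": get_client_ip(caddy, "10.0.0.1, 203.0.113.10, 172.18.0.9", trusted),
        # the client itself lives on the docker network
        "internal": get_client_ip(caddy, "172.18.0.5", trusted),
        # the pre-fix state: only 127.0.0.1 trusted, so the Caddy peer is returned
        "default_allow": get_client_ip(caddy, "203.0.113.10",
                                       trusted_from_cli("127.0.0.1")),
        # wildcard trusts everyone, so a direct attacker chooses its own IP
        "wildcard": get_client_ip("198.51.100.7", "10.0.0.1", trusted_from_cli("*")),
    }


if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name:14} -> {ip}")
```

The "default_allow" case reproduces what the commit describes as the pre-fix symptom: the header carries the right address but the peer is not on the allowlist, so the app sees Caddy's own IP. The "wildcard" case is the reason not to reach for "*" when widening the allowlist. A caveat on the chosen fix: trusting all of 172.18.0.0/16 means any container on that docker network, not only Caddy, can present a forged X-Forwarded-For to the api; that is acceptable only while Caddy is the sole thing that can reach the api port.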
xiaji
785b63cfed fix(ci): docker-compose mounts alembic/alembic.ini so the container sees new migrations 2026-06-12 19:08:40 +08:00
Mavis
6da59da934 chore(docker): add logging rotation to all containers (max-size 10m, max-file 3, 30MB total per container) 2026-06-09 10:52:51 +08:00
Mavis
60b062daf2 feat: initial MVP - FastAPI backend + Vue3 frontend + docker-compose
- backend: FastAPI + SQLAlchemy 2.0 (async) + asyncpg + Alembic
- 7 API routes: auth/me/articles/sources/bookmarks/subscriptions/admin
- models: User/Source/Article/Bookmark/Subscription/ApiToken
- services: RSS fetcher (feedparser) + Tencent TMT translator with quota + cache + local NLLB fallback
- workers: APScheduler + asyncio pipeline (fetch -> dedupe -> insert -> translate)
- seed scripts: create_user, seed_sources (5 RSS: Reuters/BBC/Al Jazeera/NHK/DW)
- frontend: Vue 3 + Vite + Naive UI + Pinia + vue-router
- pages: Login, Feed (24h), ArticleDetail, Sources, Bookmarks, AdminSources
- deploy: docker-compose (postgres/redis/api/worker/frontend/caddy)
- docs: README, DEPLOY, architecture, acceptance
2026-06-07 21:51:01 +08:00