diff --git a/common/ip.go b/common/ip.go
new file mode 100644
index 000000000..bfb64ee7f
--- /dev/null
+++ b/common/ip.go
@@ -0,0 +1,22 @@
+package common
+
+import "net"
+
+func IsPrivateIP(ip net.IP) bool {
+ if ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() {
+ return true
+ }
+
+ private := []net.IPNet{
+ {IP: net.IPv4(10, 0, 0, 0), Mask: net.CIDRMask(8, 32)},
+ {IP: net.IPv4(172, 16, 0, 0), Mask: net.CIDRMask(12, 32)},
+ {IP: net.IPv4(192, 168, 0, 0), Mask: net.CIDRMask(16, 32)},
+ }
+
+ for _, privateNet := range private {
+ if privateNet.Contains(ip) {
+ return true
+ }
+ }
+ return false
+}
diff --git a/common/ssrf_protection.go b/common/ssrf_protection.go
new file mode 100644
index 000000000..6f7d289f1
--- /dev/null
+++ b/common/ssrf_protection.go
@@ -0,0 +1,327 @@
+package common
+
+import (
+ "fmt"
+ "net"
+ "net/url"
+ "strconv"
+ "strings"
+)
+
+// SSRFProtection SSRF防护配置
+type SSRFProtection struct {
+ AllowPrivateIp bool
+ DomainFilterMode bool // true: 白名单, false: 黑名单
+ DomainList []string // domain format, e.g. example.com, *.example.com
+ IpFilterMode bool // true: 白名单, false: 黑名单
+ IpList []string // CIDR or single IP
+ AllowedPorts []int // 允许的端口范围
+ ApplyIPFilterForDomain bool // 对域名启用IP过滤
+}
+
+// DefaultSSRFProtection 默认SSRF防护配置
+var DefaultSSRFProtection = &SSRFProtection{
+ AllowPrivateIp: false,
+ DomainFilterMode: true,
+ DomainList: []string{},
+ IpFilterMode: true,
+ IpList: []string{},
+ AllowedPorts: []int{},
+}
+
+// isPrivateIP 检查IP是否为私有地址
+func isPrivateIP(ip net.IP) bool {
+ if ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() {
+ return true
+ }
+
+ // 检查私有网段
+ private := []net.IPNet{
+ {IP: net.IPv4(10, 0, 0, 0), Mask: net.CIDRMask(8, 32)}, // 10.0.0.0/8
+ {IP: net.IPv4(172, 16, 0, 0), Mask: net.CIDRMask(12, 32)}, // 172.16.0.0/12
+ {IP: net.IPv4(192, 168, 0, 0), Mask: net.CIDRMask(16, 32)}, // 192.168.0.0/16
+ {IP: net.IPv4(127, 0, 0, 0), Mask: net.CIDRMask(8, 32)}, // 127.0.0.0/8
+ {IP: net.IPv4(169, 254, 0, 0), Mask: net.CIDRMask(16, 32)}, // 169.254.0.0/16 (链路本地)
+ {IP: net.IPv4(224, 0, 0, 0), Mask: net.CIDRMask(4, 32)}, // 224.0.0.0/4 (组播)
+ {IP: net.IPv4(240, 0, 0, 0), Mask: net.CIDRMask(4, 32)}, // 240.0.0.0/4 (保留)
+ }
+
+ for _, privateNet := range private {
+ if privateNet.Contains(ip) {
+ return true
+ }
+ }
+
+ // 检查IPv6私有地址
+ if ip.To4() == nil {
+ // IPv6 loopback
+ if ip.Equal(net.IPv6loopback) {
+ return true
+ }
+ // IPv6 link-local
+ if strings.HasPrefix(ip.String(), "fe80:") {
+ return true
+ }
+ // IPv6 unique local
+ if strings.HasPrefix(ip.String(), "fc") || strings.HasPrefix(ip.String(), "fd") {
+ return true
+ }
+ }
+
+ return false
+}
+
+// parsePortRanges 解析端口范围配置
+// 支持格式: "80", "443", "8000-9000"
+func parsePortRanges(portConfigs []string) ([]int, error) {
+ var ports []int
+
+ for _, config := range portConfigs {
+ config = strings.TrimSpace(config)
+ if config == "" {
+ continue
+ }
+
+ if strings.Contains(config, "-") {
+ // 处理端口范围 "8000-9000"
+ parts := strings.Split(config, "-")
+ if len(parts) != 2 {
+ return nil, fmt.Errorf("invalid port range format: %s", config)
+ }
+
+ startPort, err := strconv.Atoi(strings.TrimSpace(parts[0]))
+ if err != nil {
+ return nil, fmt.Errorf("invalid start port in range %s: %v", config, err)
+ }
+
+ endPort, err := strconv.Atoi(strings.TrimSpace(parts[1]))
+ if err != nil {
+ return nil, fmt.Errorf("invalid end port in range %s: %v", config, err)
+ }
+
+ if startPort > endPort {
+ return nil, fmt.Errorf("invalid port range %s: start port cannot be greater than end port", config)
+ }
+
+ if startPort < 1 || startPort > 65535 || endPort < 1 || endPort > 65535 {
+ return nil, fmt.Errorf("port range %s contains invalid port numbers (must be 1-65535)", config)
+ }
+
+ // 添加范围内的所有端口
+ for port := startPort; port <= endPort; port++ {
+ ports = append(ports, port)
+ }
+ } else {
+ // 处理单个端口 "80"
+ port, err := strconv.Atoi(config)
+ if err != nil {
+ return nil, fmt.Errorf("invalid port number: %s", config)
+ }
+
+ if port < 1 || port > 65535 {
+ return nil, fmt.Errorf("invalid port number %d (must be 1-65535)", port)
+ }
+
+ ports = append(ports, port)
+ }
+ }
+
+ return ports, nil
+}
+
+// isAllowedPort 检查端口是否被允许
+func (p *SSRFProtection) isAllowedPort(port int) bool {
+ if len(p.AllowedPorts) == 0 {
+ return true // 如果没有配置端口限制,则允许所有端口
+ }
+
+ for _, allowedPort := range p.AllowedPorts {
+ if port == allowedPort {
+ return true
+ }
+ }
+ return false
+}
+
+// isDomainWhitelisted 检查域名是否在白名单中
+func isDomainListed(domain string, list []string) bool {
+ if len(list) == 0 {
+ return false
+ }
+
+ domain = strings.ToLower(domain)
+ for _, item := range list {
+ item = strings.ToLower(strings.TrimSpace(item))
+ if item == "" {
+ continue
+ }
+ // 精确匹配
+ if domain == item {
+ return true
+ }
+ // 通配符匹配 (*.example.com)
+ if strings.HasPrefix(item, "*.") {
+ suffix := strings.TrimPrefix(item, "*.")
+ if strings.HasSuffix(domain, "."+suffix) || domain == suffix {
+ return true
+ }
+ }
+ }
+ return false
+}
+
+func (p *SSRFProtection) isDomainAllowed(domain string) bool {
+ listed := isDomainListed(domain, p.DomainList)
+ if p.DomainFilterMode { // 白名单
+ return listed
+ }
+ // 黑名单
+ return !listed
+}
+
+// isIPWhitelisted 检查IP是否在白名单中
+
+func isIPListed(ip net.IP, list []string) bool {
+ if len(list) == 0 {
+ return false
+ }
+
+ for _, whitelistCIDR := range list {
+ _, network, err := net.ParseCIDR(whitelistCIDR)
+ if err != nil {
+ // 尝试作为单个IP处理
+ if whitelistIP := net.ParseIP(whitelistCIDR); whitelistIP != nil {
+ if ip.Equal(whitelistIP) {
+ return true
+ }
+ }
+ continue
+ }
+
+ if network.Contains(ip) {
+ return true
+ }
+ }
+ return false
+}
+
+// IsIPAccessAllowed 检查IP是否允许访问
+func (p *SSRFProtection) IsIPAccessAllowed(ip net.IP) bool {
+ // 私有IP限制
+ if isPrivateIP(ip) && !p.AllowPrivateIp {
+ return false
+ }
+
+ listed := isIPListed(ip, p.IpList)
+ if p.IpFilterMode { // 白名单
+ return listed
+ }
+ // 黑名单
+ return !listed
+}
+
+// ValidateURL 验证URL是否安全
+func (p *SSRFProtection) ValidateURL(urlStr string) error {
+ // 解析URL
+ u, err := url.Parse(urlStr)
+ if err != nil {
+ return fmt.Errorf("invalid URL format: %v", err)
+ }
+
+ // 只允许HTTP/HTTPS协议
+ if u.Scheme != "http" && u.Scheme != "https" {
+ return fmt.Errorf("unsupported protocol: %s (only http/https allowed)", u.Scheme)
+ }
+
+ // 解析主机和端口
+ host, portStr, err := net.SplitHostPort(u.Host)
+ if err != nil {
+ // 没有端口,使用默认端口
+ host = u.Hostname()
+ if u.Scheme == "https" {
+ portStr = "443"
+ } else {
+ portStr = "80"
+ }
+ }
+
+ // 验证端口
+ port, err := strconv.Atoi(portStr)
+ if err != nil {
+ return fmt.Errorf("invalid port: %s", portStr)
+ }
+
+ if !p.isAllowedPort(port) {
+ return fmt.Errorf("port %d is not allowed", port)
+ }
+
+ // 如果 host 是 IP,则跳过域名检查
+ if ip := net.ParseIP(host); ip != nil {
+ if !p.IsIPAccessAllowed(ip) {
+ if isPrivateIP(ip) {
+ return fmt.Errorf("private IP address not allowed: %s", ip.String())
+ }
+ if p.IpFilterMode {
+ return fmt.Errorf("ip not in whitelist: %s", ip.String())
+ }
+ return fmt.Errorf("ip in blacklist: %s", ip.String())
+ }
+ return nil
+ }
+
+ // 先进行域名过滤
+ if !p.isDomainAllowed(host) {
+ if p.DomainFilterMode {
+ return fmt.Errorf("domain not in whitelist: %s", host)
+ }
+ return fmt.Errorf("domain in blacklist: %s", host)
+ }
+
+ // 若未启用对域名应用IP过滤,则到此通过
+ if !p.ApplyIPFilterForDomain {
+ return nil
+ }
+
+ // 解析域名对应IP并检查
+ ips, err := net.LookupIP(host)
+ if err != nil {
+ return fmt.Errorf("DNS resolution failed for %s: %v", host, err)
+ }
+ for _, ip := range ips {
+ if !p.IsIPAccessAllowed(ip) {
+ if isPrivateIP(ip) && !p.AllowPrivateIp {
+ return fmt.Errorf("private IP address not allowed: %s resolves to %s", host, ip.String())
+ }
+ if p.IpFilterMode {
+ return fmt.Errorf("ip not in whitelist: %s resolves to %s", host, ip.String())
+ }
+ return fmt.Errorf("ip in blacklist: %s resolves to %s", host, ip.String())
+ }
+ }
+ return nil
+}
+
+// ValidateURLWithFetchSetting 使用FetchSetting配置验证URL
+func ValidateURLWithFetchSetting(urlStr string, enableSSRFProtection, allowPrivateIp bool, domainFilterMode bool, ipFilterMode bool, domainList, ipList, allowedPorts []string, applyIPFilterForDomain bool) error {
+ // 如果SSRF防护被禁用,直接返回成功
+ if !enableSSRFProtection {
+ return nil
+ }
+
+ // 解析端口范围配置
+ allowedPortInts, err := parsePortRanges(allowedPorts)
+ if err != nil {
+ return fmt.Errorf("request reject - invalid port configuration: %v", err)
+ }
+
+ protection := &SSRFProtection{
+ AllowPrivateIp: allowPrivateIp,
+ DomainFilterMode: domainFilterMode,
+ DomainList: domainList,
+ IpFilterMode: ipFilterMode,
+ IpList: ipList,
+ AllowedPorts: allowedPortInts,
+ ApplyIPFilterForDomain: applyIPFilterForDomain,
+ }
+ return protection.ValidateURL(urlStr)
+}
diff --git a/service/cf_worker.go b/service/download.go
similarity index 59%
rename from service/cf_worker.go
rename to service/download.go
index d60b6fad5..036c43af8 100644
--- a/service/cf_worker.go
+++ b/service/download.go
@@ -28,6 +28,12 @@ func DoWorkerRequest(req *WorkerRequest) (*http.Response, error) {
return nil, fmt.Errorf("only support https url")
}
+ // SSRF防护:验证请求URL
+ fetchSetting := system_setting.GetFetchSetting()
+ if err := common.ValidateURLWithFetchSetting(req.URL, fetchSetting.EnableSSRFProtection, fetchSetting.AllowPrivateIp, fetchSetting.DomainFilterMode, fetchSetting.IpFilterMode, fetchSetting.DomainList, fetchSetting.IpList, fetchSetting.AllowedPorts, fetchSetting.ApplyIPFilterForDomain); err != nil {
+ return nil, fmt.Errorf("request reject: %v", err)
+ }
+
workerUrl := system_setting.WorkerUrl
if !strings.HasSuffix(workerUrl, "/") {
workerUrl += "/"
@@ -51,7 +57,13 @@ func DoDownloadRequest(originUrl string, reason ...string) (resp *http.Response,
}
return DoWorkerRequest(req)
} else {
- common.SysLog(fmt.Sprintf("downloading from origin with worker: %s, reason: %s", originUrl, strings.Join(reason, ", ")))
+ // SSRF防护:验证请求URL(非Worker模式)
+ fetchSetting := system_setting.GetFetchSetting()
+ if err := common.ValidateURLWithFetchSetting(originUrl, fetchSetting.EnableSSRFProtection, fetchSetting.AllowPrivateIp, fetchSetting.DomainFilterMode, fetchSetting.IpFilterMode, fetchSetting.DomainList, fetchSetting.IpList, fetchSetting.AllowedPorts, fetchSetting.ApplyIPFilterForDomain); err != nil {
+ return nil, fmt.Errorf("request reject: %v", err)
+ }
+
+ common.SysLog(fmt.Sprintf("downloading from origin: %s, reason: %s", common.MaskSensitiveInfo(originUrl), strings.Join(reason, ", ")))
return http.Get(originUrl)
}
}
diff --git a/service/user_notify.go b/service/user_notify.go
index 972ca655c..fba12d9db 100644
--- a/service/user_notify.go
+++ b/service/user_notify.go
@@ -113,6 +113,12 @@ func sendBarkNotify(barkURL string, data dto.Notify) error {
return fmt.Errorf("bark request failed with status code: %d", resp.StatusCode)
}
} else {
+ // SSRF防护:验证Bark URL(非Worker模式)
+ fetchSetting := system_setting.GetFetchSetting()
+ if err := common.ValidateURLWithFetchSetting(finalURL, fetchSetting.EnableSSRFProtection, fetchSetting.AllowPrivateIp, fetchSetting.DomainFilterMode, fetchSetting.IpFilterMode, fetchSetting.DomainList, fetchSetting.IpList, fetchSetting.AllowedPorts, fetchSetting.ApplyIPFilterForDomain); err != nil {
+ return fmt.Errorf("request reject: %v", err)
+ }
+
// 直接发送请求
req, err = http.NewRequest(http.MethodGet, finalURL, nil)
if err != nil {
diff --git a/service/webhook.go b/service/webhook.go
index 9c6ec8102..c678b8634 100644
--- a/service/webhook.go
+++ b/service/webhook.go
@@ -8,6 +8,7 @@ import (
"encoding/json"
"fmt"
"net/http"
+ "one-api/common"
"one-api/dto"
"one-api/setting/system_setting"
"time"
@@ -86,6 +87,12 @@ func SendWebhookNotify(webhookURL string, secret string, data dto.Notify) error
return fmt.Errorf("webhook request failed with status code: %d", resp.StatusCode)
}
} else {
+ // SSRF防护:验证Webhook URL(非Worker模式)
+ fetchSetting := system_setting.GetFetchSetting()
+ if err := common.ValidateURLWithFetchSetting(webhookURL, fetchSetting.EnableSSRFProtection, fetchSetting.AllowPrivateIp, fetchSetting.DomainFilterMode, fetchSetting.IpFilterMode, fetchSetting.DomainList, fetchSetting.IpList, fetchSetting.AllowedPorts, fetchSetting.ApplyIPFilterForDomain); err != nil {
+ return fmt.Errorf("request reject: %v", err)
+ }
+
req, err = http.NewRequest(http.MethodPost, webhookURL, bytes.NewBuffer(payloadBytes))
if err != nil {
return fmt.Errorf("failed to create webhook request: %v", err)
diff --git a/setting/system_setting/fetch_setting.go b/setting/system_setting/fetch_setting.go
new file mode 100644
index 000000000..c41b930af
--- /dev/null
+++ b/setting/system_setting/fetch_setting.go
@@ -0,0 +1,34 @@
+package system_setting
+
+import "one-api/setting/config"
+
+type FetchSetting struct {
+ EnableSSRFProtection bool `json:"enable_ssrf_protection"` // 是否启用SSRF防护
+ AllowPrivateIp bool `json:"allow_private_ip"`
+ DomainFilterMode bool `json:"domain_filter_mode"` // 域名过滤模式,true: 白名单模式,false: 黑名单模式
+ IpFilterMode bool `json:"ip_filter_mode"` // IP过滤模式,true: 白名单模式,false: 黑名单模式
+ DomainList []string `json:"domain_list"` // domain format, e.g. example.com, *.example.com
+ IpList []string `json:"ip_list"` // CIDR format
+ AllowedPorts []string `json:"allowed_ports"` // port range format, e.g. 80, 443, 8000-9000
+ ApplyIPFilterForDomain bool `json:"apply_ip_filter_for_domain"` // 对域名启用IP过滤(实验性)
+}
+
+var defaultFetchSetting = FetchSetting{
+ EnableSSRFProtection: true, // 默认开启SSRF防护
+ AllowPrivateIp: false,
+ DomainFilterMode: false,
+ IpFilterMode: false,
+ DomainList: []string{},
+ IpList: []string{},
+ AllowedPorts: []string{"80", "443", "8080", "8443"},
+ ApplyIPFilterForDomain: false,
+}
+
+func init() {
+ // 注册到全局配置管理器
+ config.GlobalConfig.Register("fetch_setting", &defaultFetchSetting)
+}
+
+func GetFetchSetting() *FetchSetting {
+ return &defaultFetchSetting
+}
diff --git a/types/error.go b/types/error.go
index 883ee0641..a42e84385 100644
--- a/types/error.go
+++ b/types/error.go
@@ -122,6 +122,9 @@ func (e *NewAPIError) MaskSensitiveError() string {
return string(e.errorCode)
}
errStr := e.Err.Error()
+ if e.errorCode == ErrorCodeCountTokenFailed {
+ return errStr
+ }
return common.MaskSensitiveInfo(errStr)
}
@@ -153,8 +156,9 @@ func (e *NewAPIError) ToOpenAIError() OpenAIError {
Code: e.errorCode,
}
}
-
- result.Message = common.MaskSensitiveInfo(result.Message)
+ if e.errorCode != ErrorCodeCountTokenFailed {
+ result.Message = common.MaskSensitiveInfo(result.Message)
+ }
return result
}
@@ -178,7 +182,9 @@ func (e *NewAPIError) ToClaudeError() ClaudeError {
Type: string(e.errorType),
}
}
- result.Message = common.MaskSensitiveInfo(result.Message)
+ if e.errorCode != ErrorCodeCountTokenFailed {
+ result.Message = common.MaskSensitiveInfo(result.Message)
+ }
return result
}
diff --git a/web/src/components/settings/SystemSetting.jsx b/web/src/components/settings/SystemSetting.jsx
index 9c7eeaadc..f9a2c019d 100644
--- a/web/src/components/settings/SystemSetting.jsx
+++ b/web/src/components/settings/SystemSetting.jsx
@@ -29,6 +29,7 @@ import {
TagInput,
Spin,
Card,
+ Radio,
} from '@douyinfe/semi-ui';
const { Text } = Typography;
import {
@@ -44,6 +45,7 @@ import { useTranslation } from 'react-i18next';
const SystemSetting = () => {
const { t } = useTranslation();
let [inputs, setInputs] = useState({
+
PasswordLoginEnabled: '',
PasswordRegisterEnabled: '',
EmailVerificationEnabled: '',
@@ -87,6 +89,15 @@ const SystemSetting = () => {
LinuxDOClientSecret: '',
LinuxDOMinimumTrustLevel: '',
ServerAddress: '',
+ // SSRF防护配置
+ 'fetch_setting.enable_ssrf_protection': true,
+ 'fetch_setting.allow_private_ip': '',
+ 'fetch_setting.domain_filter_mode': false, // true 白名单,false 黑名单
+ 'fetch_setting.ip_filter_mode': false, // true 白名单,false 黑名单
+ 'fetch_setting.domain_list': [],
+ 'fetch_setting.ip_list': [],
+ 'fetch_setting.allowed_ports': [],
+ 'fetch_setting.apply_ip_filter_for_domain': false,
});
const [originInputs, setOriginInputs] = useState({});
@@ -98,6 +109,11 @@ const SystemSetting = () => {
useState(false);
const [linuxDOOAuthEnabled, setLinuxDOOAuthEnabled] = useState(false);
const [emailToAdd, setEmailToAdd] = useState('');
+ const [domainFilterMode, setDomainFilterMode] = useState(true);
+ const [ipFilterMode, setIpFilterMode] = useState(true);
+ const [domainList, setDomainList] = useState([]);
+ const [ipList, setIpList] = useState([]);
+ const [allowedPorts, setAllowedPorts] = useState([]);
const getOptions = async () => {
setLoading(true);
@@ -113,6 +129,37 @@ const SystemSetting = () => {
case 'EmailDomainWhitelist':
setEmailDomainWhitelist(item.value ? item.value.split(',') : []);
break;
+ case 'fetch_setting.allow_private_ip':
+ case 'fetch_setting.enable_ssrf_protection':
+ case 'fetch_setting.domain_filter_mode':
+ case 'fetch_setting.ip_filter_mode':
+ case 'fetch_setting.apply_ip_filter_for_domain':
+ item.value = toBoolean(item.value);
+ break;
+ case 'fetch_setting.domain_list':
+ try {
+ const domains = item.value ? JSON.parse(item.value) : [];
+ setDomainList(Array.isArray(domains) ? domains : []);
+ } catch (e) {
+ setDomainList([]);
+ }
+ break;
+ case 'fetch_setting.ip_list':
+ try {
+ const ips = item.value ? JSON.parse(item.value) : [];
+ setIpList(Array.isArray(ips) ? ips : []);
+ } catch (e) {
+ setIpList([]);
+ }
+ break;
+ case 'fetch_setting.allowed_ports':
+ try {
+ const ports = item.value ? JSON.parse(item.value) : [];
+ setAllowedPorts(Array.isArray(ports) ? ports : []);
+ } catch (e) {
+ setAllowedPorts(['80', '443', '8080', '8443']);
+ }
+ break;
case 'PasswordLoginEnabled':
case 'PasswordRegisterEnabled':
case 'EmailVerificationEnabled':
@@ -140,6 +187,13 @@ const SystemSetting = () => {
});
setInputs(newInputs);
setOriginInputs(newInputs);
+ // 同步模式布尔到本地状态
+ if (typeof newInputs['fetch_setting.domain_filter_mode'] !== 'undefined') {
+ setDomainFilterMode(!!newInputs['fetch_setting.domain_filter_mode']);
+ }
+ if (typeof newInputs['fetch_setting.ip_filter_mode'] !== 'undefined') {
+ setIpFilterMode(!!newInputs['fetch_setting.ip_filter_mode']);
+ }
if (formApiRef.current) {
formApiRef.current.setValues(newInputs);
}
@@ -276,6 +330,46 @@ const SystemSetting = () => {
}
};
+ const submitSSRF = async () => {
+ const options = [];
+
+ // 处理域名过滤模式与列表
+ options.push({
+ key: 'fetch_setting.domain_filter_mode',
+ value: domainFilterMode,
+ });
+ if (Array.isArray(domainList)) {
+ options.push({
+ key: 'fetch_setting.domain_list',
+ value: JSON.stringify(domainList),
+ });
+ }
+
+ // 处理IP过滤模式与列表
+ options.push({
+ key: 'fetch_setting.ip_filter_mode',
+ value: ipFilterMode,
+ });
+ if (Array.isArray(ipList)) {
+ options.push({
+ key: 'fetch_setting.ip_list',
+ value: JSON.stringify(ipList),
+ });
+ }
+
+ // 处理端口配置
+ if (Array.isArray(allowedPorts)) {
+ options.push({
+ key: 'fetch_setting.allowed_ports',
+ value: JSON.stringify(allowedPorts),
+ });
+ }
+
+ if (options.length > 0) {
+ await updateOptions(options);
+ }
+ };
+
const handleAddEmail = () => {
if (emailToAdd && emailToAdd.trim() !== '') {
const domain = emailToAdd.trim();
@@ -587,6 +681,179 @@ const SystemSetting = () => {
+
+
+
+ {t('配置服务器端请求伪造(SSRF)防护,用于保护内网资源安全')}
+
+
+
+
+ handleCheckboxChange('fetch_setting.enable_ssrf_protection', e)
+ }
+ >
+ {t('启用SSRF防护(推荐开启以保护服务器安全)')}
+
+
+
+
+
+
+
+ handleCheckboxChange('fetch_setting.allow_private_ip', e)
+ }
+ >
+ {t('允许访问私有IP地址(127.0.0.1、192.168.x.x等内网地址)')}
+
+
+
+
+
+
+
+ handleCheckboxChange('fetch_setting.apply_ip_filter_for_domain', e)
+ }
+ style={{ marginBottom: 8 }}
+ >
+ {t('对域名启用 IP 过滤(实验性)')}
+
+
+ {t(domainFilterMode ? '域名白名单' : '域名黑名单')}
+
+
+ {t('支持通配符格式,如:example.com, *.api.example.com')}
+
+ {
+ const selected = val && val.target ? val.target.value : val;
+ const isWhitelist = selected === 'whitelist';
+ setDomainFilterMode(isWhitelist);
+ setInputs(prev => ({
+ ...prev,
+ 'fetch_setting.domain_filter_mode': isWhitelist,
+ }));
+ }}
+ style={{ marginBottom: 8 }}
+ >
+ {t('白名单')}
+ {t('黑名单')}
+
+ {
+ setDomainList(value);
+ // 触发Form的onChange事件
+ setInputs(prev => ({
+ ...prev,
+ 'fetch_setting.domain_list': value
+ }));
+ }}
+ placeholder={t('输入域名后回车,如:example.com')}
+ style={{ width: '100%' }}
+ />
+
+
+
+
+
+
+ {t(ipFilterMode ? 'IP白名单' : 'IP黑名单')}
+
+
+ {t('支持CIDR格式,如:8.8.8.8, 192.168.1.0/24')}
+
+ {
+ const selected = val && val.target ? val.target.value : val;
+ const isWhitelist = selected === 'whitelist';
+ setIpFilterMode(isWhitelist);
+ setInputs(prev => ({
+ ...prev,
+ 'fetch_setting.ip_filter_mode': isWhitelist,
+ }));
+ }}
+ style={{ marginBottom: 8 }}
+ >
+ {t('白名单')}
+ {t('黑名单')}
+
+ {
+ setIpList(value);
+ // 触发Form的onChange事件
+ setInputs(prev => ({
+ ...prev,
+ 'fetch_setting.ip_list': value
+ }));
+ }}
+ placeholder={t('输入IP地址后回车,如:8.8.8.8')}
+ style={{ width: '100%' }}
+ />
+
+
+
+
+
+ {t('允许的端口')}
+
+ {t('支持单个端口和端口范围,如:80, 443, 8000-8999')}
+
+ {
+ setAllowedPorts(value);
+ // 触发Form的onChange事件
+ setInputs(prev => ({
+ ...prev,
+ 'fetch_setting.allowed_ports': value
+ }));
+ }}
+ placeholder={t('输入端口后回车,如:80 或 8000-8999')}
+ style={{ width: '100%' }}
+ />
+
+ {t('端口配置详细说明')}
+
+
+
+
+
+
+
+