mirror of https://github.com/MHSanaei/3x-ui.git (synced 2026-06-08 22:24:15 +00:00)
- Add RateLimitMiddleware(10/min) to POST /login (previously unprotected)
- Use RemoteAddr instead of X-Real-IP/X-Forwarded-For in getRemoteIp() and rate limiter
- Prevents brute-force login and rate-limit bypass via spoofed headers
18 lines, 1.1 KiB, Markdown
# 2026-04-25 Security: Fix login rate limiting and IP spoofing
## Changes
- Add `RateLimitMiddleware(10, time.Minute)` to `POST /login` endpoint (was unprotected, only register had rate limiting)
- Fix `getRemoteIp()` to use `c.Request.RemoteAddr` instead of trusting `X-Real-IP` / `X-Forwarded-For` headers
- Fix `RateLimitMiddleware` to use `RemoteAddr` directly, preventing IP-based rate limit bypass via header spoofing
## Security Issue
- Login endpoint had zero rate limiting, enabling unlimited brute-force attempts
- Both IP extraction and rate limiter trusted client-supplied headers, allowing attackers to spoof IPs and bypass all rate limiting
## Files Modified
- `web/controller/index.go` — add rate limit middleware to login route
- `web/controller/util.go` — use RemoteAddr in getRemoteIp()
- `web/middleware/ratelimit.go` — use RemoteAddr in rate limiter
## Note
If the panel runs behind a reverse proxy, `RemoteAddr` will show the proxy IP. To restore header-based IP detection, configure `engine.SetTrustedProxies()` in `web/web.go` with the proxy's IP.
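The two points above, a per-IP rate limiter keyed on the connection's `RemoteAddr` rather than on client-supplied headers, and the trusted-proxy caveat for deployments behind a reverse proxy, can be illustrated together in plain `net/http`. The following is an added example written for this changelog; it is not 3x-ui's code and does not use Gin. `ClientIP`, `RateLimiter`, `ParseTrusted`, `LoginBurst` and `ResolveIP` are names chosen here. The trusted-proxy handling generalises the note: `X-Forwarded-For` is consulted only when the direct peer is a configured proxy, and the chain is walked from the right so that hops the client itself prepended are never trusted. All addresses are constructed sample values.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
	"time"
)

// ParseTrusted turns CIDR strings (or bare IPs) into networks; it is the
// stand-in for SetTrustedProxies() in this example.
func ParseTrusted(cidrs []string) []*net.IPNet {
	var nets []*net.IPNet
	for _, s := range cidrs {
		if !strings.Contains(s, "/") {
			if strings.Contains(s, ":") {
				s += "/128"
			} else {
				s += "/32"
			}
		}
		if _, n, err := net.ParseCIDR(s); err == nil {
			nets = append(nets, n)
		}
	}
	return nets
}

func inTrusted(ip net.IP, trusted []*net.IPNet) bool {
	for _, n := range trusted {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP treats the TCP peer (RemoteAddr) as authoritative. X-Forwarded-For
// is only honoured when that peer is a trusted proxy; the chain is then read
// right-to-left and the first hop that is not a trusted proxy is returned.
func ClientIP(r *http.Request, trusted []*net.IPNet) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	peer := net.ParseIP(host)
	if peer == nil || !inTrusted(peer, trusted) {
		return host // no trusted proxy in front of us: headers are client-controlled
	}
	hops := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			break // empty or malformed header: fall back to the proxy's address
		}
		if !inTrusted(ip, trusted) {
			return ip.String()
		}
	}
	return host
}

// RateLimiter is a sliding-window counter per key (here: per client IP).
type RateLimiter struct {
	mu     sync.Mutex
	limit  int
	window time.Duration
	hits   map[string][]time.Time
	now    func() time.Time
}

func NewRateLimiter(limit int, window time.Duration) *RateLimiter {
	return &RateLimiter{limit: limit, window: window, hits: map[string][]time.Time{}, now: time.Now}
}

// Allow records a hit for key and reports whether it is within the limit.
func (rl *RateLimiter) Allow(key string) bool {
	rl.mu.Lock()
	defer rl.mu.Unlock()
	now := rl.now()
	cutoff := now.Add(-rl.window)
	kept := rl.hits[key][:0] // drop timestamps that fell out of the window
	for _, t := range rl.hits[key] {
		if t.After(cutoff) {
			kept = append(kept, t)
		}
	}
	if len(kept) >= rl.limit {
		rl.hits[key] = kept
		return false
	}
	rl.hits[key] = append(kept, now)
	return true
}

// Middleware keys the limiter on ClientIP, so spoofed headers from an
// untrusted peer cannot give the client a fresh bucket.
func (rl *RateLimiter) Middleware(trusted []*net.IPNet, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !rl.Allow(ClientIP(r, trusted)) {
			http.Error(w, "too many requests", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// LoginBurst sends n POST /login requests from one connection, each carrying a
// different (constructed) X-Forwarded-For value, and returns the status codes.
func LoginBurst(n int) []int {
	rl := NewRateLimiter(10, time.Minute)
	login := rl.Middleware(nil, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	var codes []int
	for i := 0; i < n; i++ {
		req := httptest.NewRequest(http.MethodPost, "/login", nil)
		req.RemoteAddr = "198.51.100.7:51234" // constructed peer address
		req.Header.Set("X-Forwarded-For", fmt.Sprintf("203.0.113.%d", i+1))
		rec := httptest.NewRecorder()
		login.ServeHTTP(rec, req)
		codes = append(codes, rec.Code)
	}
	return codes
}

// ResolveIP builds a request with the given peer address and header and
// returns what ClientIP resolves it to under the given trusted proxies.
func ResolveIP(remoteAddr, xff string, trustedCIDRs []string) string {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.RemoteAddr = remoteAddr
	if xff != "" {
		req.Header.Set("X-Forwarded-For", xff)
	}
	return ClientIP(req, ParseTrusted(trustedCIDRs))
}

func main() {
	fmt.Println(LoginBurst(12)) // ten 200s, then 429s despite the changing header
	fmt.Println(ResolveIP("198.51.100.7:5555", "1.2.3.4", nil))
	fmt.Println(ResolveIP("10.0.0.5:5555", "203.0.113.9, 10.0.0.2", []string{"10.0.0.0/8"}))
}
```

With no trusted proxies, the spoofed header is ignored and the eleventh request from the same peer is rejected; with `10.0.0.0/8` trusted, a request arriving from `10.0.0.5` resolves to the rightmost non-proxy hop, which is the behaviour the note's `SetTrustedProxies()` configuration restores in the real panel.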