diff --git a/web/middleware/domainValidator.go b/web/middleware/domainValidator.go
index c94130c..1de300d 100644
--- a/web/middleware/domainValidator.go
+++ b/web/middleware/domainValidator.go
@@ -2,7 +2,6 @@ package middleware
 import (
 "net"
- "net/http"
 "strings"
 "github.com/gin-gonic/gin"
@@ -15,8 +14,10 @@ func DomainValidatorMiddleware(domain string) gin.HandlerFunc {
 host, _, _ = net.SplitHostPort(c.Request.Host)
 }
- if host != domain {
- c.AbortWithStatus(http.StatusForbidden)
+ // Allow direct IP access even when a domain is configured.
+ // This keeps domain-based access working while removing the hard reverse-proxy-only restriction.
+ if host != domain && net.ParseIP(host) == nil {
+ c.AbortWithStatus(403)
 return
 }
diff --git a/web/web.go b/web/web.go
index ddec611..88586ed 100644
--- a/web/web.go
+++ b/web/web.go
@@ -397,12 +397,9 @@ func (s *Server) Start() (err error) {
 // 监听用户配置的地址
 listenAddr = net.JoinHostPort(listen, strconv.Itoa(port))
 } else {
- // 方式二:未配置证书,强制监听在本地回环地址,仅供 SSH 转发使用
- logger.Info("No certificate configured. Forcing listen address to localhost for security.")
- logger.Info("Access is only possible via SSH tunnel (e.g., http://127.0.0.1).")
-
- // 无论用户在 listen 中填写什么,都强制使用回环地址
- listen = fallbackToLocalhost(listen)
+ // 未配置证书时,允许按用户配置直接监听。
+ // 原版会强制回环地址导致必须 SSH 隧道或反代;本分支允许 IP:端口 直连访问。
+ logger.Info("No certificate configured. Direct HTTP access is enabled; using configured listen address.")
 listenAddr = net.JoinHostPort(listen, strconv.Itoa(port))
 }
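Review bot: The new condition in DomainValidatorMiddleware lets through any request whose Host header is an IP literal, because `net.ParseIP(host) == nil` checks only the syntax of a client-supplied value and not whether that address belongs to this server. With a domain configured, the validator therefore no longer limits the panel to the configured name, which is presumably what operators who set a domain rely on. I would make the exception opt-in, for example `if host != domain && !(allowIPAccess && net.ParseIP(host) != nil) {`, where `allowIPAccess` is a placeholder for a new setting and not an existing identifier. Separately, keep `c.AbortWithStatus(http.StatusForbidden)` instead of the bare `403`; the first hunk drops the `net/http` import only because of that literal. The handler body starts and ends outside this hunk.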
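Review bot: In the no-certificate branch of Start, the server now binds whatever `listen` holds and serves plain HTTP there, so everything the panel exchanges with the browser is unencrypted on every interface that address covers. The only trace is an Info line that does not name the address. I would keep loopback as the default when no address was chosen explicitly, e.g. `if listen == "" { listen = "127.0.0.1" }` (whether `listen` can be empty here is not visible in the hunk), and log the final `listenAddr` at the logger's warning level if it has one, with a comment such as `// Plain HTTP on a non-loopback address: traffic is not encrypted.`. `fallbackToLocalhost` loses its caller in this hunk and should be removed if nothing else uses it. Start's body continues outside the hunk.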