[GH-ISSUE #4135] How to get the real IP of client side when using TCP proxy? #3264

Closed
opened 2026-05-05 14:06:28 -06:00 by gitea-mirror · 9 comments

Originally created by @peace4j on GitHub (Apr 9, 2024).
Original GitHub issue: https://github.com/fatedier/frp/issues/4135

Bug Description

Actually it's not a bug, it's a discussion. But since there is no place to discuss it, I have to post it here. Sorry for that.
I just can't get the real IP of the client side when I deploy my services behind frp TCP proxies running in docker containers, both FRPS and FRPC. Let me describe it clearly below.

On the service side in my LAN, there is a host server that runs many docker containers. Of course, I divided each service into an individual container. There is a frpc service running in one of them. I use this frpc to expose my ssh service to the public network on frps, on which the exposed port is 31818. (I disabled password login on the SSHD so that only authorized users can log in through port 31818 with a certificated private key.)

Even though I know my SSHD is safe now, as you know there are still many illegal break-in attempts happening on port 31818 every day, all the time. They all leave footprints in /var/log/secure, such as below:

```
Apr  8 00:08:03 localhost sshd[28751]: Did not receive identification string from 172.18.0.2 port 58658
Apr  8 00:08:13 localhost sshd[28760]: Did not receive identification string from 172.18.0.2 port 58660
Apr  8 00:08:23 localhost sshd[28761]: Did not receive identification string from 172.18.0.2 port 58662
Apr  8 00:08:33 localhost sshd[28762]: Did not receive identification string from 172.18.0.2 port 58664
Apr  8 00:08:43 localhost sshd[28763]: Did not receive identification string from 172.18.0.2 port 58666
```

And in the log file on the frps side, you will see:

```
2024/04/08 22:46:14 [I] [proxy.go:204] [a4e65b44bcc874c8] [brdg.ssh] get a user connection [108.179.aaa.143:50856]
2024/04/08 23:11:25 [I] [proxy.go:204] [a4e65b44bcc874c8] [brdg.ssh] get a user connection [87.107.aaa.59:58034]
2024/04/08 23:55:59 [I] [proxy.go:204] [a4e65b44bcc874c8] [brdg.ssh] get a user connection [87.107.aaa.59:33856]
```

The IP 172.18.0.2 is the address of the frpc container. It means sshd gets no real IP of the client side but only the IP address of the frpc container.
The IPs 108.179.aaa.143 and 87.107.aaa.59 are the addresses of connecting users; nothing can identify whether the visits are legal or illegal.

If anybody knows how to get the real IP from the client side, please let me know. I'd appreciate it.

All the best.

frpc Version

0.54.0

frps Version

0.54.0

System Architecture

linux/amd64 docker

Configurations

Normal configuration. Nothing special.

Logs

No response

Steps to reproduce

...

Affected area

  - [X] Docs
  - [ ] Installation
  - [ ] Performance and Scalability
  - [ ] Security
  - [ ] User Experience
  - [ ] Test and Release
  - [ ] Developer Infrastructure
  - [ ] Client Plugin
  - [ ] Server Plugin
  - [ ] Extensions
  - [ ] Others

@fatedier commented on GitHub (Apr 10, 2024):

https://github.com/fatedier/frp?tab=readme-ov-file#get-real-ip


@peace4j commented on GitHub (Apr 10, 2024):

> https://github.com/fatedier/frp?tab=readme-ov-file#get-real-ip

Thanks a lot.
But it's not what I need.

As I mentioned above, I want to get the real IP from a TCP client, NOT from an HTTP client. It's a TCP application, NOT an HTTP application. And I run my frpc in a docker container.

@fatedier

@xqzr commented on GitHub (Apr 10, 2024):

> > https://github.com/fatedier/frp?tab=readme-ov-file#get-real-ip
>
> Thanks a lot. But it's not what I need.
>
> As I mentioned above, I want to get the real IP from a TCP client, NOT from an HTTP client. It's a TCP application, NOT an HTTP application. And I run my frpc in a docker container.
>
> @fatedier

Your TCP client needs to implement `Proxy Protocol`

@peace4j commented on GitHub (Apr 10, 2024):

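> > > https://github.com/fatedier/frp?tab=readme-ov-file#get-real-ip
> >
> > Thanks a lot. But it's not what I need.
> > As I mentioned above, I want to get the real IP from a TCP client, NOT from an HTTP client. It's a TCP application, NOT an HTTP application. And I run my frpc in a docker container.
> > @fatedier
>
> Your TCP client needs to implement `Proxy Protocol`

Thanks for the reply.

1. I haven't seen any configuration reference example. If you have one, please post it so I can take a look.
2. Do you mean the TCP client, or the frpc client? If you mean the TCP client, then that doesn't quite make sense. The whole point of this feature is to prevent clients from hiding their own IP, and now the client is required to support Proxy Protocol before we can know its real IP; imagine how happy those clients would be. As a counterexample, imagine using a client that supposedly doesn't support Proxy Protocol to access an Nginx that supports Proxy Protocol, or an Nginx behind any other reverse proxy that supports Proxy Protocol, and see whether this client that deliberately doesn't support Proxy Protocol can successfully hide its IP.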

@xqzr commented on GitHub (Apr 10, 2024):

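> > > > https://github.com/fatedier/frp?tab=readme-ov-file#get-real-ip
> > >
> > > Thanks a lot. But it's not what I need.
> > > As I mentioned above, I want to get the real IP from a TCP client, NOT from an HTTP client. It's a TCP application, NOT an HTTP application. And I run my frpc in a docker container.
> > > @fatedier
> >
> > Your TCP client needs to implement `Proxy Protocol`
>
> Thanks for the reply.
>
> 1. I haven't seen any configuration reference example. If you have one, please post it so I can take a look. 2. Do you mean the TCP client, or the frpc client? If you mean the TCP client, then that doesn't quite make sense. The whole point of this feature is to prevent clients from hiding their own IP, and now the client is required to support Proxy Protocol before we can know its real IP; imagine how happy those clients would be. As a counterexample, imagine using a client that supposedly doesn't support Proxy Protocol to access an Nginx that supports Proxy Protocol, or an Nginx behind any other reverse proxy that supports Proxy Protocol, and see whether this client that deliberately doesn't support Proxy Protocol can successfully hide its IP.

Sorry... I missed some information.
sshd needs to implement `Proxy Protocol` to work together with frpc.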
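
What "implementing Proxy Protocol" on the backend side involves, as an added example (not code from this thread or from frp): a Go parser for the PROXY protocol v1 line that a service behind frpc would read before its own protocol data, assuming Proxy Protocol v1 is enabled for the proxy. `ParseProxyV1`, `frpcAddr`, `frpcOnly` and the client address 198.51.100.7 are constructed for illustration; 172.18.0.2 is the frpc container address from the sshd log above.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

var frpcAddr = netip.MustParseAddr("172.18.0.2") // assumed: frpc container address from the sshd log
var frpcOnly = netip.PrefixFrom(frpcAddr, 32)    // only frpc may prepend a header

// ParseProxyV1 consumes one PROXY protocol v1 line from r and returns the
// client address it declares. A header from a peer outside trusted is
// rejected, because any directly connected client could forge one.
func ParseProxyV1(r *bufio.Reader, peer netip.Addr, trusted netip.Prefix) (netip.AddrPort, error) {
	var none netip.AddrPort
	if !trusted.Contains(peer) {
		return none, errors.New("peer is not allowed to send a PROXY header")
	}
	var line []byte // a v1 header is at most 107 bytes including CRLF
	for !strings.HasSuffix(string(line), "\r\n") {
		b, err := r.ReadByte()
		if err != nil || len(line) >= 107 {
			return none, errors.New("PROXY header not terminated within 107 bytes")
		}
		line = append(line, b)
	}
	f := strings.Split(strings.TrimSuffix(string(line), "\r\n"), " ")
	if len(f) != 6 || f[0] != "PROXY" || (f[1] != "TCP4" && f[1] != "TCP6") {
		return none, errors.New("malformed or UNKNOWN PROXY v1 header")
	}
	src, err := netip.ParseAddr(f[2])
	if err != nil || src.Is4() != (f[1] == "TCP4") {
		return none, errors.New("source address does not match declared family")
	}
	port, err := strconv.ParseUint(f[4], 10, 16)
	if err != nil {
		return none, errors.New("bad source port")
	}
	return netip.AddrPortFrom(src, uint16(port)), nil
}

func main() {
	// Constructed sample of what frpc would send ahead of the SSH banner.
	r := bufio.NewReader(strings.NewReader("PROXY TCP4 198.51.100.7 172.18.0.2 50856 22\r\nSSH-2.0-client\r\n"))
	fmt.Println(ParseProxyV1(r, frpcAddr, frpcOnly))
}
```

After a successful parse the reader is positioned at the first byte of the application protocol, so the service logs the returned address instead of the frpc container address and then continues as usual.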

@peace4j commented on GitHub (Apr 11, 2024):

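> > > > > https://github.com/fatedier/frp?tab=readme-ov-file#get-real-ip
> > > >
> > > > Thanks a lot. But it's not what I need.
> > > > As I mentioned above, I want to get the real IP from a TCP client, NOT from an HTTP client. It's a TCP application, NOT an HTTP application. And I run my frpc in a docker container.
> > > > @fatedier
> > >
> > > Your TCP client needs to implement `Proxy Protocol`
> >
> > Thanks for the reply.
> > 1. I haven't seen any configuration reference example. If you have one, please post it so I can take a look. 2. Do you mean the TCP client, or the frpc client? If you mean the TCP client, then that doesn't quite make sense. The whole point of this feature is to prevent clients from hiding their own IP, and now the client is required to support Proxy Protocol before we can know its real IP; imagine how happy those clients would be. As a counterexample, imagine using a client that supposedly doesn't support Proxy Protocol to access an Nginx that supports Proxy Protocol, or an Nginx behind any other reverse proxy that supports Proxy Protocol, and see whether this client that deliberately doesn't support Proxy Protocol can successfully hide its IP.
>
> Sorry... I missed some information. sshd needs to implement `Proxy Protocol` to work together with frpc.

Yes, that makes sense. I'll check whether SSHD has this kind of support.
Thanks.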

@zjsailor commented on GitHub (Apr 11, 2024):

In fact, I would also like to know whether the FRPS server-side log files can be configured to record the IP address of each client connection. At the same time, to check which IP is occupying each port of the frps.

@github-actions[bot] commented on GitHub (May 3, 2024):

Issues go stale after 21d of inactivity. Stale issues rot after an additional 7d of inactivity and eventually close.

@nomed commented on GitHub (Nov 28, 2024):

Hi all,

Any update on this topic?

It'd be really useful to know what client (not frpc) is connected to a specific frps remote port.
