github-starred/frp
2
0
Fork 0
mirror of https://github.com/fatedier/frp.git synced 2026-05-15 08:05:49 -06:00
Code Issues 40 Projects Packages Wiki Activity Actions 1

[GH-ISSUE #4640] FRPS日志中有没有可能记录得到请求头传递的地址 #3666

New issue
Closed
opened 2026-05-05 14:21:06 -06:00 by gitea-mirror · 4 comments
gitea-mirror commented 2026-05-05 14:21:06 -06:00
Owner
Copy link

Originally created by @somnifex on GitHub (Jan 16, 2025).
Original GitHub issue: https://github.com/fatedier/frp/issues/4640

Describe the feature request

我在FRPS服务后套nginx反代端口,这种情况下frps日志中获取的访问ip是127.0.0.1,我想构建一套统一基于frps.log的fail2ban规则,想请问一下frps中有没有可能在日志中获取真实访问ip。(这是一个求助issus,不是功能请求,因为我知道这种fail2ban的用法不符合一般的规范,只是我的个人情况,合理的方案应该是对nginx日志进行分析从而执行ip ban)

Describe alternatives you've considered

No response

Affected area

  • Docs
  • Installation
  • Performance and Scalability
  • Security
  • User Experience
  • Test and Release
  • Developer Infrastructure
  • Client Plugin
  • Server Plugin
  • Extensions
  • Others
Originally created by @somnifex on GitHub (Jan 16, 2025). Original GitHub issue: https://github.com/fatedier/frp/issues/4640 ### Describe the feature request 我在FRPS服务后套nginx反代端口,这种情况下frps日志中获取的访问ip是127.0.0.1,我想构建一套统一基于frps.log的fail2ban规则,想请问一下frps中有没有可能在日志中获取真实访问ip。(这是一个求助issus,不是功能请求,因为我知道这种fail2ban的用法不符合一般的规范,只是我的个人情况,合理的方案应该是对nginx日志进行分析从而执行ip ban) ### Describe alternatives you've considered _No response_ ### Affected area - [ ] Docs - [ ] Installation - [ ] Performance and Scalability - [ ] Security - [ ] User Experience - [ ] Test and Release - [ ] Developer Infrastructure - [ ] Client Plugin - [ ] Server Plugin - [ ] Extensions - [X] Others
gitea-mirror 2026-05-05 14:21:06 -06:00
gitea-mirror commented 2026-05-05 14:21:09 -06:00
Author
Owner
Copy link

@potoo0 commented on GitHub (Jan 17, 2025):

单纯讨论 http 代理的话,是能获取到的。代码这里 req 就是客户端请求,header / path / queryparams 等都可以在这里获取到。一般来说 http(s) 代理会通过 header(X-Forwarded-For / X-Real-IP) 传递真实 ip,所以这里可以 req.Header.Get("X-Forwarded-For")

而对于 tcp 连接,debug 日志已经包含了,userConn.RemoteAddr()

我现在的方案是:

  1. frpc 端获取到真实 ip (ssh 可以参考 issue#2470 的方案 Proxy Protocol and go-mmproxy)
  2. 通过 fail2ban 自定义的 action (比如名称叫 remote) 将待封禁的 ip 在 frps 机器上执行 ban

自定义的 action:

# write to dir action.d/remote.local
# send ban ip to remote
[Definition]
actionstart =
actionstop =
timeout =

# test
# actionban = echo 'ban <ip>. matches=<matches> ' >> /var/log/fail2ban.log
# actionunban = echo unban <ip> >> /var/log/fail2ban.log
actionban = ssh ali 'fail2ban-client set sshd banip <ip>'
actionunban = ssh ali 'fail2ban-client unban <ip>'

然后在目标 jail 里配置: banaction = remote,如:

[sshd]
enabled = true
banaction = remote

[jupyter]
enabled = true
backend = systemd[journalflags=1]
banaction = remote
<!-- gh-comment-id:2598365391 --> @potoo0 commented on GitHub (Jan 17, 2025): 单纯讨论 http 代理的话,是能获取到的。[代码这里 req](https://github.com/fatedier/frp/blob/450b8393bc5a06fd1182690b967e8deb0c20b606/pkg/util/vhost/http.go#L65) 就是客户端请求,header / path / queryparams 等都可以在这里获取到。一般来说 http(s) 代理会通过 header(`X-Forwarded-For` / `X-Real-IP`) 传递真实 ip,所以这里可以 `req.Header.Get("X-Forwarded-For")`。 而对于 tcp 连接,debug 日志已经包含了,[userConn.RemoteAddr()](https://github.com/fatedier/frp/blob/450b8393bc5a06fd1182690b967e8deb0c20b606/server/proxy/proxy.go#L261)。 --- 我现在的方案是: 1. frpc 端获取到真实 ip (ssh 可以参考 issue#2470 的方案 [Proxy Protocol and go-mmproxy](https://github.com/fatedier/frp/issues/2470#issuecomment-878131408)) 2. 通过 fail2ban 自定义的 action (比如名称叫 *remote*) 将待封禁的 ip 在 frps 机器上执行 ban 自定义的 action: ```ini # write to dir action.d/remote.local # send ban ip to remote [Definition] actionstart = actionstop = timeout = # test # actionban = echo 'ban <ip>. matches=<matches> ' >> /var/log/fail2ban.log # actionunban = echo unban <ip> >> /var/log/fail2ban.log actionban = ssh ali 'fail2ban-client set sshd banip <ip>' actionunban = ssh ali 'fail2ban-client unban <ip>' ``` 然后在目标 jail 里配置: `banaction = remote`,如: ```ini [sshd] enabled = true banaction = remote [jupyter] enabled = true backend = systemd[journalflags=1] banaction = remote ```
gitea-mirror commented 2026-05-05 14:21:10 -06:00
Author
Owner
Copy link

@somnifex commented on GitHub (Jan 17, 2025):

单纯讨论 http 代理的话,是能获取到的。代码这里 req 就是客户端请求,header / path / queryparams 等都可以在这里获取到。一般来说 http(s) 代理会通过 header(X-Forwarded-For / X-Real-IP) 传递真实 ip,所以这里可以 req.Header.Get("X-Forwarded-For")

而对于 tcp 连接,debug 日志已经包含了,userConn.RemoteAddr()

我现在的方案是:

  1. frpc 端获取到真实 ip (ssh 可以参考 issue#2470 的方案 Proxy Protocol and go-mmproxy)
  2. 通过 fail2ban 自定义的 action (比如名称叫 remote) 将待封禁的 ip 在 frps 机器上执行 ban

自定义的 action:

# write to dir action.d/remote.local
# send ban ip to remote
[Definition]
actionstart =
actionstop =
timeout =

# test
# actionban = echo 'ban <ip>. matches=<matches> ' >> /var/log/fail2ban.log
# actionunban = echo unban <ip> >> /var/log/fail2ban.log
actionban = ssh ali 'fail2ban-client set sshd banip <ip>'
actionunban = ssh ali 'fail2ban-client unban <ip>'

然后在目标 jail 里配置: banaction = remote,如:

[sshd]
enabled = true
banaction = remote

[jupyter]
enabled = true
backend = systemd[journalflags=1]
banaction = remote

看起来是一种解决方案,俺研究一下

<!-- gh-comment-id:2598371956 --> @somnifex commented on GitHub (Jan 17, 2025): > 单纯讨论 http 代理的话,是能获取到的。[代码这里 req](https://github.com/fatedier/frp/blob/450b8393bc5a06fd1182690b967e8deb0c20b606/pkg/util/vhost/http.go#L65) 就是客户端请求,header / path / queryparams 等都可以在这里获取到。一般来说 http(s) 代理会通过 header(`X-Forwarded-For` / `X-Real-IP`) 传递真实 ip,所以这里可以 `req.Header.Get("X-Forwarded-For")`。 > > 而对于 tcp 连接,debug 日志已经包含了,[userConn.RemoteAddr()](https://github.com/fatedier/frp/blob/450b8393bc5a06fd1182690b967e8deb0c20b606/server/proxy/proxy.go#L261)。 > > --- > 我现在的方案是: > 1. frpc 端获取到真实 ip (ssh 可以参考 issue#2470 的方案 [Proxy Protocol and go-mmproxy](https://github.com/fatedier/frp/issues/2470#issuecomment-878131408)) > 2. 通过 fail2ban 自定义的 action (比如名称叫 *remote*) 将待封禁的 ip 在 frps 机器上执行 ban > > 自定义的 action: > ```ini > # write to dir action.d/remote.local > # send ban ip to remote > [Definition] > actionstart = > actionstop = > timeout = > > # test > # actionban = echo 'ban <ip>. matches=<matches> ' >> /var/log/fail2ban.log > # actionunban = echo unban <ip> >> /var/log/fail2ban.log > actionban = ssh ali 'fail2ban-client set sshd banip <ip>' > actionunban = ssh ali 'fail2ban-client unban <ip>' > ``` > > 然后在目标 jail 里配置: `banaction = remote`,如: > ```ini > [sshd] > enabled = true > banaction = remote > > [jupyter] > enabled = true > backend = systemd[journalflags=1] > banaction = remote > ``` > 看起来是一种解决方案,俺研究一下
gitea-mirror commented 2026-05-05 14:21:11 -06:00
Author
Owner
Copy link

@potoo0 commented on GitHub (Jan 17, 2025):

单纯讨论 http 代理的话,是能获取到的。代码这里 req 就是客户端请求,header / path / queryparams 等都可以在这里获取到。一般来说 http(s) 代理会通过 header(X-Forwarded-For / X-Real-IP) 传递真实 ip,所以这里可以 req.Header.Get("X-Forwarded-For")
...
看起来是一种解决方案,俺研究一下

fail2ban-client 的文档

<!-- gh-comment-id:2598385088 --> @potoo0 commented on GitHub (Jan 17, 2025): > > 单纯讨论 http 代理的话,是能获取到的。[代码这里 req](https://github.com/fatedier/frp/blob/450b8393bc5a06fd1182690b967e8deb0c20b606/pkg/util/vhost/http.go#L65) 就是客户端请求,header / path / queryparams 等都可以在这里获取到。一般来说 http(s) 代理会通过 header(`X-Forwarded-For` / `X-Real-IP`) 传递真实 ip,所以这里可以 `req.Header.Get("X-Forwarded-For")`。 > > ... > 看起来是一种解决方案,俺研究一下 [fail2ban-client 的文档](https://man.archlinux.org/man/fail2ban-client.1#set~26)
gitea-mirror commented 2026-05-05 14:21:12 -06:00
Author
Owner
Copy link

@github-actions[bot] commented on GitHub (Feb 1, 2025):

Issues go stale after 14d of inactivity. Stale issues rot after an additional 3d of inactivity and eventually close.

<!-- gh-comment-id:2628622198 --> @github-actions[bot] commented on GitHub (Feb 1, 2025): Issues go stale after 14d of inactivity. Stale issues rot after an additional 3d of inactivity and eventually close.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
dev
new
master
copilot/review-pull-request-5198
v0.68.1
v0.68.0
v0.67.0
v0.66.0
v0.65.0
v0.64.0
v0.63.0
v0.62.1
v0.62.0
v0.61.2
v0.61.1
v0.61.0
v0.60.0
v0.59.0
v0.58.1
v0.58.0
v0.57.0
v0.56.0
v0.55.1
v0.55.0
v0.54.0
v0.53.2
v0.53.1
v0.53.0
v0.52.3
v0.52.2
v0.52.1
v0.52.0
v0.51.3
v0.51.2
v0.51.1
v0.51.0
v0.50.0
v0.49.0
v0.48.0
v0.47.0
v0.46.1
v0.46.0
v0.45.0
v0.44.0
v0.43.0
v0.42.0
v0.41.0
v0.40.0
v0.39.1
v0.39.0
v0.38.0
v0.37.1
v0.37.0
v0.36.2
v0.36.1
v0.36.0
v0.35.1
v0.35.0
v0.34.3
v0.34.2
v0.34.1
v0.34.0
v0.33.0
v0.32.1
v0.32.0
v0.31.2
v0.31.1
v0.31.0
v0.30.0
v0.29.1
v0.29.0
v0.28.2
v0.28.1
v0.28.0
v0.27.1
v0.27.0
v0.26.0
v0.25.3
v0.25.2
v0.25.1
v0.25.0
v0.24.1
v0.24.0
v0.23.3
v0.23.2
v0.23.1
v0.23.0
v0.22.0
v0.21.0
v0.20.0
v0.19.1
v0.19.0
v0.18.0
v0.17.0
v0.16.1
v0.16.0
v0.15.1
v0.15.0
v0.14.1
v0.14.0
v0.13.0
v0.12.0
v0.11.0
v0.10.0
v0.9.3
v0.9.2
v0.9.1
v0.9.0
v0.8.1
v0.8.0
v0.7.0
v0.6.0
v0.5.0
v0.3.0
v0.2.0
v0.1.0
Labels
Clear labels   
In Progress

   
WIP

   
WaitingForInfo

   
bug

   
doc

   
duplicate

   
easy

   
enhancement

   
future

   
help wanted

   
invalid

   
lifecycle/stale

   
need-issue-template

   
need-usage-help

   
no plan

   
proposal

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
todo
No labels
In Progress
WIP
WaitingForInfo
bug
doc
duplicate
easy
enhancement
future
help wanted
invalid
lifecycle/stale
need-issue-template
need-usage-help
no plan
proposal
pull-request
question
todo
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/frp#3666
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?