github-starred/frp
2
0
Fork 0
mirror of https://github.com/fatedier/frp.git synced 2026-05-15 16:15:49 -06:00
Code Issues 40 Projects Packages Wiki Activity Actions 1

[GH-ISSUE #4749] frpc的ssh配置怎么样获取客户端真实ip(已解决) #3751

New issue
Closed
opened 2026-05-05 14:24:11 -06:00 by gitea-mirror · 4 comments
gitea-mirror commented 2026-05-05 14:24:11 -06:00
Owner
Copy link

Originally created by @gexiaopeng on GitHub (Apr 9, 2025).
Original GitHub issue: https://github.com/fatedier/frp/issues/4749

Bug Description

我在群晖的服务器上配置了frpc的ssh代理,最近有国外ip攻击。群晖获取到的Ip是127.0.0.1,所以无法封锁这个ip。后来在配置里加了transport.proxyProtocolVersion = "v2" ,但ssh无法连接,telnet出错:Invalid SSH identification string。请教 ssh配置怎么样获取到客户端的真实ip? 如果服务端需要nginx代理,那nginx怎么样配置?

Image
Image

frpc Version

0.61.2

frps Version

0.61.2

System Architecture

linux/amd64

Configurations

proxies
name = "ssh"
type = "tcp"
localIP = "127.0.0.1"
localPort = 5005
remotePort = 52223
transport.proxyProtocolVersion = "v2"

Logs

No response

Steps to reproduce

...

Affected area

  • Docs
  • Installation
  • Performance and Scalability
  • Security
  • User Experience
  • Test and Release
  • Developer Infrastructure
  • Client Plugin
  • Server Plugin
  • Extensions
  • Others
Originally created by @gexiaopeng on GitHub (Apr 9, 2025). Original GitHub issue: https://github.com/fatedier/frp/issues/4749 ### Bug Description 我在群晖的服务器上配置了frpc的ssh代理,最近有国外ip攻击。群晖获取到的Ip是127.0.0.1,所以无法封锁这个ip。后来在配置里加了transport.proxyProtocolVersion = "v2" ,但ssh无法连接,telnet出错:Invalid SSH identification string。请教 ssh配置怎么样获取到客户端的真实ip? 如果服务端需要nginx代理,那nginx怎么样配置? ![Image](https://github.com/user-attachments/assets/ec4cabca-d565-4588-9a3f-30500725dccc) ![Image](https://github.com/user-attachments/assets/92b105b9-cd5b-4f96-8275-e7557dcc30c7) ### frpc Version 0.61.2 ### frps Version 0.61.2 ### System Architecture linux/amd64 ### Configurations [[proxies]] name = "ssh" type = "tcp" localIP = "127.0.0.1" localPort = 5005 remotePort = 52223 transport.proxyProtocolVersion = "v2" ### Logs _No response_ ### Steps to reproduce 1. 2. 3. ... ### Affected area - [ ] Docs - [ ] Installation - [ ] Performance and Scalability - [ ] Security - [ ] User Experience - [ ] Test and Release - [ ] Developer Infrastructure - [ ] Client Plugin - [ ] Server Plugin - [ ] Extensions - [ ] Others
gitea-mirror commented 2026-05-05 14:24:14 -06:00
Author
Owner
Copy link

@ghostLiulang commented on GitHub (Apr 9, 2025):

同问 昨天用HAProxy能成功转发流量到ssh上,但是获取到的请求IP还是127.0.0.1 不是真实IP,最后用的是stcp,两边都上装frp才解决国外IP攻击的问题.

<!-- gh-comment-id:2788151531 --> @ghostLiulang commented on GitHub (Apr 9, 2025): 同问 昨天用HAProxy能成功转发流量到ssh上,但是获取到的请求IP还是127.0.0.1 不是真实IP,最后用的是stcp,两边都上装frp才解决国外IP攻击的问题.
gitea-mirror commented 2026-05-05 14:24:15 -06:00
Author
Owner
Copy link

@gexiaopeng commented on GitHub (Apr 9, 2025):

同问 昨天用HAProxy能成功转发流量到ssh上,但是获取到的请求IP还是127.0.0.1 不是真实IP,最后用的是stcp,两边都上装frp才解决国外IP攻击的问题.

我参考了 https://github.com/fatedier/frp/issues/4692#issuecomment-2728547880 ,可以获取真实ip了,使用
docker比较方便。

<!-- gh-comment-id:2788656004 --> @gexiaopeng commented on GitHub (Apr 9, 2025): > 同问 昨天用HAProxy能成功转发流量到ssh上,但是获取到的请求IP还是127.0.0.1 不是真实IP,最后用的是stcp,两边都上装frp才解决国外IP攻击的问题. 我参考了 https://github.com/fatedier/frp/issues/4692#issuecomment-2728547880 ,可以获取真实ip了,使用 docker比较方便。
gitea-mirror commented 2026-05-05 14:24:16 -06:00
Author
Owner
Copy link

@ghostLiulang commented on GitHub (Apr 9, 2025):

同问 昨天用HAProxy能成功转发流量到ssh上,但是获取到的请求IP还是127.0.0.1 不是真实IP,最后用的是stcp,两边都上装frp才解决国外IP攻击的问题.

我参考了 #4692 (comment) ,可以获取真实ip了,使用 docker比较方便。

我懒得搞了,我的目标是为了安全,稍微麻烦点也问题不大.

<!-- gh-comment-id:2788702394 --> @ghostLiulang commented on GitHub (Apr 9, 2025): > > 同问 昨天用HAProxy能成功转发流量到ssh上,但是获取到的请求IP还是127.0.0.1 不是真实IP,最后用的是stcp,两边都上装frp才解决国外IP攻击的问题. > > 我参考了 [#4692 (comment)](https://github.com/fatedier/frp/issues/4692#issuecomment-2728547880) ,可以获取真实ip了,使用 docker比较方便。 我懒得搞了,我的目标是为了安全,稍微麻烦点也问题不大.
gitea-mirror commented 2026-05-05 14:24:17 -06:00
Author
Owner
Copy link

@gexiaopeng commented on GitHub (Apr 15, 2025):

我用haproxy也解决了tcp获取真实ip的问题,说明如下:

一、frpc配置:
proxies
name = "ssh"
type = "tcp"
localIP = "127.0.0.1"
localPort = 5005
remotePort = 52223
transport.proxyProtocolVersion = "v2"

二、安装haproxy (3.1 是当前最新稳定分支,可根据需要调整 )
apt install software-properties-common -y &&
add-apt-repository ppa:vbernat/haproxy-3.1 -y &&
apt update &&
apt install haproxy &&
haproxy -v

三、haproxy关键配置:
global
......
setcap cap_net_raw,cap_net_admin

defaults
.....
frontend ssh_proxy
bind *:5005 accept-proxy
mode tcp
timeout client 86400000 # 24小时(可以自己调整)
default_backend ssh_real
backend ssh_real
mode tcp
timeout server 86400000 # 24小时(可以自己调整)
server ssh_local 127.0.0.1:5000 source 0.0.0.0 usesrc clientip

四、haproxy配置注意:
1)global 增加setcap cap_net_raw,cap_net_admin
2)frontend 增加 timeout client 86400000 # 24小时(可以自己调整)
3)backend 增加 timeout server 86400000 # 24小时(可以自己调整)
4)backend的 ssh_local(或者ssh_server) ip地址 必须127.0.0.1(应该是为了安全)
5)backend 的 source 0.0.0.0 usesrc clientip 不能少

<!-- gh-comment-id:2803899312 --> @gexiaopeng commented on GitHub (Apr 15, 2025): 我用haproxy也解决了tcp获取真实ip的问题,说明如下: 一、frpc配置: [[proxies]] name = "ssh" type = "tcp" localIP = "127.0.0.1" localPort = 5005 remotePort = 52223 **transport.proxyProtocolVersion = "v2"** 二、安装haproxy (3.1 是当前最新稳定分支,可根据需要调整 ) apt install software-properties-common -y && \ add-apt-repository ppa:vbernat/haproxy-3.1 -y && \ apt update && \ apt install haproxy && \ haproxy -v 三、haproxy关键配置: global ...... **setcap cap_net_raw,cap_net_admin** defaults ..... frontend ssh_proxy bind *:5005 accept-proxy mode tcp **timeout client 86400000** # 24小时(可以自己调整) default_backend ssh_real backend ssh_real mode tcp **timeout server 86400000** # 24小时(可以自己调整) server ssh_local **127.0.0.1**:5000 **source 0.0.0.0 usesrc clientip** 四、haproxy配置注意: 1)global 增加setcap cap_net_raw,cap_net_admin 2)frontend 增加 timeout client 86400000 # 24小时(可以自己调整) 3)backend 增加 timeout server 86400000 # 24小时(可以自己调整) 4)backend的 ssh_local(或者ssh_server) ip地址 必须127.0.0.1(应该是为了安全) 5)backend 的 source 0.0.0.0 usesrc clientip 不能少
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
dev
new
master
copilot/review-pull-request-5198
v0.68.1
v0.68.0
v0.67.0
v0.66.0
v0.65.0
v0.64.0
v0.63.0
v0.62.1
v0.62.0
v0.61.2
v0.61.1
v0.61.0
v0.60.0
v0.59.0
v0.58.1
v0.58.0
v0.57.0
v0.56.0
v0.55.1
v0.55.0
v0.54.0
v0.53.2
v0.53.1
v0.53.0
v0.52.3
v0.52.2
v0.52.1
v0.52.0
v0.51.3
v0.51.2
v0.51.1
v0.51.0
v0.50.0
v0.49.0
v0.48.0
v0.47.0
v0.46.1
v0.46.0
v0.45.0
v0.44.0
v0.43.0
v0.42.0
v0.41.0
v0.40.0
v0.39.1
v0.39.0
v0.38.0
v0.37.1
v0.37.0
v0.36.2
v0.36.1
v0.36.0
v0.35.1
v0.35.0
v0.34.3
v0.34.2
v0.34.1
v0.34.0
v0.33.0
v0.32.1
v0.32.0
v0.31.2
v0.31.1
v0.31.0
v0.30.0
v0.29.1
v0.29.0
v0.28.2
v0.28.1
v0.28.0
v0.27.1
v0.27.0
v0.26.0
v0.25.3
v0.25.2
v0.25.1
v0.25.0
v0.24.1
v0.24.0
v0.23.3
v0.23.2
v0.23.1
v0.23.0
v0.22.0
v0.21.0
v0.20.0
v0.19.1
v0.19.0
v0.18.0
v0.17.0
v0.16.1
v0.16.0
v0.15.1
v0.15.0
v0.14.1
v0.14.0
v0.13.0
v0.12.0
v0.11.0
v0.10.0
v0.9.3
v0.9.2
v0.9.1
v0.9.0
v0.8.1
v0.8.0
v0.7.0
v0.6.0
v0.5.0
v0.3.0
v0.2.0
v0.1.0
Labels
Clear labels   
In Progress

   
WIP

   
WaitingForInfo

   
bug

   
doc

   
duplicate

   
easy

   
enhancement

   
future

   
help wanted

   
invalid

   
lifecycle/stale

   
need-issue-template

   
need-usage-help

   
no plan

   
proposal

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
todo
No labels
In Progress
WIP
WaitingForInfo
bug
doc
duplicate
easy
enhancement
future
help wanted
invalid
lifecycle/stale
need-issue-template
need-usage-help
no plan
proposal
pull-request
question
todo
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/frp#3751
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?