[PR #4983] [CLOSED] chore: Ip address whitelist on frpc #5092

Closed
opened 2026-05-05 14:54:33 -06:00 by gitea-mirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/fatedier/frp/pull/4983
Author: @pipethedev
Created: 9/17/2025
Status: Closed

Base: dev ← Head: feature/ip-whitelist-for-proxied-services


📝 Commits (7)

  • 0270fd7 tcp ip address whitelist on frps server
  • 95c59e1 feat: add ip whitelist for proxied service access
  • c8db61c feat: add ip whitelist for proxied service access
  • ffd7ad5 changed copyright year for ip_validator.go
  • b5ba027 use client side ip whitelist for proxy access control
  • f2ebf43 feat: implemented test suites
  • 820aeb4 fix: clarify allowedAccessIPs documentation in server configs

📊 Changes

9 files changed (+483 additions, -0 deletions)

View changed files

📝 conf/frps.toml (+4 -0)
📝 conf/frps_full_example.toml (+6 -0)
📝 pkg/config/v1/proxy.go (+3 -0)
📝 pkg/config/v1/proxy_test.go (+74 -0)
📝 pkg/config/v1/server.go (+1 -0)
📝 pkg/msg/msg.go (+1 -0)
➕ pkg/util/net/ip_validator.go (+101 -0)
➕ pkg/util/net/ip_validator_test.go (+265 -0)
📝 server/proxy/proxy.go (+28 -0)

📄 Description

Add IP Address Whitelist for Proxied Services

WHY

This feature addresses the need to restrict access to proxied services based on client IP addresses. Currently, FRP allows any IP to connect to proxied services once they're exposed. This creates security concerns for users who want to limit access to specific IP ranges or trusted networks.

This implementation provides per-proxy IP restrictions controlled by the client, allowing each service to have its own access control rules rather than server-wide restrictions.

Configuration Options:

TOML Configuration:

# frpc.toml
serverAddr = "127.0.0.1"
serverPort = 7000

[[proxies]]
name = "mysql"
type = "tcp"
localPort = 3306
remotePort = 3309
allowedAccessIPs = ["127.0.0.1", "192.168.1.0/24", "10.0.0.0/8"]

[[proxies]]
name = "web"
type = "tcp"
localPort = 8080
remotePort = 8080
# No allowedAccessIPs = allows all IPs for this proxy

Features:

  • Client-controlled: Each client configures access restrictions for their own proxies
  • Per-proxy granularity: Different services can have different IP access rules
  • CIDR support: Supports both individual IPs (127.0.0.1) and CIDR blocks (192.168.1.0/24, IPv4/IPv6)
  • Immediate rejection: Unauthorized connections are terminated immediately with clear logging
  • Performance optimized: IP validators are cached per proxy to avoid repeated parsing

Breaking Changes

None - this is a backward compatible feature that defaults to allowing all IPs when allowedAccessIPs is not configured for a proxy.

Implementation Details

  • Added allowedAccessIPs field to proxy configuration in client
  • Updated message protocol to transmit IP restrictions from client to server
  • Server creates cached IP validator per proxy for efficient validation
  • IP validation occurs in handleUserTCPConnection with detailed logging
  • Rejected connections log: user connection from <IP> rejected: IP not in whitelist

Screenshots

[Screenshot 2025-09-18 at 00 57 37]

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
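As an added example (not the PR's own ip_validator.go, whose contents are not shown on this page), a self-contained Go allow list with the behaviour the description states: bare IPs and CIDR blocks, IPv4 and IPv6, no list means allow all, and a check against the remote address string a TCP connection reports. The names AccessList, NewAccessList and Allowed are assumptions; the example also covers one edge the description does not mention, IPv4-mapped IPv6 peers, which a dual-stack listener can report and which an IPv4 rule would otherwise silently reject.

```go
package main

import (
	"fmt"
	"net/netip"
)

// AccessList is a per-proxy allow list built once from the allowedAccessIPs
// entries and reused for every user connection; an empty list allows all.
type AccessList struct{ prefixes []netip.Prefix }
// NewAccessList accepts bare IPs ("127.0.0.1", "2001:db8::1") and CIDR blocks
// ("192.168.1.0/24", "2001:db8::/32"); a bare IP becomes a /32 or /128 prefix.
func NewAccessList(entries []string) (*AccessList, error) {
	al := &AccessList{}
	for _, e := range entries {
		p, err := netip.ParsePrefix(e)
		if err != nil { // not a CIDR: try a single address
			a, aerr := netip.ParseAddr(e)
			if aerr != nil {
				return nil, fmt.Errorf("allowedAccessIPs entry %q is neither IP nor CIDR", e)
			}
			a = a.Unmap() // store ::ffff:a.b.c.d as plain IPv4
			p = netip.PrefixFrom(a, a.BitLen())
		}
		al.prefixes = append(al.prefixes, p.Masked())
	}
	return al, nil
}
// Allowed takes the peer as net.Conn.RemoteAddr().String() gives it ("ip:port",
// "[v6]:port"); IPv4-mapped peers are unmapped so ::ffff:x matches IPv4 rules.
func (al *AccessList) Allowed(remoteAddr string) bool {
	if len(al.prefixes) == 0 {
		return true
	}
	ap, err := netip.ParseAddrPort(remoteAddr)
	if err != nil {
		return false // unparsable peer address: reject rather than guess
	}
	ip := ap.Addr().Unmap()
	for _, p := range al.prefixes {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}
func main() {
	al, _ := NewAccessList([]string{"127.0.0.1", "192.168.1.0/24", "10.0.0.0/8"})
	fmt.Println(al.Allowed("192.168.1.77:51234"), al.Allowed("[::ffff:10.2.3.4]:443"), al.Allowed("172.16.0.1:22"))
}
```

A rejected peer is the point at which the server would emit the PR's `user connection from <IP> rejected: IP not in whitelist` log line and close the connection.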

Reference: github-starred/frp#5092