Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FRPS日志中有没有可能记录得到请求头传递的地址 #4640

Open
1 of 11 tasks
utopeadia opened this issue Jan 16, 2025 · 3 comments
Open
1 of 11 tasks

FRPS日志中有没有可能记录得到请求头传递的地址 #4640

utopeadia opened this issue Jan 16, 2025 · 3 comments

Comments

@utopeadia
Copy link

Describe the feature request

我在FRPS服务后套nginx反代端口,这种情况下frps日志中获取的访问ip是127.0.0.1,我想构建一套统一基于frps.log的fail2ban规则,想请问一下frps中有没有可能在日志中获取真实访问ip。(这是一个求助issus,不是功能请求,因为我知道这种fail2ban的用法不符合一般的规范,只是我的个人情况,合理的方案应该是对nginx日志进行分析从而执行ip ban)

Describe alternatives you've considered

No response

Affected area

  • Docs
  • Installation
  • Performance and Scalability
  • Security
  • User Experience
  • Test and Release
  • Developer Infrastructure
  • Client Plugin
  • Server Plugin
  • Extensions
  • Others
@potoo0
Copy link

potoo0 commented Jan 17, 2025

单纯讨论 http 代理的话,是能获取到的。代码这里 req 就是客户端请求,header / path / queryparams 等都可以在这里获取到。一般来说 http(s) 代理会通过 header(X-Forwarded-For / X-Real-IP) 传递真实 ip,所以这里可以 req.Header.Get("X-Forwarded-For")

而对于 tcp 连接,debug 日志已经包含了,userConn.RemoteAddr()

我现在的方案是:

  1. frpc 端获取到真实 ip (ssh 可以参考 issue#2470 的方案 Proxy Protocol and go-mmproxy)
  2. 通过 fail2ban 自定义的 action (比如名称叫 remote) 将待封禁的 ip 在 frps 机器上执行 ban

自定义的 action:

# write to dir action.d/remote.local
# send ban ip to remote
[Definition]
actionstart =
actionstop =
timeout =

# test
# actionban = echo 'ban <ip>. matches=<matches> ' >> /var/log/fail2ban.log
# actionunban = echo unban <ip> >> /var/log/fail2ban.log
actionban = ssh ali 'fail2ban-client set sshd banip <ip>'
actionunban = ssh ali 'fail2ban-client unban <ip>'

然后在目标 jail 里配置: banaction = remote,如:

[sshd]
enabled = true
banaction = remote

[jupyter]
enabled = true
backend = systemd[journalflags=1]
banaction = remote

@utopeadia
Copy link
Author

单纯讨论 http 代理的话,是能获取到的。代码这里 req 就是客户端请求,header / path / queryparams 等都可以在这里获取到。一般来说 http(s) 代理会通过 header(X-Forwarded-For / X-Real-IP) 传递真实 ip,所以这里可以 req.Header.Get("X-Forwarded-For")

而对于 tcp 连接,debug 日志已经包含了,userConn.RemoteAddr()

我现在的方案是:

  1. frpc 端获取到真实 ip (ssh 可以参考 issue#2470 的方案 Proxy Protocol and go-mmproxy)
  2. 通过 fail2ban 自定义的 action (比如名称叫 remote) 将待封禁的 ip 在 frps 机器上执行 ban

自定义的 action:

# write to dir action.d/remote.local
# send ban ip to remote
[Definition]
actionstart =
actionstop =
timeout =

# test
# actionban = echo 'ban <ip>. matches=<matches> ' >> /var/log/fail2ban.log
# actionunban = echo unban <ip> >> /var/log/fail2ban.log
actionban = ssh ali 'fail2ban-client set sshd banip <ip>'
actionunban = ssh ali 'fail2ban-client unban <ip>'

然后在目标 jail 里配置: banaction = remote,如:

[sshd]
enabled = true
banaction = remote

[jupyter]
enabled = true
backend = systemd[journalflags=1]
banaction = remote

看起来是一种解决方案,俺研究一下

@potoo0
Copy link

potoo0 commented Jan 17, 2025

单纯讨论 http 代理的话,是能获取到的。代码这里 req 就是客户端请求,header / path / queryparams 等都可以在这里获取到。一般来说 http(s) 代理会通过 header(X-Forwarded-For / X-Real-IP) 传递真实 ip,所以这里可以 req.Header.Get("X-Forwarded-For")
...
看起来是一种解决方案,俺研究一下

fail2ban-client 的文档

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@potoo0 @utopeadia