fatedier / frp

A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.
Apache License 2.0
81.43k stars 12.82k forks

How to get the real IP of client side when using TCP proxy? #4135

Closed peace4j closed 1 month ago

peace4j commented 2 months ago

Bug Description

Actually it's not a bug, it's a discussion. But since there is no place to discuss it, I have to post it here. Sorry for that. I just can't get the real IP of the client side when I deploy my services behind frp TCP proxies, with both FRPS and FRPC running in docker containers. Let me describe it clearly below.

On the service side in my LAN, there is a host server that runs many docker containers. Of course, I divided each service into an individual container. There is a frpc service running in one of them. I use this frpc to expose my ssh service to the public network on frps, on which the exposed port is 31818. (I disabled password login on the SSHD so that only authorized users can log in through port 31818 with a certificated private key.)

Even though I know my SSHD is safe now, as you know there are still many illegal break-in attempts happening on port 31818 every day, all the time. They all leave footprints in /var/log/secure, such as below:

Apr  8 00:08:03 localhost sshd[28751]: Did not receive identification string from 172.18.0.2 port 58658
Apr  8 00:08:13 localhost sshd[28760]: Did not receive identification string from 172.18.0.2 port 58660
Apr  8 00:08:23 localhost sshd[28761]: Did not receive identification string from 172.18.0.2 port 58662
Apr  8 00:08:33 localhost sshd[28762]: Did not receive identification string from 172.18.0.2 port 58664
Apr  8 00:08:43 localhost sshd[28763]: Did not receive identification string from 172.18.0.2 port 58666

And in the log file on the frps side, you will see:

2024/04/08 22:46:14 [I] [proxy.go:204] [a4e65b44bcc874c8] [brdg.ssh] get a user connection [108.179.aaa.143:50856]
2024/04/08 23:11:25 [I] [proxy.go:204] [a4e65b44bcc874c8] [brdg.ssh] get a user connection [87.107.aaa.59:58034]
2024/04/08 23:55:59 [I] [proxy.go:204] [a4e65b44bcc874c8] [brdg.ssh] get a user connection [87.107.aaa.59:33856]

The IP 172.18.0.2 is the address of the frpc container. It means sshd gets no real IP of the client side but only the IP address of the frpc container. The IPs 108.179.aaa.143 and 87.107.aaa.59 are the addresses of the connecting users; nothing can identify whether the visits are legal or illegal.

If anybody knows how to get the real IP from the client side, please let me know. I'd appreciate it.

All the best.

frpc Version

0.54.0

frps Version

0.54.0

System Architecture

linux/amd64 docker

Configurations

Normal configuration, nothing special.

fatedier commented 2 months ago

https://github.com/fatedier/frp?tab=readme-ov-file#get-real-ip

peace4j commented 2 months ago

Thanks a lot. But it's not what I need.

As I mentioned above, I want to get the real IP from a TCP client, NOT from an HTTP client. It's a TCP application, NOT an HTTP application. And I run my frpc in a docker container.

@fatedier

xqzr commented 2 months ago

Your TCP client needs to implement Proxy Protocol.

peace4j commented 2 months ago

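Thanks for the reply.

1. I haven't seen any configuration reference example; if you have one, please post it so I can take a look.
2. Do you mean the TCP client, or the frpc client? If you mean the TCP client, then that statement doesn't quite make sense. After all, the whole point of this feature is to prevent clients from hiding their own IP, and now the client is required to support Proxy Protocol before we can learn its real IP; just imagine how happy those clients would be. As a counterexample, imagine using a client that supposedly does not support Proxy Protocol to access an Nginx that supports Proxy Protocol, or an Nginx behind any other reverse proxy that supports Proxy Protocol, and see whether this client that deliberately does not support Proxy Protocol can successfully hide its own IP.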

xqzr commented 2 months ago

Sorry... I missed some information. sshd needs to implement Proxy Protocol and work together with frpc.
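
What implementing Proxy Protocol means on the receiving side, as an added example that is not part of the thread or of frp's code: the backend reads the PROXY protocol v1 line prepended to the stream and uses its source address for logging, but only when the TCP peer is the trusted proxy. The function names and the 203.0.113.7 / 172.18.0.3 sample addresses are constructed, and it assumes frpc is set to send a v1 header (`transport.proxyProtocolVersion = "v1"` on the proxy).

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// readProxyV1 consumes one v1 line; the zero AddrPort means "PROXY UNKNOWN".
func readProxyV1(r *bufio.Reader) (netip.AddrPort, error) {
	var line []byte
	for !strings.HasSuffix(string(line), "\r\n") {
		b, err := r.ReadByte()
		if err != nil || len(line) == 107 { // 107 bytes: longest legal v1 line
			return netip.AddrPort{}, errors.New("PROXY header missing or too long")
		}
		line = append(line, b)
	}
	f := strings.Split(strings.TrimSuffix(string(line), "\r\n"), " ")
	if len(f) >= 2 && f[0] == "PROXY" && f[1] == "UNKNOWN" {
		return netip.AddrPort{}, nil
	}
	if len(f) != 6 || f[0] != "PROXY" || (f[1] != "TCP4" && f[1] != "TCP6") {
		return netip.AddrPort{}, errors.New("malformed PROXY v1 header")
	}
	src, err := netip.ParseAddrPort(net.JoinHostPort(f[2], f[4]))
	if err != nil || (f[1] == "TCP4") != src.Addr().Is4() {
		return netip.AddrPort{}, errors.New("bad source address in PROXY header")
	}
	return src, nil
}

// clientAddr trusts the header only when the TCP peer is the proxy (frpc).
func clientAddr(peer netip.AddrPort, r *bufio.Reader, trusted netip.Addr) (netip.AddrPort, error) {
	if peer.Addr().Unmap() != trusted {
		return peer, nil // anyone else could forge the header
	}
	if src, err := readProxyV1(r); err != nil || src.IsValid() {
		return src, err
	}
	return peer, nil // PROXY UNKNOWN: nothing better than the peer
}

func main() { // constructed sample: header from frpc, then the SSH banner
	r := bufio.NewReader(strings.NewReader("PROXY TCP4 203.0.113.7 172.18.0.3 50856 22\r\nSSH-2.0-demo\r\n"))
	fmt.Println(clientAddr(netip.MustParseAddrPort("172.18.0.2:58658"), r, netip.MustParseAddr("172.18.0.2")))
}
```

A header accepted from any peer lets that peer choose the address that ends up in the log, which is why the peer check comes before parsing.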

peace4j commented 2 months ago

Yes, that makes sense. I'll check whether SSHD has this kind of support. Thanks.

zjsailor commented 2 months ago

In fact, I would also like to know whether the FRPS server-side log files can be configured to record the IP address of each client connection and, at the same time, to check which IP is occupying each port of the frps.

github-actions[bot] commented 1 month ago

Issues go stale after 21d of inactivity. Stale issues rot after an additional 7d of inactivity and eventually close.