Comments (7)
Still, would you be willing to accept a PR to include the IP of failed connections in the log output? I feel this could help elsewhere as well, debugging other issues...
EDIT: Looking at the code, might be too hard for me actually, to get this right ;)
Yes, we have similar plans in the refactoring of the v2 major version. This is a relatively long-term and complex plan, which is also related to other aspects of refactoring. I will write this part of the code myself.
At this stage, the main focus is on gathering requirements. Your feedback will be helpful for how we will refactor in the future.
from frp.
Short update: I've noticed the issue goes away when changing vhostHTTPSPort to something different than 443, e.g. vhostHTTPSPort = 444 or vhostHTTPSPort = 44344; then CPU goes down to 0%.
BTW: In any case – even when CPU usage is high – I can connect with frpc just fine and everything works.
from frp.
It is very normal for services exposed on the public network to be accessed or scanned; you can troubleshoot traffic on port 443 by capturing packets.
from frp.
You are right, didn't think about that.
There are ~5 incoming TCP connections per second on port 443. Each connection attempt has about 8-9 packets exchanged with about 500 bytes of data total.
frps with loglevel of debug or trace shows tons of messages like this:
2024/03/11 11:20:51 [D] [vhost.go:206] get hostname from http/https request error: tls: first record does not look like a TLS handshake
So I am thinking:
- Is there any way the server can limit the amount of processing required for these invalid connections? (I guess this is unlikely, given the amount of packets seems already very small.)
- Could you add more comprehensive logging for failed connection or authentication attempts that includes the IP (and port)? Then a tool such as fail2ban could be used to ban hosts with repeated failed connection attempts, based on the log file.
from frp.
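The fail2ban-style check proposed in the comment above, as an added example (not frp code and not written by anyone in this thread). It assumes a hypothetical trailing `remote=IP:PORT` field on the debug line, which the frps log shown above does not contain, and runs over constructed sample lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address

ERR = ("get hostname from http/https request error: "
       "tls: first record does not look like a TLS handshake")

# ASSUMPTION: the trailing " remote=IP:PORT" field is hypothetical. The frps
# line quoted in the thread ends after the error text and carries no address.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[D\] \[vhost\.go:\d+\] "
    r"get hostname from http/https request error: .+ remote=(?P<ip>[\d.]+):\d+$"
)

def find_offenders(lines, max_failures=5, window=timedelta(seconds=10)):
    """Map each IPv4 source to the time it first reached max_failures
    failed handshakes within `window` (fail2ban's maxretry/findtime idea)."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # unrelated line, or no remote= field
        try:
            ip = str(ip_address(m["ip"]))
        except ValueError:
            continue              # e.g. 999.1.1.1: never feed junk to a ban list
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()        # forget failures older than the window
        if len(hits) >= max_failures:
            offenders.setdefault(ip, ts)
    return offenders

def make_line(clock, remote=None):
    """Build one constructed log line for 2024/03/11 at HH:MM:SS `clock`."""
    suffix = f" remote={remote}" if remote else ""
    return f"2024/03/11 {clock} [D] [vhost.go:206] {ERR}{suffix}"

# Constructed sample input (documentation address ranges, not real traffic).
SAMPLE_LOG = sorted(
    [make_line(f"11:20:5{i}", f"203.0.113.7:{40000 + i}") for i in range(1, 7)]
    + [make_line(f"11:2{i}:00", f"198.51.100.9:{50000 + i}") for i in range(5)]
    + [make_line("11:20:51"), make_line("11:20:52", "999.1.1.1:1")]
)

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{when:%H:%M:%S} ban candidate {ip}")
```

The slow source (one failure per minute) and the line without an address are ignored; only the burst from a single address crosses the threshold.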
Perhaps there are more professional tools/proxies available that can be used to identify/configure some simple protection rules.
Currently, frp will not make too many changes in this regard; this is more like a capability of a WAF gateway.
from frp.
Right, this kind of protection is not the responsibility of frp. This is a small/hobby project so I can't invest in extra services – but I've managed to get the CPU down to idle levels by simply rate limiting incoming connections to the frp server.
Still, would you be willing to accept a PR to include the IP of failed connections in the log output? I feel this could help elsewhere as well, debugging other issues...
EDIT: Looking at the code, might be too hard for me actually, to get this right ;)
from frp.
Issues go stale after 21d of inactivity. Stale issues rot after an additional 7d of inactivity and eventually close.
from frp.