Support logging failed auth attempts with real client IP, plus TRUSTED_PROXY for reverse-proxy setups #711

Description

@baragoon

gonic version: v0.22.0

There's currently no reliable way to detect and act on failed username/password authentication attempts by source IP. GONIC_HTTP_LOG provides generic request logging, but there's no explicit failed-auth event that's easy to parse (see also #279, where a user wanted this for fail2ban-style IP blocking).
On top of that, gonic has no concept of trusted proxies. When running behind a reverse proxy chain (e.g. Cloudflare → Traefik → gonic), any IP gonic does log for a request would be the upstream proxy's IP, not the real client IP - making IP-based abuse detection useless in this common deployment pattern.

Proposed solution:

  1. Failed-auth logging: Emit a clear, structured log line on every failed authentication attempt (bad username or bad password), including at minimum: timestamp, username attempted, and client IP. Ideally a consistent, greppable format, e.g.:
    auth failed: user="alice" ip="203.0.113.7" reason="bad password"
    so it can be parsed by fail2ban, CrowdSec, or similar tools.
  2. TRUSTED_PROXY env var / config option: Add a GONIC_TRUSTED_PROXY (and matching -trusted-proxy CLI flag) that accepts a comma-separated list of trusted proxy IPs/CIDRs (e.g. Cloudflare's published ranges, or an internal Traefik subnet). When the immediate connecting peer is in this list, gonic should extract the real client IP from X-Forwarded-For (rightmost untrusted hop) or CF-Connecting-IP, following the standard "don't trust XFF unless the immediate peer is a known proxy" pattern. This IP should then be used both in the failed-auth log line above and in GONIC_HTTP_LOG request logs.

This would be especially useful for people running gonic behind Cloudflare/Traefik/nginx with tools like CrowdSec or fail2ban for automated IP banning on repeated failed logins.

Thank you in advance!
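The two mechanisms requested above can be sketched in a few dozen lines of Go. What follows is an added example, not gonic's code and not the reporter's: it parses a comma-separated list of IPs/CIDRs of the kind proposed for GONIC_TRUSTED_PROXY, resolves the client IP from X-Forwarded-For using the "rightmost untrusted hop" rule (the header is ignored entirely unless the TCP peer is a trusted proxy), and renders the proposed `auth failed:` log line with the username quoted so that an attacker-chosen username cannot inject a fake `ip="..."` field into the log. The function names and the sample addresses (RFC 5737 documentation ranges standing in for an edge proxy, a Traefik subnet and a client) are assumptions made for the example; CF-Connecting-IP handling is left out and would need the same peer-is-trusted gate.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// parseTrustedProxies parses a comma-separated list of IPs and CIDRs, the
// format the issue proposes for a GONIC_TRUSTED_PROXY setting (name assumed).
// A bare IP is widened to a /32 or /128 so everything becomes an *net.IPNet.
func parseTrustedProxies(list string) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for _, item := range strings.Split(list, ",") {
		item = strings.TrimSpace(item)
		if item == "" {
			continue
		}
		if !strings.Contains(item, "/") {
			ip := net.ParseIP(item)
			if ip == nil {
				return nil, fmt.Errorf("trusted proxy %q: not an IP or CIDR", item)
			}
			bits := 32
			if ip.To4() == nil {
				bits = 128
			}
			item = fmt.Sprintf("%s/%d", ip, bits)
		}
		_, n, err := net.ParseCIDR(item)
		if err != nil {
			return nil, fmt.Errorf("trusted proxy %q: %w", item, err)
		}
		nets = append(nets, n)
	}
	return nets, nil
}

func isTrusted(ip net.IP, trusted []*net.IPNet) bool {
	for _, n := range trusted {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// clientIP returns the address a request should be attributed to.
// remoteAddr is the TCP peer (http.Request.RemoteAddr, "host:port"), xff the
// raw X-Forwarded-For value. The header is consulted only when the peer is a
// trusted proxy; it is then walked right to left, skipping trusted hops, and
// the first untrusted address is the client. Everything left of that hop was
// appended by parties we do not trust and may be forged.
func clientIP(remoteAddr, xff string, trusted []*net.IPNet) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // RemoteAddr without a port
	}
	peer := net.ParseIP(host)
	if peer == nil {
		return host
	}
	if !isTrusted(peer, trusted) || xff == "" {
		return peer.String()
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			// Malformed hop: never log attacker-controlled text; fall back to the peer.
			return peer.String()
		}
		if !isTrusted(ip, trusted) {
			return ip.String()
		}
	}
	// Every hop was a trusted proxy: the request originated inside the proxy
	// chain, so the leftmost entry is the best available answer.
	return net.ParseIP(strings.TrimSpace(hops[0])).String()
}

// formatAuthFailure renders the greppable line the issue proposes. %q quotes
// and escapes each value; the username is attacker-controlled, so without
// quoting a value like `x" ip="198.51.100.9` would plant a bogus ip field
// that fail2ban or CrowdSec might ban.
func formatAuthFailure(user, ip, reason string) string {
	return fmt.Sprintf("auth failed: user=%q ip=%q reason=%q", user, ip, reason)
}

func main() {
	// Constructed deployment: edge proxy in 192.0.2.0/24 -> Traefik in 10.0.0.0/8 -> app.
	trusted, err := parseTrustedProxies("10.0.0.0/8, 192.0.2.0/24")
	if err != nil {
		panic(err)
	}
	// Traefik (10.0.0.5) connects; the edge proxy (192.0.2.10) appended itself after the client.
	ip := clientIP("10.0.0.5:41234", "203.0.113.7, 192.0.2.10", trusted)
	fmt.Println(formatAuthFailure("alice", ip, "bad password"))
	// Direct connection from an untrusted peer: its X-Forwarded-For is ignored.
	ip = clientIP("198.51.100.9:5555", "127.0.0.1", trusted)
	fmt.Println(formatAuthFailure(`x" ip="127.0.0.1`, ip, "bad username"))
}
```

A fail2ban filter for this line would anchor on the literal `ip="<HOST>"`; because the username is emitted with %q, a quote inside it is escaped as `\"` and cannot produce a second `ip="` match.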
