gonic version: v0.22.0
There's currently no reliable way to detect and act on failed username/password authentication attempts by source IP. GONIC_HTTP_LOG provides generic request logging, but there's no explicit failed-auth event that's easy to parse (see also #279, where a user wanted this for fail2ban-style IP blocking).
On top of that, gonic has no concept of trusted proxies. When running behind a reverse proxy chain (e.g. Cloudflare → Traefik → gonic), any IP gonic does log for a request would be the upstream proxy's IP, not the real client IP - making IP-based abuse detection useless in this common deployment pattern.
Proposed solution:
- Failed-auth logging: Emit a clear, structured log line on every failed authentication attempt (bad username or bad password), including at minimum: timestamp, username attempted, and client IP. Ideally a consistent, greppable format, e.g.:
auth failed: user="alice" ip="203.0.113.7" reason="bad password"
so it can be parsed by fail2ban, CrowdSec, or similar tools.
- TRUSTED_PROXY env var / config option: Add a GONIC_TRUSTED_PROXY (and matching -trusted-proxy CLI flag) that accepts a comma-separated list of trusted proxy IPs/CIDRs (e.g. Cloudflare's published ranges, or an internal Traefik subnet). When the immediate connecting peer is in this list, gonic should extract the real client IP from X-Forwarded-For (rightmost untrusted hop) or CF-Connecting-IP, following the standard "don't trust XFF unless the immediate peer is a known proxy" pattern. This IP should then be used both in the failed-auth log line above and in GONIC_HTTP_LOG request logs.
This would be especially useful for people running gonic behind Cloudflare/Traefik/nginx with tools like CrowdSec or fail2ban for automated IP banning on repeated failed logins.
Thank you in advance!
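The trusted-proxy resolution and log format proposed above, as an added example that is not gonic's code and not part of the original issue. GONIC_TRUSTED_PROXY is the option the issue proposes, not something gonic v0.22.0 has; ParseTrustedProxies, ClientIP, FailedAuthLine and mkReq are names assumed here, and the requests and addresses are constructed inputs.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// ParseTrustedProxies parses a comma-separated list of IPs and CIDRs, the
// shape the proposed GONIC_TRUSTED_PROXY value would take (assumed here).
// A bare IP is treated as a /32 (or /128) network.
func ParseTrustedProxies(s string) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for _, f := range strings.Split(s, ",") {
		f = strings.TrimSpace(f)
		if f == "" {
			continue
		}
		if !strings.Contains(f, "/") {
			ip := net.ParseIP(f)
			if ip == nil {
				return nil, fmt.Errorf("trusted proxy %q is not an IP or CIDR", f)
			}
			bits := 32
			if ip.To4() == nil {
				bits = 128
			}
			f = fmt.Sprintf("%s/%d", ip, bits)
		}
		_, n, err := net.ParseCIDR(f)
		if err != nil {
			return nil, err
		}
		nets = append(nets, n)
	}
	return nets, nil
}

func isTrusted(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP decides which address a request is attributed to. Forwarding
// headers are consulted only when the directly connected peer is a trusted
// proxy; otherwise they are attacker-controlled and the peer itself is used.
// X-Forwarded-For is walked right to left, skipping trusted hops; the first
// untrusted hop is the client. CF-Connecting-IP is honoured only when useCF
// is set, i.e. the operator knows every path to gonic starts at Cloudflare.
func ClientIP(r *http.Request, trusted []*net.IPNet, useCF bool) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	peer := net.ParseIP(host)
	if peer == nil || !isTrusted(peer, trusted) {
		return host
	}
	if useCF {
		if ip := net.ParseIP(strings.TrimSpace(r.Header.Get("CF-Connecting-IP"))); ip != nil {
			return ip.String()
		}
	}
	hops := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			break // malformed hop: trust nothing to its left
		}
		if !isTrusted(ip, trusted) {
			return ip.String()
		}
	}
	return host // empty, malformed or all-trusted chain: fall back to the peer
}

// FailedAuthLine renders the greppable event. %q escapes quotes and newlines,
// so a hostile username cannot forge a second log record.
func FailedAuthLine(user, ip, reason string) string {
	return fmt.Sprintf("auth failed: user=%q ip=%q reason=%q", user, ip, reason)
}

// mkReq builds a constructed request with the given peer address and headers.
func mkReq(remote, xff, cf string) *http.Request {
	r, _ := http.NewRequest("GET", "/rest/ping", nil)
	r.RemoteAddr = remote
	if xff != "" {
		r.Header.Set("X-Forwarded-For", xff)
	}
	if cf != "" {
		r.Header.Set("CF-Connecting-IP", cf)
	}
	return r
}

func main() {
	trusted, _ := ParseTrustedProxies("10.0.0.0/8, 198.51.100.0/24")
	// Cloudflare (198.51.100.9) -> Traefik (10.0.0.5) -> gonic, XFF appended per hop.
	r := mkReq("10.0.0.5:40000", "203.0.113.7, 198.51.100.9", "")
	fmt.Println(FailedAuthLine("alice", ClientIP(r, trusted, false), "bad password"))
	// Direct connection spoofing XFF: header ignored, the peer itself is logged.
	r = mkReq("203.0.113.99:40000", "1.2.3.4", "")
	fmt.Println(FailedAuthLine("alice\nforged", ClientIP(r, trusted, false), "bad username"))
}
```

The right-to-left walk matters: a client can put anything in X-Forwarded-For before the chain appends to it, so only hops added by trusted proxies are believed, and the walk stops at the first address that is not a trusted proxy. CF-Connecting-IP is gated behind an explicit flag because an internal Traefik being trusted does not prove the request came through Cloudflare; if Traefik is reachable directly, a client can set that header itself.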