add allow_ips for frps

2023-03-16 11:07:12 +08:00 · 2023-03-16 11:07:12 +08:00 · bc5cdf120b
commit bc5cdf120b
parent 8f394dba27
3 changed files with 21 additions and 0 deletions
--- a/cmd/frps/root.go
+++ b/cmd/frps/root.go
@ -38,6 +38,7 @@ var (
 	showVersion bool

 	bindAddr             string
+	allowIps             []string
 	bindPort             int
 	bindUDPPort          int
 	kcpBindPort          int
@ -69,6 +70,7 @@ func init() {
 	rootCmd.PersistentFlags().BoolVarP(&showVersion, "version", "v", false, "version of frps")

 	rootCmd.PersistentFlags().StringVarP(&bindAddr, "bind_addr", "", "0.0.0.0", "bind address")
+	rootCmd.PersistentFlags().StringArrayVarP(&allowIps, "allow_ip", "", nil, "ip whitelists")
 	rootCmd.PersistentFlags().IntVarP(&bindPort, "bind_port", "p", 7000, "bind port")
 	rootCmd.PersistentFlags().IntVarP(&bindUDPPort, "bind_udp_port", "", 0, "bind udp port")
 	rootCmd.PersistentFlags().IntVarP(&kcpBindPort, "kcp_bind_port", "", 0, "kcp bind udp port")
@ -159,6 +161,7 @@ func parseServerCommonCfgFromCmd() (cfg config.ServerCommonConf, err error) {

 	cfg.BindAddr = bindAddr
 	cfg.BindPort = bindPort
+	cfg.AllowIps = allowIps
 	cfg.BindUDPPort = bindUDPPort
 	cfg.KCPBindPort = kcpBindPort
 	cfg.ProxyBindAddr = proxyBindAddr
--- a/pkg/config/server.go
+++ b/pkg/config/server.go
@ -50,6 +50,10 @@ type ServerCommonConf struct {
 	// Set this value to 0 will disable this feature.
 	// By default, the value is 0.
 	QUICBindPort int `ini:"quic_bind_port" json:"quic_bind_port" validate:"gte=0,lte=65535"`
+
+	// AllowIps specifies the IP whitelists to limit clients.
+	AllowIps []string `ini:"allow_ips" json:"allow_ips"`
+
 	// QUIC protocol options
 	QUICKeepalivePeriod    int `ini:"quic_keepalive_period" json:"quic_keepalive_period" validate:"gte=0"`
 	QUICMaxIdleTimeout     int `ini:"quic_max_idle_timeout" json:"quic_max_idle_timeout" validate:"gte=0"`
--- a/server/service.go
+++ b/server/service.go
@ -431,8 +431,22 @@ func (svr *Service) HandleListener(l net.Listener) {
 		}
 		log.Trace("check TLS connection success, isTLS: %v custom: %v", isTLS, custom)

+		allowIps := make(map[string]bool, len(svr.cfg.AllowIps))
+		for _, allowIP := range svr.cfg.AllowIps {
+			allowIps[allowIP] = true
+		}
 		// Start a new goroutine to handle connection.
 		go func(ctx context.Context, frpConn net.Conn) {
+			if len(allowIps) > 0 {
+				if addr, ok := frpConn.RemoteAddr().(*net.TCPAddr); ok {
+					if remoteIP := addr.IP.String(); !allowIps[remoteIP] {
+						log.Warn("Connection from %s is not allowed", remoteIP)
+						frpConn.Close()
+						return
+					}
+				}
+			}
+
 			if svr.cfg.TCPMux {
 				fmuxCfg := fmux.DefaultConfig()
 				fmuxCfg.KeepAliveInterval = time.Duration(svr.cfg.TCPMuxKeepaliveInterval) * time.Second