Description
⚠️ This issue respects the following points: ⚠️
- This is a bug, not a question or a configuration issue.
- This issue is not already reported on GitHub (I've searched it).
Bug description
Hi Team,
I am currently integrating the geoipfilter plugin with SFTPGo running inside a Kubernetes cluster behind an Istio ingress gateway. While Istio ingress correctly receives and logs the X-Forwarded-For header showing the real client IP, this IP is not visible inside the SFTPGo pod while making the TCP connection, and geoipfilter seems unable to correctly block/allow clients based on IP geography.
- SFTPGo version: 2.5.4
- Deployment: Kubernetes pod, behind Istio ingress gateway
- Connectivity: Using SFTP on a custom port (e.g., 30022)
- SFTPGo configuration includes "proxy_protocol": 2 in the common section and the ingress IP listed in proxy_allowed.
- Logs show errors: proxyproto: proxy protocol signature not present
- Istio ingress receives the real client IP via X-Forwarded-For headers on HTTP but no PROXY protocol is observed on TCP connections.
Can you confirm that the geoipfilter plugin relies solely on the TCP-level client IP? Or can you advise on best practices to fully integrate the geoipfilter plugin behind Istio ingress or other proxy/load balancer solutions?
Thanks
Steps to reproduce
- Deploy SFTPGo 2.5.4 in Kubernetes behind an Istio ingress gateway.
- Configure SFTPGo with the geoipfilter plugin enabled, using "proxy_protocol": 2 in the common section and listing ingress gateway IP(s) in proxy_allowed.
- Configure Istio ingress to serve TCP traffic on custom SFTP port (e.g., 30022).
- Connect to the SFTP server via the ingress domain and port with an external client.
- Observe logs in the SFTPGo pod showing "proxyproto: proxy protocol signature not present" errors and geoipfilter failing to block/control access based on client IP geography.
- Note that Istio ingress observes and logs the actual client IP in the X-Forwarded-For header for HTTP connections but does not send PROXY protocol headers for TCP.
Expected behavior
SFTPGo geoipfilter plugin should be able to use the real client's public IP address for geoip filtering, either via PROXY protocol or alternative means.
SFTPGo version
2.5.4
Data provider
postgresql
Installation method
Community Docker image
Configuration
{
  "data_provider": {
    "driver": "xxxx",
    "name": "xxxxx",
    "host": "xxx-xx-ha.xxxx.svc.cluster.local",
    "port": xx,
    "username": "sftpgo",
    "password": "xxxxxxxxxx"
  },
  "common": {
    "setstat_mode": 2
  },
  "audit": {
    "enable": true,
    "events": ["login", "login_failed", "upload", "download", "delete"],
    "rotate_max_size": 100,
    "rotate_max_backups": 5
  },
  "defender": {
    "enable": true,
    "driver": "memory",
    "ban_time": 30,
    "threshold": 5,
    "observation_time": 30
  },
  "telemetry": {
    "bind_port": 10000,
    "bind_address": "0.0.0.0",
    "enable_profiler": false,
    "metrics": {
      "namespace": "sftpgo",
      "subsystem": "",
      "const_labels": {}
    }
  },
  "plugins": [
    {
      "type": "ipfilter",
      "cmd": "/geoip/sftpgo-plugin-geoipfilter-linux-amd64",
      "args": [
        "serve",
        "--db-file", "/geoip/GeoLite2-Country.mmdb",
        "--allowed-countries", "US"
      ]
    }
  ]
}
Relevant log output
What are you using SFTPGo for?
Medium business
Additional info
No response
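
Added example (not part of the issue and not SFTPGo's or the plugin's code): a PROXY protocol header is a preamble on the TCP stream itself, so a backend that requires it reports a missing signature whenever the first bytes are an SSH banner, and an HTTP `X-Forwarded-For` header never appears on an SFTP connection. The function name `clientIP` is hypothetical and all sample bytes are constructed.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"net"
	"strings"
)

// v2Sig is the fixed 12-byte signature that opens a PROXY protocol v2 header.
var v2Sig = []byte("\r\n\r\n\x00\r\nQUIT\n")
var errNoSignature = errors.New("proxy protocol signature not present")

// clientIP returns the source address announced by a PROXY protocol v1 or v2
// header at the very start of a TCP stream (the first bytes the backend reads).
func clientIP(b []byte) (net.IP, error) {
	switch {
	case bytes.HasPrefix(b, []byte("PROXY ")): // v1: one text line ending in CRLF
		end := bytes.Index(b, []byte("\r\n"))
		if end < 0 {
			return nil, errors.New("v1 header not terminated")
		}
		f := strings.Fields(string(b[:end]))
		if len(f) == 6 && (f[1] == "TCP4" || f[1] == "TCP6") {
			if ip := net.ParseIP(f[2]); ip != nil {
				return ip, nil
			}
		}
		return nil, errors.New("malformed v1 header")
	case bytes.HasPrefix(b, v2Sig): // v2: binary header
		if len(b) < 16 || b[12] != 0x21 { // version 2, command PROXY
			return nil, errors.New("unsupported v2 header")
		}
		n := int(b[14])<<8 | int(b[15]) // length of the address block
		if b[13] == 0x11 && n >= 12 && len(b) >= 28 { // TCP over IPv4
			return net.IP(b[16:20]), nil
		}
		if b[13] == 0x21 && n >= 36 && len(b) >= 52 { // TCP over IPv6
			return net.IP(b[16:32]), nil
		}
		return nil, errors.New("unsupported v2 address family")
	}
	return nil, errNoSignature
}

func main() {
	// Constructed sample: raw TCP forwarding, so the stream starts with the SSH banner.
	_, err := clientIP([]byte("SSH-2.0-ExampleClient\r\n"))
	fmt.Println(err)
}
```

Running the same check against the first bytes captured on the SFTPGo listener port shows whether the gateway in front of it is emitting a PROXY header at all.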