
[Bug]: GeoIPfilter plugin TCP client IP visibility and PROXY protocol usage behind Istio ingress

Open nitindhiman314e opened this issue 1 month ago • 4 comments

⚠️ This issue respects the following points: ⚠️

  • [x] This is a bug, not a question or a configuration issue.
  • [x] This issue is not already reported on Github (I've searched it).

Bug description

Hi Team,

I am currently integrating the geoipfilter plugin with SFTPGo running inside a Kubernetes cluster behind an Istio ingress gateway. While Istio ingress correctly receives and logs the X-Forwarded-For header showing the real client IP, this IP is not visible inside the SFTPGo pod while making the TCP connection, and geoipfilter seems unable to correctly block/allow clients based on IP geography.

  • SFTPGo version: 2.5.4
  • Deployment: Kubernetes pod, behind Istio ingress gateway
  • Connectivity: Using SFTP on a custom port (e.g., 30022)
  • SFTPGo configuration includes "proxy_protocol": 2 in the common section and the ingress IP listed in proxy_allowed.
  • Logs show errors: proxyproto: proxy protocol signature not present
  • Istio ingress receives the real client IP via X-Forwarded-For headers on HTTP but no PROXY protocol is observed on TCP connections.

Can you confirm that the geoipfilter plugin relies solely on the TCP-level client IP? Or can you advise on best practices to fully integrate geoipfilter plugin behind Istio ingress or other proxy/load balancer solutions?

Thanks

Steps to reproduce

  1. Deploy SFTPGo 2.5.4 in Kubernetes behind an Istio ingress gateway.
  2. Configure SFTPGo with the geoipfilter plugin enabled, using "proxy_protocol": 2 in the common section and listing ingress gateway IP(s) in proxy_allowed.
  3. Configure Istio ingress to serve TCP traffic on custom SFTP port (e.g., 30022).
  4. Connect to the SFTP server via the ingress domain and port with an external client.
  5. Observe logs in the SFTPGo pod showing "proxyproto: proxy protocol signature not present" errors and geoipfilter failing to block/control access based on client IP geography.
  6. Note that Istio ingress observes and logs the actual client IP in the X-Forwarded-For header for HTTP connections but does not send PROXY protocol headers for TCP.

Expected behavior

SFTPGo geoipfilter plugin should be able to use the real client's public IP address for geoip filtering, either via PROXY protocol or alternative means.

SFTPGo version

2.5.4

Data provider

postgresql

Installation method

Community Docker image

Configuration

{
  "data_provider": {
    "driver": "xxxx",
    "name": "xxxxx",
    "host": "xxx-xx-ha.xxxx.svc.cluster.local",
    "port": xx,
    "username": "sftpgo",
    "password": "xxxxxxxxxx"
  },
  "common": {
    "setstat_mode": 2
  },
  "audit": {
    "enable": true,
    "events": ["login", "login_failed", "upload", "download", "delete"],
    "rotate_max_size": 100,
    "rotate_max_backups": 5
  },
  "defender": {
    "enable": true,
    "driver": "memory",
    "ban_time": 30,
    "threshold": 5,
    "observation_time": 30
  },
  "telemetry": {
    "bind_port": 10000,
    "bind_address": "0.0.0.0",
    "enable_profiler": false,
    "metrics": {
      "namespace": "sftpgo",
      "subsystem": "",
      "const_labels": {}
    }
  },
  "plugins": [
    {
      "type": "ipfilter",
      "cmd": "/geoip/sftpgo-plugin-geoipfilter-linux-amd64",
      "args": [
        "serve",
        "--db-file",
        "/geoip/GeoLite2-Country.mmdb",
        "--allowed-countries",
        "US"
      ]
    }
  ]
}

Relevant log output


What are you using SFTPGo for?

Medium business

Additional info

No response

nitindhiman314e, Nov 10 '25 12:11

Hi @drakkan - I’ve also tried different protocol settings in the JSON configuration as per the documentation below, but it didn’t help. We’re able to see the X-Forwarded-For IP on the Istio side, but it’s not reaching the SFTPGo pod. Could you please suggest a workaround for this?

https://docs.sftpgo.com/2.6/config-file/#http-server

nitindhiman314e, Nov 12 '25 05:11

Hi @drakkan - I’d appreciate it if you could please share your thoughts on this.

nitindhiman314e, Nov 19 '25 10:11

@nitindhiman314e this doesn’t appear to be a bug in SFTPGo. You just need to enable the proxy protocol or use an alternative method to preserve the client IP if you can't use proxy protocol.

drakkan, Nov 19 '25 17:11

> @nitindhiman314e this doesn’t appear to be a bug in SFTPGo. You just need to enable the proxy protocol or use an alternative method to preserve the client IP if you can't use proxy protocol.

Thanks for the reply @drakkan. Is there anything else we need to do apart from what is mentioned in “https://docs.sftpgo.com/2.6/config-file/#sshsftp-server”? Or is the only solution to enable the “proxy protocol signature not present” setting on the Istio side?

nitindhiman314e, Nov 20 '25 01:11
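
An added example, not part of the thread and not SFTPGo's or the plugin's code: a Go check of whether the first bytes a backend reads from a connection carry a PROXY protocol v1 or v2 header, and which client IP that header holds. The function name and the sample addresses are constructed for illustration; a stream that starts directly with the SSH identification string, as when the proxy in front adds no header, yields the "signature not present" result.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"strings"
)

var v2Sig = []byte("\r\n\r\n\x00\r\nQUIT\n") // fixed 12-byte PROXY v2 signature
var errNoSignature = errors.New("proxy protocol signature not present")

// clientFromProxyHeader (hypothetical helper) parses the first bytes of a new
// connection and returns the client IP carried in a PROXY v1 or v2 header.
func clientFromProxyHeader(buf []byte) (net.IP, error) {
	switch {
	case bytes.HasPrefix(buf, []byte("PROXY ")): // v1: one text line ending in CRLF
		line, _, ok := bytes.Cut(buf, []byte("\r\n"))
		f := strings.Fields(string(line)) // PROXY TCP4 src dst sport dport
		if !ok || len(f) != 6 || net.ParseIP(f[2]) == nil {
			return nil, errors.New("v1 header carries no usable client address")
		}
		return net.ParseIP(f[2]), nil
	case bytes.HasPrefix(buf, v2Sig): // v2: binary header after the signature
		if len(buf) < 16 || buf[12]>>4 != 2 {
			return nil, errors.New("v2 header malformed")
		}
		n := map[byte]int{1: 4, 2: 16}[buf[13]>>4] // address size for AF_INET / AF_INET6
		blockLen := int(binary.BigEndian.Uint16(buf[14:16]))
		// Command must be PROXY (1); LOCAL (0) connections carry no client address.
		if buf[12]&0x0f != 1 || n == 0 || blockLen < 2*n+4 || len(buf) < 16+blockLen {
			return nil, errors.New("v2 header carries no usable client address")
		}
		return net.IP(buf[16 : 16+n]), nil
	}
	return nil, errNoSignature // e.g. the stream starts with the SSH banner
}

func main() {
	// Constructed samples: a v2 header for 203.0.113.7 -> 10.0.0.5:30022, and a bare SSH banner.
	v2 := append(append([]byte{}, v2Sig...), 0x21, 0x11, 0, 12, 203, 0, 113, 7, 10, 0, 0, 5, 0xC3, 0x50, 0x75, 0x46)
	for _, b := range [][]byte{v2, []byte("SSH-2.0-OpenSSH_9.6\r\n")} {
		fmt.Println(clientFromProxyHeader(b))
	}
}
```

Feeding it the first bytes captured on the backend side of the ingress shows whether any header reaches the pod before the SSH handshake begins.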