github r-smith/deceptifeed v0.65.0

8 months ago

Changes

This release adds Proxy Protocol support. It enables capturing the original client IP address when running SSH and TCP honeypots behind a proxy server. When enabled, the client IP from the Proxy Protocol header is used in the threat feed, logs, and live view.

Proxy Protocol versions 1 and 2 are supported. Deceptifeed automatically detects the version.

To enable it, set <useProxyProtocol>true</useProxyProtocol> in the SSH and TCP honeypot configurations. The default config file now includes this option, but it is disabled by default.

Your proxy server must support Proxy Protocol and be configured to use it. Your proxy server must connect to the honeypot using a private IP address. Deceptifeed will not use proxy headers from connections over the Internet. Here is an example configuration snippet for HAProxy:

frontend ssh_front
     bind *:22
     mode tcp
     default_backend ssh_backend

backend ssh_backend
     mode tcp
     server sshl 192.168.0.10:2222 send-proxy-v2

Here is the logging behavior in Deceptifeed when useProxyProtocol is enabled:

  • The actual connecting IP (your proxy server) is logged as remote_ip.
  • The IP extracted from the header is logged as source_ip.
  • Any problem extracting an IP from the header results in source_ip falling back to the actual connecting IP.
  • A new source_ip_parsed field indicates whether an IP was extracted from the header.
  • If parsing fails, a source_ip_error field is included with the error message.
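
The following Go sketch is an added example, not Deceptifeed's own code. It shows how a listener can auto-detect a Proxy Protocol v1 or v2 header, take the client IP from it only when the connecting peer is trusted, and otherwise fall back to the connecting IP as described in the list above. The function names, the error strings, and the exact trust rule (private or loopback peers) are assumptions; the sample header uses constructed documentation-range addresses.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
	"strings"
)

var v2Sig = []byte("\r\n\r\n\x00\r\nQUIT\n") // fixed 12-byte Proxy Protocol v2 signature

// parseHeader auto-detects a v1 (text) or v2 (binary) header and returns the client IP.
func parseHeader(r *bufio.Reader) (netip.Addr, error) {
	if hdr, _ := r.Peek(16); len(hdr) == 16 && bytes.Equal(hdr[:12], v2Sig) {
		n := map[byte]int{1: 4, 2: 16}[hdr[13]>>4] // address size: AF_INET, AF_INET6
		all, err := r.Peek(16 + int(binary.BigEndian.Uint16(hdr[14:])))
		if err != nil || all[12] != 0x21 || n == 0 || len(all) < 16+2*n+4 {
			return netip.Addr{}, errors.New("v2: malformed or unsupported header")
		}
		addr, _ := netip.AddrFromSlice(all[16 : 16+n]) // source address comes first
		r.Discard(len(all))                            // leave only client data in r
		return addr, nil
	}
	line, err := r.ReadSlice('\n') // bounded by the reader's buffer size
	if f := strings.Fields(string(line)); err == nil && len(f) >= 3 && f[0] == "PROXY" {
		return netip.ParseAddr(f[2]) // "PROXY TCP4 <src> <dst> <sport> <dport>"
	}
	return netip.Addr{}, errors.New("v1: malformed header")
}

// SourceIP returns source_ip, source_ip_parsed and the error for source_ip_error.
func SourceIP(remote string, r *bufio.Reader) (string, bool, error) {
	peer, err := netip.ParseAddr(remote)
	if err != nil || !(peer.IsPrivate() || peer.IsLoopback()) { // assumed trust policy
		return remote, false, errors.New("peer is not a private address; header ignored")
	}
	src, err := parseHeader(r)
	if err != nil {
		return remote, false, err // fall back to the connecting IP
	}
	return src.String(), true, nil
}

func main() {
	v1 := "PROXY TCP4 203.0.113.7 192.168.0.10 51234 2222\r\nSSH-2.0-x\r\n" // constructed
	fmt.Println(SourceIP("192.168.0.5", bufio.NewReader(strings.NewReader(v1))))
}
```

On a live socket, set a read deadline before calling the parser, because Peek blocks until enough bytes arrive.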

Full Changelog: v0.64.0...v0.65.0

Binaries built with Go 1.24.3 using make all from the project root.
