From 679045eb294f08eb4a57d01dc57473940765bb5a Mon Sep 17 00:00:00 2001
From: yusing <yusing.wys@gmail.com>
Date: Fri, 13 Feb 2026 23:56:14 +0800
Subject: [PATCH] feat(forwardAuth): add blocked log like
 95ac659b1f28b8fc1a764507183b91d9b8c63f89

---
 internal/net/gphttp/middleware/forwardauth.go | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/internal/net/gphttp/middleware/forwardauth.go b/internal/net/gphttp/middleware/forwardauth.go
index 434bbabd..e24086b2 100644
--- a/internal/net/gphttp/middleware/forwardauth.go
+++ b/internal/net/gphttp/middleware/forwardauth.go
@@ -104,6 +104,20 @@ func (m *forwardAuthMiddleware) before(w http.ResponseWriter, r *http.Request) (
 		httpheaders.CopyHeader(w.Header(), resp.Header)
 		httpheaders.RemoveHopByHopHeaders(w.Header())
 
+		isGet := r.Method == http.MethodGet
+		isWS := httpheaders.IsWebsocket(r.Header)
+		if !isGet || isWS {
+			reqType := r.Method
+			if isWS {
+				reqType = "WebSocket"
+			}
+			ForwardAuth.LogWarn(r).Msgf(
+				"[ForwardAuth] %s request rejected by auth upstream (HTTP %d).\nConsider adding bypass rule for this path if needed",
+				reqType,
+				resp.StatusCode,
+			)
+		}
+
 		loc, err := resp.Location()
 		if err != nil {
 			if !errors.Is(err, http.ErrNoLocation) {