Can't get DMZ client public IP address for SFTP backend

Hi there.

First of all many thanks to all the people involved in this project for their time, I really appreciate it.

We have traefik 2.2.1 running as a docker container binding ports TCP 80, TCP 443, TCP 22 and UDP 53 to the docker host, everything works as expected.

We deployed a container with SFTP.

Finally we connected from the DMZ to SFTP, but there's no way to get the public IP address of the DMZ client.

We tried several solutions but without luck. Any help will be appreciated.

Details

  • Traefik
Version:      2.2.1
Codename:     chevrotin
Go version:   go1.14.2
Built:        2020-04-29T18:02:09Z
OS/Arch:      linux/amd64
            "Cmd": [
                "--log.level=DEBUG",
                "--api.insecure=true",
                "--providers.docker=true",
                "--providers.docker.exposedbydefault=false",
                "--entryPoints.entrypoint_http.forwardedHeaders.trustedIPs=10.151.1.1/32,10.151.1.128/32",
                "--entryPoints.entrypoint_http.forwardedHeaders.insecure=true",
                "--entryPoints.entrypoint_https.forwardedHeaders.trustedIPs=10.151.1.1/32,10.151.1.128/32",
                "--entryPoints.entrypoint_https.forwardedHeaders.insecure=true",
                "--entryPoints.entrypoint_ssh.forwardedHeaders.trustedIPs=10.151.1.1/32,10.151.1.128/32",
                "--entryPoints.entrypoint_ssh.forwardedHeaders.insecure=true",
                "--entrypoints.entrypoint_http.address=:80",
                "--entrypoints.entrypoint_https.address=:443",
                "--entrypoints.entrypoint_ssh.address=:22",
                "--entrypoints.entrypoint_dns.address=:53/udp",
                "--certificatesresolvers.certificatesresolver_letsencrypt.acme.tlschallenge=True",
                "--certificatesresolvers.certificatesresolver_letsencrypt.acme.email=info@example.com",
                "--certificatesresolvers.certificatesresolver_letsencrypt.acme.storage=/letsencrypt/acme.json"
            ],

            "Networks": {
                "network-reverse-proxy": {
                    "IPAMConfig": {
                        "IPv4Address": "10.151.1.128"
                    },
                    "Links": null,
                    "Aliases": [
                        "32bba139dc09"
                    ],
                    "NetworkID": "3ebdfa30a6f3dfc0993019b3b1ec066a74bf0eae7c23594e48ebbcd620cadc34",
                    "EndpointID": "ede72e56082bc02ad20f29867f0360b3b44e60963f462a9b1ef15f35a7ab2393",
                    "Gateway": "10.151.1.1",
                    "IPAddress": "10.151.1.128",
                    "IPPrefixLen": 24,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": "02:42:0a:97:01:80",
                    "DriverOpts": null
                }
            }
time="2020-11-09T11:59:06Z" level=debug msg="Handling connection from 37.15.255.226:54282"
  • SFTP
            "Labels": {
                "org.opencontainers.image.created": "2020-11-06 12:18:02+00:00",
                "org.opencontainers.image.revision": "f735906a358a03bcb3f6906604a50226ff877e04",
                "org.opencontainers.image.source": "https://github.com/atmoz/sftp",
                "traefik.enable": "true",
                "traefik.tcp.routers.sftp-ssh.entrypoints": "entrypoint_ssh",
                "traefik.tcp.routers.sftp-ssh.rule": "HostSNI(`*`)",
                "traefik.tcp.routers.sftp-ssh.service": "sftp-ssh-service",
                "traefik.tcp.services.sftp-ssh-service.loadbalancer.server.port": "22"
            }
            "Networks": {
                "network-reverse-proxy": {
                    "IPAMConfig": null,
                    "Links": null,
                    "Aliases": [
                        "37e70fb8e44b"
                    ],
                    "NetworkID": "3ebdfa30a6f3dfc0993019b3b1ec066a74bf0eae7c23594e48ebbcd620cadc34",
                    "EndpointID": "37a2d42850a85edca038a45a5263fda6ee08a4efb43f714acc1e2356d6f40a1a",
                    "Gateway": "10.151.1.1",
                    "IPAddress": "10.151.1.5",
                    "IPPrefixLen": 24,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": "02:42:0a:97:01:05",
                    "DriverOpts": null
                }
            }
Accepted password for foo from 10.151.1.1 port 49374 ssh2
Received disconnect from 10.151.1.1 port 49374:11: disconnected by user
Disconnected from user foo 10.151.1.1 port 49374

Hello,

trustedIPs and insecure cannot be used at the same time:

  • insecure trusts all sources
  • trustedIPs trusts only some IPs

As a first step, I recommend trying with only insecure.

Many thanks for your reply. I used just trustedIPs, but the result is the same: SFTP is still logging the private IP address corresponding to the docker gateway of its network, 10.151.1.1, instead of the public IP address that is logged in traefik:

  • Traefik cmd
            "Cmd": [
                "--log.level=DEBUG",
                "--api.insecure=true",
                "--providers.docker=true",
                "--providers.docker.exposedbydefault=false",
                "--entryPoints.entrypoint_http.forwardedHeaders.insecure=true",
                "--entryPoints.entrypoint_https.forwardedHeaders.insecure=true",
                "--entryPoints.entrypoint_ssh.forwardedHeaders.insecure=true",
                "--entrypoints.entrypoint_http.address=:80",
                "--entrypoints.entrypoint_https.address=:443",
                "--entrypoints.entrypoint_ssh.address=:22",
                "--entrypoints.entrypoint_dns.address=:53/udp",
                "--certificatesresolvers.certificatesresolver_letsencrypt.acme.tlschallenge=True",
                "--certificatesresolvers.certificatesresolver_letsencrypt.acme.email=info@example.com",
                "--certificatesresolvers.certificatesresolver_letsencrypt.acme.storage=/letsencrypt/acme.json"
            ],
  • Traefik logs
time="2020-11-09T12:07:23Z" level=debug msg="Handling connection from 37.15.255.226:54362"
  • SFTP logs
Accepted password for foo from 10.151.1.1 port 50384 ssh2
Received disconnect from 10.151.1.1 port 50384:11: disconnected by user
Disconnected from user foo 10.151.1.1 port 50384

Not sure if it's relevant, but the docker container running traefik is NOT in host mode.

I'm not sure if you are having this problem with legacy addresses, but the same problem exists here for modern IP addresses.

@leifnel thanks for your reply, but I guess it's not connected, since the issue you linked refers to HTTP router, and this issue is about TCP routers.
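As an added example (not part of this thread and not Traefik's own code), the following Python models the trustedIPs/insecure decision described in the maintainer's reply and shows why that option cannot change what sshd logs behind a TCP router like sftp-ssh. The CIDRs, the public client address and the 10.151.1.1 peer are the values from this thread; the injected X-Forwarded-For value 203.0.113.9 is constructed, and the comma-append behaviour is assumed to be that of the Go reverse proxy Traefik builds on.

```python
# Added example (not Traefik code): a model of how Traefik's forwardedHeaders
# options decide what client address an HTTP backend sees, and why they have
# no effect for a TCP router such as the sftp-ssh router in this thread.
# Assumptions: X-Forwarded-For is kept only from trusted peers, and the Go
# reverse proxy then appends the peer address it actually saw (comma separated).
import ipaddress
from typing import Iterable, Optional

# Values taken from the thread; the spoofed header value below is constructed.
TRUSTED_IPS = ["10.151.1.1/32", "10.151.1.128/32"]
PUBLIC_CLIENT = "37.15.255.226"
PROXY_SOURCE_IP = "10.151.1.1"  # the address sshd logged for the Traefik hop


def is_trusted(remote_ip: str, trusted_ips: Iterable[str], insecure: bool) -> bool:
    """True when forwarded headers from this peer are kept rather than stripped."""
    if insecure:
        return True  # insecure trusts every source, so trustedIPs is moot
    addr = ipaddress.ip_address(remote_ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in trusted_ips)


def backend_xff(remote_ip: str, incoming_xff: Optional[str],
                trusted_ips: Iterable[str], insecure: bool) -> str:
    """X-Forwarded-For value the HTTP backend receives after the proxy hop."""
    kept = incoming_xff if incoming_xff and is_trusted(remote_ip, trusted_ips, insecure) else None
    return f"{kept}, {remote_ip}" if kept else remote_ip


def client_ip_seen_by_backend(router_kind: str, remote_ip: str,
                              incoming_xff: Optional[str] = None,
                              trusted_ips: Iterable[str] = TRUSTED_IPS,
                              insecure: bool = False) -> str:
    """Client address the backend will log for an 'http' or 'tcp' router."""
    if router_kind == "tcp":
        # A TCP router relays raw bytes: there is no header to carry the
        # client address, so sshd only ever sees the proxy's own socket peer.
        return PROXY_SOURCE_IP
    # A common (naive) HTTP backend takes the first X-Forwarded-For entry.
    return backend_xff(remote_ip, incoming_xff, trusted_ips, insecure).split(",")[0].strip()


if __name__ == "__main__":
    # trustedIPs only: a public peer cannot inject a client address
    print(client_ip_seen_by_backend("http", PUBLIC_CLIENT, "203.0.113.9"))  # 37.15.255.226
    # insecure=true: the injected value reaches the backend as the client IP
    print(client_ip_seen_by_backend("http", PUBLIC_CLIENT, "203.0.113.9", insecure=True))  # 203.0.113.9
    # TCP router: neither option changes what sshd logs
    print(client_ip_seen_by_backend("tcp", PUBLIC_CLIENT, insecure=True))  # 10.151.1.1
```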