Can't get DMZ client public IP address via 'X-Forwarded-For' header

Hi there.

First of all many thanks to all the people involved in this project for their time, I really appreciate it.

We have traefik 2.2.1 running as a docker container binding ports TCP 80, TCP 443, TCP 22 and UDP 53 to the docker host, everything works as expected.

We deployed a container with whoami.

Finally we send an HTTP request from DMZ that reached whoami (https://whoami.example.com) but there's no way to get the public IP address of the DMZ client.

We tried with and without solutions but without luck. Any help will be appreciated:

  • NO forwardedHeaders.trustedIP and forwardedHeaders.insecure
  • forwardedHeaders.trustedIP and forwardedHeaders.insecure
  • Only forwardedHeaders.trustedIP
  • Only forwardedHeaders.insecure

I can't even see the public IP address logged in traefik, but I'm sure it can get it, since it logs other TCP service requests, such as an SFTP backend.

Details

  • Traefik
Version:      2.2.1
Codename:     chevrotin
Go version:   go1.14.2
Built:        2020-04-29T18:02:09Z
OS/Arch:      linux/amd64

            "Cmd": [
                "--log.level=DEBUG",
                "--api.insecure=true",
                "--providers.docker=true",
                "--providers.docker.exposedbydefault=false",
                "--entryPoints.entrypoint_http.forwardedHeaders.trustedIPs=10.151.1.1/32,10.151.1.128/32",
                "--entryPoints.entrypoint_http.forwardedHeaders.insecure=true",
                "--entryPoints.entrypoint_https.forwardedHeaders.trustedIPs=10.151.1.1/32,10.151.1.128/32",
                "--entryPoints.entrypoint_https.forwardedHeaders.insecure=true",
                "--entryPoints.entrypoint_ssh.forwardedHeaders.trustedIPs=10.151.1.1/32,10.151.1.128/32",
                "--entryPoints.entrypoint_ssh.forwardedHeaders.insecure=true",
                "--entrypoints.entrypoint_http.address=:80",
                "--entrypoints.entrypoint_https.address=:443",
                "--entrypoints.entrypoint_ssh.address=:22",
                "--entrypoints.entrypoint_dns.address=:53/udp",
                "--certificatesresolvers.certificatesresolver_letsencrypt.acme.tlschallenge=True",
                "--certificatesresolvers.certificatesresolver_letsencrypt.acme.email=info@example.com",
                "--certificatesresolvers.certificatesresolver_letsencrypt.acme.storage=/letsencrypt/acme.json"
            ],

            "Networks": {
                "network-reverse-proxy": {
                    "IPAMConfig": {
                        "IPv4Address": "10.151.1.128"
                    },
                    "Links": null,
                    "Aliases": [
                        "32bba139dc09"
                    ],
                    "NetworkID": "3ebdfa30a6f3dfc0993019b3b1ec066a74bf0eae7c23594e48ebbcd620cadc34",
                    "EndpointID": "ede72e56082bc02ad20f29867f0360b3b44e60963f462a9b1ef15f35a7ab2393",
                    "Gateway": "10.151.1.1",
                    "IPAddress": "10.151.1.128",
                    "IPPrefixLen": 24,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": "02:42:0a:97:01:80",
                    "DriverOpts": null
                }
            }

time="2020-11-09T12:28:00Z" level=debug msg="Handling connection from 10.151.1.1:15769"
time="2020-11-09T12:28:00Z" level=debug msg="Handling connection from 10.151.1.1:26804"
time="2020-11-09T12:28:00Z" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.72.0\"],\"X-Forwarded-Host\":[\"whoami.example.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"673af69607f0\"],\"X-Real-Ip\":[\"10.151.1.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"whoami.example.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.151.1.1:48730\",\"RequestURI\":\"/\",\"TLS\":null}"
time="2020-11-09T12:28:00Z" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.72.0\"],\"X-Forwarded-Host\":[\"whoami.example.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"673af69607f0\"],\"X-Real-Ip\":[\"10.151.1.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"whoami.example.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.151.1.1:48730\",\"RequestURI\":\"/\",\"TLS\":null}" ForwardURL="http://10.151.1.6:80"
time="2020-11-09T12:28:00Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.72.0\"],\"X-Forwarded-Host\":[\"whoami.example.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"673af69607f0\"],\"X-Real-Ip\":[\"10.151.1.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"whoami.example.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.151.1.1:48730\",\"RequestURI\":\"/\",\"TLS\":null}"
  • Whoami
            "Labels": {
                "traefik.enable": "true",
                "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent": "true",
                "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme": "https",
                "traefik.http.routers.whoami-http.entrypoints": "entrypoint_http",
                "traefik.http.routers.whoami-http.middlewares": "redirect-to-https",
                "traefik.http.routers.whoami-http.rule": "Host(`whoami.example.com`)",
                "traefik.http.routers.whoami-https.entrypoints": "entrypoint_https",
                "traefik.http.routers.whoami-https.rule": "Host(`whoami.example.com`)",
                "traefik.http.routers.whoami-https.tls.certresolver": "certificatesresolver_letsencrypt"
            }

            "Networks": {
                "network-reverse-proxy": {
                    "IPAMConfig": null,
                    "Links": null,
                    "Aliases": [
                        "d824869fa135"
                    ],
                    "NetworkID": "3ebdfa30a6f3dfc0993019b3b1ec066a74bf0eae7c23594e48ebbcd620cadc34",
                    "EndpointID": "34205e3c682dea390c61992633f6115f1586b8ad5fe314a89d311fe81c0045ec",
                    "Gateway": "10.151.1.1",
                    "IPAddress": "10.151.1.6",
                    "IPPrefixLen": 24,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": "02:42:0a:97:01:06",
                    "DriverOpts": null
                }
            }

Hostname: d824869fa135
IP: 127.0.0.1
IP: 10.151.1.6
RemoteAddr: 10.151.1.1:38262
GET / HTTP/1.1
Host: whoami.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Cookie: experimentation_subject_id=IjMyYjQ3NjlkLTQ4YmEtNDhhMS1iMzBiLTlkNmVjZTY5ZGY1NCI%3D--96bde26271f34eed6dab3677a42a60e737e50b39; _ga=GA1.2.283781559.1591263718; tk_or=%22%22; tk_lr=%22%22; _fbp=fb.1.1600789674912.825009860
Te: trailers
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 10.151.1.1
X-Forwarded-Host: whoami.example.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: 673af69607f0
X-Real-Ip: 10.151.1.1

The same issue is mentioned in "Traefik v2.1.4: X-Forwarded-For header does not pass visitor IP when using IPv6", but it's not solved :frowning:
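
Added example, not part of the original post and not Traefik's code: a simplified model of how a reverse proxy applies a trusted-peer setting to `X-Forwarded-For`, run over the four combinations listed in the post with the peer address 10.151.1.1 taken from the debug log. The function names and the 203.0.113.9 / 198.51.100.7 sample addresses are constructed for illustration, and the model assumes the proxy appends the TCP peer address after deciding whether to keep the incoming header.

```python
import ipaddress

# Values from the post: the trustedIPs setting and the peer seen in the log
# line "Handling connection from 10.151.1.1:15769".
TRUSTED = ("10.151.1.1/32", "10.151.1.128/32")
LOGGED_PEER = "10.151.1.1"


def forwarded_for(peer_ip, incoming_xff, trusted_cidrs=(), insecure=False):
    """Return the X-Forwarded-For value a backend would receive.

    Simplified model (assumption): an incoming header is kept only when the
    TCP peer is trusted or insecure mode is on; the peer address is then
    appended as the last hop.
    """
    peer = ipaddress.ip_address(peer_ip)
    trusted = insecure or any(
        peer in ipaddress.ip_network(cidr) for cidr in trusted_cidrs
    )
    chain = []
    if trusted and incoming_xff:
        chain = [hop.strip() for hop in incoming_xff.split(",") if hop.strip()]
    chain.append(peer_ip)
    return ", ".join(chain)


def four_combinations(peer_ip, incoming_xff):
    """Evaluate the four setting combinations tried in the post."""
    combos = {
        "neither": {"trusted_cidrs": (), "insecure": False},
        "trustedIPs and insecure": {"trusted_cidrs": TRUSTED, "insecure": True},
        "trustedIPs only": {"trusted_cidrs": TRUSTED, "insecure": False},
        "insecure only": {"trusted_cidrs": (), "insecure": True},
    }
    return {
        name: forwarded_for(peer_ip, incoming_xff, **settings)
        for name, settings in combos.items()
    }


if __name__ == "__main__":
    # Case from the post: peer is the Docker gateway, no incoming header.
    for name, value in four_combinations(LOGGED_PEER, None).items():
        print(f"{name:26} -> X-Forwarded-For: {value}")
    # Constructed case: an untrusted peer supplies its own header.
    for name, value in four_combinations("198.51.100.7", "203.0.113.9").items():
        print(f"{name:26} -> X-Forwarded-For: {value}")
```

In this model every combination yields `10.151.1.1` for the logged peer, because the settings only decide whether an incoming header is kept and the connection already arrives from the gateway address without one. The constructed second case shows the trade-off: with `insecure=true` a header supplied by any peer is passed on to the backend.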