Can't get the real IP with Traefik V3 and GeoBlock

Hello everyone,

I'm trying different things on my homelab

And I wanted to add a traefik rp instead of nginx, with that I wanted to add the geoblock plugin

But whatever I've configured, it continues to see a local IP in the logs

```
## Geoblock.log
INFO: GeoBlock: 2025/04/30 22:58:40 my-geoblock@file: request allowed [192.168.48.1] since local IP addresses are allowed

## Access.log
192.168.48.1 - - [01/May/2025:08:13:45 +0000] "GET /debug/pprof/ HTTP/1.1" 404 19 "-" "-" 48 "-" "-" 0ms
192.168.48.1 - - [01/May/2025:08:13:54 +0000] "GET /metrics HTTP/1.1" 404 19 "-" "-" 49 "-" "-" 0ms
```

I'm running Traefik on Docker (host on Synology). Here is my docker-compose; I'm using an external network to access my other containers
(I have also tried without the additional config on port 443)

```yaml
#################################
##   Traefik - Reverse Proxy   ##
#################################

---
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      - target: 443
        published: 10001
        protocol: tcp
        mode: host
      - "10000:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      - ./acme.json:/letsencrypt/acme.json:rw
      - ./dynamic:/etc/traefik/dynamic:ro
      - ./logs:/var/log/:rw
    env_file: .env
    networks:
      - rp-net

networks:
  rp-net:
    external: true
```

Here is my static entrypoint, which should let the headers pass

```yaml
entryPoints:
  websecure:
    address: ":443"
    forwardedHeaders:
      insecure: true
    proxyProtocol:
      insecure: true
```

And the plugin (static part)

```yaml
experimental:
  plugins:
    geoblock:
      moduleName: "github.com/PascalMinder/geoblock"
      version: "v0.3.3"
```

And dynamic (I've allowed local requests temporarily, until I find a fix)

```yaml
http:
  middlewares:
    my-geoblock:
      plugin:
        geoblock:
          allowLocalRequests: "true"
          allowUnknownCountries: "false"
          api: https://get.geojs.io/v1/ip/country/{ip}
          apiTimeoutMs: "150"
          cacheSize: "15"
          countries:
            - BE
            - FR
            - LU
            - NL
            - DE
          forceMonthlyUpdate: "true"
          logAllowedRequests: "true"
          logApiRequests: "true"
          logLocalRequests: "true"
          silentStartUp: "false"
          unknownCountryApiResponse: nil
          logFilePath: "/var/log/geoblock.log"
```

I have also noticed this in the logs from geoblock. Is it related? Because, as shown earlier, the access.log is wrong too

```
traefik  | INFO: GeoBlock: 2025/05/01 08:17:57 use custom HTTP header field for country lookup: false
```

PS: I'm on 3.3.6
PS2: Only have ACME creds in .env fyi

Thanks a lot

Ok, I've found a solution

I've set it to host mode, still with access to my rp-net
And I've modified the entryPoint in the Traefik static conf to open my port 10001

```yaml
#################################
##   Traefik - Reverse Proxy   ##
#################################

---
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      - ./acme.json:/letsencrypt/acme.json:rw
      - ./dynamic:/etc/traefik/dynamic:ro
      - ./logs:/var/log/:rw
    env_file: .env
    network_mode: host

networks:
  rp-net:
    external: true
```

Static conf

```yaml
entryPoints:
  websecure:
    address: ":10001"
    forwardedHeaders:
      insecure: true
```

PS: I'm not using the dashboard, so I'm not looking for a solution for that
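
Added example, not part of the original posts or of the Traefik project: the entry point from the solution above, with the weak setting beside a tighter one. `forwardedHeaders.insecure: true` makes Traefik accept `X-Forwarded-*` headers from any peer, so a country filter that relies on them is only as trustworthy as what the client sends. The address `192.0.2.10` is a placeholder from the documentation range and stands for an upstream proxy that the thread does not mention.

```yaml
# Static configuration (traefik.yml), added example.

# Weak, as posted: forwarded headers are trusted whoever sends them.
# entryPoints:
#   websecure:
#     address: ":10001"
#     forwardedHeaders:
#       insecure: true

# Tighter: trust forwarded headers only from a known upstream proxy.
entryPoints:
  websecure:
    address: ":10001"
    forwardedHeaders:
      trustedIPs:
        - "192.0.2.10/32"   # placeholder: address of the proxy in front of Traefik
    # proxyProtocol takes the same trustedIPs list if the upstream speaks
    # PROXY protocol; prefer it over "insecure: true" there as well.
```

If nothing proxies in front of Traefik, as with host networking and a plain port forward, the `forwardedHeaders` block can be left out entirely: Traefik then takes the client address from the TCP connection itself.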
