ClientHost is not my IP

llaumgui · June 16, 2025, 3:57pm

Hello,

I've been using Traefik for a little while and I want to set up protections like CrowdSec. The problem is that I just realized that in Traefik's logs, the ClientHost / ClientAddr doesn't match my IP address, but rather that of my Docker gateway. My Traefik's IP is 172.25.0.35 and the ClientHost values are 172.25.0.1. How can I fix this?

# Global setup
global:
  sendAnonymousUsage: false
log:
  level: INFO
  format: common
api:
  dashboard: true
  insecure: true

# Set accessLog for fail2ban
accessLog:
  filePath: "/var/log/traefik/traefik.log"
  format: json
  #filters:
  #  statusCodes:
  #    - "200"
  #    - "400-599"
    #retryAttempts: true
    #minDuration: "10ms"
  # collect logs as in-memory buffer before writing into log file
  bufferingSize: 0
  fields:
    headers:
      defaultMode: drop # drop all headers per default
      names:
        User-Agent: keep # log user agent strings

# Set providers
providers:
  file:
    directory: "/etc/traefik/dynamic_config"
    watch: true
  docker:
    exposedByDefault: false
    network: traefik-net
    allowEmptyServices: true


# Setup entrypoints
entrypoints:
  ## HTTP to HTTPs
  webunsecure:
    address: ":80"
    http:
      redirections:
        entrypoint:
          to: web
          scheme: https
  ## HTTPS 
  web:
    address: ":443"
    http2:
      maxConcurrentStreams: 50

  # Metrics for prometheus
  metrics:
    address: ":8082"

# Certificats resolvers & TLS
certificatesresolvers:
  letsencrypt:
    acme:
      storage: /etc/traefik/acme.json
      #caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      email: xxx@xxx.fr
      httpChallenge:
        entryPoint: webunsecure
      #dnschallenge:
        #delayBeforeCheck: 0
        #provider: infomaniak
        #resolvers:
        #  - "1.1.1.1:53"
        #  - "8.8.8.8:53"

# Setups features (metrics)
metrics:
  prometheus:
    entryPoint: metrics

bluepuma77 · June 17, 2025, 4:44am

You shared Traefik config, but more relevant is a Docker compose file or run command.

And your context, which OS, using Docker Desktop?

llaumgui · June 17, 2025, 6:01am

Thx. I use Docker over Portner on OpenMediaVault:

# Define docker stack
# Based on personal stack v2.3


# Services definition part
services:

## traefik
  traefik:
    container_name: docker_traefik
    hostname: docker-traefik
    image: traefik
    restart: always
    env_file: stack.env
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik.entrypoints=web
      - traefik.http.routers.traefik.rule=Host("traefik.deepspace9.starfleet")
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.routers.traefik.tls=true
      - traefik.http.routers.traefik.middlewares=ipwhitelist_starfletsecure@file,headers_hsts@file
    volumes:
      - /srv/dev-disk-by-label-omvdata/traefik/conf:/etc/traefik
      - /srv/dev-disk-by-label-omvdata/traefik/log:/var/log/traefik/
      - /var/run/docker.sock:/var/run/docker.sock
    healthcheck:
      test: ["CMD-SHELL", "wget --no-verbose --tries=1 http://localhost:8080 -q -O /dev/null || exit 1"]
    networks:
      - traefik
    dns:
      - 1.1.1.1
      - 8.8.8.8
    ports:
      - "80:80"
      - "443:443"
      - "8085:8080"

## postfix
  postfix:
    container_name: docker_postfix
    hostname: docker-mailserver
    image: boky/postfix
    restart: unless-stopped
    env_file: stack.env
    environment:
      ...
    healthcheck:
      test: ["CMD-SHELL", "netstat -an | fgrep 587 | fgrep -q LISTEN || exit 1"]
    networks:
      - traefik
      - nextcloud

## watchtower
  watchtower:
    container_name: docker_watchtower
    hostname: docker-watchtower
    image: containrrr/watchtower:latest
    restart: unless-stopped
    env_file: stack.env
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - traefik
    expose:
      - 8080


# Networks definition part
networks:
  traefik:
    name: traefik-net
    external: true
  nextcloud:
    name: nextcloud-backend-net
    external: true

Other compose use the traefik-net network.

bluepuma77 · June 17, 2025, 6:27am

When I use Traefik on a VM connected to the Internet with it's own dedicated IP, I see my client IP in Traefik access log. Check simple Traefik example.

My best guess is you have a router in between (maybe a VM with NAT) or OMV's Docker is doing something to the network.

llaumgui · June 17, 2025, 3:03pm

OK, after a big analyse, issues is only for external call from IPv6.

llaumgui · June 18, 2025, 11:00am

OK, issue is the ipv6 support. If ipv6 is disabled, and I call with an ipv6, ClientHost is the gateway not the true IP. To fix that:

networks:
  frontend:
    enable_ipv6: true
    driver: bridge
    driver_opts:
      com.docker.network.enable_ipv6: "true"
    ipam:
      driver: default
      config:
      - subnet: 172.18.0.0/16
        gateway: 172.18.0.1
      - subnet: 2001:db8:2::/64

system · June 21, 2025, 11:01am

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Private address on ClientHost after external request Traefik v3 (latest) docker , rest-api	3	46	October 22, 2025
Traefik Accesslog doesn't show Clients IP Address Traefik v2 docker	4	3429	February 17, 2022
How to get real IP from the client Traefik v2 docker	9	11480	December 2, 2023
ClientAddr different for traefik api and entrypoints Traefik v3 (latest) docker , middleware	1	46	March 22, 2025
Status 500 after Docker + Traefik(host-mode) + Crowdsec Traefik v2 docker	10	663	June 16, 2024

ClientHost is not my IP

Related topics