Hello,
I have a web application hosted within a Kubernetes cluster, and it's using Traefik on the front.
In some situations, the web application needs to read a client's IP address and after some digging, I have found that the way to do so behind Traefik is to use the X-Forwarded-For header (meaning that Traefik is adding the real client IP address to it).
However, I fear that this header is not to be trusted at all times because after some experimenting, it seems like anyone could make a request and provide this header from outside and Traefik would simply forward that header into the web application.
Meaning that the X-Forwarded-For header could sometimes be made by Traefik and sometimes actually be forged.
I've been trying to find ways to solve the problem, and I was wondering if there's a way to tell Traefik to not take X-Forwarded-For headers from outside and forward them into the application; that way I could know that if I do get this header, it was generated by Traefik and no one else. But perhaps there's a better way to solve this.
I did look it up and found this: https://docs.traefik.io/v1.7/configuration/entrypoints/#forwarded-header
I don't have this configuration set, but if I'm not mistaken, the trusted IP list allowed to use the said header is empty, meaning it should not be happening?
Would really appreciate any help!
The version of Traefik I'm running is 1.7.
Thank you!
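An added example, not part of the original post and not Traefik's own code: the application-side check that makes the question moot regardless of how the proxy is configured. It relies on the usual reverse-proxy convention that each proxy appends the address it received the connection from to the end of X-Forwarded-For, so the rightmost entry is the one the nearest hop added and everything to its left came from untrusted parties. The trusted proxy range (10.42.0.0/16) and the sample addresses are constructed for the example; in the poster's cluster the range would be whatever the Traefik pods connect from. The forwarded-header setting linked in the post limits which peers' headers Traefik accepts at the edge; this check is the complement on the application side.

```python
import ipaddress

# Constructed for this example (not from the post): the address range of the
# proxies we trust to append to X-Forwarded-For. In a Kubernetes setup this
# would be whatever range the Traefik pods (or nodes) connect from.
TRUSTED_PROXIES = [ipaddress.ip_network("10.42.0.0/16")]


def parse_xff(header):
    """Split an X-Forwarded-For value into its comma-separated hops, left to right."""
    if not header:
        return []
    return [hop.strip() for hop in header.split(",") if hop.strip()]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr parses as an IP and lies inside one of the trusted proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Determine the client address without trusting header content blindly.

    Assumption: each trusted proxy appends the address it received the request
    from to the end of X-Forwarded-For, so the rightmost entry is the one the
    hop nearest to us added. Walking from the right and skipping trusted
    proxies, the first untrusted address is the real client; everything to its
    left was supplied by untrusted parties and may be forged.

    Returns None only when the chain is malformed (an entry that should have
    been written by a trusted proxy does not parse as an address).
    """
    if not is_trusted(remote_addr, trusted):
        # The TCP peer is not one of our proxies, so nothing in the header was
        # written by us: the peer address itself is the best answer.
        return remote_addr
    for hop in reversed(parse_xff(xff_header)):
        if is_trusted(hop, trusted):
            continue  # another of our own proxies; keep walking left
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return None  # malformed chain; do not guess
    # Empty header, or every hop is one of our own proxies.
    return remote_addr


if __name__ == "__main__":
    # Constructed scenarios: 10.42.0.5 is a Traefik pod, 203.0.113.9 the real client.
    cases = [
        ("no header sent by client", "10.42.0.5", "203.0.113.9"),
        ("client forged a header", "10.42.0.5", "1.2.3.4, 203.0.113.9"),
        ("client forged a proxy address", "10.42.0.5", "10.42.0.7, 203.0.113.9"),
        ("request bypassed the proxy", "203.0.113.9", "1.2.3.4"),
    ]
    for label, peer, xff in cases:
        print(f"{label:32} -> {client_ip(peer, xff)}")
```

The point of walking from the right rather than taking the first entry is that a client can put anything it likes at the front of the header; the only entries it cannot control are the ones appended by proxies after the request left its hands, and only if the peer that connected to the application is one of those proxies.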