Disabling forwarding of X-Forwarded-For header?

I have a web application hosted within a Kubernetes cluster, and it's using Traefik on the front.
In some situations, the web application needs to read a client's IP address and after some digging, I have found that the way to do so behind Traefik is to use the X-Forwarded-For header (meaning that Traefik is adding the real client IP address to it).

However, I fear that this header is not to be trusted at all times because after some experimenting, it seems like anyone could make a request and provide this header from outside and Traefik would simply forward that header into the web application.
Meaning that the X-Forwarded-For header could sometimes be made by Traefik and sometimes actually be forged.

I've been trying to find ways to solve the problem, and I was wondering if there's a way to tell Traefik to not take X-Forwarded-For headers from outside and forward them into the application; that way I could know that if I do get this header, it was generated by Traefik and no one else. But perhaps there's a better way to solve this.

I did look it up and found this: https://docs.traefik.io/v1.7/configuration/entrypoints/#forwarded-header
I don't have this configuration set, but if I'm not mistaken, the trusted IP list allowed to use the said header is empty, meaning it should not be happening?

Would really appreciate any help!

The version of Traefik I'm running is 1.7.

Thank you!

Hi @radicate,

I'm not sure I understand your question well; nonetheless, the consequence of setting up trusted IPs for forwarded-header is that it will remove all X-Forwarded-For values set before Traefik when the IP does not match.
See: Is there a way to hack the way Traefik deals with X-Forwarded-For headers?

Hey! Thanks for the response, I edited my post and hopefully it's a bit clearer now :slight_smile:
From your link, I'm starting to think that my initial assumption about the trustedIps list was wrong.
Perhaps when the list is empty it means "trust everyone" and in order to "trust no one" I should add an impossible IP to the list.

I'll give that a shot and report back here!

Yep, so it turns out that setting the [entry.http.forwardHeaders] trustedIPs to an "impossible IP" list works!
Thank you so much @rtribotte for pointing me in the right direction.
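As an added illustration (not code from the thread or from the Traefik project), this is what the Traefik 1.7 static configuration from the linked docs page looks like with `trustedIPs` set on an entry point. The addresses are placeholders; the entry point name and the `forwardedHeaders` / `trustedIPs` keys are the ones documented for 1.7.

```toml
# Traefik 1.7 static configuration (traefik.toml). Added example, not from the thread.
[entryPoints]
  [entryPoints.http]
    address = ":80"
    [entryPoints.http.forwardedHeaders]
      # Once trustedIPs is non-empty, X-Forwarded-* headers arriving from any
      # peer outside the list are dropped, and Traefik then adds its own
      # X-Forwarded-For entry with the peer address it actually saw.
      # Leaving the list empty means every peer is trusted (the behaviour the
      # thread ran into).
      #
      # Option A: trust only the hop directly in front of Traefik (load balancer,
      # node range). 10.0.0.0/8 is a placeholder; use that hop's real CIDR.
      trustedIPs = ["10.0.0.0/8"]

      # Option B (the workaround used in the thread): trust no one by listing an
      # address that can never be a real peer, e.g. a host in TEST-NET-1.
      # trustedIPs = ["192.0.2.1/32"]
```

With option B the application can treat the single X-Forwarded-For entry as the client address, since anything supplied by the client was discarded. With option A, clients connecting through the trusted hop keep the entry that hop appended, so the application should read the rightmost entry not belonging to a trusted proxy rather than the leftmost one, which is still client-controlled. In either case, it is worth confirming the result by sending a request with a fabricated X-Forwarded-For to a test route and checking what the application logs.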