Afternoon y'all.
I recently started playing around with request/response headers because my reverse-proxied services would always display my Asus WRT router's IP while on LAN instead of the actual client's IP. After a couple of hours of melting my brain with the Traefik documentation I have made little progress.
I did learn that Traefik does report the proper IP in X-Forwarded-For & X-Real-IP when connected to my WireGuard server (which my router also hosts), so I'm in a position of either continuing to fiddle around with request/response headers, or potentially bricking my network by fiddling around with my router settings — or this is all normal and X-Forwarded-For & X-Real-IP don't display LAN IPs?
Obviously I'm not at all familiar with headers and would appreciate some input here!
Thank you!
docker-compose.yml
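---
# NOTE(review): the top-level `networks:` (main) and `secrets:` (cf_api_token)
# definitions this file needs are not part of this excerpt.
services:
  homepage:
    image: ghcr.io/gethomepage/homepage:latest
    hostname: homepage
    container_name: homepage
    networks:
      - main
    # Mirrors the traefik service below: blocks setuid/capability gains
    # inside the container.
    security_opt:
      - no-new-privileges:true
    environment:
      # NOTE(review): PUID/PGID 0 keep the app running as root inside the
      # container; together with the docker.sock mount below that is
      # root-equivalent access to the host. Prefer an unprivileged uid/gid
      # that owns ./config/homepage.
      PUID: 0  # optional, your user id
      PGID: 0  # optional, your group id
      HOMEPAGE_ALLOWED_HOSTS: my.domain
    ports:
      # Bound to loopback only; external access goes through Traefik.
      - '127.0.0.1:3000:3000'
    volumes:
      - ./config/homepage:/app/config  # Make sure your local config directory exists
      # ":ro" only makes the socket file read-only; the Docker API behind it
      # still allows starting containers with any privileges. A socket proxy
      # that exposes only the endpoints the integration needs is safer.
      - /var/run/docker.sock:/var/run/docker.sock:ro  # optional, for docker integrations
      - /home/user/Pictures:/app/public/icons
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.homepage.rule=Host(`my.domain`)"
      - "traefik.http.routers.homepage.entrypoints=https"
      - "traefik.http.routers.homepage.tls=true"
      - "traefik.http.services.homepage.loadbalancer.server.port=3000"
      # Provided by the file provider (directory /custom); not in this excerpt.
      - "traefik.http.routers.homepage.middlewares=my-fail2ban@file"

  traefik:
    image: traefik:v3.2
    container_name: traefik
    hostname: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - main
    ports:
      # Listen on port 80, default for HTTP, necessary to redirect to HTTPS
      - target: 80
        published: 80
        mode: host
      # Listen on port 443, default for HTTPS
      - target: 443
        published: 443
        mode: host
      # mode: host binds in the host network namespace, so Traefik sees the
      # real TCP source address rather than a docker-proxy address. A LAN
      # client that still shows up as the router's IP was presumably
      # translated before the packet reached this host (e.g. the router
      # hairpinning traffic sent to the public address back into the LAN);
      # check what my.domain resolves to from a LAN client.
    environment:
      CF_DNS_API_TOKEN_FILE: /run/secrets/cf_api_token  # note using _FILE for docker secrets
      # CF_DNS_API_TOKEN: ${CF_DNS_API_TOKEN} # if using .env
      # NOTE(review): the basicauth label below already interpolates this
      # value at compose time; Traefik itself does not need it in its
      # environment.
      TRAEFIK_DASHBOARD_CREDENTIALS: ${TRAEFIK_DASHBOARD_CREDENTIALS}
    secrets:
      - cf_api_token
    # Compose reads .env for ${...} interpolation on its own; env_file
    # additionally exports every variable in it into the container
    # environment (visible via docker inspect). If .env also holds the
    # Cloudflare token, this undoes the point of passing it as a secret.
    env_file: .env  # use .env
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config/traefik/traefik.yml:/traefik.yml:ro
      - ./config/traefik/acme.json:/acme.json
      #- ./config/traefik/config.yml:/config.yml:ro
      - ./config/traefik/custom-yml:/custom
      # - ./config/traefik/homebridge.yml:/homebridge.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.my.domain`)"
      # A password hash contains '$'; confirm `docker compose config` shows
      # it unmangled (quote the value in .env if it does not).
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
      # Redundant with the entry-point level redirection in traefik.yml.
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      # Declared but not attached to any router in this file.
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.my.domain`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=my.domain"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.my.domain"
      - "traefik.http.routers.traefik-secure.service=api@internal"
    # NOTE(review): these flags re-declare entry points and the Docker
    # provider that the mounted traefik.yml also sets, and this copy has no
    # exposedByDefault=false. Traefik is documented as not merging its
    # static-configuration sources (file, CLI, env) — confirm for v3.2 which
    # of the two is in effect — so keep a single source and pass
    # `--configFile=/traefik.yml` to make the choice explicit.
    command:
      # Enable the access log, with HTTP requests
      - --accesslog
      # Enable the Traefik log, for configurations and errors
      - --log
      # Enable the Dashboard and API
      - --api
      # Create an entrypoint "http" listening on address 80
      - --entrypoints.http.address=:80
      # Create an entrypoint "https" listening on address 443
      - --entrypoints.https.address=:443
      # Enable Docker in Traefik, so that it reads labels from Docker services
      - --providers.docker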
traefik.yml
---
# The dashboard/API are reached only through the traefik-secure router
# (service api@internal behind basicauth) declared in docker-compose.yml;
# api.insecure is left unset, so nothing is exposed on the default
# insecure :8080 entry point.
api:
  dashboard: true
  # NOTE(review): enables the API's extra debug endpoints; not needed once
  # the setup is stable.
  debug: true
entryPoints:
  http:
    address: ":80"
    # Everything arriving on :80 is redirected to the https entry point, so
    # the per-router redirect middleware in docker-compose.yml is redundant.
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https

  https:
    address: ":443"
    forwardedHeaders:
      # X-Forwarded-For / X-Real-IP are honoured only when the connection
      # comes from one of these addresses; from any other source Traefik
      # discards them and reports the TCP peer address instead.
      # NOTE(review): 192.168.1.0/24 trusts every host on the LAN, so any LAN
      # client can choose the client IP that the access log and the fail2ban
      # middleware see. Narrow this to the proxy (if any) that actually sits
      # in front of Traefik; with ports published in mode: host and no
      # upstream proxy the list can go entirely. The 172.x entries look like
      # Docker bridge gateway addresses — confirm they are still needed.
      trustedIPs:
        - "127.0.0.1/32"
        - "192.168.1.0/24"
        - "172.18.0.1"
        - "172.19.0.1"
# NOTE(review): this is the global default, so the TLS certificate of every
# backend Traefik proxies to goes unverified — not just the ones with
# self-signed certificates. Prefer a per-service serversTransport in the
# dynamic configuration (file provider) for the few backends that need it.
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    watch: true
    # Only containers that carry traefik.enable=true are routed.
    exposedByDefault: false
    # Backends are reached through their address on the "main" compose network.
    network: main

  file:
    # Dynamic configuration (e.g. the my-fail2ban middleware referenced as
    # my-fail2ban@file) is read from the /custom bind mount.
    directory: /custom
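certificatesResolvers:
  cloudflare:
    acme:
      email: my@email.com
      # Absolute path so it no longer depends on the process working
      # directory matching the ./config/traefik/acme.json:/acme.json bind
      # mount in docker-compose.yml. Traefik refuses to use this file unless
      # its permissions are 600.
      storage: /acme.json
      # prod (default)
      caServer: https://acme-v02.api.letsencrypt.org/directory
      # staging
      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      dnsChallenge:
        # The Cloudflare API token is read from CF_DNS_API_TOKEN_FILE
        # (a docker secret) set in docker-compose.yml.
        provider: cloudflare
        # Skips waiting for the TXT record to reach all authoritative name
        # servers; enable only if certificate issuance through Cloudflare
        # stalls otherwise.
        disablePropagationCheck: true
        # Used together with disablePropagationCheck to give the TXT record
        # time to be ready before verification is attempted.
        delayBeforeCheck: 10s
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"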
experimental:
  # Plugins are fetched from GitHub at startup and run inside the Traefik
  # process; pinning them to exact versions, as done here, is the right
  # supply-chain default. themepark and crowdsec-bouncer are not referenced
  # by anything in this excerpt.
  plugins:
    themepark:
      moduleName: "github.com/packruler/traefik-themepark"
      version: "v1.4.2"
    crowdsec-bouncer:
      moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
      version: "v1.4.1"
    fail2ban:
      moduleName: "github.com/tomMoulard/fail2ban"
      version: "v0.8.3"
log:
  # NOTE(review): DEBUG is useful while chasing the forwarded-header
  # question, but it is very verbose; drop back to INFO afterwards.
  level: DEBUG