Don't understand how setup forwarding "X-Forwarded-For" header via Traefik to services in K8s

Hi!
I installed on a test installation of Kubernetes cluster Traefik with Helm chart https://github.com/traefik/traefik-helm-chart.
My values file is:


IngressRoute config about is:
image
I send request via curl:
curl -v -H "X-Forwarded-For: 1.1.1.1" -H "Hello: world" TARGET_URL
and see in the logs of Traefik:

{"ClientAddr":"10.20.56.179:46934","ClientHost":"10.20.56.179","ClientPort":"46934","ClientUsername":"-","DownstreamContentSize":612,"DownstreamStatus":200,"Duration":753444,"OriginContentSize":612,"OriginDuration":711862,"OriginStatus":200,"Overhead":41582,"RequestAddr":"test-traefik.surfstudio.ru","RequestContentSize":0,"RequestCount":324,"RequestHost":"test-traefik.surfstudio.ru","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"http","RetryAttempts":0,"RouterName":"default-traefik-ingress-http-49c1f9c3592ef6a3f176@kubernetescrd","ServiceAddr":"10.244.21.221:80","ServiceName":"default-traefik-ingress-http-49c1f9c3592ef6a3f176@kubernetescrd","ServiceURL":{"Scheme":"http","Opaque":"","User":null,"Host":"10.244.21.221:80","Path":"","RawPath":"","ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":""},"StartLocal":"2020-12-16T16:06:00.397103664Z","StartUTC":"2020-12-16T16:06:00.397103664Z","downstream_Accept-Ranges":"bytes","downstream_Content-Length":"612","downstream_Content-Type":"text/html","downstream_Date":"Wed, 16 Dec 2020 16:06:00 GMT","downstream_Etag":""5f9ade5a-264"","downstream_Last-Modified":"Thu, 29 Oct 2020 15:23:06 GMT","downstream_Server":"nginx/1.18.0","downstream_Vary":"Accept-Encoding","entryPointName":"web","level":"info","msg":"","origin_Accept-Ranges":"bytes","origin_Content-Length":"612","origin_Content-Type":"text/html","origin_Date":"Wed, 16 Dec 2020 16:06:00 GMT","origin_Etag":""5f9ade5a-264"","origin_Last-Modified":"Thu, 29 Oct 2020 15:23:06 GMT","origin_Server":"nginx/1.18.0","origin_Vary":"Accept-Encoding","request_Accept":"/","request_Accept-Encoding":"gzip","request_Hello":"world","request_User-Agent":"curl/7.68.0","request_X-Forwarded-Host":"test-traefik.surfstudio.ru","request_X-Forwarded-Port":"80","request_X-Forwarded-Proto":"http","request_X-Forwarded-Server":"test-k8s-all","request_X-Real-Ip":"10.20.56.179","time":"2020-12-16T16:06:00Z"}

that is, there is no header in the logs.
I searched for information in google and documentation, but could not find an exact description of how to set up saving the header "X-Forwarded-For" and sending it to the service. Tell me how to set it up. Or I don’t understand something.
Thank you.

Hi @zab_djuda,

Thanks for your interest in Traefik!

By default, Traefik will override all X-Forwarded-* headers in the request if the sources sending those headers are not trusted. The following documentation explained how to configure the trusted sources: https://doc.traefik.io/traefik/routing/entrypoints/#forwarded-headers

As a side note, you are not seeing the X-Forwarded-For in the logs because, as said before, this header is removed by Traefik and added later by the ReverseProxy implementation in the go standard library.

Hope this helps.

1 Like

I figured out how to set it up correctly using Helm Chart!
See lines with comments:


But it is better not to use "X-Forwared-For" header because it can be easily faked.
I think we can use a "X-Real-Ip" header.

1 Like

You say that the header "X-Forwarded-For" added later by the ReverseProxy implementation, can you please tell me how the ip is determined which is further add in the header?

I've sent you the link to the go source code.

Basically, the X-Forwarded-For value is set to the source IP of the remote connection, if the header value is not already defined (which is the case if Traefik removes the header because the source is not trusted).