Hello,
I've seen several posts about broadcasting the real client ip, but I have a couple of questions that I haven't found answers to.
Let me say up front that with forwardedHeaders:insecure:true I can see the real IP in the Traefik logs and also in the application, whereas proxyprotocol:insecure:true shows me nothing.
Question 1:
Traefik logs the internal IP of the balancer in front of it (pfSense) as ClientAddr and the real IP as ClientHost, and it passes 3 IPs to the application (Apache), as seen below:
Traefik log:
{
  "ClientAddr": "10.XX.XX.2:6114",   <== Load Balancer IP
  "ClientHost": "104.28.XX.XX",      <== Real Client IP
  "ClientPort": "6114",
  "ClientUsername": "-",
  "DownstreamContentSize": 362,
  "DownstreamStatus": 302,
  "Duration": 435760465,
  "OriginContentSize": 362,
  "OriginDuration": 435653261,
  "OriginStatus": 302,
  "Overhead": 107204,
  "RequestAddr": "XY.company.it",
  "RequestContentSize": 0,
  "RequestCount": 404,
  "RequestHost": "XY.company.it",
  "RequestMethod": "GET",
  "RequestPath": "/",
  "RequestPort": "-",
  "RequestProtocol": "HTTP/1.1",
  "RequestScheme": "https",
  "RetryAttempts": 0,
  "RouterName": "snipe-it@docker",
  "ServiceAddr": "172.XX.XX.8:443",  <== internal service IP
  "ServiceName": "snipe-it@docker",
  "ServiceURL": {
    "Scheme": "https",
    "Opaque": "",
    "User": null,
    "Host": "172.XX.XX.8:443",       <== internal service IP
    "Path": "",
    "RawPath": "",
    "OmitHost": false,
    "ForceQuery": false,
    "RawQuery": "",
    "Fragment": "",
    "RawFragment": ""
  },
  "StartLocal": "2024-04-04T10:38:34.097254424Z",
  "StartUTC": "2024-04-04T10:38:34.097254424Z",
  "TLSCipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "TLSVersion": "1.2",
  "entryPointName": "websecure",
  "level": "info",
  "msg": "",
  "time": "2024-04-04T10:38:34Z"
}
Apache Log:
172.XX.XX.5 - - [04/Apr/2024:10:38:35 +0000] "GET /login/saml HTTP/1.1" 302 - "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.3.1 Mobile/15E148 Safari/604.1" "104.28.XX.XX, 10.XX.XX.2"
If I wanted to whitelist IPs or networks at the Traefik router/service level, which one does it work on: ClientAddr or ClientHost?
Question 2:
What exactly does forwardedHeaders do? Why is insecure=true used? Is it really insecure? What do I risk?
Question 3:
Do I have any way to restrict Traefik to logging only the real IP, without the IP of the balancer in front of it?
Question 4:
Do I have a way to pass only the real IP to applications as the contact IP, instead of passing 3 IPs?
Question 5:
Do I have a way to enable a geolocation check so that the log shows the country string next to the client host, without using external plugins?
Question 6:
Do I have a way to apply an ACL by country instead of by source IP?
Question 7:
In the Traefik access logs, can I include more info, for example device and app details, as seen in Apache?
Thanks
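The post's Apache log shows the X-Forwarded-For chain `104.28.XX.XX, 10.XX.XX.2` behind Traefik's own address, and asks what `insecure=true` risks. The following is an added example, not code from the post or from Traefik, that models the two ways a proxy can interpret that header: believe it from anyone (the `insecure` behaviour) or believe it only as far back as proxies you control (the `trustedIPs` behaviour). All addresses are constructed from documentation ranges and stand in for the redacted ones; `client_ip`, `_is_trusted` and `demo` are names chosen here.

```python
import ipaddress

# Constructed sample topology mirroring the post (documentation ranges, not the
# real addresses): client -> balancer (10.0.0.2) -> Traefik (172.16.0.5) -> Apache.
BALANCER = "10.0.0.2"
TRAEFIK = "172.16.0.5"
REAL_CLIENT = "203.0.113.7"
SPOOFED = "198.51.100.9"   # value a client could write into X-Forwarded-For itself


def _is_trusted(addr, trusted_proxies):
    """True if addr parses as an IP and lies inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False           # non-IP garbage in the header is never a trusted proxy
    return any(ip in net for net in trusted_proxies)


def client_ip(remote_addr, xff_header, trusted_proxies, trust_all=False):
    """Choose the address to log or authorize as the client.

    remote_addr:     peer address of the TCP connection (Traefik's ClientAddr).
    xff_header:      X-Forwarded-For value, comma-separated, oldest hop first.
    trusted_proxies: ip_network objects for proxies we operate.
    trust_all:       model forwardedHeaders.insecure=true, i.e. believe the header
                     no matter which peer sent it.
    """
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    if trust_all:
        # The header is believed unconditionally, so the leftmost value wins,
        # and the leftmost value is the one a client can set before any proxy.
        return hops[0] if hops else remote_addr
    # Walk the chain from the nearest hop outwards, skipping every address that
    # is one of our own proxies. The first address that is not ours is the
    # client; anything further left was supplied by the client and is ignored.
    candidate = remote_addr
    for hop in reversed(hops):
        if not _is_trusted(candidate, trusted_proxies):
            break
        candidate = hop
    return candidate


def demo():
    trusted = [ipaddress.ip_network(BALANCER + "/32"),
               ipaddress.ip_network(TRAEFIK + "/32")]
    return {
        # What Apache sees in the post: Traefik as peer, two-address chain.
        "three_hop_chain": client_ip(TRAEFIK, f"{REAL_CLIENT}, {BALANCER}", trusted),
        # Client pre-loads a fake hop; the balancer appends the address it really saw.
        "spoof_insecure": client_ip(BALANCER, f"{SPOOFED}, {REAL_CLIENT}", trusted, trust_all=True),
        "spoof_trusted": client_ip(BALANCER, f"{SPOOFED}, {REAL_CLIENT}", trusted),
        # A connection that reaches the proxy without passing the balancer at all.
        "direct_insecure": client_ip(REAL_CLIENT, SPOOFED, trusted, trust_all=True),
        "direct_trusted": client_ip(REAL_CLIENT, SPOOFED, trusted),
    }


if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name:16} -> {ip}")
```

In the `trust_all` rows the logged and whitelisted address is whatever the sender wrote, which is what makes the setting insecure; in the trusted rows the same header yields the address the balancer actually saw, because only hops attributable to known proxies are skipped. Listing the balancer's address as a trusted proxy rather than enabling `insecure` is what ties the header to the peer that is allowed to set it.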