Forward Real Traefik IP and Header Logs

Hello,
I've seen several posts about forwarding the real client IP, but I have a couple of questions that I haven't found answers to.
I should note up front that with forwardedHeaders:insecure:true I can see the real IP in the Traefik logs and also in the application, whereas with proxyprotocol:insecure:true I see nothing.

Question 1:
Traefik logs the internal IP of the balancer in front of it (pfSense) as ClientAddr and the real IP as ClientHost, and it transmits 3 IPs to the application (Apache), as seen below:

Traefik log:

{
    "ClientAddr": "10.XX.XX.2:6114", <== Load Balancer IP
    "ClientHost": "104.28.XX.XX", <== Real Client IP
    "ClientPort": "6114",
    "ClientUsername": "-",
    "DownstreamContentSize": 362,
    "DownstreamStatus": 302,
    "Duration": 435760465,
    "OriginContentSize": 362,
    "OriginDuration": 435653261,
    "OriginStatus": 302,
    "Overhead": 107204,
    "RequestAddr": "<XY.company.it",
    "RequestContentSize": 0,
    "RequestCount": 404,
    "RequestHost": "XY.company.it",
    "RequestMethod": "GET",
    "RequestPath": "/",
    "RequestPort": "-",
    "RequestProtocol": "HTTP/1.1",
    "RequestScheme": "https",
    "RetryAttempts": 0,
    "RouterName": "snipe-it@docker",
    "ServiceAddr": "172.XX.XX.8:443", <== internal service IP
    "ServiceName": "snipe-it@docker",
    "ServiceURL": {
        "Scheme": "https",
        "Opaque": "",
        "User": null,
        "Host": "172.XX.XX.8:443", <== internal service IP
        "Path": "",
        "RawPath": "",
        "OmitHost": false,
        "ForceQuery": false,
        "RawQuery": "",
        "Fragment": "",
        "RawFragment": ""
    },
    "StartLocal": "2024-04-04T10:38:34.097254424Z",
    "StartUTC": "2024-04-04T10:38:34.097254424Z",
    "TLSCipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLSVersion": "1.2",
    "entryPointName": "websecure",
    "level": "info",
    "msg": "",
    "time": "2024-04-04T10:38:34Z"
}

Apache Log:

172.XX.XX.5 - - [04/Apr/2024:10:38:35 +0000] "GET /login/saml HTTP/1.1" 302 - "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.3.1 Mobile/15E148 Safari/604.1" "104.28.XX.XX, 10.XX.XX.2"

If I wanted to whitelist IPs or networks at the Traefik router/service level, which one does it work on: ClientAddr or ClientHost?

Question 2:

What exactly does forwardedHeaders do? Why is insecure=true used? Is it really insecure? What do I risk?

Question 3:
Do I have any way to restrict Traefik to only log the real IP, without the balancer IP in front of it?

Question 4:
Do I have a way to transmit only the real IP to the applications as the contact IP, instead of transmitting 3 IPs?

Question 5:
Do I have a way to enable a geolocation check so that the log shows me the country string next to the client host, without using external plugins?

Question 6:
Do I have a way to put an ACL by country instead of by source IP?

Question 7:
In the Traefik access logs, can I include more info, for example device and app details as seen in Apache?

thanks

Internet networking basics:

A TCP connection will always have a source and destination, which will always be the IPs of the machines. If you want to know the IPs of previous machines, you need a workaround.

On the TCP level there is ProxyProtocol, which adds the original IP to the data stream before the real data. This needs to be enabled on the sender side (load balancer) and the receiver side (Traefik). It can also be enabled between Traefik and the target service.

On the HTTP level, you can just use the HTTP headers. Regular target services will accept X-Forwarded-* headers and work with those.

X-Forwarded-For might contain multiple IPs chained if the request has multiple http hops. X-Real-Ip usually just has the first client IP (browser).


Geolocation always needs an external service via middleware/plugin.

You can enable Traefik access log in JSON format for a wealth of information.
