Hi, I have nginx terminating SSL and forwarding to Traefik in a k3s cluster. Traefik is overwriting the X-Forwarded-* headers and passing on X-Forwarded-Proto: http instead of passing this through from nginx.
How do I set forwardedHeaders.insecure to true using the k3s Helm chart that's installed by default? Apologies if this should be asked over at Rancher, but I thought I would start here first.
I have created a trafik-config.yaml file in /var/lib/rancher/k3s/server/manifests/ with
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    entryPoints:
      web:
        address: ":80"
        forwardedHeaders:
          insecure: true
This appears to be picked up, and the helm-install-traefik pod is detecting the change in config and restarting, but I never get the forwarded headers from nginx.
Any help would be appreciated.
This is the applied config, but I am still not getting the forwarded headers from the upstream nginx:
additionalArguments: []
additionalVolumeMounts: []
affinity: {}
autoscaling:
  enabled: false
deployment:
  additionalContainers: []
  additionalVolumes: []
  annotations: {}
  enabled: true
  imagePullSecrets: []
  initContainers: []
  kind: Deployment
  labels: {}
  podAnnotations: {}
  podLabels: {}
  replicas: 1
entryPoints:
  web:
    forwardedHeaders:
      insecure: true
env: []
envFrom: []
experimental:
  kubernetesGateway:
    appLabelSelector: traefik
    certificates: []
    enabled: false
  plugins:
    enabled: false
forwardedHeaders:
  enabled: true
  insecure: true
  trustedIPs:
  - 192.168.1.0/16
global:
  systemDefaultRegistry: 0
globalArguments:
- --global.checknewversion
- --global.sendanonymoususage
hostNetwork: false
image:
  name: rancher/library-traefik
  pullPolicy: IfNotPresent
  tag: ""
ingressClass:
  enabled: false
  isDefaultClass: false
ingressRoute:
  dashboard:
    annotations: {}
    enabled: true
    labels: {}
logs:
  access:
    enabled: false
    fields:
      general:
        defaultmode: keep
        names: {}
      headers:
        defaultmode: drop
        names: {}
    filters: {}
  general:
    level: ERROR
nodeSelector: {}
persistence:
  accessMode: ReadWriteOnce
  annotations: {}
  enabled: false
  name: data
  path: /data
  size: 128Mi
pilot:
  enabled: false
  token: ""
podAnnotations:
  prometheus.io/port: "8082"
  prometheus.io/scrape: "true"
podDisruptionBudget:
  enabled: false
podSecurityContext:
  fsGroup: 65532
podSecurityPolicy:
  enabled: false
ports:
  traefik:
    expose: false
    exposedPort: 9000
    port: 9000
    protocol: TCP
  web:
    expose: true
    exposedPort: 80
    forwardedHeaders:
      insecure: true
    port: 8000
    protocol: TCP
  websecure:
    expose: true
    exposedPort: 443
    forwardedHeaders:
      insecure: true
    port: 8443
    protocol: TCP
    tls:
      certResolver: ""
      domains: []
      enabled: true
      options: ""
priorityClassName: system-cluster-critical
providers:
  kubernetesCRD:
    enabled: true
    namespaces: []
  kubernetesIngress:
    enabled: true
    namespaces: []
    publishedService:
      enabled: true
rbac:
  enabled: true
  namespaced: false
resources: {}
rollingUpdate:
  maxSurge: 1
  maxUnavailable: 1
securityContext:
  capabilities:
    drop:
    - ALL
  readOnlyRootFilesystem: true
  runAsGroup: 65532
  runAsNonRoot: true
  runAsUser: 65532
service:
  annotations: {}
  enabled: true
  externalIPs: []
  labels: {}
  loadBalancerSourceRanges: []
  spec: {}
  type: LoadBalancer
serviceAccount:
  name: ""
serviceAccountAnnotations: {}
ssl:
  enabled: true
  permanentRedirect: false
  tlsOptions: {}
tolerations:
- key: CriticalAddonsOnly
  operator: Exists
- effect: NoSchedule
  key: node-role.kubernetes.io/control-plane
  operator: Exists
- effect: NoSchedule
  key: node-role.kubernetes.io/master
  operator: Exists
volumes: []
I am having the same issue. Maybe there's something missing. All requests come from 10.42.0.1, which I think is the host IP of the single node (also the control plane) in the k3s Kubernetes deployment.
You may already have solved this. I'm just going to share my solution for closure.
All of the important bits are in additionalArguments. It seems it does not work if it's in the ports section of the YAML.
# helm upgrade --namespace=traefik --values=traefik/traefik-values.yaml traefik traefik/traefik
image:
  name: traefik
  pullPolicy: Always
  tag: v2.5.3
pilot:
  enabled: false
ports:
  web:
    port: 8000
    expose: true
    exposedPort: 80
    protocol: TCP
    tls:
      passthrough: true
      enabled: false
  websecure:
    port: 8443
    expose: true
    exposedPort: 443
    protocol: TCP
    tls:
      passthrough: true
      enabled: false
additionalArguments:
  - "--entryPoints.web.forwardedHeaders.insecure"
  - "--entrypoints.websecure.forwardedHeaders.insecure"
  - "--entryPoints.web.proxyProtocol.insecure"
  - "--entryPoints.websecure.proxyProtocol.insecure"
  - "--log.level=error"
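An added example, not posted by anyone in this thread: the same additionalArguments approach that worked in the answer above, but written as the k3s HelmChartConfig the original poster was using, with the `insecure` flags shown commented out next to a `trustedIPs` variant. `forwardedHeaders.insecure` makes Traefik honour X-Forwarded-For, X-Forwarded-Proto and X-Forwarded-Host from any TCP peer, so anything that can reach the entrypoint directly (not only nginx) can spoof a client IP or claim the request came over HTTPS. `trustedIPs` limits that trust to the listed addresses. The CIDRs below are placeholders: the list has to contain the source address Traefik actually sees, which on the single-node k3s setup described in this thread was reported as 10.42.0.1 rather than the nginx host's LAN address, so a LAN range alone would not match. The access-log settings are included only so you can read that address and the headers off a test request.

```yaml
# /var/lib/rancher/k3s/server/manifests/traefik-config.yaml
# Added example (not from the thread). Feeds the Traefik chart bundled with k3s.
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    additionalArguments:
      # Weak form (what the answer above used): trust X-Forwarded-* from ANY peer.
      # - "--entryPoints.web.forwardedHeaders.insecure"
      # - "--entryPoints.websecure.forwardedHeaders.insecure"

      # Hardened form: keep X-Forwarded-* only when the TCP peer is in this list.
      # 10.42.0.1 is the address this thread reports Traefik seeing for all
      # requests on single-node k3s; 192.168.1.10 is a placeholder for the
      # nginx host. Replace both with what your access log shows as ClientAddr.
      - "--entryPoints.web.forwardedHeaders.trustedIPs=10.42.0.1/32,192.168.1.10/32"
      - "--entryPoints.websecure.forwardedHeaders.trustedIPs=10.42.0.1/32,192.168.1.10/32"

    # Temporarily log request headers so the peer address and the received
    # X-Forwarded-Proto can be checked; same keys as in the values dump above.
    logs:
      general:
        level: ERROR
      access:
        enabled: true
        fields:
          headers:
            defaultmode: keep
```

No helm command is needed: as the original poster observed, k3s watches the manifests directory and reruns the helm-install-traefik job when the file changes. Send a request through nginx, find it in the Traefik pod's access log, and confirm that ClientAddr matches one of the trusted entries and that X-Forwarded-Proto is the value nginx set; then switch `headers.defaultmode` back to `drop`. The `proxyProtocol.insecure` flags from the answer are a separate setting for the PROXY protocol and are left out here; they only matter if nginx is configured to send PROXY protocol headers.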