How to get the remote real IP?

I have a k3s cluster with Traefik. I deployed the whoami app and do not get my real IP.

Hostname: whoami-55dd44b4d9-m2fhm
IP: 127.0.0.1
IP: ::1
IP: 10.42.0.57
IP: fe80::d482:1ff:feb6:cbc0
RemoteAddr: 10.42.4.59:40024
GET / HTTP/1.1
Host: whoami.cluster.example.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:141.0) Gecko/20100101 Firefox/141.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: de,es-AR;q=0.8,pl;q=0.6,tr;q=0.4,en;q=0.2
Cookie: d116ad49ccc4b322d40771510fbf595e=ef3b4f65bfb02d9dac250556798a28b1
Priority: u=0, i
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 10.42.0.0
X-Forwarded-Host: whoami.example org
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: traefik-854cc995fb-7cdgm
X-Real-Ip: 10.42.0.0

The X-Real-IP is a cluster-internal address, and it is a network address (e.g. zero value as fourth byte → 10.42.0.0).

  • My traefik-xxxxxxxxx-nnnnn pod has the IP 10.42.4.59
  • The traefik-service has the IP 10.43.71.34
  • The traefik-endpoint is listed with the IP 10.42.4.59
  • There is a whoami-endpoint with the IP 10.42.0.57
  • My real real client IP is 192.168.3.43

It may be that there is partial IP address masking active. I found PR #2853, which presents a feature for masking the last byte of an IPv4 address for access_log, but I did not analyse it further.

The documentation states that the proxy headers are added automatically, and indeed they are, but they do not have the expected values. Is there a host in front of the ingress which is hiding the real real IP? How can I achieve the real real IP?

Here is my deployment definition (from First deploy - K3S Rocks)

apiVersion: apps/v1
kind: Deployment
metadata:
  name: whoami
spec:
  selector:
    matchLabels:
      app: whoami
  replicas: 1
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
        - name: whoami
          image: traefik/whoami:latest
          ports:
            - containerPort: 80

Here is my service definition (also from First deploy - K3S Rocks)

apiVersion: v1
kind: Service
metadata:
  name: whoami
spec:
  type: ClusterIP
  ports:
    - port: 5678
      targetPort: 80
  selector:
    app: whoami

Here is my ingress definition (also from First deploy - K3S Rocks)

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: whoami-tls-ingress
  annotations:
    spec.ingressClassName: traefik
    cert-manager.io/cluster-issuer: letsencrypt-prod
    traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
spec:
  rules:
    - host: whoami.example.org
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: whoami
                port:
                  number: 5678
  tls:
    - secretName: whoami-tls
      hosts:
        - whoami.example.org

I changed the URL of the host – that's all.
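
Added example, not part of the original post: a small Python check that reads whoami output like the dump above and reports whether the address Traefik recorded as the client is cluster-internal. The ranges are assumptions (k3s defaults of 10.42.0.0/16 for pods, 10.43.0.0/16 for services and one /24 per node, none of which the post states), and the function names are made up for this example.

```python
import ipaddress

# Assumed k3s defaults (not stated in the post): pod CIDR, service CIDR, per-node /24.
POD_CIDR = ipaddress.ip_network("10.42.0.0/16")
SVC_CIDR = ipaddress.ip_network("10.43.0.0/16")
NODE_PREFIX = 24

# Subset of the whoami output quoted in the post above.
SAMPLE = """\
RemoteAddr: 10.42.4.59:40024
GET / HTTP/1.1
Host: whoami.cluster.example.org
X-Forwarded-For: 10.42.0.0
X-Forwarded-Server: traefik-854cc995fb-7cdgm
X-Real-Ip: 10.42.0.0
"""

def parse_whoami(text):
    """Return {lower-cased field name: value} for 'Name: value' lines."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(": ")
        if sep and " " not in name:          # skips the request line
            fields[name.lower()] = value.strip()
    return fields

def classify(addr):
    """Say where an address lives and whether it is the base of a node pod subnet."""
    ip = ipaddress.ip_address(addr)
    if ip in POD_CIDR:
        node_net = ipaddress.ip_network(f"{ip}/{NODE_PREFIX}", strict=False)
        return "pod-network-base" if ip == node_net.network_address else "pod"
    if ip in SVC_CIDR:
        return "service"
    return "private-external" if ip.is_private else "public"

def diagnose(text):
    """Classify the last hop and the client address the proxy recorded."""
    f = parse_whoami(text)
    # The first X-Forwarded-For entry is the client as seen by the first proxy.
    first_xff = f.get("x-forwarded-for", "").split(",")[0].strip()
    hop = f["remoteaddr"].rsplit(":", 1)[0]  # IPv4 host:port only
    report = {"proxy_hop": classify(hop),
              "client_seen": classify(first_xff) if first_xff else "missing"}
    # A cluster-internal "client" means the source was rewritten before the proxy.
    report["client_ip_preserved"] = report["client_seen"] in ("private-external", "public")
    return report
```

When `client_ip_preserved` is false, IP allowlists, rate limits and access logs keyed on X-Forwarded-For or X-Real-Ip at the ingress all see the rewritten address instead of the client.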