How to get Traefix to pass the Real Remote IP to the pod

Traefik Traefik v2
1

I have the Traefik in Kubernetes (LoadBalance Type) with ingressRoute to whoami depoyment running.
The issue I have now is the the Remote IP of the PC is not reported.

How do I get the traefik to report the Remote Machine IP?

All this works if I use the ingress-nginx Ingress Controller.

  1. the RemoteAddr IP belongs to traefik pod.
  2. the IP: 10.42.0.229 belongs to the whoami pod.
  3. X-Real-Ip: 192.168.88.70 belongs to the Kubernetes Node IP.
Hostname: whoami-deployment-85bfbd48f-zvghl
IP: 127.0.0.1
IP: 10.42.0.229
RemoteAddr: 10.42.0.231:38426
GET / HTTP/1.1
Host: testweb.company.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Edg/99.0.1150.39
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 192.168.88.70
X-Forwarded-Host: testweb.company.com
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: traefik-694b5bd776-vkvv9
X-Real-Ip: 192.168.88.70
2

Would you please configure trusted headers as it is explained in our documentation:

Additionally, in regards to the Loadbalancer type in order to preserve the client IP address the following configuration should be also implemented:

1 Like
3

I have tried that, May be my setup is different. I am using kube-vip as my cloud provider loadbalancer. This does not do the http/https termination.

Can I say that if the http/https is not terminated at the external "load balancer", I am not be able to forward any headers.

4

YEAH, MAN! THANK YOU!

I don't know how I've been missing it, but setting the externalTrafficPolicy to "Local" was exactly what I was missing!

Made an account just to thank you. You made my day! :smile: :tada:

5

Hi,

I am also trying to preserve the http headers x-forwarded-* and x-real-ip to know the IP address of my visitors. I have enabled all possible features at the level of my Helm charts without success. This has been going on for several months. Traefik is my default Ingress Controller, I am currently on v2.9.6.

I have enabled the "forwardedHeaders" and "proxyProtocol" in insecure mode.
Here are the options enabled:
--entrypoints.web.forwardedHeaders.insecure
--entrypoints.web.proxyProtocol.insecure
--entrypoints.websecure.forwardedHeaders.insecure
--entrypoints.websecure.proxyProtocol.insecure

Traefik is in LoadBalancer mode with the 3 IPs of my nodes.

With or without websecure redirection, whoami always returns the same IP address.
Here is the return:

Hostname: whoami-658fc5c6bc-zzfvj
IP: 127.0.0.1
IP: ::1
IP: 172.16.126.60
IP: fe80::fca5:54ff:fe6e:3c69
RemoteAddr: 172.16.194.90:56920
GET / HTTP/1.1
Host: whoami.example.fr
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.54
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: fr,fr-FR;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 172.16.235.192
X-Forwarded-Host: whoami.example.fr
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: traefik-b95c7bb9d-pc7l2
X-Real-Ip: 172.16.235.192

As mentioned by @jakubhajek, I configured the externalTrafficPolicy parameter (tested in Cluster and Local) via the Helm charts but this did not solve the problem. However I don't understand why you need to add an authentication delegation middleware (forwardAuth).

I still don't understand what this is due to. I have followed the documentation carefully. I am on a freshly installed Kubernetes cluster, I have not set up any firewall rules.

PS: trying another approach, I also tried to install the GitHub - soulbalz/traefik-real-ip: When traefik is deployed behind a load balancer, it should get the real IP from the X-Forwarded-For or Cf-Connecting-Ip (if from Cloudflare) header. plugin but that didn't work either. On whoami, I get the following headers:

X-Forwarded-For: , 172.16.235.192 (a comma is added)
X-Real-Ip: (no value)

6

@yaya did you ever get this working? I'm having the same issue.

7

I never managed to get that working. I gave up on that idea several months ago :frowning: