I am running Traefik v2.1.6 in Kubernetes.
What I am trying to achieve is a IpWhiteList middleware configuration that results in ONLY internal IPs AND our external, commercial WAF being able to directly hit the ingress. I had initially thought that I could white list the internal IPs and the IP ranges of the WAF.
As a test scenario I have the setup a local Nginx docker container to proxy all requests to Traefik. This seems to be working as I'm getting the correct results back. However what I'm not seeing is multiple IPs in the HTTP_X_FORWARDED_FOR header. My understanding is that this is what the IPWhiteList middleware uses to determine the client ip.
I have tried to turn on, for testing only, insecure forwarded headers but I still am not seeing the chain of IPs in the HTTP_X_FORWARDED_FOR header.
For a request made to the local nginx container I would have expected to see something like:
HTTP_X_FORWARDED_FOR: , but all I'm seeing is the ip address of the K8s worker node.
Here is the relevant portion of the Nginx config:
server {
listen 8081;
location / {
proxy_pass https://<traefik proxied service>;
proxy_redirect off;
proxy_set_header Host '<traefik proxied service host>';
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
}
Thanks!