Hey guys, I noticed that when there is 1 IP address in the
X-Forwarded-For header and I am using the
ipStrategy.depth=1 setting, it will always return an
empty IP address. This results in me getting a forbidden because the
empty IP address is not in the IP whitelist source range.
My setup is fairly simple, I am using traefik to forward my requests to the containious/whoami docker container. This docker container will show the request headers that it received from traefik.
ipWhitelist middleware I put
"0.0.0.0/0 to white list all IPv4 addresses and
0000:0000::/0 to whitelist all IPv6 addresses.
When I access traefik directly (meaning no tunnels in between and I am inside the same network) I only have 1 IP address in the
When I have 1 IP in the
X-Forwarded-For header and I set the
excludedIPs or the
depth=1 setting, I get a 403 forbidden response. I am expecting a 200 response instead.
known-ips-internal: ipWhiteList: sourceRange: - "0.0.0.0/0" # Whitelisting ipv4 for testing - "0000:0000::/0" # Whitelisting all ipv6 for testing ipStrategy: excludedIPs: - 172.16.0.0/12 # depth: 1 # this setting has the same behavior if enabled
time="2023-02-09T22:32:04-08:00" level=debug msg="Rejecting IP : empty IP address" middlewareName=known-ips-internal@file middlewareType=IPWhiteLister
[Behaving as expected] Accessing Traefik via cloudflare tunnel - 2 IP addresses in X-Forwarded-For header
When I accessing via the cloudflare tunnel I have 2 IPs in the X-Forwarded-For header. It will look like this:
X-Forwarded-For: <public IP>, <cloudflared container IP>. When I use the
excludedIPs setting it will select the correct IP address which is the public IP address.
X-Forwarded-For: 111.222.333.444, 172.22.0.123
known-ips-internal: ipWhiteList: sourceRange: - "0.0.0.0/0" # Whitelisting ipv4 for testing - "0000:0000::/0" # Whitelisting all ipv6 for testing ipStrategy: excludedIPs: - 172.16.0.0/12
time="2023-02-09T22:27:15-08:00" level=debug msg="Accepting IP 111.222.333.444" middlewareName=known-ips-internal@file middlewareType=IPWhiteLister
For the scenario I listed above when I have 1 IP address in the
X-Forwarded-For header and I am using a different
excludedIPs, I expect it to use that IP address to evaluate for the IP whitelist.