I'm having the same issue.
I have an nginx RP on the host and Traefik as a Docker container, with a middleware configured to allow 192.168.0.0/16 and an excludedIPs of 172.20.0.1.
Nginx forwards the requests to Traefik (and adds the X-Forwarded-For and X-Real-IP headers),
but the middleware rejects the request
even though the header is already in the request.
tcpdump on the Docker interface:
172.20.0.1.55706 > 172.20.0.6.http: Flags [P.], cksum 0x6421 (incorrect -> 0x09bc), seq 1:3020, ack 1, win 502, options [nop,nop,TS val 1888465225 ecr 593107050], length 3019: HTTP, length: 3019
GET /jenkins HTTP/1.0
Host: *******
X-Real-IP: 192.168.0.2
X-Forwarded-For: 192.168.0.2
X-Forwarded-Proto: http
X-Forwarded-Login: *********
X-Forwarded-Name: ********
X-Forwarded-User: **********
Connection: close
If I disable the ipStrategy I get the Docker IP as remoteAddr (172.20.0.1), which is not whitelisted.
I also saw this in the middleware doc:
As a middleware, whitelisting happens before the actual proxying to the backend takes place. In addition, the previous network hop only gets appended to X-Forwarded-For during the last stages of proxying, i.e. after it has already passed through whitelisting. Therefore, during whitelisting, as the previous network hop is not yet present in X-Forwarded-For, it cannot be matched against sourceRange.
Not sure if I understand the bold part.
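
A simplified model of the address selection discussed in this post, as an added example that is not part of the original post and is not Traefik's own code. It shows which address gets compared with sourceRange when excludedIPs is unset (the TCP peer) and when it is set (the right-most X-Forwarded-For entry that is not excluded). The function names, the IPv4-only handling, and the extra header values used for checking are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// inAny reports whether ip is covered by any entry (CIDR or bare IPv4 address).
func inAny(ip net.IP, ranges []string) bool {
	for _, r := range ranges {
		if !strings.Contains(r, "/") {
			r += "/32" // assumption: treat a bare IPv4 address as a single-host range
		}
		if _, n, err := net.ParseCIDR(r); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// clientIP picks the address to test. Without excludedIPs it is the TCP peer;
// with excludedIPs it is the right-most X-Forwarded-For entry not excluded.
func clientIP(peer, xff string, excluded []string) net.IP {
	if len(excluded) == 0 {
		return net.ParseIP(peer)
	}
	parts := strings.Split(xff, ",")
	for i := len(parts) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(parts[i]))
		if ip != nil && !inAny(ip, excluded) {
			return ip
		}
	}
	return nil // header absent, or every entry excluded
}

// allowed applies sourceRange to the selected address.
func allowed(peer, xff string, excluded, sourceRange []string) bool {
	ip := clientIP(peer, xff, excluded)
	return ip != nil && inAny(ip, sourceRange)
}

func main() {
	src, exc := []string{"192.168.0.0/16"}, []string{"172.20.0.1"}
	fmt.Println(allowed("172.20.0.1", "192.168.0.2", nil, src)) // peer address is tested
	fmt.Println(allowed("172.20.0.1", "192.168.0.2", exc, src)) // header entry is tested
	fmt.Println(allowed("172.20.0.1", "", exc, src))            // no header, nothing to test
}
```

In this model the Docker bridge address is never compared with sourceRange once it is listed in excludedIPs, so the outcome depends entirely on what X-Forwarded-For contains when the middleware evaluates the request.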