Issues with Real Client IP in Traefik

Hello Traefik Community,

I am currently setting up Traefik as a reverse proxy for my phpBB forum running on an Apache server. I have encountered two issues that I need assistance with:

  1. Real Client IP Address: Despite configuring the middleware to forward the real IP addresses, the access logs on my phpBB container still show the Traefik IP address (10.0.1.100). Below are the relevant parts of my configuration:
    websites-conf.yml:
http:
  routers:
    to-website:
      rule: "Host(`website.net`)"
      service: website-svc
      entryPoints:
        - "websecure"
      middlewares:
        - "cloudflarewarp"
      tls:
        certResolver: "mycloudflare"

  services:
    website-svc:
      loadBalancer:
        serversTransport: insecure
        servers:
          - url: "https://website:8443"

  serversTransports:
    insecure:
      insecureSkipVerify: true

traefik.yml:

experimental:
  plugins:
    cloudflarewarp:
      modulename: github.com/BetterCorp/cloudflarewarp
      version: v1.3.3

metrics:
  prometheus:
    entryPoint: metrics
    buckets:
      - 0.1
      - 0.3
      - 1.2
      - 5.0

accessLog:
  filePath: "/var/log/traefik/access.log"
  format: "json"
  bufferingSize: 100

log:
  level: INFO

api:
  dashboard: true
  insecure: false

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    directory: "/etc/traefik"
    watch: true

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true

  websecure:
    address: ":443"
    http:
      tls:
        certResolver: mycloudflare
    asDefault: true

  minecraft:
    address: ":19132/udp"

  metrics:
    address: ":8082"

certificatesResolvers:
  letsencrypt:
    acme:
      email: "dummy"
      storage: "/letsencrypt/acme.json"
      httpChallenge:
        entryPoint: "web"

  mycloudflare:
    acme:
      email: "dummy"
      storage: "/letsencrypt/acme.json"
      dnsChallenge:
        provider: cloudflare

docker-compose.yml:

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    ports:
      - "80:80" # http
      - "443:443" # ssl
      - "8080:8080" # dashboard
      - "3306:3306" # mariadb
      - "19132:19132/udp" # minecraft
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/letsencrypt:/letsencrypt
      - /home/artem/docker-data/traefik/.htpasswd:/etc/traefik/.htpasswd:ro
      - /home/artem/docker-data/traefik:/etc/traefik
      - /home/artem/docker-data/traefik/traefik.yml:/etc/traefik/traefik.yml:ro
      - /home/artem/docker-data/traefik/access.log:/var/log/traefik/access.log
    networks:
      web:
        ipv4_address: 10.0.1.100
    restart: unless-stopped
  website:
    image: bitnami/phpbb:latest
    container_name: website
    environment:
      PHPBB_DATABASE_HOST: mariadb
      PHPBB_DATABASE_USER: dummy
      PHPBB_DATABASE_PASSWORD: dummy
      PHPBB_DATABASE_NAME: dummy
      PHPBB_HOST: dummy.net
      PHPBB_SKIP_BOOTSTRAP: yes
    volumes:
      - /home/artem/docker-data/websites/phpbb_hozdvoriki:/bitnami/phpbb
    networks:
      web:
        ipv4_address: 10.0.1.16
networks:
  web:
    name: web
    external: true

However, the IP addresses logged are still the Traefik IP.

10.0.1.100 - - [28/May/2024:23:15:39 +0000] "GET /posting.php?mode=quote&f=94&p=16144&sid=c2a09e466fb4fa957ea86d65193b54c2 HTTP/1.1" 200 4353
10.0.1.100 - - [28/May/2024:23:15:38 +0000] "GET /mcp.php?f=128&t=1909&start=0&quickmod=1&redirect=.%2Fviewtopic.php%3Ft%3D1909%26sid%3D1ec35722d3e6723fcfa301e715d63731&action=topic_logs&sid=1ec35722d3e6723fcfa301e715d63731 HTTP/1.1" 200 4399
10.0.1.100 - - [28/May/2024:23:15:36 +0000] "GET /mcp.php?i=main&mode=post_details&f=128&p=10363&sid=1edc149431fc1110de1444f63822aa65 HTTP/1.1" 200 4361
10.0.1.100 - - [28/May/2024:23:15:34 +0000] "GET /posting.php?mode=quote&p=25568&sid=e8de7c6116e13d3df4916f08dd1ce011 HTTP/1.1" 200 4342
10.0.1.100 - - [28/May/2024:23:15:32 +0000] "GET /posting.php?mode=quote&f=119&p=4716&sid=6ced6240c88daea328517470f90b3800 HTTP/1.1" 200 4350

  2. HTTP/2 Support: All requests seem to be handled using HTTP/1.1 instead of HTTP/2.

  3. Cloudflare Warp Middleware: I have created a custom middleware to forward the real IP addresses from Cloudflare Warp. The middleware is enabled in the router configuration, but the IP addresses are still not being forwarded. I am probably doing something wrong on the Cloudflare side.

I would appreciate any guidance on how to resolve these issues. If there are additional configurations or steps that I might have missed, please let me know.

Thank you for your help!

Best regards,
Artem Stepanov

Traefik will forward the "real IP" as header metadata in every forwarded HTTP request. (Or with ProxyProtocol if you configured it.)

So the target service needs to read/use the IP address from the header, not from the TCP connection, which will always come from a Docker IP.

Traefik has a disablehttp2 option (doc), which is false by default, so it should be able to send requests with HTTP/2.


Thank you! Sounds reasonable. I realized that the problems were in the containers themselves. Specifically, with the Apache server, which did not serve the mod_remoteip module.
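The point made in the reply above, that the backend has to take the client address from the forwarded header instead of the TCP peer, as an added Python example (not code from the thread, from Traefik or from Apache). It models the trusted-proxy rule that mod_remoteip-style modules apply: the header is honoured only when the connection comes from a known proxy. The function names, the 198.51.100.0/24 range and the sample addresses are constructed; 10.0.1.100 is the Traefik address from the thread.

```python
import ipaddress

# Assumption: only these peers may supply X-Forwarded-For. 10.0.1.100 is the
# Traefik container from the thread; 198.51.100.0/24 is a constructed stand-in
# for the address range of an upstream CDN edge.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("10.0.1.100/32", "198.51.100.0/24")]


def is_trusted(addr):
    """True when addr belongs to a proxy we operate or explicitly trust."""
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_client_ip(peer_ip, x_forwarded_for=None):
    """Return the address the backend should log and apply limits to."""
    peer = ipaddress.ip_address(peer_ip)
    # Connection not from a trusted proxy: the header is client-controlled,
    # so it is ignored and the TCP peer is used.
    if not is_trusted(peer) or not x_forwarded_for:
        return str(peer)
    client = peer
    # Walk the hops right to left. The rightmost entry was appended by the
    # proxy that connected to us; stop at the first address we do not trust.
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        client = addr
        if not is_trusted(addr):
            break
    return str(client)


if __name__ == "__main__":
    # Constructed samples: (TCP peer, X-Forwarded-For header value)
    samples = [
        ("10.0.1.100", "203.0.113.7"),                               # via Traefik
        ("10.0.1.100", "192.0.2.1, 203.0.113.7, 198.51.100.20"),     # spoofed first hop
        ("10.0.1.50", "203.0.113.7"),                                # direct, untrusted peer
    ]
    for peer, xff in samples:
        print(f"{peer:<12} {xff:<45} -> {resolve_client_ip(peer, xff)}")
```

Anything the client puts in the header ends up to the left of the first untrusted hop and is never used, which is why the walk starts from the right.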
