Hi, I'm assuming I've made a massive mistake with my Traefik Kubernetes config because I'm having a cavalcade of issues with it. I'll go through them one by one.
Content-Length & Content-Type stripped from request:
Some requests from a certain provider get their Content-Length and Content-Type headers stripped from the request, invalidating the request body, meaning Traefik never sends the body. I have no idea what caused this, but it has never worked properly for certain requests. Doing it via curl works fine, but using Insomnia/Postman for example never works correctly (weird, since Insomnia uses libcurl to send requests).
Headers such as X-Forwarded-For and X-Source-IP are never correctly populated
This is exactly what it says on the tin: the only IP I ever get in these headers is the Kubernetes cluster gateway IP, and nothing else, even if I have trust headers & proxy protocol set to insecure, or, in my current case, set to the following (my network gateway being 192.168.1.1):

```yaml
forwardedHeaders:
  trustedIPs:
    - 192.168.0.0/16
    - 10.0.0.0/8
proxyProtocol:
  trustedIPs:
    - 192.168.0.0/16
    - 10.0.0.0/8
```
Here is the full config as it stands (I'm using Helm and Pulumi to deploy; Pulumi is basically Terraform, for those that don't know):

```yaml
# apiVersion: helm.cattle.io/v1
# kind: HelmChartConfig
# metadata:
#   name: traefik
#   namespace: kube-system
# spec:
#   valuesContent: |-
image:
  registry: docker.io
  repository: traefik
  # tag: v3.6.4
  pullPolicy: Always
env:
  - name: CF_DNS_API_TOKEN
    valueFrom:
      secretKeyRef:
        name: traefik-tokens
        key: cloudflare-token
# log:
#   level: INFO
ports:
  web:
    port: 80
    http:
      redirections:
        port: websecure
        scheme: https
        permanent: true
      middlewares:
        # - crowdsec-crowdsec-bouncer@kubernetescrd
    forwardedHeaders:
      trustedIPs:
        - 10.0.0.0/8
        - 192.168.0.0/16
    proxyProtocol:
      trustedIPs:
        - 10.0.0.0/8
        - 192.168.0.0/16
    transport:
      respondingTimeouts:
        readTimeout: "0s"
  websecure:
    port: 443
    http:
      middlewares:
        # - crowdsec-crowdsec-bouncer@kubernetescrd
    forwardedHeaders:
      trustedIPs:
        - 192.168.0.0/16
        - 10.0.0.0/8
    proxyProtocol:
      trustedIPs:
        - 192.168.0.0/16
        - 10.0.0.0/8
    transport:
      respondingTimeouts:
        readTimeout: "0s"
  gateway:
    port: 8000
  ssh:
    port: 2202
    expose:
      default: true
    exposedPort: 2202
    protocol: TCP
  traefik:
    expose:
      port: 8080
      default: true
ingressRoute:
  dashboard:
    enabled: true
    annotations:
      cert-manager.io/cluster-issuer: cloudflare-issuer
    matchRule: "Host(`traefik.litelot.us`) && PathPrefix(`/`)"
    entryPoints:
      - websecure
    middlewares:
      - name: default-forward-auth
    tls:
      secretName: traefik-dashboard-tls
certificatesResolvers:
  cloudflare:
    acme:
      dnsChallenge:
        provider: cloudflare
experimental:
  plugins:
    headerdump:
      moduleName: "github.com/jaybubs/headerdump"
      version: "v0.2.0"
    requestdump:
      moduleName: "github.com/cookielab/traefik-middleware-request-logger"
      version: "v0.0.7"
    crowdsec-bouncer:
      moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
      version: v1.4.5
providers:
  kubernetesGateway:
    enabled: true
  kubernetesIngress:
    enabled: true
gateway:
  namespacePolicy: All
persistence:
  enabled: true
  name: ssl-certs
  size: 1Gi
  path: /ssl-certs
```
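An added example, not from the post and not Traefik's own code: a small Python model of the trusted-IP rule Traefik documents for `forwardedHeaders` (forwarded headers from an untrusted peer are dropped, then the peer address is appended to X-Forwarded-For and set as X-Real-Ip), run against the posted `trustedIPs` ranges and the 192.168.1.1 gateway. It shows why the backend only ever sees the gateway address when the hop in front of Traefik NATs the connection without adding a header: the client IP is already gone before the trust check runs. The header list, the `insecure` flag and the sample addresses are assumptions.

```python
import ipaddress

# Constructed from the posted config: trusted ranges and the LAN gateway.
TRUSTED_CIDRS = ["192.168.0.0/16", "10.0.0.0/8"]
GATEWAY_IP = "192.168.1.1"

# Forwarded headers that are only honoured from a trusted peer (assumed list).
X_HEADERS = ("X-Forwarded-For", "X-Forwarded-Host", "X-Forwarded-Proto",
             "X-Forwarded-Port", "X-Real-Ip")


def is_trusted(peer_ip, trusted_cidrs):
    """True when the TCP peer falls inside one of the trustedIPs ranges."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in ipaddress.ip_network(c) for c in trusted_cidrs)


def forward_headers(peer_ip, incoming, trusted_cidrs, insecure=False):
    """Model of the headers the backend receives (assumption, not Traefik code).
    Untrusted peer: its forwarded headers are discarded. Then the peer address
    is recorded in X-Real-Ip (if unset) and appended to X-Forwarded-For.
    Header names are assumed to be in canonical form."""
    hdrs = dict(incoming)
    if not insecure and not is_trusted(peer_ip, trusted_cidrs):
        for h in X_HEADERS:
            hdrs.pop(h, None)
    hdrs.setdefault("X-Real-Ip", peer_ip)
    prior = hdrs.get("X-Forwarded-For")
    hdrs["X-Forwarded-For"] = f"{prior}, {peer_ip}" if prior else peer_ip
    return hdrs


def symptom_cases():
    # 1. The gateway NATs the connection but adds no header: Traefik can only
    #    see 192.168.1.1, so no trustedIPs setting can recover the client IP.
    nat_only = forward_headers(GATEWAY_IP, {}, TRUSTED_CIDRS)
    # 2. The gateway is an HTTP proxy that sets X-Forwarded-For itself: the
    #    trusted range lets that value through and the gateway is appended.
    proxied = forward_headers(GATEWAY_IP,
                              {"X-Forwarded-For": "203.0.113.5"}, TRUSTED_CIDRS)
    # 3. A peer outside the trusted ranges presenting its own header: dropped.
    untrusted = forward_headers("198.51.100.7",
                                {"X-Forwarded-For": "203.0.113.9"}, TRUSTED_CIDRS)
    return nat_only, proxied, untrusted


if __name__ == "__main__":
    for label, h in zip(("nat-only", "proxied", "untrusted"), symptom_cases()):
        print(f"{label:10} X-Forwarded-For={h['X-Forwarded-For']!r} "
              f"X-Real-Ip={h['X-Real-Ip']!r}")
```

Case 1 is the symptom described above; the fix lives in the hop that NATs (have it forward the client address, or preserve the source IP into the cluster), not in `trustedIPs`, and the trusted ranges should cover only the hops that really sit in front of Traefik.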