Not getting source IP

(installed in an EKS k8s cluster behind a classic Load Balancer (ELB))
I am testing Traefik as a replacement for our Nginx-ingress and have done:

  1. Installed via helm chart and overrode some defaults:
    helm upgrade --debug --set="additionalArguments={--accesslog=true,--accesslog.fields.defaultmode=keep,--accesslog.fields.headers.defaultmode=keep,--log.level=DEBUG}" traefik traefik/traefik -n traefik

Added in the whoami service with an IngressRoute:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami
  namespace: traefik
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`whoami.YYY.com`)
      kind: Rule
      services:
        - name: whoami
          port: 80

However, when I look at the output of whoami, I only see the IP of the AWS ELB:

Hostname: whoami
IP: 127.0.0.1
IP: 192.168.141.105
RemoteAddr: 192.168.137.83:36394
GET / HTTP/1.1
Host: whoami.YYY.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 192.168.143.223
X-Forwarded-Host: whoami.YYY.com
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: traefik-6c7b99fdfd-w6km8
X-Real-Ip: 192.168.143.223

How do I get the real client/source IPs to show up in Traefik?

Thanks
V

Hello @vsha and thanks for your interest in Traefik.

The X-Forwarded-For header contains the source IP as well as IPs of the different proxies. For security reasons, Traefik doesn't trust this list by default. You can configure the forwardedHeaders options on your entrypoint to explicitly trust your ELB.
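
Added example, not part of the original thread and not Traefik's own code: a simplified Python model of the trust decision described in the reply above, comparing the default, a trustedIPs-style allow list, and insecure mode. The helper names, the 192.168.0.0/16 trusted range and the 203.0.113.7 / 198.51.100.9 addresses are constructed, and it assumes the load balancer sends X-Forwarded-For.

```python
import ipaddress

def is_trusted(ip, trusted_cidrs):
    """True if ip parses and falls inside one of the trusted CIDR ranges."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False  # unparsable entries are never trusted
    return any(addr in ipaddress.ip_network(c) for c in trusted_cidrs)

def outgoing_xff(peer_ip, incoming_xff, trusted_cidrs=(), insecure=False):
    """X-Forwarded-For the backend receives, in a simplified proxy model.

    The incoming header is kept (and the peer appended) only when the peer is
    trusted or trust-everyone mode is on; otherwise it is discarded and only
    the directly connected peer address is forwarded.
    """
    if incoming_xff and (insecure or is_trusted(peer_ip, trusted_cidrs)):
        return f"{incoming_xff}, {peer_ip}"
    return peer_ip

def client_ip(xff, trusted_cidrs):
    """Rightmost hop that is not one of our own proxies; None if there is none."""
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        if not is_trusted(hop, trusted_cidrs):
            return hop
    return None

# Constructed sample values; ELB is the address shown in the whoami output.
ELB, CLIENT, DIRECT = "192.168.143.223", "203.0.113.7", "198.51.100.9"
TRUSTED = ["192.168.0.0/16"]  # assumed range covering the load balancer

def scenarios():
    return {
        # Default: nothing trusted, so the backend sees only the ELB address.
        "default": outgoing_xff(ELB, CLIENT),
        # trustedIPs-style: the ELB is trusted, the client address survives.
        "trusted": outgoing_xff(ELB, CLIENT, TRUSTED),
        # insecure-style: a peer that bypasses the ELB gets its header kept.
        "insecure_direct": outgoing_xff(DIRECT, "192.168.1.1", insecure=True),
        # trustedIPs-style, same peer: its self-supplied header is dropped.
        "trusted_direct": outgoing_xff(DIRECT, "192.168.1.1", TRUSTED),
    }

if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name:16} {value}")
```

The "default" row reproduces the symptom in the question (only the load balancer address is forwarded), and the last two rows show why an allow list of trusted proxies is the narrower setting than trusting every peer.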

Thanks for the reply @jspdown. I thought I had tried that by using

- --entrypoints.web.forwardedheaders.insecure=true
- --entrypoints.websecure.forwardedheaders.insecure=true

but that didn't seem to work either. Am I using the arguments incorrectly?
Thanks
Viren

Went back and looked at my config and realized that I had incorrect indentation that caused the insecure header arguments not to be applied. Sorry about that and thanks for the help.
