Printing ProxyProtocol header in access logs and changing Traefik's IP to the client IP


In my set-up, traefik is running behind another tcp proxy (e.g. nginx) and behind traefik multiple tcp or http based servers (as containers) are running.

This works generally fine, but I struggle with two use cases:

  1. The tcp proxy in front of traefik enables the Proxy Protocol to ship the actual client IP. I want to print this information in the traefik access logs. By setting the "insecure" parameter in the proxy protocol section of the entry point to true, I achieved that the "ClientAddress" field in the access logs is overwritten with the IP shipped via the proxy protocol. However, this is not really what I would like to achieve. I would like to see the actual client ip (the proxy protocol data) in addition to the ip of the proxy, which forwards the communication to my traefik instance. I've tried setting different potential header names to "keep" in the access log configuration, but couldn't find any working approach. Can anybody help me on this?
  2. In my containerized applications, which are running behind traefik, the client IP of the request maps to the IP of traefik. I understand that I can find the ip of the connecting client in the X-Real-IP header (if it's an http connection) or I could also activate the proxy protocol in traefik itself (if it is for a tcp connection). However, I'm wondering if there isn't an option that traefik sets its own ip to the ip of the client connecting to it (like other proxies can do). So any confirmation if this is actually not possible or if I just didn't find the right documentation for this would be highly appreciated.

Thanks for any support!

  1. If you want to use ProxyProtocol and not insecure, then you need to set the trusted IPs (of the proxy before Traefik).

  2. You can only use ProxyProtocol or HTTP headers for the original request IP. You can’t fake a TCP address within your network.
    (It might work with hacky tools, but that’s not the way to go for regular IT infrastructure.)

Thanks a lot for confirming point 2 for me, so I will no longer search for options :slight_smile:

About the first topic:
I cannot set trusted IPs, since in my very special set-up I will have an unknown number of client proxies with even changing IPs. So setting insecure to true is the only option for me. But anyhow, when doing this, it results in traefik changing the ClientAddress field in the access logs to the value shipped in the proxy protocol, thereby overwriting the IP of the client proxy. This is not what I would like to achieve. I would like to print the IP in the proxy protocol in addition to the ClientAddress, as this shall stick with the IP of my client tcp proxy. Is it somehow understandable what I'm trying to achieve? :sweat_smile:

Someone already created a feature request for this (link) :smile:

Hm I think this is not really what I'm looking for. I don't need it to be added to http header (since this wouldn't work then anymore for non http connections). I just want the information in the access logs. But I guess this is not supported then as of now. So maybe I should also create a feature request for that?

Access log in CLF has a fixed format. Have you checked the JSON format?

Yes I did. This is my logging configuration. I was not able to find a header name that I could explicitly configure to "keep". But my understanding is that setting defaultMode to keep should show all available headers in the log line.

    level: INFO  
    enabled: true 
    format: json
        defaultMode: keep
          X-Forwarded-Tls-Client-Cert-Info: keep  
          X-Real-IP: keep
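
The behaviour discussed in this thread, as an added example that is not Traefik code and not from any poster: a receiver that parses a PROXY protocol v1 header and writes a log record keeping the TCP peer address separate from the client address the header declares, marking whether the header was accepted (peer in a trusted range, or `insecure` set). The field names `PeerAddress`, `ProxyDeclaredClient` and `ProxyHeaderAccepted`, the function names, and all addresses are assumptions made for illustration.

```python
import ipaddress
import json

# Constructed sample range (documentation addresses), not from the thread.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]

def parse_proxy_v1(line: bytes):
    """Parse one PROXY protocol v1 header line; return (src_ip, src_port) or None."""
    # v1 headers are ASCII, at most 107 bytes, and end with CRLF.
    if len(line) > 107 or not line.startswith(b"PROXY ") or not line.endswith(b"\r\n"):
        return None
    parts = line[:-2].decode("ascii", "replace").split(" ")
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        return None  # also covers "PROXY UNKNOWN": no usable address
    try:
        src = ipaddress.ip_address(parts[2])
        ipaddress.ip_address(parts[3])  # destination must be a valid address too
        sport, dport = int(parts[4]), int(parts[5])
    except ValueError:
        return None
    if src.version != (4 if parts[1] == "TCP4" else 6):
        return None
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        return None
    return str(src), sport

def access_log_entry(peer_ip: str, header: bytes, insecure: bool = False) -> dict:
    """Build a log record that never overwrites the TCP peer with header data."""
    peer = ipaddress.ip_address(peer_ip)
    accepted = insecure or any(peer in net for net in TRUSTED_PROXIES)
    declared = parse_proxy_v1(header)
    entry = {"PeerAddress": peer_ip,           # who actually opened the connection
             "ProxyDeclaredClient": None,      # what the header claims
             "ProxyHeaderAccepted": False}
    if declared:
        entry["ProxyDeclaredClient"] = f"{declared[0]}:{declared[1]}"
        entry["ProxyHeaderAccepted"] = accepted
    return entry

if __name__ == "__main__":
    hdr = b"PROXY TCP4 203.0.113.7 198.51.100.10 51234 443\r\n"  # constructed sample
    for peer, insecure in (("192.0.2.10", False), ("198.51.100.99", False),
                           ("198.51.100.99", True)):
        print(json.dumps(access_log_entry(peer, hdr, insecure)))
```

With `insecure` set, the declared client is accepted from any peer, so the separately logged peer address is the only field in the record that the sender cannot choose.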