Real IP Address is not forwarded to forward auth

I am trying to write my own forward auth server to do some geoblocking and general authentication.
So far I am able to forward the requests to the server, but I don't receive the real IP address, even though Traefik is running its port in host mode.
Also the whoami service, which is behind the forward auth, again receives the real IP. Does someone have a clue how this happens/how to fix it?

The whoami output (using curl):

> curl http://whoami.example.com --ipv4 -L -i

HTTP/1.1 301 Moved Permanently
Location: https://whoami.example.com/
Date: Fri, 21 Mar 2025 01:01:46 GMT
Content-Length: 17

HTTP/1.1 200 OK
Content-Length: 380
Content-Type: text/plain; charset=utf-8
Date: Fri, 21 Mar 2025 01:01:46 GMT

Hostname: 12e2f2351ac7
IP: 127.0.0.1
IP: ::1
IP: 172.19.0.5
RemoteAddr: 172.19.0.13:46478
GET / HTTP/1.1
Host: whoami.example.com
User-Agent: curl/8.10.1
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: my.rea.l.ip
X-Forwarded-Host: whoami.example.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: ab703d407d5e
X-Real-Ip: my.rea.l.ip

Meanwhile my FastAPI server only receives these headers/values:

        "headers": {
              "host": "auth.example.com",
              "user-agent": "Go-http-client/2.0",
              "accept-encoding": "gzip",
              "x-forwarded-for": "172.19.0.1",
              "x-forwarded-host": "auth.example.com",
              "x-forwarded-port": "443",
              "x-forwarded-proto": "https",
              "x-forwarded-server": "ab703d407d5e",
              "x-real-ip": "172.19.0.1"
        }

How do I get the real IP that whoami receives to my forward auth?

I just tested this, it works for me, x-real-ip is correctly set to Internet IP of browser/client.


Thank you for sharing an example; when I run your code it all works. Could it be an issue if the forward auth I try to reference is in another docker compose file or accessed via a domain? Before trying yours it was located at "auth.example.com", which of course is behind Traefik.
If I try to reference my auth server via the docker service name/container_name, it seems like no request ever hits it.

I think a ForwardAuth server should not be public*. So you should use only the service name and you need to make sure it’s within a shared Docker network with the proxy.

* maybe parts of it can be public, as a nice login page might need scripts, css, images.

Okay, thank you for the information. I somehow am not able to get the forward auth to actually forward auth to the server.
Maybe if you could look at the configs you can spot a mistake I made. I am fairly new and have done only really basic configuration with Traefik and Docker.

# whoami docker-compose.yml
services:
  whoami:
    image: traefik/whoami:v1.10
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.mywhoami.rule=Host(`whoami.example.com`)
      - traefik.http.services.mywhoami.loadbalancer.server.port=80
      - traefik.http.routers.mywhoami.middlewares=auth
      - traefik.http.middlewares.auth.forwardauth.address=http://pyauthserver/traefik

networks:
  proxy:
    name: proxy
    external: {}

# auth server docker-compose.yml
services:
  pyauthserver:
    container_name: pyauthserver
    build: .
    command: python3 main.py
    volumes:
      - .:/usr/src/app
    ports:
      - ":8000"
    labels:
      - traefik.enable=true
      - traefik.docker.network=proxy
      - traefik.http.routers.pyauthserver.entrypoints=websecure
      - traefik.http.routers.pyauthserver.rule=Host(`auth.example.com`)
    networks:
      - proxy
    restart: unless-stopped

networks:
  proxy:
    external: true

From my understanding all requests should hit the auth server at /traefik and be handled from there on by the server, which then responds with either any 200 code or any 400 code, correct?

Reality hit hard: I've noticed that my auth server is running on port 8000. So when referencing the service internally I have to write it down in the address:
- traefik.http.middlewares.auth.forwardauth.address=http://pyauthserver:8000/traefik
http://container_name:port/url
This is the correct label to use for the forward auth when referencing a service internally.
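A minimal forward-auth endpoint for the setup above, added here as an example and not code from this thread or from Traefik: it uses only the Python standard library, recovers the client address from X-Forwarded-For the way a server behind Traefik should (walking right to left past trusted proxies), fails closed when every hop is a proxy (the symptom in this thread, where the auth server only ever saw 172.19.0.1), and refuses a constructed blocked network in place of a real geo-IP lookup. TRUSTED_PROXIES, BLOCKED_NETWORKS, client_ip and decide are my own names, and the 172.19.0.0/16 and 198.51.100.0/24 ranges are assumptions.

```python
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed (constructed for this example): the Docker network Traefik sits in.
TRUSTED_PROXIES = [ipaddress.ip_network("172.19.0.0/16")]
# Constructed sample block list standing in for a real geo-IP lookup.
BLOCKED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

def client_ip(headers, remote_addr):
    """Return the client address Traefik saw, or None if it cannot be recovered."""
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return peer  # direct connection, no proxy in between: the peer is the client
    # Walk X-Forwarded-For right to left, skipping proxies we trust; the first address we
    # do not trust is the client. This ignores a client-supplied leading entry.
    for part in reversed(headers.get("x-forwarded-for", "").split(",")):
        part = part.strip()
        if not part:
            continue
        try:
            addr = ipaddress.ip_address(part)
        except ValueError:
            return None  # malformed header: fail closed
        if not any(addr in net for net in TRUSTED_PROXIES):
            return addr
    return None  # every hop was a trusted proxy: the client address was lost (this thread's symptom)

def decide(headers, remote_addr):
    """Forward-auth verdict as (status, reason): 200 lets the request through, 403 blocks it."""
    addr = client_ip(headers, remote_addr)
    if addr is None:
        return 403, "client address unknown"
    if any(addr in net for net in BLOCKED_NETWORKS):
        return 403, f"{addr} is in a blocked network"
    return 200, "ok"

class ForwardAuth(BaseHTTPRequestHandler):
    """Serves /traefik, the path the forwardauth.address label points at."""
    def do_GET(self):
        hdrs = {k.lower(): v for k, v in self.headers.items()}  # header names are case-insensitive
        status, reason = decide(hdrs, self.client_address[0])
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(reason.encode())

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8000), ForwardAuth).serve_forever()
```

With the corrected label (http://pyauthserver:8000/traefik) Traefik reaches this server over the shared proxy network, so the peer is Traefik's own address and X-Forwarded-For carries the real client; a 200 lets the request continue to whoami.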
