Real IP and Host Header

Could anybody help me on how to pass the real IP address and host header in Traefik please? I have a file provider that proxies connects to my Open Media Vault Control Panel but the logs still report that Traefik's IP address are the one contacting it rather than the IP from the originating source.

1 Like

Hello @DanW

thanks for using Traefik and asking the question.

I would recommend you to see the following docs:

Then the real IP address should be available in the X-Forwarded header.

If you deploy Traefik on Kubernetes with service type Loadbalancer, the externalTrafficPolicy should be also updated.

Thank you

Hi @jakubhajek thank you so much for your response! So does traffic pass the X-Forwarded header by default and it is just a matter of getting Traefik to trust the forwarded headers then?

Hello @DanW

The header X-Forwarded-for is being passed by default. However, in order to get a real IP address, the trust headers mechanism has to be configured.

For testing purposes, it can be set in insecure mode.

Thank you,
Jakub

why can't traefik have a way to easily get the real ip of user? Every other software/website i use in the world does this or is this a rocket science to implement?

As a reverse proxy, i think it is safe to say most people want this. So why have us waste so much time and energy for something that is widely needed??????

We have to drill into forwarded headers to figure this out ourselves? cloudflare for example passes this as response header with Cf-Connecting-Ip and am sure others have a way of passing this, so why can't traefik implement this that makes sense to be on traefik layer?

3 Likes

Hi,

We are soon in 2024! 2 years after this thread was opened no one has been able to solve this problem. Just yesterday, other people opened topics on this subject. Lots of people on lots of forums are asking this question.

Personally, I gave up the idea of ​​having my visitors' IPs with Traefik after several months of active research. I have tried many solutions without success. It could perhaps come from the infrastructure.
As long as there is no solution, I had to remove Traefik from the production for security reasons. I find it surprising that there is no official support for this because it’s very important and so basic for an ingress controller.
The community needs support on this.

1 Like

We use ProxyProtocol with Traefik and everything works for us.

1 Like

Please share your configuration. I am running into same issues - no solution so far.
Just tested "forwardedHeaders.insecure" and "proxyProtocol.insecure" => same results - no "real visitors ips".

ProxyProtocol can be used with Traefik on 2 sides: one is entrypoint to receive PP for example from a load balancer, and on the service side to send PP to the target service, which is usually TCP only and needs to understand PP.

this did the trick for me:

docker-compose.yaml

    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
1 Like