Could anybody help me on how to pass the real IP address and host header in Traefik please? I have a file provider that proxies connects to my Open Media Vault Control Panel but the logs still report that Traefik's IP address are the one contacting it rather than the IP from the originating source.
1 Like
Hello @DanW
thanks for using Traefik and asking the question.
I would recommend you to see the following docs:
- forwarded Headers EntryPoints - Traefik
Then the real IP address should be available in the X-Forwarded header.
If you deploy Traefik on Kubernetes with service type Loadbalancer, the externalTrafficPolicy should be also updated.
Thank you
Hi @jakubhajek thank you so much for your response! So does traffic pass the X-Forwarded header by default and it is just a matter of getting Traefik to trust the forwarded headers then?
Hello @DanW
The header X-Forwarded-for is being passed by default. However, in order to get a real IP address, the trust headers mechanism has to be configured.
For testing purposes, it can be set in insecure mode.
Thank you,
Jakub
why can't traefik have a way to easily get the real ip of user? Every other software/website i use in the world does this or is this a rocket science to implement?
As a reverse proxy, i think it is safe to say most people want this. So why have us waste so much time and energy for something that is widely needed??????
We have to drill into forwarded headers to figure this out ourselves? cloudflare for example passes this as response header with Cf-Connecting-Ip and am sure others have a way of passing this, so why can't traefik implement this that makes sense to be on traefik layer?
4 Likes
Hi,
We are soon in 2024! 2 years after this thread was opened no one has been able to solve this problem. Just yesterday, other people opened topics on this subject. Lots of people on lots of forums are asking this question.
Personally, I gave up the idea of having my visitors' IPs with Traefik after several months of active research. I have tried many solutions without success. It could perhaps come from the infrastructure.
As long as there is no solution, I had to remove Traefik from the production for security reasons. I find it surprising that there is no official support for this because it’s very important and so basic for an ingress controller.
The community needs support on this.
1 Like
We use ProxyProtocol with Traefik and everything works for us.
1 Like
Please share your configuration. I am running into same issues - no solution so far.
Just tested "forwardedHeaders.insecure" and "proxyProtocol.insecure" => same results - no "real visitors ips".
ProxyProtocol can be used with Traefik on 2 sides: one is entrypoint to receive PP for example from a load balancer, and on the service side to send PP to the target service, which is usually TCP only and needs to understand PP.
this did the trick for me:
docker-compose.yaml
ports:
- target: 80
published: 80
protocol: tcp
mode: host
- target: 443
published: 443
protocol: tcp
mode: host
1 Like