Restoring Cloudflare Real IP on Traefik

Is it possible to log the real IP from Cloudflare as per the below docs?

To restore original visitor IP addresses at your origin web server, Cloudflare recommends your logs or applications look at CF-Connecting-IP or True-Client-IP instead of X-Forwarded-For since CF-Connecting-IP and True-Client-IP have a consistent format containing only one IP.

@jnovack Thank you for your response. But is it possible in Traefik to rate limit based on CF-Connecting-IP?

This should give you a good idea what is and is not possible with regards to rate limiting in Traefik. Traefik does not have special integration with Cloudflare for the purpose of rate limiting.

How can I now configure Traefik to pass the visitor's original IP so I can filter them based on their IP via iptables? Like a month ago my iptables filtration worked, now it does not. I suspect that Cloudflare is now no longer "handling" the visitor's original IP as before, but it has to put the original IP somewhere and Traefik should have a config flag to restore it.

So my config scenario is as follows:

INTERNET -> Cloudflare (DNS-Proxy) -> MY_FIREWALL -> Traefik -> Server (filters e.g. whole Russia based on the source IP) -> Docker Container

^^^ This worked before (a month ago). However, now my server sees only the Cloudflare IP, thus overcoming the iptables rule.

Appreciate any input here, Thanks.

In order to proceed with any filters based on the source IP address, the first step is to correctly configure forwarded headers (EntryPoints - Traefik).

Depending on your setup, additional changes might be required, especially for the Kubernetes Load Balancer service type, to preserve real IP addresses (externalTrafficPolicy).

Once you have the real IP address you can consider configuring a rate limiter or any other middlewares that rely on the source IP address.

We should provide a full-fledged tutorial to present how to achieve it because it is a recurring question.

Thank you, Jakub

Firstly thank you for taking time here. Now let me first be more specific with the actual scenario:

Here:

Then:

I have configured this where I am trusting Cloudflare's IPs:

    forwardedHeaders:
      trustedIPs:
        - 173.245.48.0/20
        - 103.21.244.0/22
        - 103.22.200.0/22
        - 103.31.4.0/22
        - 141.101.64.0/18
        - 108.162.192.0/18
        - 190.93.240.0/20
        - 188.114.96.0/20
        - 197.234.240.0/22
        - 198.41.128.0/17
        - 162.158.0.0/15
        - 104.16.0.0/13
        - 104.24.0.0/14
        - 172.64.0.0/13
        - 131.0.72.0/22

Thus:

The server still sees the Cloudflare Y.Y.Y.Y IP address and passes it to Traefik. Now you say that it is possible to filter those requests based on the X-Forwarded-For: X.X.X.X - well, sure, for a couple of IPs but not for the whole region. Here it would be ideal and much desired if Traefik could make use of the system's IP sets or be able to implement them itself (or import them from the system at start?).
Some time ago I created a feature request for this very scenario and no one cared to even reply :disappointed:. With this capability we now have power to effectively filter this per service.

Thanks.

Hello @MacGyver27

In regards to IPSETS I would use ForwardAuth middleware. I would forward the request to the authentication backend. The backend's responsibility would be to make a decision whether the source IP is whitelisted or blacklisted.
Traefik can use the response from the backend to technically accept the incoming connection or block it based on the HTTP responses coming from the backend.

However, you need to correctly get the source IP address of the client.

Regarding your feature request, I encourage you to open the issue on the Traefik GitHub repository and describe the request you wish to have in the next releases.

Thank you,
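
An added example, not part of the thread or of Traefik's own code: a minimal ForwardAuth backend of the kind described in the reply above, which takes the client IP from X-Forwarded-For and answers with an allow or block status. It assumes the ForwardAuth middleware has trustForwardHeader enabled so the full header chain reaches the backend; the listen address, the internal 10.0.0.0/8 range and the blocked ranges are constructed placeholders.

```go
package main

import (
	"net/http"
	"net/netip"
	"strings"
)

// Constructed sample sets. trusted: proxies whose X-Forwarded-For entries are
// believed (two Cloudflare ranges from the config above plus an assumed
// internal Traefik network). blocked: documentation ranges as stand-ins.
var (
	trusted = []string{"173.245.48.0/20", "104.16.0.0/13", "10.0.0.0/8"}
	blocked = []string{"203.0.113.0/24", "198.51.100.0/24"}
)

func inAny(ip netip.Addr, cidrs []string) bool {
	for _, c := range cidrs {
		if netip.MustParsePrefix(c).Contains(ip) {
			return true
		}
	}
	return false
}

// decide walks X-Forwarded-For right to left: the first hop that is not a
// trusted proxy is the client; anything left of it is client-supplied and
// ignored. ForwardAuth lets 2xx through and returns any other status as-is.
func decide(xff string) int {
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil || inAny(ip.Unmap(), blocked) {
			return http.StatusForbidden // malformed, empty or blocked
		}
		if !inAny(ip.Unmap(), trusted) {
			return http.StatusOK
		}
	}
	return http.StatusForbidden // only proxies seen: fail closed
}

func main() {
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		xff := strings.Join(r.Header.Values("X-Forwarded-For"), ",")
		w.WriteHeader(decide(xff))
	})
	http.ListenAndServe("127.0.0.1:9000", nil)
}
```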