I am currently using AdGuard home behind a traefik instance (no k8s, just docker). I was trying to set it up, so it displays the clients IP addresses, instead of just the docker IP of the traefik instance.
In this guide, they have an example of how to configure it using nginx proxy. I put the docker network (172.17.0.0/16) in the trusted_proxies list, since the IP of traefik may change on a restart. They also mention that AdGuard looks at the X-Forwarded-For and X-Real-IP header, to see from where the request came. As much as I understood, traefik automatically sets the X-Forwarded-For header (FAQ). But some resources say that I need to set the forwardedHeaders options for my entry points(1, 2). I used this option when I was having requests coming from cloudflare`s proxies, so that I can retain the source IP of the request, but I don't know if I need this here too?
In the end, I tried everything out, but it didn't work out. Am I missing something relevant?
Start a traefik/whoami service/container and just check what headers are sent by Traefik.
Thanks for the tip! Always asked myself what are those whoami containers in the example!
I fired it up using http and it seems to forward the right headers. The X-Forwarded-For and X-Real-IP have been set correctly, without any of the settings for the entrypoints.
Now I am not sure on how to test this for DNS, basically a whoami for 53 tcp/udp traffic, but I guess that will have a similar behavior.
So it seems I have to figure out, what is going wrong on AdGuard part...
The headers are part of the http protocol, DNS/TCP/UDP does not have those.
I thought so, but thanks for the clarification. Somehow I also skipped the part in the tutorial, where they told, that this is for DoH. The problem I was having is, that I am running traefik on Synology and I was not able to get access to ports 80 and 443. So I made a macvlan network, got an IP just for traefik and wanted to use this IP also for DNS requests (same problem as with http/https on synology, port 53 is also already used).
I tried using network_mode: container:traefik in compose file of AdGuard and it worked... Now I get the raw requests!