TCP Proxy and Original Source IP

Gibletron · May 13, 2022, 10:45am

Hello,

I am using Traefik as a TCP Proxy for my Plex container, using the config at the bottom.
This works fine for all internal and external user, however in Plex it shows the Traefik container IP as the user IP.
With the HTTP proxy the original user IP is passed (I believe in a X-Forwarded-For header or something along those lines)
However for the TCP proxy there is no such option.
Is there any way to show the original source IP instead of the traefik IP?

The relevant part of my stack for reference:

  plex:
    hostname: plex
    container_name: plex
    image: lscr.io/linuxserver/plex
    volumes:
      - ${VOL_CONF}/plex:/config
      - ${VOL_MEDIA}:/media
    networks:
      - traefik-net
    environment:
      - PUID=${ENV_PUID}
      - PGID=${ENV_PGID}
      - TZ=${ENV_TZ}
      - PLEX_UID=${ENV_PUID}
      - PLEX_GID=${ENV_PGID}
      - VERSION=docker
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
      labels:
        traefik.enable: "true"
        traefik.http.services.plex.loadBalancer.server.port: "32400"
        traefik.http.services.plex.loadBalancer.PassHostHeader: "true"
        
        traefik.http.routers.plex-int.entryPoints: "http"
        traefik.http.routers.plex-int.rule: "Host(`plex.${DOMAIN_INT}`)"
        traefik.http.routers.plex-int.service: "plex"

        traefik.http.routers.plex-ext-https.entryPoints: "https"
        traefik.http.routers.plex-ext-https.tls: "true"
        traefik.http.routers.plex-ext-https.rule: "Host(`plex.${DOMAIN_EXT}`)"
        traefik.http.routers.plex-ext-https.service: "plex"

        traefik.tcp.services.tcp-plex-32400.loadbalancer.server.port: "32400"
        traefik.tcp.routers.tcp-plex-32400.entryPoints: "tcp-plex-32400"
        traefik.tcp.routers.tcp-plex-32400.rule: "HostSNI(`*`)"
        traefik.tcp.routers.tcp-plex-32400.service: "tcp-plex-32400"

moutoum · May 16, 2022, 1:03pm

Hi @Gibletron,
Thanks for your interest in Traefik.

As you might know, HTTP headers are not available at TCP level. To get rid of this limitation, HAProxy created a protocol called Proxy Protocol.
This protocol encapsulates the TCP connection with some basic headers to have more context in case of proxy connections.

You can enable this protocol in the configurations of your services. You can find more information here: Traefik Services Documentation - Traefik .

cakiwi · May 16, 2022, 2:45pm

Additionally in Swarm mode you may need to publish your ports in host mode otherwise you could still end up with an overlay/docker ip address.

Gibletron · May 16, 2022, 5:47pm

Thank you very much for your responses, I did not know about this Proxy Protocol, will try later today and report back!

Gibletron · May 16, 2022, 8:22pm

I'm having a tough time figuring out how this is supposed to work, and the (traefik) documentation is somewhat limited on this.
Would it be possible for you to give me an example on how to enable Proxy Protocol?
Should I enable it only on the service level, as such:

traefik.tcp.services.tcp-plex-32400.loadbalancer.proxyprotocol.version: "2"

Should I also enable it on the tcp-plex-32400 entrypoint as such:

  [Entrypoints.tcp-plex-32400]
    Address = ":32400"
    [entryPoints.tcp-plex-32400.proxyProtocol]
      insecure = true

Should I be able to see that ProxyProtocl is enabled in the Traefik dashboard?
When I do both of the above Plex is no longer accesible externally, as such I think I'm missing something vital.

moutoum · May 17, 2022, 8:24am

Hi @Gibletron,

These 2 configurations solve different use cases.

When enabling Proxy Protocol on an Entrypoint, it allows Traefik to understand an incoming Proxy Protocol wrapped request. With this, you can for example restrict the access to some user IPs.
When enabling Proxy Protocol on a service, you ask Traefik to add Proxy Protocol headers to forwarded request. It means that the IP/port from the incoming request will be added in the outgoing request.

In your scenario, you need the second option, enabling proxy protocol on a service. Your first snippet seems good to me. Once this step is done, you only did half of the job, as your Plex server doesn't know yet how to understand this protocol. It can result in a badly formatted packet, depending on the expected protocol. To make it work, you should use a third party library or implementing yourself the proxy protocol unwrapping. This one is an example, but feel free to use another depending on your preferences, GitHub - inkel/viaproxy: Proxy Protocol support for Go net.Conn.

Gibletron · May 17, 2022, 11:24am

Ahhh clear! thank you very much
Seems for now that this isn't feasible for me, I will send in a feature request for plex to support ProxyProtocol

system · May 20, 2022, 11:24am

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Traefik and PiHole with Docker: forward client IP Traefik v2 (latest) docker , tcp	7	4969	August 24, 2023
Real IP in rabbitmq cluster Traefik v2 (latest) tcp	7	1704	April 27, 2020
TCP reverse proxy pass through (nginx equivalent) Traefik v2 (latest) file , tcp	3	2546	January 31, 2022
Traefik see's local clients in network as remote Traefik v2 (latest) docker , middleware	0	211	July 4, 2022
Using Traefik as tcp proxy outside docker Traefik v2 (latest) tcp	0	403	April 3, 2020

TCP Proxy and Original Source IP

Related Topics