I am using traefik with adguard behind it using DNS over HTTPS and DNS of TLS on a remote server. So I can use android "private dns server".
But what traefik does is forwarding the local ip instead of the outside IP. So I see the adguard log the docker IP of traefik. Is there away to forward the original IP?
Traefik does not "forward" the local IP, but the connection to Adguard has Traefik IP just as origin, because that's where the local connection is coming from.
Traefik will "forward" IP information by placing them in the HTTP header ( X-Forwarded-*), I think that's done automatically, check if Adguard supports getting the IP from the header. Alternatively you can check if Adguard supports proxy-protocol.
Thanks for your information, adguard does support x-forward-* since I was using SWAG before which was forwarding the IP just fine.
My traefik config
---
global:
sendAnonymousUsage: false
#checkNewVersion: false
api:
insecure: false
dashboard: true
#debug: true
log:
level: "WARN"
# accessLog:
# format: json
providers:
docker:
endpoint: unix:///var/run/docker.sock
exposedByDefault: false
watch: true
swarmMode: false
file:
directory: /rules
watch: true
serversTransport:
insecureSkipVerify: true
entryPoints:
web:
address: :80
proxyProtocol:
insecure: true
forwardedHeaders:
insecure: true
http:
redirections:
entryPoint:
to: websecure
websecure:
address: :443
proxyProtocol:
insecure: true
forwardedHeaders:
insecure: true
dnsovertls:
address: :853
dns:
address: :53
udpdns:
address: :53/udp
# metrics:
# address: :8456
# smtp:
# address: :25
# smtp-ssl:
# address: :465
# imap-ssl:
# address: :993
certificatesResolvers:
lets-encrypt:
acme:
#caserver: https://acme-staging-v02.api.letsencrypt.org/directory #only for debug
email: {{emailaddress}}
storage: /letsencrypt/acme.json
tlschallenge: true
preferredChain: 'ISRG Root X1'
# httpChallenge:
# entrypoint: web
#metrics:
# prometheus:
# entryPoint: metrics
# addEntryPointsLabels: true
# addRoutersLabels: true
# addServicesLabels: true
# buckets:
# - 0.1
# - 0.3
# - 1.2
# - 5.0
My Docker config
services:
traefik:
image: traefik:latest
container_name: traefik
restart: {{dockerrestartpolicy}}
networks:
- traefik_proxy
ports:
- target: 80
published: 80
protocol: tcp
mode: host
- target: 443
published: 443
protocol: tcp
mode: host
- target: 853
published: 853
protocol: tcp
mode: host
- target: 53
published: 53
protocol: tcp
mode: host
- target: 53
published: 53
protocol: udp
mode: host
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
- "/srv/docker/traefik2/rules:/rules"
- "/srv/docker/traefik2/acme:/letsencrypt"
- "/srv/docker/traefik2/traefik.yaml:/etc/traefik/traefik.yaml"
environment:
- TZ={{ntp_timezone}}
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik_proxy"
- "traefik.http.routers.traefikdashboard.rule=Host(`traefik.{{hostname}}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
- "traefik.http.routers.traefikdashboard.entrypoints=websecure"
- "traefik.http.routers.traefikdashboard.service=api@internal"
- "traefik.http.routers.traefikdashboard.tls=true"
- "traefik.http.routers.traefikdashboard.tls.certresolver=lets-encrypt"
- "traefik.http.routers.traefikdashboard.middlewares=middlewares-ipwhitelist@file, redirect-web-to-websecure@internal, middlewares-rate-limit@file"