Traefik Accesslog doesn't show Client's IP Address

Hi!

I am running Traefik 2.6 on Docker (no Kubernetes) with multiple WordPress containers and noticed that the Traefik accesslog doesn't log my clients' real IP address when accessing one of those WordPress websites, but instead logs the IP of the Docker network gateway (172.19.0.1).

Is there an option to log the real client IP address?

Thanks in advance!

Edit: I added my traefik configuration files.

docker-compose.yml:

version: '3.5'

networks:
  traefik:
    name: traefik

services:
  traefik:
    image: traefik:v2.6
    restart: unless-stopped
    container_name: traefik
    networks:
      - traefik
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro

      - /var/log/traefik:/var/log

      - ${PWD}/traefik.toml:/traefik.toml:ro
      - ${PWD}/dynamic.toml:/dynamic.toml:ro
      - ${PWD}/acme.json:/acme.json

    ports:
      - 80:80
      - 443:443
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`host.internet.com`)"
      - "traefik.http.routers.traefik.entrypoints=web-secure"
      - "traefik.http.routers.traefik.service=api@internal"
      #Generate password: echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
      - "traefik.http.middlewares.auth.basicauth.users=user:password"
      #Basic auth plus request limit (reqlimit is defined in dynamic.toml).
      #Both are listed in one middlewares label: a repeated label key keeps only one value,
      #so a second middlewares label would drop "auth" from the dashboard router.
      - "traefik.http.routers.traefik.middlewares=auth,reqlimit@file"
      #Label to autoupdate this container via watchtower
      - "com.centurylinklabs.watchtower.enable=true"

traefik.toml:
(static configuration)

# Network traffic will be entering our Docker network on the usual web ports
# (ie, 80 and 443), where Traefik will be listening.
[entryPoints]
  [entryPoints.web]
    address = ":80"

  [entryPoints.web-secure]
    address= ":443"
    [entryPoints.web-secure.http.tls]
      certResolver = "letsencrypt"

    #Redirection from HTTP to HTTPS
    [entryPoints.web.http]
      [entryPoints.web.http.redirections]
        [entryPoints.web.http.redirections.entryPoint]
        to = "web-secure"
        scheme = "https"


#Integration with Let's Encrypt
[certificatesResolvers.letsencrypt.acme]
  email = "mail@internet.com"
  storage = "acme.json"
  [certificatesResolvers.letsencrypt.acme.httpChallenge]
    # used during the challenge
    entryPoint = "web"

#Dynamic configuration file
[providers.file]
  filename="/dynamic.toml"

[api]
  dashboard = true

#These options are for Traefik's integration with Docker.
[providers.docker]
  endpoint = "unix:///var/run/docker.sock"
  exposedByDefault = false
  network = "traefik"

#Integration with Traefik Pilot
[pilot]
    token = "XXX-XXX-XXX-XXX"

#Used for Fail2Ban
[accessLog]
  filePath = "/var/log/access.log"

[log]
  filePath = "/var/log/traefik.log"
  level = "INFO"

dynamic.toml:

[tls.options]
  [tls.options.default]
    minVersion = "VersionTLS12"
    cipherSuites = [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
    ]


#Used to prevent DDOS attacks
#With the values below, each source is allowed an average of 100 requests per 10s period
#(10 requests/second), with bursts of up to 200 requests, before requests are blocked
#see: https://github.com/traefik/traefik/issues/4549
[http.middlewares]
  [http.middlewares.reqlimit.rateLimit]
    average = "100"
    burst = "200"
    period = "10s"

docker-compose-labels for wordpress:

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.router1.rule=Host(`domain.internet.com`)"
      - "traefik.http.routers.router1.entrypoints=web-secure"
      #Limits Requests; Defined in dynamic.toml
      - "traefik.http.routers.router1.middlewares=reqlimit@file"
      #Label to autoupdate this container via watchtower
      - "com.centurylinklabs.watchtower.enable=true"

Hello @leonfilser,

Can you provide your static/dynamic configuration?

Yes sure. I updated the original request.

1 Like

Looks like I figured it out:
Traefik was using a bridged Docker network, which doesn't forward the client IP by default.
So all I had to do to fix this was to add network_mode: host to the docker-compose.yml so that Traefik uses the host network.
Now my accesslogs finally show the real client IP.
Hope it helps anyone who is facing this issue in the future.

2 Likes
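
A check for the symptom discussed in this thread, as an added example that is not part of the original posts: it reads lines in Traefik's default (CLF-style) access log format and reports whether nearly all requests are logged from one internal address such as the 172.19.0.1 gateway, which is what Fail2Ban and the rateLimit middleware in the posted configuration would then act on. The function names, the 0.9 threshold and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Start of a line in Traefik's default (CLF-style) access log: the client address comes first.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" ')
# Internal ranges; Docker's default bridge networks are taken from 172.16.0.0/12.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def summarize_sources(lines):
    """Return (internal, external, unparsed): per-address Counters plus a count of bad lines."""
    internal, external, unparsed = Counter(), Counter(), 0
    for line in lines:
        m = LINE_RE.match(line)
        try:
            addr = ipaddress.ip_address(m.group("ip")) if m else None
        except ValueError:
            addr = None
        if addr is None:
            unparsed += 1
        elif any(addr in net for net in INTERNAL):
            internal[str(addr)] += 1
        else:
            external[str(addr)] += 1
    return internal, external, unparsed

def client_ip_lost(lines, threshold=0.9):
    """True when nearly every request is logged from one internal address (e.g. a bridge gateway)."""
    internal, external, _ = summarize_sources(lines)
    total = sum(internal.values()) + sum(external.values())
    top = internal.most_common(1)
    return total > 0 and bool(top) and top[0][1] / total >= threshold

# Constructed sample lines (not from the thread): bridge network vs. host network.
TAIL = '"GET / HTTP/2.0" 200 5120 "-" "-" 1 "router1@docker" "http://172.19.0.5:80" 12ms'
BRIDGE_SAMPLE = [f'172.19.0.1 - - [10/Mar/2022:10:15:0{i} +0000] {TAIL}' for i in range(3)]
HOST_SAMPLE = [f'{ip} - - [10/Mar/2022:10:20:00 +0000] {TAIL}'
               for ip in ("203.0.113.7", "198.51.100.23", "203.0.113.7")]

if __name__ == "__main__":
    for name, sample in (("bridge", BRIDGE_SAMPLE), ("host", HOST_SAMPLE)):
        print(name, "client IP lost:", client_ip_lost(sample))
```

Run against the real file by passing `open("/var/log/traefik/access.log")` to `client_ip_lost`; that path follows the volume mapping in the posted docker-compose.yml.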
