On the Apache access logs I get as IP the kubernetes' node IP, not the Client IP.
What's the best way to implement both TCP on docker, HTTP on kubernetes and Apache to register the proper Client IP? Is there a proper guide/walkthrough?
By default, a reverse proxy using http will include headers with the original IP. If you use plain TCP, I think the only option is ProxyProtocol on each sender and receiver side (which will prefix any TCP connection with the origination IP).
I tried to add ProxyProtocol to the TCP Traefik, and it broke the Cloudflare SSL handshake.
Without it, all of the proxy hops work, without the client IP.
"If you're the owner of this website:
It appears that the SSL configuration used is not compatible with Cloudflare. This could happen for a several reasons, including no shared cipher suites."
time="2024-04-15T18:20:28+02:00" level=debug msg="Handling TCP connection from 172.69.58.110:40934 to KubernetesIP:443"
time="2024-04-15T18:20:28+02:00" level=debug msg="Handling TCP connection from 172.70.231.67:16092 to KubernetesIP:443"
time="2024-04-15T18:20:29+02:00" level=debug msg="Error while setting TCP connection deadline: set tcp 192.168.4.3:33792: use of closed network connection"
time="2024-04-15T18:20:29+02:00" level=debug msg="Error while setting TCP connection deadline: set tcp 192.168.4.3:33794: use of closed network connection"
time="2024-04-15T18:20:29+02:00" level=debug msg="Handling TCP connection from 162.158.148.219:16606 to KubernetesIP:443"
time="2024-04-15T18:20:29+02:00" level=debug msg="Handling TCP connection from 162.158.148.218:9788 to KubernetesIP:443"
time="2024-04-15T18:20:29+02:00" level=debug msg="Error while setting TCP connection deadline: set tcp 192.168.4.3:33798: use of closed network connection"
time="2024-04-15T18:20:30+02:00" level=debug msg="Handling TCP connection from 162.158.129.199:18400 to KubernetesIP:443"
time="2024-04-15T18:20:32+02:00" level=debug msg="Handling TCP connection from 172.69.6.94:34286 to KubernetesIP:443"
time="2024-04-15T18:20:32+02:00" level=debug msg="Error while setting TCP connection deadline: set tcp 192.168.4.3:33802: use of closed network connection"
I think I'm not able to use CF ProxyProtocol as I'm not on an Enterprise Plan.
As an aside, shouldn't the IP be one of Cloudflare's IPs instead of the last Traefik IP in the line? It seems like every step in the line (first Traefik TCP proxy, second Traefik HTTP proxy) rewrites the IP.
Added the following to the first Traefik instance:
- --entrypoints.websecure.forwardedHeaders.trustedIPs=<list of Cloudflare's IPs from https://www.cloudflare.com/ips-v4/#>
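To show what a trusted-IPs setting like the one above actually does, here is an added Go example (not code from the thread or from Traefik) that resolves the client address from X-Forwarded-For by walking the chain from the right and skipping hops that are trusted proxies; anything a non-trusted peer puts in the header is ignored, which is why the list matters. The ranges are assumptions: two entries from Cloudflare's published IPv4 list (check them against the link above) plus the internal 192.168.4.0/24 seen in the log excerpt.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// parseCIDRs converts textual ranges into *net.IPNet values; a typo is fatal.
func parseCIDRs(cidrs []string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// Assumed trusted proxy ranges: two Cloudflare ranges (verify against the
// published list) and the internal Traefik hop visible in the debug log.
var trustedProxies = parseCIDRs([]string{"172.64.0.0/13", "162.158.0.0/15", "192.168.4.0/24"})

// trusted reports whether ip falls inside any of the trusted ranges.
func trusted(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP returns the real client address. remoteAddr is the peer that opened
// the TCP connection ("ip" or "ip:port"); xff is the X-Forwarded-For header.
// The header is only consulted when the direct peer is a trusted proxy, and the
// walk stops at the first hop (from the right) that is not itself trusted.
func ClientIP(remoteAddr, xff string, nets []*net.IPNet) (string, error) {
	host := remoteAddr
	if h, _, err := net.SplitHostPort(remoteAddr); err == nil {
		host = h
	}
	peer := net.ParseIP(host)
	if peer == nil {
		return "", errors.New("invalid remote address: " + remoteAddr)
	}
	if !trusted(peer, nets) || strings.TrimSpace(xff) == "" {
		return peer.String(), nil // untrusted peer: its header is not believed
	}
	candidate := peer
	parts := strings.Split(xff, ",")
	for i := len(parts) - 1; i >= 0; i-- {
		hop := net.ParseIP(strings.TrimSpace(parts[i]))
		if hop == nil {
			return "", fmt.Errorf("malformed X-Forwarded-For entry %q", parts[i])
		}
		candidate = hop
		if !trusted(hop, nets) {
			break // first non-proxy hop from the right is the client
		}
	}
	return candidate.String(), nil
}
```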