Traefik is only showing addresses beginning with 172 to other apps when insecure mode is disabled at entryPoints.web.forwardedHeaders

I'm trying to set up Authentik and Nextcloud on my home server running Traefik v3.1.0. And while everything is working, something seems to be wrong with my header forwarding for X-Forwarded-For in my traefik config file. Unless I set the entryPoints insecure option to true, they give back IP addresses like this within Authentik and the Nextcloud logs:

This is what I have in my configuration file for traefik entrypoints:

entryPoints:
  web:
    address: :80
    forwardedHeaders:
      trustedIPs:
        - "172.20.0.0/16"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: :443
    forwardedHeaders:
      trustedIPs:
        - "172.20.0.0/16"
    http:
      tls:
        certResolver: myresolver
        domains:
          - main: "example.com"
            sans: "*.example.com"

For context, I connect everything to Traefik (including itself, set static to 172.20.1.10) via a bridged network known as traefik-public that moves everything out to the router through a binding on port 80 and 443.

This is what I currently have in my docker-compose file for Traefik:

networks:
  traefik-public:
    name: traefik-public
    ipam:
      config:
        - subnet: 172.20.0.0/16
          gateway: 172.20.0.1
          ip_range: 172.20.1.0/24

services:
  traefik:
      # The official Traefik docker image (v3.1.0)
      image: traefik:v3.1.0
      container_name: traefik
      restart: unless-stopped
      # Enables the web UI and tells Traefik to listen to docker
      ports:
        # The HTTP port
        - "80:80"
        - "443:443"
      volumes:
        # Allow access to the Docker socket
        - /var/run/docker.sock:/var/run/docker.sock
        
        # Mount the volume to store the certificates
        - /docker/traefik/ssl/letsencrypt:/letsencrypt
        
        # Mount the volume to store Traefik logs
        - /docker/traefik/logs:/var/log
        
        # Mount the file to store static Traefik configuration
        - /docker/traefik/traefik.yml:/etc/traefik/traefik.yml
        # - $PWD/traefik/config.yml:/etc/traefik/config.yml
        
        # Mount the directory to store dynamic Traefik configuration
        - /docker/traefik/config:/etc/traefik/config/
      command: 
        - "--configFile=/etc/traefik/traefik.yml"
      networks:
        traefik-public:
          # Set the static IP for Traefik for any proxying that may need to be done by other containers
          ipv4_address: 172.20.1.10
      environment:
        - "TZ=America/New_York"
        - "CF_API_EMAIL=example@example.com"
        - "CF_API_KEY=${CLOUDFLARE_GLOBAL_API}"

I'm not exactly sure what I am doing wrong. I'm almost wondering if I'm not using the correct subnet prefix or something, but I'm not too sure.

Well, you set

but the forwarded requests come from internal IP 172.70.*.*.

You could try

      trustedIPs:
        - "172.0.0.0/8"

That may have worked actually. I'm hoping that it's more secure than insecure mode. Hopefully it is, given that there is still some trust among the internal IPs.
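
As an added example (not code from any post in this thread, and not Traefik's own), the Python sketch below models the trust decision behind `forwardedHeaders.trustedIPs` and flags entries that reach past private address space, which is the difference between `172.20.0.0/16`, `172.0.0.0/8` and insecure mode. The function names, the simplified header handling and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges plus loopback. A trustedIPs entry that is not
# contained in one of these also covers publicly routable addresses.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_trusted(peer_ip, trusted_cidrs):
    """True if the directly connected peer is inside any trustedIPs entry."""
    peer = ipaddress.ip_address(peer_ip)
    return any(peer in ipaddress.ip_network(c) for c in trusted_cidrs)


def backend_xff(peer_ip, incoming_xff, trusted_cidrs, insecure=False):
    """Simplified model (assumption): the incoming X-Forwarded-For list is
    kept only when the peer is trusted or insecure mode is on, and the
    peer address is then appended before the request reaches the backend."""
    keep = insecure or is_trusted(peer_ip, trusted_cidrs)
    return (list(incoming_xff) if keep else []) + [peer_ip]


def covers_public_space(cidr):
    """True if the CIDR includes addresses outside PRIVATE_NETS."""
    net = ipaddress.ip_network(cidr)
    return not any(net.subnet_of(p) for p in PRIVATE_NETS)


if __name__ == "__main__":
    # Constructed sample: a peer on another Docker bridge relays a request
    # whose X-Forwarded-For carries the original client (documentation range).
    peer, xff = "172.18.0.1", ["203.0.113.7"]
    for trusted in (["172.20.0.0/16"], ["172.16.0.0/12"], ["172.0.0.0/8"]):
        print(trusted, "->", backend_xff(peer, xff, trusted),
              "| covers public space:", covers_public_space(trusted[0]))
    # Insecure mode keeps the header from any peer at all.
    print("insecure ->", backend_xff("198.51.100.9", ["10.0.0.5"], [], insecure=True))
```

`172.16.0.0/12` is the RFC 1918 private block that contains `172.20.0.0/16`, while `172.0.0.0/8` also includes publicly routable addresses.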