Problem
I want to block all X-Forwarded-* Headers as soon as they hit traefik.
I tried configuring it as mentioned in EntryPoints - Traefik
and
tried to overwrite them as mentioned in Headers - Traefik.
Nothing seems to have any effect.
I have been struggling to find a solution to my problem for days now.
Is there something I am missing?
Recreating the Problem
Traefik Version: 2.2.11
Docker Version: 19.03.13
curl -v -X GET "serviceurl" -H "Forwarded: host=evil.com"
always delivers the forwarded header
Config:
Traefik.toml
[log]
  # If something goes wrong, changing this to DEBUG might help you finding out what happens.
  # Levels: DEBUG, INFO, WARN, ERROR, FATAL, PANIC
  level = "INFO"
  format = "common"

[entryPoints]
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.forwardedHeaders]
      trustedIPs = []
      insecure = false
  [entryPoints.websecure]
    address = ":443"
    [entryPoints.websecure.forwardedHeaders]
      trustedIPs = []
      insecure = false
  [entryPoints.traefik]
    address = ":8080"
    [entryPoints.traefik.forwardedHeaders]
      trustedIPs = []
      insecure = false

[providers]
  [providers.rancher]
    watch = true
    refreshSeconds = 15
    intervalPoll = false
    exposedByDefault = false
  [providers.file]
    filename = "/opt/traefik/config/dynamic_conf.toml"
    watch = true

[api]
  dashboard = true
  debug = true

# Configuring a buffer of 100 lines
[accessLog]
  filePath = "/opt/traefik/logs/access.log"
dynamic_conf.toml
# redirect
[http.middlewares]
[http.middlewares.redirect.redirectscheme]
scheme = "https"
permanent = true
# HSTS-Header
[http.middlewares.header.headers]
stsSeconds = 31536000
stsIncludeSubdomains = true
[http.middlewares.header.headers.customRequestHeaders]
X-Forwarded-Host = ""
[http.middlewares.header.headers.customResponseHeaders]
X-Forwarded-Host = ""
# gzip compression
[http.middlewares.compress.compress]
# global minimum TLS Version
[tls.options]
[tls.options.default]
minVersion = "VersionTLS12"
# https://ssl-config.mozilla.org/ - intermediate
cipherSuites = [
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
]
...
Service Configuration:
version: '2'
services:
  service:
    mem_limit: 2147483648
    image: services.image:version
    stdin_open: true
    tty: true
    labels:
      traefik.http.routers.service-web.middlewares: redirect@file
      traefik.enable: 'true'
      traefik.http.routers.service-web.entrypoints: web
      traefik.http.routers.service-websecure.tls: 'true'
      traefik.http.routers.service-websecure.rule: "Host(`service.is2.run`)"
      traefik.http.services.service-websecure.loadbalancer.server.port: '8080'
      traefik.http.routers.service-web.rule: "Host(`service.is2.run`)"
      traefik.http.routers.service-websecure.middlewares: header@file
      traefik.http.routers.service-websecure.entrypoints: websecure
Help would be greatly appreciated
Regards
Manwern
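To make the trustedIPs rule discussed above concrete, here is an added example (a Python model written for this page, not Traefik's own code): a sanitizer that drops client-supplied X-Forwarded-* and RFC 7239 Forwarded headers unless the TCP peer is in a trusted list (or insecure is set), then writes the proxy's own observed values. The sample headers are constructed from the curl test in the question; treating the Forwarded header the same way as X-Forwarded-* is an assumption of this model.

```python
import ipaddress
from typing import Dict, Iterable, Tuple

# Constructed sample request: the curl test from the question plus a spoofed
# X-Forwarded-* pair, as a client reaching the proxy directly might send it.
SAMPLE_HEADERS = {
    "Host": "service.is2.run",
    "User-Agent": "curl/7.68.0",
    "Forwarded": "host=evil.com",
    "X-Forwarded-Host": "evil.com",
    "X-Forwarded-For": "10.0.0.9",
}

def is_trusted(client_ip: str, trusted_ips: Iterable[str]) -> bool:
    """Models forwardedHeaders.trustedIPs: entries may be single IPs or CIDRs."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(t, strict=False) for t in trusted_ips)

def _pop(headers: Dict[str, str], name: str) -> str:
    """Remove a header case-insensitively; return its value ('' if absent)."""
    value = ""
    for key in [k for k in headers if k.lower() == name.lower()]:
        value = headers.pop(key)
    return value

def sanitize_forwarded(headers: Dict[str, str], client_ip: str, scheme: str,
                       trusted_ips: Iterable[str] = (), insecure: bool = False
                       ) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (headers sent upstream, client headers dropped).
    Modelled rule (an assumption, not Traefik's code): X-Forwarded-* and RFC 7239
    Forwarded values are honoured only from a trusted peer or with insecure=True;
    otherwise they are dropped and the proxy writes its own observed values."""
    trusted = insecure or is_trusted(client_ip, trusted_ips)
    kept: Dict[str, str] = {}
    dropped: Dict[str, str] = {}
    for name, value in headers.items():
        lname = name.lower()
        if (lname.startswith("x-forwarded-") or lname == "forwarded") and not trusted:
            dropped[name] = value
        else:
            kept[name] = value
    # The proxy is authoritative for the peer address: append it to any trusted chain.
    chain = _pop(kept, "X-Forwarded-For")
    kept["X-Forwarded-For"] = f"{chain}, {client_ip}" if chain else client_ip
    host = next((v for k, v in kept.items() if k.lower() == "host"), "")
    kept["X-Forwarded-Host"] = _pop(kept, "X-Forwarded-Host") or host
    kept["X-Forwarded-Proto"] = _pop(kept, "X-Forwarded-Proto") or scheme
    return kept, dropped
```

With an empty trusted list, as in the question's entryPoints config, every client-supplied forwarding header is dropped and the upstream only ever sees values the proxy itself derived.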