I'm using traefik 1.7 as my kubernetes ingress controller, and found several specific issues detailed below. I'm wondering whether upgrading to traefik 2 will solve these issues, or maybe whether they can be solved under 1.7.
-
With every incoming HTTP request, traefik automatically adds the client IP address to the HTTP headers
X-Forwarded-ForandX-Real-IP. When the incoming request already have these headers, traefik appends the new client IP toX-Forwarded-For, but keepsX-Real-IPunchanged. This allows clients to spoofX-Real-IP. -
When the request is a WebSocket request, traefik does not add
X-Forwarded-For, onlyX-Real-IP.
These two issues combined means I have no reliable way of retrieving the real client IP address for WebSocket requests. I can't use X-Forwarded-For because it's not there, and I can't use X-Real-IP because it can be trivially spoofed by the client.
Ultimately, I just need to get client IP addresses for incoming WebSocket requests. Can traefik do that, either with 1.x or 2.x?