WebSockets, X-Forwarded-For and X-Real-IP spoofing

I'm using traefik 1.7 as my kubernetes ingress controller, and found several specific issues detailed below. I'm wondering whether upgrading to traefik 2 will solve these issues, or maybe whether they can be solved under 1.7.

  • With every incoming HTTP request, traefik automatically adds the client IP address to the HTTP headers X-Forwarded-For and X-Real-IP. When the incoming request already have these headers, traefik appends the new client IP to X-Forwarded-For, but keeps X-Real-IP unchanged. This allows clients to spoof X-Real-IP.

  • When the request is a WebSocket request, traefik does not add X-Forwarded-For, only X-Real-IP.

These two issues combined means I have no reliable way of retrieving the real client IP address for WebSocket requests. I can't use X-Forwarded-For because it's not there, and I can't use X-Real-IP because it can be trivially spoofed by the client.

Ultimately, I just need to get client IP addresses for incoming WebSocket requests. Can traefik do that, either with 1.x or 2.x?