Traefik: v3.3.4
Chart: v34.4.1
I had (almost) the same issue:
...
X-Forwarded-For: 49.12.ccc.ddd, 34.128.ccc.ddd, 10.0.0.19
X-Forwarded-Host: whoami.mydomain.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: traefik-574cb6b4c5-xjtsr
X-Real-Ip: 10.0.0.19 <<<----------
...
I've tried a lot of settings, but none of them worked. The solution was to start using the RealIP Plugin:
github.com/soulbalz/traefik-real-ip
that will properly populate the X-Real-Ip header.
Below are my adjustments to the Helm chart:
- TrustedIPs from my VPC subnet
ports:
  web:
    ...
    forwardedHeaders:
      trustedIPs:
        - "10.0.0.0/8"
      insecure: false
    ...
- Plugin install
experimental:
  plugins:
    real-ip:
      moduleName: "github.com/soulbalz/traefik-real-ip"
      version: "v1.0.3"
- Middleware for this plugin, as an extraObjects entry
extraObjects:
  ...
  - apiVersion: traefik.io/v1alpha1
    kind: Middleware
    metadata:
      name: real-ip
      namespace: traefik
    spec:
      plugin:
        real-ip:
          excludednets:
            # Load balancer IPs
            # - "34.128.ccc.ddd/32"
            # or dummy IP
            - "1.1.1.1/32"
Note: I've added my reserved IP address (that's attached to the GCP Load Balancer) in the excludednets because I have a chain of 3 IPs in X-Forwarded-For.
In your case, with only 2 IPs, use the dummy one, in order to be able to create the Middleware.
- Apply Middleware to all services
additionalArguments:
  ...
  - "--entrypoints.web.http.middlewares=traefik-real-ip@kubernetescrd"
  ...
- Proper output
X-Forwarded-For: 49.12.ccc.ddd, 34.128.ccc.ddd, 10.0.0.19
X-Forwarded-Host: whoami.mydomain.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: traefik-574cb6b4c5-xjtsr
X-Real-Ip: 49.12.ccc.ddd
...
Hope this will help.
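
The Go code below is an added example (not part of the original post, and not the plugin's code) of one common way to pick a client address from a chain like the one above: walk X-Forwarded-For from right to left and stop at the first hop outside the trusted proxy ranges, so entries a client prepends itself are never used. The addresses 203.0.113.7, 198.51.100.10 and 192.0.2.66 are constructed stand-ins for the redacted client and load balancer IPs, and `clientIP`, `inAny` and `trustedNets` are hypothetical names.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// clientIP walks X-Forwarded-For from right to left and returns the first
// address that is not inside a trusted proxy network. Anything to the left of
// that address was supplied by an untrusted party and is ignored.
func clientIP(xff string, trusted []netip.Prefix) (netip.Addr, bool) {
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		addr, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			return netip.Addr{}, false // malformed hop: fail closed
		}
		if !inAny(addr.Unmap(), trusted) {
			return addr.Unmap(), true
		}
	}
	return netip.Addr{}, false // every hop was a trusted proxy
}

func inAny(a netip.Addr, nets []netip.Prefix) bool {
	for _, n := range nets {
		if n.Contains(a) {
			return true
		}
	}
	return false
}

// Constructed values: 10.0.0.0/8 is the VPC range from the post;
// 198.51.100.10 stands in for the load balancer's reserved address.
func trustedNets() []netip.Prefix {
	return []netip.Prefix{
		netip.MustParsePrefix("10.0.0.0/8"),
		netip.MustParsePrefix("198.51.100.10/32"),
	}
}

func main() {
	spoofed := "192.0.2.66, 203.0.113.7, 198.51.100.10, 10.0.0.19" // client sent its own XFF
	fmt.Println(clientIP("203.0.113.7, 198.51.100.10, 10.0.0.19", trustedNets()))
	fmt.Println(clientIP(spoofed, trustedNets()))
}
```

Both calls resolve to 203.0.113.7: the prepended 192.0.2.66 sits to the left of the first untrusted hop and is never considered.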