hi folks, maybe someone has had a similar issue and can help me with a solution.
my infrastructure looks like
AWS load balancer -> AWS EC2 -> Docker Swarm -> Traefik -> FastAPI server. My Traefik docker service looks like
traefik:
  image: traefik:v2.8.7
  deploy:
    placement:
      constraints: [ node.role == manager ]
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik.rule=Host(`lb.${DOMAIN}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.routers.traefik.entrypoints=websecure
      # - traefik.http.routers.traefik.tls=true
      - traefik.http.routers.traefik.tls.certresolver=le
      # required by swarm but not used
      - traefik.http.services.traefik.loadbalancer.server.port=888
      # both middlewares in one label: a label key can only appear once per service,
      # so listing "middlewares" twice keeps a single value and silently drops the other
      - traefik.http.routers.traefik.middlewares=secured_traefik,admin
      # security headers middleware
      - traefik.http.middlewares.secured_traefik.headers.framedeny=true
      - traefik.http.middlewares.secured_traefik.headers.browserxssfilter=true
      - traefik.http.middlewares.secured_traefik.headers.contentTypeNosniff=true
      - traefik.http.middlewares.secured_traefik.headers.stsIncludeSubdomains=true
      - traefik.http.middlewares.secured_traefik.headers.stsPreload=true
      - traefik.http.middlewares.secured_traefik.headers.stsSeconds=31536000
      # basic auth middleware for the dashboard/API
      # (htpasswd hashes contain "$"; inside a compose file each "$" has to be written "$$")
      - traefik.http.middlewares.admin.basicauth.users=$BASIC_ADMIN_AUTH
      # a middleware can only be of one type, so an ipwhitelist cannot be attached to the
      # "secured_traefik" headers middleware, and ipwhitelist also requires a sourcerange;
      # disabled until it gets its own name and a source range
      # - traefik.http.middlewares.secured_traefik.ipwhitelist.ipstrategy.depth=2
  command:
    - --entrypoints.web.address=:80
    - --entrypoints.websecure.address=:443
    # these two lines make :80 accept X-Forwarded-* headers from any peer (spoofable);
    # they only apply to the "web" entrypoint, the ALB traffic arriving on :443
    # ("websecure") has no forwardedHeaders setting at all
    - --entrypoints.web.forwardedHeaders.trustedIPs=0.0.0.0/0
    - --entryPoints.web.forwardedHeaders.insecure
    - --entrypoints.web.http.redirections.entryPoint.to=websecure
    - --entrypoints.web.http.redirections.entryPoint.scheme=https
    - --entrypoints.web.http.redirections.entrypoint.permanent=true
    - --entrypoints.web.http.redirections.entrypoint.priority=1000
    - --providers.docker=true
    - --providers.docker.swarmMode=true
    - --providers.docker.exposedByDefault=false
    - --providers.file.filename=/dynamic.yaml
    - --api=true
    # api.insecure serves the dashboard without auth on :8080 inside the container
    # network; the authenticated api@internal router above makes it unnecessary
    - --api.insecure=true
    - --accesslog=true
    - --log.level=DEBUG
    - --certificatesresolvers.le.acme.httpchallenge=true
    - --certificatesresolvers.le.acme.httpchallenge.entrypoint=web
    - --certificatesresolvers.le.acme.email=$LETSENCRYPT_EMAIL
    - --certificatesresolvers.le.acme.storage=/acme.json
  ports:
    # Listen on port 80, default for HTTP, necessary to redirect to HTTPS
    - target: 80
      published: 80
      mode: host
      protocol: tcp
    # Listen on port 443, default for HTTPS
    - target: 443
      published: 443
      mode: host
      protocol: tcp
  volumes:
    # the read-only mount still gives Traefik full Docker API access (needed by the docker provider)
    - /var/run/docker.sock:/var/run/docker.sock:ro
    - ./etc/acme.json:/acme.json
    - ./etc/dynamic.yaml:/dynamic.yaml
  networks:
    - default
  logging:
    driver: awslogs
    options:
      awslogs-group: dev-traefik
      awslogs-region: us-east-1
and from whoami I'm getting:
Hostname: 2be96f26564e
IP: 127.0.0.1
IP: ::1
IP: 10.0.3.61
IP: fe80::42:aff:fe00:33d
IP: 172.18.0.12
IP: fe80::42:acff:fe12:c
IP: 10.0.1.143
IP: fe80::42:aff:fe00:18f
RemoteAddr: 10.0.1.154:49230
GET / HTTP/1.1
Host: whoami.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9,ru;q=0.8
Cache-Control: max-age=0
Priority: u=0, i
Sec-Ch-Ua: "Google Chrome";v="125", "Chromium";v="125", "Not.A/Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
X-Amzn-Trace-Id: Root=1-664cf981-35d64af43b9dac2c77ae602d
X-Forwarded-For: 172.31.37.160
X-Forwarded-Host: whoami.example.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: 8445b0679841
X-Real-Ip: 172.31.37.160
so how do I need to set this up to see the client's real IP?
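Added example for this thread, not code from the original post and not Traefik's or AWS's own code: a small model of what happens to X-Forwarded-For on the path client -> ALB -> Traefik -> backend, run with the websecure entrypoint trusting nothing (the config in the post), trusting the VPC, and with a client that sends its own forged header. All addresses are constructed: 203.0.113.10 is the internet client, 172.31.37.160 the ALB node (the value in the whoami output above), 172.31.0.0/16 an assumed VPC CIDR, 10.0.1.154 Traefik's overlay address and 10.0.0.0/8 an assumed Swarm overlay range.

```python
"""Model of X-Forwarded-For handling for client -> AWS ALB -> Traefik -> backend.

Added example for this thread; not code from the post, Traefik or AWS.
Addresses below are constructed (see the lead-in).
"""
import ipaddress

XFF = "X-Forwarded-For"
X_HEADERS = (XFF, "X-Forwarded-Host", "X-Forwarded-Port", "X-Forwarded-Proto", "X-Real-Ip")

VPC = ["172.31.0.0/16"]      # assumption: VPC CIDR the ALB nodes live in
OVERLAY = ["10.0.0.0/8"]     # assumption: Swarm overlay range Traefik connects from
CLIENT, ALB, TRAEFIK = "203.0.113.10", "172.31.37.160", "10.0.1.154"


def is_trusted(ip: str, cidrs) -> bool:
    """True if ip parses and falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:       # garbage in a header is never a trusted proxy
        return False
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def append_xff(headers: dict, ip: str) -> dict:
    """Standard proxy behaviour: append the connecting peer to X-Forwarded-For."""
    out = dict(headers)
    out[XFF] = f"{out[XFF]}, {ip}" if out.get(XFF) else ip
    return out


def alb_hop(client_ip: str, headers: dict) -> tuple:
    """The ALB appends the connecting client to X-Forwarded-For (a client-sent
    value stays in front of it) and connects onward from its own address."""
    return ALB, append_xff(headers, client_ip)


def traefik_hop(remote_ip: str, headers: dict, trusted_cidrs) -> tuple:
    """Entrypoint forwardedHeaders behaviour: unless the peer is in trustedIPs the
    incoming X-Forwarded-* headers are dropped; X-Real-Ip is then set to the peer
    if absent and the peer is appended to X-Forwarded-For."""
    out = dict(headers)
    if not is_trusted(remote_ip, trusted_cidrs):
        for h in X_HEADERS:
            out.pop(h, None)
    out.setdefault("X-Real-Ip", remote_ip)
    return TRAEFIK, append_xff(out, remote_ip)


def client_ip(remote_ip: str, headers: dict, trusted_cidrs) -> str:
    """What the backend should do: walk the chain from the right (the peer that
    actually connected) over proxies we trust and stop at the first address that
    is not ours. Never take the leftmost entry: the client controls it."""
    chain = [p.strip() for p in headers.get(XFF, "").split(",") if p.strip()]
    chain.append(remote_ip)
    for ip in reversed(chain):
        if not is_trusted(ip, trusted_cidrs):
            return ip
    return chain[0]          # every hop was ours; fall back to the first one


def backend_view(websecure_trusted, client_headers=None) -> tuple:
    """One request client -> ALB -> Traefik with the given websecure trustedIPs;
    returns what the backend sees: (RemoteAddr, X-Forwarded-For)."""
    remote, hdrs = alb_hop(CLIENT, dict(client_headers or {}))
    remote, hdrs = traefik_hop(remote, hdrs, websecure_trusted)
    return remote, hdrs[XFF]


if __name__ == "__main__":
    # 1. The post's config: websecure trusts nothing, so Traefik discards the
    #    ALB's header and the backend only ever sees the ALB address.
    print(backend_view([]))
    # 2. Trust the VPC on websecure: the client address survives the hop.
    remote, xff = backend_view(VPC)
    print(xff, "->", client_ip(remote, {XFF: xff}, VPC + OVERLAY))
    # 3. Forged header from the client: rightmost-untrusted selection still
    #    yields the real client; trusting 0.0.0.0/0 at selection yields the lie.
    remote, xff = backend_view(VPC, {XFF: "198.51.100.7"})
    print(xff, "->", client_ip(remote, {XFF: xff}, VPC + OVERLAY))
    print(client_ip(remote, {XFF: xff}, ["0.0.0.0/0"]))
```

Scenario 1 reproduces the whoami output in the post (RemoteAddr is Traefik's overlay address, X-Forwarded-For holds only the ALB). Scenario 2 corresponds to giving the websecure entrypoint a trusted range, i.e. `--entrypoints.websecure.forwardedHeaders.trustedIPs=172.31.0.0/16` with your real VPC CIDR in place of the assumed one, instead of the `web`-only settings in the post. Scenario 3 is why the trusted range should be the VPC and not 0.0.0.0/0, and why whatever reads the header on the FastAPI side has to walk it from the right over the proxies it trusts rather than take the first entry.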