X Forwarded For Header added by Traefik

At what point does Traefik add the XFF header when there is a middleware modifying it? If it is before the middleware is called, it is not working as expected. If it is after, what should be the trusted hosts configuration so that whatever the middleware adds is kept as such without appending to it?

Right now, no matter what, traefik adds the XFF after the middleware sets it, making the last IP which is considered by the application to be traefik's IP. Also, regardless of adding that set value to the trusted hosts, I still see it appended.

If I do not understand wrongly. The X-Forwarded-* are set via the EntryPoint: Forwarded Headers [1]

Forwarded Headers

You can configure Traefik to trust the forwarded headers information ( X-Forwarded-* ).

forwardedHeaders.trustedIPs: Trusting Forwarded Headers from specific IPs.

forwardedHeaders.insecure: Insecure Mode (Always Trusting Forwarded Headers).

[1] Traefik EntryPoints Documentation - Traefik

Yes. I tried setting as such:

  websecure:
    address: :443
    forwardedHeaders:
      insecure: true

No change, the XFF was still being appended to by traefik's host IP. Not the container IP. That is what surprised me as well.