I installed k3s and Traefik is the default Ingress controller there. However, when forwarding requests from external network into internal Kubernetes, X-Forwarded-For header is missing. X-Real-IP exists but Forwarded-For is missing. If I add X-Forwarde-For header manually (for example with Postman), then the value is shown. So I know Traefik doesn't remove the header value but it doesn't seem to add the header value either.
Does Traefik add X-Forwarded-For header to all forwarded requests? Can anyone show in the code where it is done? Which file, method? I'd like to understand what I am doing wrong.
I read the code and I see, that X-Forwarded-For header is only added when it is present in incoming request. But in cases where Traefik is used as the only load balancer and is internet facing, then the X-Forwarded-For header is not added to the request. This make ip_whitelist middleware usage tricky as ipwhitelist uses X-Forwaded-For header.
I would love, if X-Forwarded-For header is added the same way that X-Real-IP is added (added if not present). This would make it possible to use ipwhitelist.
Is it possible to use ipwhitelist with X-Real-IP header?
Thanks for sharing me more details about your use case.
Yes you are right, we are not adding the X-Forwarded-For header, I discovered it aswell.
The reason is that this header is added by the go's ReverseProxy just before forwarding the request.
So the header is not available in the middleware, except if Traefik is not the first element of the chain of proxy.
If I understand correctly, your Traefik is the first element, and so you should configure the IPWhitelist middleware to use the remote addresses. It can be done by configuring only the sourcerange.
It is not explicit in the doc, but you can find the details here.