X-Forwarded-For missing

I installed k3s, and Traefik is the default Ingress controller there. However, when forwarding requests from an external network into internal Kubernetes, the X-Forwarded-For header is missing. X-Real-IP exists but Forwarded-For is missing. If I add the X-Forwarded-For header manually (for example with Postman), then the value is shown. So I know Traefik doesn't remove the header value, but it doesn't seem to add the header value either.

Does Traefik add X-Forwarded-For header to all forwarded requests? Can anyone show in the code where it is done? Which file, method? I'd like to understand what I am doing wrong.

Hi @Margus,
Thanks for your interest in Traefik.

Traefik always adds X-Forwarded-* headers to forwarded requests. You can find all of them here.

Internally, it is done thanks to a middleware which is added to all routers. You can find the middleware here.

Feel free to ask if you need more help on the subject.


Thank you for the quick answer!

I read the code and I see that the X-Forwarded-For header is only added when it is present in the incoming request. But in cases where Traefik is used as the only load balancer and is internet facing, the X-Forwarded-For header is not added to the request. This makes ip_whitelist middleware usage tricky, as ipwhitelist uses the X-Forwarded-For header.

I would love it if the X-Forwarded-For header were added the same way that X-Real-IP is added (added if not present). This would make it possible to use ipwhitelist.

Is it possible to use ipwhitelist with X-Real-IP header?

Hi @Margus,

Thanks for sharing more details about your use case.

Yes, you are right, we are not adding the X-Forwarded-For header; I discovered it as well.
The reason is that this header is added by Go's ReverseProxy just before forwarding the request.
So the header is not available in the middleware, except if Traefik is not the first element of the chain of proxies.

If I understand correctly, your Traefik is the first element, and so you should configure the IPWhitelist middleware to use the remote addresses. It can be done by configuring only the sourceRange.
It is not explicit in the doc, but you can find the details here.
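
The behaviour described in the last reply, reproduced with Go's standard `httputil.ReverseProxy` as an added example (not Traefik's code and not part of the thread): a handler in front of the proxy sees only the X-Forwarded-For the client sent, while the proxy appends the peer IP just before forwarding. `Probe`, `Result`, the stubbed transport and all addresses are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// Result records what each stage observed for one request.
type Result struct {
	MiddlewareXFF string // X-Forwarded-For seen by a handler placed in front of the proxy
	BackendXFF    string // X-Forwarded-For on the request the proxy sends upstream
	AllowedByPeer bool   // allow-list decision taken from the TCP peer address
}

type roundTrip func(*http.Request) (*http.Response, error)
func (f roundTrip) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }

// Probe runs one request through middleware -> ReverseProxy; peer is the constructed TCP peer.
func Probe(peer, clientXFF, allowCIDR string) Result {
	var res Result
	_, allow, _ := net.ParseCIDR(allowCIDR)
	target, _ := url.Parse("http://backend.invalid") // never dialed: transport is stubbed
	proxy := httputil.NewSingleHostReverseProxy(target)
	proxy.Transport = roundTrip(func(out *http.Request) (*http.Response, error) {
		res.BackendXFF = out.Header.Get("X-Forwarded-For") // set by ReverseProxy itself
		return &http.Response{StatusCode: 200, Header: http.Header{}, Body: http.NoBody}, nil
	})
	edge := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		res.MiddlewareXFF = r.Header.Get("X-Forwarded-For") // client-controlled at the edge
		host, _, _ := net.SplitHostPort(r.RemoteAddr)
		res.AllowedByPeer = allow.Contains(net.ParseIP(host))
		proxy.ServeHTTP(w, r)
	})
	req := httptest.NewRequest("GET", "http://edge.invalid/", nil)
	req.RemoteAddr = peer
	if clientXFF != "" {
		req.Header.Set("X-Forwarded-For", clientXFF)
	}
	edge.ServeHTTP(httptest.NewRecorder(), req)
	return res
}

func main() {
	fmt.Printf("%+v\n", Probe("198.51.100.20:40000", "", "10.0.0.0/8"))
	fmt.Printf("%+v\n", Probe("198.51.100.20:40000", "10.0.0.5", "10.0.0.0/8"))
}
```

In the second call the client-supplied `10.0.0.5` is what an edge middleware would read from the header, while the peer-address check still rejects the request, which is why an allow-list on an internet-facing proxy should match on the remote address.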