The problem I encounter is: all traffic arriving in environment B has the HTTP X-Real-Ip header set to the internal IP address of instance A. This makes some middlewares, like IP whitelists, unusable in that scenario. All incoming traffic is allowed as the whitelist always sees an internal IP address from an allowed address range.
Is there anything I can do about that? Any options I can change when forwarding the TCP traffic from environment A to B to preserve the original real IP from the incoming traffic?
Hi, I had the same issue and the solution was using 'proxyProtocol'.
On the upstream Traefik instance enable proxyProtocol in your dynamic config where you have set up the SNI passthrough (you'll need to reformat if you use yaml instead of toml) - the key bit is loadBalancer.proxyProtocol and the version.
```toml
[tcp.routers]
  [tcp.routers.sni-passthrough]
    entryPoints = ["http","https"]
    rule = "HostSNIRegexp(`<YOUR_DOMAIN>`, `{subdomain:[a-zA-Z0-9-]+}.<YOUR_DOMAIN>`)"
    service = "sni-passthrough-svc"
    [tcp.routers.sni-passthrough.tls]
      passthrough = true

[tcp.services]
  [tcp.services.sni-passthrough-svc]
    [tcp.services.sni-passthrough-svc.loadBalancer]
      [tcp.services.sni-passthrough-svc.loadBalancer.proxyProtocol]
        # Required to enable real IP passthrough to secondary Traefik instance.
        # Add 'entryPoints.https.proxyProtocol.trustedIPs' to secondary instance docker config.
        version = 2
      [[tcp.services.sni-passthrough-svc.loadBalancer.servers]]
        address = "192.168.0.20:443"

# HTTP router and services are unchanged
```
Then in the second Traefik instance I had to enable 'trustedIPs' for proxyProtocol (note, I use commands to do all of my Traefik config, you may be using a static config file instead so might have to amend to suit your file's syntax) - add the IP address of your upstream proxy and also the localhost address (per the Traefik docs' example):
```yaml
traefik:
  command:
    # ProxyProtocol runs at the TCP layer and adds some additional support for identifying the real client IP
    # Enable this to allow the upstream Traefik to pass real IP to second Traefik instance
    # Specify any load balancer/proxy addresses, and add proxyProtocol entry in dynamic config on 'primary' Traefik (Or use all RFC1918 reserved IP ranges: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16)
    - --entryPoints.https.proxyProtocol.trustedIPs=127.0.0.1/32,192.168.0.254
```
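As an added illustration (not part of the answer above, and not Traefik's code), here is a small Python model of what the two settings do together: the upstream proxy prepends a PROXY protocol v2 header carrying the original client address, and the downstream side honours that header only when the TCP peer is in trustedIPs, which is why the list matters: anything that can reach the entrypoint directly could otherwise present a header of its own. The trusted addresses and the backend address are taken from the answer; the header builder, parser and sample client address are constructed here.

```python
"""Model of PROXY protocol v2 between two Traefik instances (added example)."""
import ipaddress
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
# Same peers the answer puts in entryPoints.https.proxyProtocol.trustedIPs.
TRUSTED_IPS = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "192.168.0.254/32")]


def build_v2_header(src_ip, src_port, dst_ip, dst_port):
    """Build the v2 PROXY header (TCP over IPv4 or IPv6) the upstream proxy prepends."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    fam_proto = 0x11 if src.version == 4 else 0x21  # TCP/IPv4 or TCP/IPv6
    body = src.packed + dst.packed + struct.pack("!HH", src_port, dst_port)
    # 0x21 = version 2, command PROXY; then family/protocol and body length.
    return PP2_SIGNATURE + bytes([0x21, fam_proto]) + struct.pack("!H", len(body)) + body


def parse_v2_header(data):
    """Return ((src_ip, src_port), (dst_ip, dst_port), payload) or raise ValueError."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("no PROXY protocol v2 signature")
    ver_cmd, fam_proto = data[12], data[13]
    (length,) = struct.unpack("!H", data[14:16])
    if ver_cmd >> 4 != 2 or len(data) < 16 + length:
        raise ValueError("unsupported version or truncated header")
    body, payload = data[16:16 + length], data[16 + length:]
    if fam_proto == 0x11 and length >= 12:      # IPv4: 4 + 4 + 2 + 2 bytes
        src, dst, ports = body[0:4], body[4:8], body[8:12]
    elif fam_proto == 0x21 and length >= 36:    # IPv6: 16 + 16 + 2 + 2 bytes
        src, dst, ports = body[0:16], body[16:32], body[32:36]
    else:
        raise ValueError("unsupported address family")
    src_port, dst_port = struct.unpack("!HH", ports)
    return ((str(ipaddress.ip_address(src)), src_port),
            (str(ipaddress.ip_address(dst)), dst_port), payload)


def real_client_ip(peer_ip, data):
    """Downstream rule: honour the header only when the TCP peer is a trusted proxy."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_IPS):
        return peer_ip  # untrusted peer: its header is ignored, the TCP peer is the client
    (src_ip, _), _, _ = parse_v2_header(data)
    return src_ip
```

With the header sent from 192.168.0.254 the downstream side recovers the original client address; the same bytes arriving from any other peer are ignored and that peer's own address is used.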