Running Traefik 3.6.8 as a Docker Container with Suricata 8.0.3 inspecting in detect only mode.
This network has IPv4 and IPv6 for internal FQDNs, and all of the Traefik file-configured service addresses are mapped to local FQDNs (for example, a service configured as nginx01.homelab.home has both an IPv4 and an IPv6 address, and both work).
Oddity:
When Traefik routes traffic to a service and adds an XFF header to the request, it seems to always add the IPv6 address to the XFF even when it actually uses IPv4 to accomplish its goal.
Minor detail, maybe, but under some levels of control that means it isn’t doing what it says it is doing.
This next bit is barely related, but ideally XFF is doing everything as it should/etc and I want to make sure I understand XFF…
I have a message in to Suricata’s board because, if the XFF config in Suricata is set to “reverse” and a request is going from Traefik to Nginx, and Suricata alerts on the traffic, then the XFF appears to get parsed incorrectly (two IPs, and it chooses the wrong one, the last one).
Yet, if the response from the Nginx server is where the alert hits, the XFF appears to be parsed correctly (one IP, it chooses correctly) by Suricata.
I realize that I’m asking about one issue and adding a barely related second issue, and further, my intent is to better understand how XFF is to be used as it is used across the hosts that interact with it.
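To make the two selection rules concrete, here is an added example (my own code, not Traefik's, Nginx's or Suricata's) that parses a constructed X-Forwarded-For value carrying both an IPv6 and an IPv4 hop, applies the rule Suricata's suricata.yaml comments describe ("forward" takes the first address, "reverse" takes the last), and contrasts that with the safer approach of walking back past proxies you trust. The sample header and the trusted network 192.0.2.0/24 are assumptions for the demonstration.

```python
"""Parse X-Forwarded-For and show which hop each selection rule picks."""
import ipaddress
from typing import List, Optional, Sequence, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_xff(header_values: Sequence[str]) -> List[IPAddr]:
    """Flatten one or more XFF header values into an ordered hop list.

    Leftmost is the address the first proxy saw; each proxy appends its
    upstream on the right. Any token that is not an IP raises ValueError,
    since a malformed XFF should not silently yield a 'client' address.
    """
    addrs: List[IPAddr] = []
    for value in header_values:
        for token in value.split(","):
            token = token.strip()
            if token:
                addrs.append(ipaddress.ip_address(token))
    return addrs


def pick_by_deployment(addrs: Sequence[IPAddr], deployment: str) -> Optional[IPAddr]:
    """Documented Suricata rule: 'forward' uses the first hop, 'reverse' the last."""
    if not addrs:
        return None
    if deployment == "forward":
        return addrs[0]
    if deployment == "reverse":
        return addrs[-1]
    raise ValueError(f"unknown deployment {deployment!r}")


def pick_behind_trusted_proxies(addrs: Sequence[IPAddr], trusted: Sequence[str]) -> Optional[IPAddr]:
    """Strip hops that belong to trusted proxy networks from the right, then take
    the rightmost remaining hop. Anything left of it is attacker-controllable."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    remaining = list(addrs)
    while remaining and any(remaining[-1] in n for n in nets):
        remaining.pop()
    return remaining[-1] if remaining else None


# Constructed sample: an XFF value with an IPv6 hop followed by an IPv4 hop.
SAMPLE_XFF = ["2001:db8::10, 192.0.2.5"]


def summarize(header_values: Sequence[str], trusted: Sequence[str] = ()) -> dict:
    addrs = parse_xff(header_values)
    return {
        "hops": [str(a) for a in addrs],
        "forward": str(pick_by_deployment(addrs, "forward")),
        "reverse": str(pick_by_deployment(addrs, "reverse")),
        "trusted_walk": str(pick_behind_trusted_proxies(addrs, trusted)),
    }
```

Running `summarize(SAMPLE_XFF, trusted=["192.0.2.0/24"])` shows "reverse" returning the IPv4 hop while the trusted-proxy walk returns the IPv6 hop, which is exactly the disagreement to look for when an alert's reported client address seems wrong.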