Double proxy X-Real-Ip incorrect #2619
Comments
I would love to go live with our test setup but this turns out to be a blocking issue for us. Unfortunately I'm no good with Go to debug this but if there is anything I can do to gather more information that can help to resolve the issue, let me know. I'm more than happy to help.
But I think an explanation is missing in the documentation
@juliens thanks for your feedback. Unfortunately there's no RFC covering either of them. I don't believe X-Real-Ip was meant to be used for the previous proxy though. It doesn't add up as you would have headers for that already. Its use is arbitrary but I would expect X-Real-Ip to be the IP of the client. Either way, there's still something out of the ordinary here. We're using ProxyProtocol.TrustedIPs and that doesn't work for us. That's where the issue originates from. Case 1: By external I mean a proxy that runs outside Docker Swarm. Internal means the proxy runs within the same cluster as Traefik. Case 1 works. X-Real-Ip gives back the IP address of the client and ProxyProtocol.TrustedIPs allows us to get to Case 2 fails. X-Real-Ip gives back the IP address of Is this a misconfiguration on our end or a bug in Traefik?
@ju5t you have put the same case, could you edit?
@ldez I'm sorry, I don't understand what you mean there. It was also described in the original post though with a little less text. What do you need me to clear up?
I think there might be a bug in Inside Oxy's
@ju5t Looking at Based on your explanation, where you state that as soon as you move HAProxy out of the docker container and onto a real VM/host, things start working, I would actually advise to inspect the HAProxy settings, as it is what sets the
@aantono thanks for the thorough digging and explanation. In our test case we kept HaProxy inside a Docker container. Instead of running it within the same Docker Swarm setup as Traefik it ran from my local machine without any changes to its configuration. I just found a setting called
It may be that HaProxy isn't sending the
It turns out If you believe this is not a bug in Traefik but a configuration error on our end feel free to close the issue and let me know. In that case I'll take the discussion to Slack.
@ju5t Can you do a TCP packet capture to see the raw request going out? The
@aantono sure.
172.17.0.2 is the IP address of the container running HaProxy. PUBLIC_IP_SERVER is the public address to which we're sending traffic. Apparently HaProxy gets it wrong. I don't always trust Docker's iptables-magic so for now I put the blame on that.
A basic installation of HaProxy works. It sends the correct Thanks so much for all input. This turns out to be an external configuration issue and has nothing to do with Traefik. I will close the issue.
Do you want to request a feature or report a bug?
A (potential) bug.
What did you do?
Our setup:
HaProxy is running inside Docker Swarm.
This means we are proxying traffic twice. The X-Forwarded-For header is passed on according to the tests we do with emilevauge/whoami.
What did you expect to see?
What did you see instead?
X-Forwarded-For headers are generally appended, which means the original IP is on the left, as is the case here. Traefik seems to use 172.18.0.1 and as a result our whitelisting doesn't work.
But as soon as we move HaProxy out of Docker Swarm it seems like Traefik changes the XFF order where the IP on the right is the IP address of the client and it sets X-Real-Ip to 172.18.0.1. I think that it's Traefik because HaProxy has no knowledge of other proxies and only sets XFF to the original IP address.
Output of traefik version: (What version of Traefik are you using?)
What is your environment & configuration (arguments, toml, provider, platform, ...)?
We don't use toml.
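The whitelisting problem in this issue comes down to which entry of the X-Forwarded-For chain is treated as the client. As an added example that is not part of the original thread or of Traefik's code, the following walks the chain right to left and skips hops inside a trusted proxy range; the function names, the 172.18.0.0/16 range and the 203.0.113.x / 198.51.100.x addresses are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// parseCIDRs (hypothetical helper) parses trusted proxy ranges, skipping invalid ones.
func parseCIDRs(cidrs ...string) []*net.IPNet {
	var nets []*net.IPNet
	for _, c := range cidrs {
		if _, n, err := net.ParseCIDR(c); err == nil {
			nets = append(nets, n)
		}
	}
	return nets
}

func isTrusted(ip net.IP, trusted []*net.IPNet) bool {
	for _, n := range trusted {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// clientIP (hypothetical) returns the address a whitelist should be checked against.
func clientIP(peer, xff string, trusted []*net.IPNet) string {
	if p := net.ParseIP(peer); p == nil || !isTrusted(p, trusted) {
		return peer // untrusted peer: any X-Forwarded-For it sent is ignored
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- { // newest hop is on the right
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			break // malformed entry: stop trusting the chain here
		}
		if !isTrusted(ip, trusted) {
			return ip.String() // first hop that is not one of our proxies
		}
	}
	return peer // only trusted hops seen: the real client is not recoverable
}

func main() {
	trusted := parseCIDRs("172.18.0.0/16") // assumed Docker network range
	fmt.Println(clientIP("172.18.0.5", "203.0.113.7, 172.18.0.1", trusted), clientIP("172.18.0.5", "172.18.0.1", trusted))
}
```

The second value printed is the proxy's own peer address: once NAT has replaced the source before the first proxy records it, no header processing downstream can recover the client.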