Incorrect X-FORWARDED-PROTO, X-FORWARDED-PORT for external TLS termination and proxy protocol #9757
Hello @peterkappelt , I am not done fully analysing the situation, so I do not know whether I agree with you on the final expected output yet, but one thing already strikes me as odd: If the external LB is trusted by traefik (which should be the intent of However, you said that you would expect Btw, you say that your browser is
Hi @mpl, sorry for the confusion - I wrote this issue after a long day of debugging symptoms that eventually resulted in this specific problem and had way too many snippets in my clipboard.
Yes, it was a typo, I changed it in the initial comment
I didn't really think about this (yet), for now I just cared about I checked
Cheers!
yeah ok, I think there's a bug. What I believe is happening is that Proxy Protocol changes the result/value of the RemoteAddr() call that is used at some point. In your case, it will return So then, when we get in Hopefully we'll look further into a fix soon.
experiencing the same issue, spent a couple of days struggling with this ... I set
👋 Hi, same issue here. I can't see the client IP in my k8s app when using an NLB. I hope for a resolution.
Hello, We would love community support to address it. If you or another community member would like to build it, let us know and we will work with you to make sure you have all the information needed so that it can be merged. We prefer to work with our community members at the beginning of the design process so that we can make sure that we are aligned and can move quickly with the review and merge process. Let us know here or create a PR before you start and we will work with you there. Don't forget to check out the contributor docs and to link the PR to this issue.
I would like to help with this issue, but I am having problems reproducing it locally. Is it possible to use two instances of Traefik in proxy mode?
@andsarr Sure, thank you!
Do you mean using two Traefik instances, one proxying the other, and using proxy protocol on both, for producing the proxy protocol headers on one side and reading them on the other? If yes, I think so.
This is how I created the test environment (I hope I didn't over-complicate it). I created three Docker containers:

The following figure illustrates the setup: Notice that the elb has two network interfaces. I used mkcert to set up HTTPS support in the elb. So, when I execute curl this is what I get:

I also double-checked that the PROXY Header was being sent using If I understood correctly, the issue is that I should get this answer instead:

Could you confirm @peterkappelt, @mpl, @rtribotte ? To reproduce my steps, here are the files I am using: I didn't include the SSL certificate, but one can be easily generated using
I am a bit late, but you can inject your own PROXY protocol header via plain HTTP requests:

```shell
# Use `printf` command to format a raw HTTP request with plaintext PROXY header prepended,
# then pipe into netcat to send to `localhost:80`:
printf "PROXY TCP4 10.20.30.40 172.16.13.37 12345 44380\r\nGET / HTTP/1.1\r\nHost: http-without-redirect.test\r\n\r\n" | nc -w 1 localhost 80
```

Within a Docker Compose config, you can quite easily set up containers all within the same network for better IP assignments and minimizing gotchas. For example since you sent the I wrote a little proxy CLI program to do similar to the If no trusted IP is configured, raw TCP is forwarded, so untrusted clients can sneak a header through but I think that's intentional/expected to blindly forward and not make assumptions (since there's a small possibility of the data randomly being a PROXY header but legitimate traffic routed to a destination that doesn't expect a PROXY header, thus discarding by default may be bad?). The docs don't mention this though and the two config options available imply:

Which I think requires adding an IP that shouldn't be a client (but not the subnet gateway IP either of course), if you want to discard any incoming PROXY headers for TCP routers?
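Taking mpl's diagnosis above (proxy protocol rewrites the address that the later trust check reads) together with polarathene's hand-built PROXY line, here is a small Go model of the two trust decisions, added as an example for this thread. It is not Traefik's code: the `Handle` and `IssueConfig` names, the policy of dropping a PROXY line that comes from a peer outside `proxyProtocol.trustedIPs`, and the sample byte stream are constructed for illustration, and it only models `X-Forwarded-Proto` and `X-Forwarded-Port`. The `checkPeer` flag switches the `forwardedHeaders.trustedIPs` check between the PROXY-supplied client address (which reproduces the reported http/8181 result for the issue's flags) and the real TCP peer (which yields the expected https/443).

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"net/http"
	"net/netip"
	"strconv"
	"strings"
)

// Config mirrors the entry point's proxyProtocol.trustedIPs and forwardedHeaders.trustedIPs lists.
type Config struct {
	EntryPort        int            // port the entry point listens on (8181 in the issue)
	ProxyTrusted     []netip.Prefix // peers allowed to send a PROXY header
	ForwardedTrusted []netip.Prefix // peers whose X-Forwarded-* headers are kept
}

// Result is what the backend observes after the entry point has processed the connection.
type Result struct {
	ClientIP       netip.Addr
	ForwardedProto string
	ForwardedPort  string
}

// IssueConfig reproduces the flags from the issue's "What did you do?" section.
func IssueConfig() Config {
	lb := []netip.Prefix{netip.MustParsePrefix("10.11.0.200/32")}
	return Config{EntryPort: 8181, ProxyTrusted: lb, ForwardedTrusted: lb}
}

// SampleConn is a constructed byte stream as the load balancer would send it:
// a PROXY v1 line naming the real client, then the forwarded HTTP request.
var SampleConn = []byte("PROXY TCP4 80.1.2.3 10.11.0.200 51234 443\r\n" +
	"GET / HTTP/1.1\r\nHost: example.test\r\nX-Forwarded-Proto: https\r\nX-Forwarded-Port: 443\r\n\r\n")
func inAny(ip netip.Addr, nets []netip.Prefix) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}
// parseProxyV1 extracts the source address from "PROXY TCP4 <src> <dst> <sport> <dport>".
func parseProxyV1(line string) (netip.Addr, error) {
	f := strings.Fields(line)
	if len(f) != 6 || f[0] != "PROXY" || (f[1] != "TCP4" && f[1] != "TCP6") {
		return netip.Addr{}, fmt.Errorf("malformed PROXY v1 line %q", line)
	}
	return netip.ParseAddr(f[2])
}

// Handle models one accepted connection (peer = TCP peer, raw = bytes on the socket). checkPeer=false
// checks forwardedHeaders trust against the PROXY-supplied client (the reported behaviour), true against peer.
func Handle(peer netip.Addr, raw []byte, cfg Config, checkPeer bool) (Result, error) {
	client := peer
	br := bufio.NewReader(bytes.NewReader(raw))
	if bytes.HasPrefix(raw, []byte("PROXY ")) {
		line, err := br.ReadString('\n')
		if err != nil {
			return Result{}, err
		}
		// Only a peer on proxyProtocol.trustedIPs may rewrite the client address; any other
		// peer's PROXY line is dropped and the peer stays the client (modelling assumption).
		if inAny(peer, cfg.ProxyTrusted) {
			if client, err = parseProxyV1(strings.TrimSpace(line)); err != nil {
				return Result{}, err
			}
		}
	}
	req, err := http.ReadRequest(br)
	if err != nil {
		return Result{}, err
	}
	// Defaults the entry point sets itself: plain HTTP on its own port.
	res := Result{ClientIP: client, ForwardedProto: "http", ForwardedPort: strconv.Itoa(cfg.EntryPort)}
	checkAddr := client
	if checkPeer {
		checkAddr = peer // the machine that actually sent the headers
	}
	if inAny(checkAddr, cfg.ForwardedTrusted) {
		if v := req.Header.Get("X-Forwarded-Proto"); v != "" {
			res.ForwardedProto = v
		}
		if v := req.Header.Get("X-Forwarded-Port"); v != "" {
			res.ForwardedPort = v
		}
	}
	return res, nil
}

func main() {
	for _, checkPeer := range []bool{false, true} {
		r, err := Handle(netip.MustParseAddr("10.11.0.200"), SampleConn, IssueConfig(), checkPeer)
		fmt.Printf("checkPeer=%v client=%s proto=%s port=%s err=%v\n", checkPeer, r.ClientIP, r.ForwardedProto, r.ForwardedPort, err)
	}
}
```

Running it prints one line per mode for the issue's addresses. The same model also shows why the trust list for PROXY headers must be keyed on the real peer: a direct client that prepends its own PROXY line naming the load balancer is left with its own address as the client, so neither the client IP nor the forwarded headers can be set by a peer outside `proxyProtocol.trustedIPs`.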
Thanks for the tip @polarathene, it is helping me a lot!
Welcome!
What did you do?
I think I've discovered an edge case (or myself not completely understanding the docs) that relates to setting the `X-FORWARDED-PROTO` and `-PORT` when proxy protocol is enabled. I was able to reproduce the bug with this minimal setup:

- `80.1.2.3`
- `10.11.0.200`
- `X-Forwarded-Proto https`, `X-Forwarded-Port 443`
- `--entrypoints.web.address=:8181/tcp --entrypoints.web.forwardedHeaders.trustedIPs=10.11.0.200 --entrypoints.web.proxyProtocol.trustedIPs=10.11.0.200`
I'd expect the sample app to receive those headers:
What did you see instead?
Traefik forwards the headers, except for `X-FORWARDED-PROTO` and `-PORT`. The sample app receives:

I can get the expected `x-forwarded-proto` and `x-forwarded-port` by:

- `forwardedHeaders.trustedIPs=0.0.0.0/0` (or `forwardedHeaders.insecure=true`)
- `forwardedHeaders.trustedIPs=80.1.2.3` (my client IP)

None of this is really suitable for production.

As it seems, traefik uses the client ip as the source ip when determining whether it is a trusted ip for header forwarding, when proxy protocol is enabled. I'd still expect traefik to use the actual source ip (load balancer).
What version of Traefik are you using?
```
Version:      2.9.6
Codename:     banon
Go version:   go1.19.4
Built:        2022-12-07T14:17:58Z
OS/Arch:      linux/amd64
```
What is your environment & configuration?
See description and cases above
If applicable, please paste the log output in DEBUG level
No response