
X-Forwarded-For behind CDN and AWS NLB #9898

Closed
yongzhang opened this issue May 18, 2023 · 1 comment

Comments


yongzhang commented May 18, 2023

Welcome!

  • Yes, I've searched similar issues on GitHub and didn't find any.
  • Yes, I've searched similar issues on the Traefik community forum and didn't find any.

What did you do?

I have infra like this:

CDN -> AWS NLB (listens on 443 and does TLS termination) -> Traefik

Proxy protocol v2 is enabled in the target group and in Traefik.

Traefik is deployed in AWS EKS using the VPC CNI plugin, so the IPs of the Traefik pods are VPC IPs, and these IPs are registered into the target group directly by the AWS load balancer controller.

I have a whoami service behind Traefik; when requesting this domain, I got:

RemoteAddr: 10.120.28.211:59468
X-Forwarded-For: 123.123.123.123  < this is cdn node IP, not my internet outbound IP
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Real-Ip: 123.123.123.123  < this is cdn node IP, not my internet outbound IP

What did you see instead?

I see only CDN node IP in X-Forwarded-For: 123.123.123.123.

I updated my access log configuration to keep the X-Forwarded-For field. I see no such field when receiving requests. I already added 10.120.0.0/16, which is my VPC CIDR, to trustedIPs; should that be enough?

I would expect:

X-Forwarded-For: 111.111.111.111, 123.123.123.123   < suppose 111.111.111.111 is my real client IP
X-Real-Ip: 111.111.111.111

And it seems like X-Forwarded-Port and X-Forwarded-Proto are also not correct (separate issue, maybe).

What version of Traefik are you using?

v2.9.10

What is your environment & configuration?

[global]
  checkNewVersion = false
  sendAnonymousUsage = false

[log]
  level = "INFO"
  format = "json"

[accesslog]
  format = "json"
  [accessLog.fields]
    [accessLog.fields.headers]
      [accessLog.fields.headers.names]
        "X-Forwarded-For" = "keep"

[api]
  insecure = true
  dashboard = true

[entryPoints]
  [entryPoints.traefik]
    address = ":8081"
    [entryPoints.traefik.proxyProtocol]
      trustedIPs = ["127.0.0.1/32", "10.120.0.0/16"]
  [entryPoints.web]
    address = ":8080"
    [entryPoints.web.proxyProtocol]
      trustedIPs = ["127.0.0.1/32", "10.120.0.0/16"]
    [entryPoints.web.forwardedHeaders]
      trustedIPs = ["127.0.0.1/32", "10.120.0.0/16"]

[providers]
...

If applicable, please paste the log output in DEBUG level

No response
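As an added illustration of the trusted-proxy rule that decides what ends up in X-Forwarded-For in a setup like the one reported (example code written for this page, not Traefik's implementation): the client address is taken from the forwarded chain only when the peer that delivered the request is in the trusted list, otherwise the peer itself is reported. The CDN range 123.123.123.0/24 used in the test is an assumed value, not something from the report.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// trusted reports whether ip lies in one of the CIDRs, a stand-in for the
// forwardedHeaders.trustedIPs list in the issue. Malformed CIDRs are skipped.
func trusted(ip net.IP, cidrs []string) bool {
	for _, c := range cidrs {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP applies the usual trusted-proxy rule: X-Forwarded-For is believed
// only if the peer that delivered the request (with PROXY protocol, the source
// the load balancer reported) is trusted; the chain is then walked from the
// right and the first untrusted hop is the client. Otherwise the peer itself is
// reported, which is what the issue shows (the CDN node IP, header discarded).
func ClientIP(remoteAddr, xff string, cidrs []string) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // no port present
	}
	peer := net.ParseIP(host)
	if peer == nil || !trusted(peer, cidrs) {
		return host
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			break // empty or malformed entry: fall back to the peer
		}
		if !trusted(ip, cidrs) {
			return ip.String()
		}
	}
	return host
}

func main() {
	vpc := []string{"127.0.0.1/32", "10.120.0.0/16"} // trustedIPs from the issue
	fmt.Println(ClientIP("123.123.123.123:41234", "111.111.111.111", vpc))
}
```

With only the VPC CIDR trusted, a peer address of 123.123.123.123 is untrusted and the header is discarded; adding the CDN's range to the trusted list is what lets the chain be evaluated, and a spoofed value placed left of the CDN's entry is still ignored.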

Contributor

nmengin commented May 25, 2023

Hello @yongzhang,

I am marking this issue as a duplicate of #9757.
Even if the other issue describes a problem with other headers, in our opinion the fix required will solve the issue for all the headers.

@nmengin nmengin closed this as completed May 25, 2023
@traefik traefik locked and limited conversation to collaborators Jun 25, 2023