For weeks, I have been trying to solve this problem. The problem is that the X-Forwarded-For header does not contain the IP address of my client computer. Instead it shows 10.200.0.1 which is the gateway of the pod network of my (single node) Kubernetes K3s cluster.
I installed k3s using the following commands, which installed (and enabled) traefik (2.10) automatically. Operating system is Fedora 40, though that should not matter.
I don't see the IP address of my client in the X-Forwarded-For and/or X-Real-Ip.
The IP of my home computer is:
$ curl -4 ifconfig.io
46.46.192.119
I searched the internet, and there are lots of complaints about this problem, with no clear solution. Some people suggest to use the following, without any explanation of why these IPs, and why in this order, etc.
I tried these too (of course, I adjusted the IPs according to my setup), but to no avail. Unfortunately the documentation on this is not clear, and I see lots of forums full of frustration.
I recently removed k3s from this server, and installed plain docker (and docker-compose) with Traefik 2.11, and it worked. Notice that I used bare minimum CLI arguments to start traefik. OS is still Fedora. (OS was not re-installed).
$ cat whoami-http-ingress.yaml
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: whoami
  namespace: dev
  annotations:
    kubernetes.io/ingress.className: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  rules:
    # Ensure that the DNS address points to the public IP of this server/k3s cluster.
    - host: whoami.dgh.witlineinfra.tech
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: whoami
                port:
                  number: 80
If applicable, please paste the log output in DEBUG level
$ kubectl -n kube-system logs -f traefik-56495f9946-dckjf
time="2024-05-10T16:00:54Z" level=info msg="Configuration loaded from flags."
time="2024-05-10T16:00:54Z" level=info msg="Traefik version 2.10.7 built on 2023-12-06T15:54:59Z"
time="2024-05-10T16:00:54Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true,\"sendAnonymousUsage\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"metrics\":{\"address\":\":9100/tcp\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}},\"traefik\":{\"address\":\":9000/tcp\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}},\"web\":{\"address\":\":8000/tcp\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{\"insecure\":true},\"http\":{},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}},\"websecure\":{\"address\":\":8443/tcp\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{\"insecure\":true},\"http\":{\"tls\":{}},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}}},\"providers\":{\"providersThrottleDuration\":\"2s\",\"kubernetesIngress\":{\"ingressEndpoint\":{\"publishedService\":\"kube-system/traefik\"}},\"kubernetesCRD\":{}},\"api\":{\"dashboard\":true},\"metrics\":{\"prometheus\":{\"buckets\":[0.1,0.3,1.2,5],\"addEntryPointsLabels\":true,\"addServicesLabels\":true,\"entryPoint\":\"metrics\"}},\"ping\":{\"entryPoint\":\"traefik\",\"terminatingStatusCode\":503},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"}}"
time="2024-05-10T16:00:54Z" level=info msg="Stats collection is enabled."
time="2024-05-10T16:00:54Z" level=info msg="Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration."
time="2024-05-10T16:00:54Z" level=info msg="Help us improve Traefik by leaving this feature on :)"
time="2024-05-10T16:00:54Z" level=info msg="More details on: https://doc.traefik.io/traefik/contributing/data-collection/"
time="2024-05-10T16:00:54Z" level=debug msg="Configured Prometheus metrics" metricsProviderName=prometheus
time="2024-05-10T16:00:54Z" level=info msg="Starting provider aggregator aggregator.ProviderAggregator"
time="2024-05-10T16:00:54Z" level=debug msg="Starting TCP Server" entryPointName=metrics
time="2024-05-10T16:00:54Z" level=debug msg="Starting TCP Server" entryPointName=web
time="2024-05-10T16:00:54Z" level=debug msg="Starting TCP Server" entryPointName=websecure
time="2024-05-10T16:00:54Z" level=debug msg="Starting TCP Server" entryPointName=traefik
time="2024-05-10T16:00:54Z" level=info msg="Starting provider *ingress.Provider"
time="2024-05-10T16:00:54Z" level=debug msg="*ingress.Provider provider configuration: {\"ingressEndpoint\":{\"publishedService\":\"kube-system/traefik\"}}"
time="2024-05-10T16:00:54Z" level=info msg="ingress label selector is: \"\"" providerName=kubernetes
time="2024-05-10T16:00:54Z" level=info msg="Creating in-cluster Provider client" providerName=kubernetes
time="2024-05-10T16:00:54Z" level=info msg="Starting provider *crd.Provider"
time="2024-05-10T16:00:54Z" level=debug msg="*crd.Provider provider configuration: {}"
time="2024-05-10T16:00:54Z" level=info msg="Starting provider *acme.ChallengeTLSALPN"
time="2024-05-10T16:00:54Z" level=debug msg="*acme.ChallengeTLSALPN provider configuration: {}"
time="2024-05-10T16:00:54Z" level=warning msg="CRDs API Group \"traefik.containo.us\" is deprecated, and its support will end starting with Traefik v3. Please use the API Group \"traefik.io\" instead." providerName=kubernetescrd
time="2024-05-10T16:00:54Z" level=warning msg="CRDs API Version \"traefik.io/v1alpha1\" will not be supported in Traefik v3 itself. However, an automatic migration path to the next version will be available." providerName=kubernetescrd
time="2024-05-10T16:00:54Z" level=info msg="label selector is: \"\"" providerName=kubernetescrd
time="2024-05-10T16:00:54Z" level=info msg="Creating in-cluster Provider client" providerName=kubernetescrd
time="2024-05-10T16:00:54Z" level=info msg="Starting provider *traefik.Provider"
time="2024-05-10T16:00:54Z" level=debug msg="*traefik.Provider provider configuration: {}"
time="2024-05-10T16:00:54Z" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"ping\":{\"entryPoints\":[\"traefik\"],\"service\":\"ping@internal\",\"rule\":\"PathPrefix(`/ping`)\",\"priority\":2147483647},\"prometheus\":{\"entryPoints\":[\"metrics\"],\"service\":\"prometheus@internal\",\"rule\":\"PathPrefix(`/metrics`)\",\"priority\":2147483647}},\"services\":{\"api\":{},\"dashboard\":{},\"noop\":{},\"ping\":{},\"prometheus\":{}},\"models\":{\"websecure\":{\"tls\":{}}},\"serversTransports\":{\"default\":{\"maxIdleConnsPerHost\":200}}},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=internal
time="2024-05-10T16:00:54Z" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"kube-system-traefik-dashboard-d012b7f875133eeab4e5\":{\"entryPoints\":[\"traefik\"],\"service\":\"api@internal\",\"rule\":\"PathPrefix(`/dashboard`) || PathPrefix(`/api`)\"}}},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=kubernetescrd
time="2024-05-10T16:00:54Z" level=debug msg="Skipping ingress status update" namespace=dev ingress=whoami
time="2024-05-10T16:00:54Z" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"dev-whoami-pserver1-dgh-witlineinfra-tech\":{\"entryPoints\":[\"web\"],\"service\":\"dev-whoami-80\",\"rule\":\"Host(`pserver1.dgh.witlineinfra.tech`) \\u0026\\u0026 PathPrefix(`/`)\"}},\"services\":{\"dev-whoami-80\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.200.0.10:80\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=kubernetes
time="2024-05-10T16:00:54Z" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
time="2024-05-10T16:00:54Z" level=debug msg="Added outgoing tracing middleware ping@internal" routerName=ping@internal entryPointName=traefik middlewareName=tracing middlewareType=TracingForwarder
time="2024-05-10T16:00:54Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2024-05-10T16:00:54Z" level=debug msg="Added outgoing tracing middleware prometheus@internal" routerName=prometheus@internal middlewareName=tracing middlewareType=TracingForwarder entryPointName=metrics
time="2024-05-10T16:00:54Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=metrics
time="2024-05-10T16:00:54Z" level=debug msg="Creating middleware" middlewareType=Metrics entryPointName=web middlewareName=metrics-entrypoint
time="2024-05-10T16:00:54Z" level=debug msg="Creating middleware" middlewareType=Metrics middlewareName=metrics-entrypoint entryPointName=websecure
time="2024-05-10T16:00:54Z" level=debug msg="Creating middleware" entryPointName=metrics middlewareName=metrics-entrypoint middlewareType=Metrics
time="2024-05-10T16:00:54Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareName=metrics-entrypoint middlewareType=Metrics
time="2024-05-10T16:00:54Z" level=debug msg="Creating middleware" middlewareType=Metrics entryPointName=web middlewareName=metrics-entrypoint
time="2024-05-10T16:00:54Z" level=debug msg="Creating middleware" entryPointName=websecure middlewareName=metrics-entrypoint middlewareType=Metrics
time="2024-05-10T16:00:54Z" level=debug msg="Creating middleware" middlewareType=Metrics entryPointName=metrics middlewareName=metrics-entrypoint
time="2024-05-10T16:00:54Z" level=debug msg="Creating middleware" middlewareType=Metrics entryPointName=traefik middlewareName=metrics-entrypoint
time="2024-05-10T16:00:55Z" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
time="2024-05-10T16:00:55Z" level=debug msg="Creating middleware" routerName=dev-whoami-pserver1-dgh-witlineinfra-tech@kubernetes serviceName=dev-whoami-80 middlewareName=pipelining middlewareType=Pipelining entryPointName=web
time="2024-05-10T16:00:55Z" level=debug msg="Creating middleware" middlewareType=Metrics middlewareName=metrics-service entryPointName=web routerName=dev-whoami-pserver1-dgh-witlineinfra-tech@kubernetes serviceName=dev-whoami-80
time="2024-05-10T16:00:55Z" level=debug msg="Creating load-balancer" serviceName=dev-whoami-80 entryPointName=web routerName=dev-whoami-pserver1-dgh-witlineinfra-tech@kubernetes
time="2024-05-10T16:00:55Z" level=debug msg="Creating server 0 http://10.200.0.10:80" entryPointName=web routerName=dev-whoami-pserver1-dgh-witlineinfra-tech@kubernetes serviceName=dev-whoami-80 serverName=0
time="2024-05-10T16:00:55Z" level=debug msg="child http://10.200.0.10:80 now UP"
time="2024-05-10T16:00:55Z" level=debug msg="Propagating new UP status"
time="2024-05-10T16:00:55Z" level=debug msg="Added outgoing tracing middleware dev-whoami-80" entryPointName=web routerName=dev-whoami-pserver1-dgh-witlineinfra-tech@kubernetes middlewareName=tracing middlewareType=TracingForwarder
time="2024-05-10T16:00:55Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=web
time="2024-05-10T16:00:55Z" level=debug msg="Added outgoing tracing middleware ping@internal" entryPointName=traefik routerName=ping@internal middlewareName=tracing middlewareType=TracingForwarder
time="2024-05-10T16:00:55Z" level=debug msg="Added outgoing tracing middleware api@internal" entryPointName=traefik routerName=kube-system-traefik-dashboard-d012b7f875133eeab4e5@kubernetescrd middlewareName=tracing middlewareType=TracingForwarder
time="2024-05-10T16:00:55Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2024-05-10T16:00:55Z" level=debug msg="Added outgoing tracing middleware prometheus@internal" middlewareType=TracingForwarder middlewareName=tracing routerName=prometheus@internal entryPointName=metrics
time="2024-05-10T16:00:55Z" level=debug msg="Creating middleware" entryPointName=metrics middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2024-05-10T16:00:55Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=metrics-entrypoint middlewareType=Metrics
time="2024-05-10T16:00:55Z" level=debug msg="Creating middleware" entryPointName=websecure middlewareName=metrics-entrypoint middlewareType=Metrics
time="2024-05-10T16:00:55Z" level=debug msg="Creating middleware" middlewareName=metrics-entrypoint middlewareType=Metrics entryPointName=metrics
time="2024-05-10T16:00:55Z" level=debug msg="Creating middleware" middlewareName=metrics-entrypoint entryPointName=traefik middlewareType=Metrics
time="2024-05-10T16:00:55Z" level=debug msg="Creating middleware" middlewareName=metrics-entrypoint middlewareType=Metrics entryPointName=web
time="2024-05-10T16:00:55Z" level=debug msg="Creating middleware" middlewareType=Metrics entryPointName=websecure middlewareName=metrics-entrypoint
time="2024-05-10T16:00:55Z" level=debug msg="Creating middleware" middlewareName=metrics-entrypoint middlewareType=Metrics entryPointName=metrics
time="2024-05-10T16:00:55Z" level=debug msg="Creating middleware" middlewareType=Metrics middlewareName=metrics-entrypoint entryPointName=traefik
time="2024-05-10T16:00:56Z" level=debug msg="Skipping ingress status update" namespace=dev ingress=whoami
time="2024-05-10T16:00:56Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints" providerName=kubernetes
time="2024-05-10T16:00:56Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints" providerName=kubernetescrd
time="2024-05-10T16:00:56Z" level=debug msg="Skipping ingress status update" ingress=whoami namespace=dev
time="2024-05-10T16:00:56Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints" providerName=kubernetes
time="2024-05-10T16:00:56Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints" providerName=kubernetescrd
time="2024-05-10T16:10:54Z" level=info msg="Anonymous stats sent to https://collect.traefik.io/9vxmmkcdmalbdi635d4jgc5p5rx0h7h8: {\"global\":{\"checkNewVersion\":true,\"sendAnonymousUsage\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"metrics\":{\"address\":\"xxxx\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"http2\":{\"maxConcurrentStreams\":250}},\"traefik\":{\"address\":\"xxxx\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"http2\":{\"maxConcurrentStreams\":250}},\"web\":{\"address\":\"xxxx\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{\"insecure\":true},\"http\":{},\"http2\":{\"maxConcurrentStreams\":250}},\"websecure\":{\"address\":\"xxxx\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{\"insecure\":true},\"http\":{\"tls\":{}},\"http2\":{\"maxConcurrentStreams\":250}}},\"providers\":{\"providersThrottleDuration\":\"2s\",\"kubernetesIngress\":{\"ingressEndpoint\":{\"publishedService\":\"xxxx\"}},\"kubernetesCRD\":{}},\"api\":{\"dashboard\":true},\"metrics\":{\"prometheus\":{\"buckets\":[0.1,0.3,1.2,5],\"addEntryPointsLabels\":true,\"addServicesLabels\":true,\"entryPoint\":\"metrics\"}},\"ping\":{\"entryPoint\":\"traefik\",\"terminatingStatusCode\":503},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"}}"
time="2024-05-10T16:10:54Z" level=warning msg="A new release has been found: 3.0.0. Please consider updating."
At first glance, there may be an issue with your trust IPs, but we think that is not an issue but a question.
To keep the repository focused, we ask that all questions be asked in the community forum. It is pretty active, so you might find that your question has already been answered there.
If not, you can ask and get help from other community members pretty quickly.
The trustedIP thing is just an example of various attempts at the solution which did not work. I am using the .insecure option, in which case it should not matter what IP ranges I have in my setup.
I consider this a bug/defect because Traefik is not working as it is supposed to - according to the documentation. So either the documentation is not complete, or maybe Traefik does not work as it should. Anyhow, I will try to ask this in the forums, and see where it goes.
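The exchange above turns on whether forwardedHeaders.insecure or trustedIPs can change what ends up in X-Forwarded-For. The following is an added example, not Traefik's code and not part of the issue: a simplified Go model of reverse-proxy header handling, assuming the proxy keeps an inbound X-Forwarded-For only from a trusted peer and always appends the TCP peer address. The Policy type, the ForwardedFor function, and the 192.168.0.0/24 and 203.0.113.7 values are constructed for illustration.

```go
// Added illustration, not Traefik source: a simplified model of how a reverse
// proxy derives X-Forwarded-For from the TCP peer and its trust settings.
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Policy mirrors the two entry point options discussed in the thread.
type Policy struct {
	Insecure   bool           // forwardedHeaders.insecure: keep X-Forwarded-* from any peer
	TrustedIPs []netip.Prefix // forwardedHeaders.trustedIPs: keep it only from these peers
}

// trusts reports whether an inbound X-Forwarded-For from this peer is kept.
func (p Policy) trusts(peer netip.Addr) bool {
	if p.Insecure {
		return true
	}
	for _, n := range p.TrustedIPs {
		if n.Contains(peer) {
			return true
		}
	}
	return false
}

// ForwardedFor returns the header value sent to the backend. The proxy only
// knows the TCP peer address; every earlier hop is whatever the peer claimed.
func ForwardedFor(p Policy, peer netip.Addr, inbound string) string {
	hops := []string{}
	if inbound != "" && p.trusts(peer) {
		hops = append(hops, strings.TrimSpace(inbound))
	}
	hops = append(hops, peer.String())
	return strings.Join(hops, ", ")
}

func main() {
	gw := netip.MustParseAddr("10.200.0.1")      // pod-network gateway seen in the issue
	home := netip.MustParseAddr("46.46.192.119") // reporter's client address
	insecure := Policy{Insecure: true}
	// Constructed trusted range; the issue does not list the ranges that were tried.
	strict := Policy{TrustedIPs: []netip.Prefix{netip.MustParsePrefix("192.168.0.0/24")}}

	// Peer already rewritten to the gateway: no trust setting recovers the client.
	fmt.Println("gateway peer, insecure:  ", ForwardedFor(insecure, gw, ""))
	fmt.Println("gateway peer, trustedIPs:", ForwardedFor(strict, gw, ""))
	// Peer is the real client (as in the plain Docker setup).
	fmt.Println("direct peer:             ", ForwardedFor(insecure, home, ""))
	// A client-supplied header survives under insecure and is dropped under trustedIPs.
	fmt.Println("forged, insecure:        ", ForwardedFor(insecure, home, "203.0.113.7"))
	fmt.Println("forged, trustedIPs:      ", ForwardedFor(strict, home, "203.0.113.7"))
}
```

In this model a gateway address as the TCP peer yields 10.200.0.1 under either policy, so the client address has to be preserved before the connection reaches the proxy. The insecure setting additionally passes through whatever value a client sends, which matters to any backend that reads the leftmost entry.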
Welcome!
What did you do?
Ran Traefik v2 on K3s on a server on the internet.
What did you see instead?
What version of Traefik are you using?
Traefik v2.10 and v2.11
What is your environment & configuration?
Hello,
My IP setup is quite straightforward, shown below:
On the DSL router, I have ports 22, 80 and 443 forwarded (DNAT) to my server 192.168.0.241
The traefik pod has the following setup:
I added the CLI arguments myself using following file:
The problem:
When I do curl whoami.dgh.witlineinfra.tech from my computer at home, I get the following:
I recently removed k3s from this server, and installed plain docker (and docker-compose) with Traefik 2.11, and it worked. Notice that I used bare minimum CLI arguments to start traefik. OS is still Fedora. (OS was not re-installed).
(same server)
Here is the evidence that I see the correct IP (of my home computer) in the X-Forwarded-For header, when I access this from my home computer:
It works on Traefik 1.7 too. Not writing details here, because it is the same, and it works.
Why doesn't it work with Traefik v2 on k3s?
Files used by the whoami deployment in k3s: