问题
My setup is as follows:
Load Balancer → nginx → Traefik
The load balancer in place does not support Proxy Protocol. Instead it adds the real IP of the client to the TCP options field (yikes, I know! Details). That's something Traefik does not support.
To get the real IP to Traefik, I added an nginx inbetween that does nothing more than accepting connections on ports 80 and 443 and adding Proxy Protocol when using SSL. Traefik is configured for Proxy Protocol. Things work as expected.
However I'd like to set the X-Real-IP header to the correct IP when Proxy Protocol is used. When I try setting the header manually through curl, that one is used, so clients can overwrite it.
How can I tell Traefik to always set X-Real-IP to the IP as adviced by Proxy Protocol?
回答1:
I solved my problem and can see clearer now. It depdends on which node in your configuration (Load Balancer → nginx → Traefik) terminates the clients request. In my setup (Load Balancer → Traefik) the Load Balancer uses NATing to send the request to the Traefik. Traefik then takes the client´s request and sends a new request to the corresponding backend. So I had to configure Traefik to never trust the X-Real-Ip header but always set the request´s source ip in the X-Real-Ip header. Configuration is something like this:
[entryPoints.http.proxyProtocol]
insecure = true
trustedIPs = ["10.10.10.1", "10.10.10.2"]
[entryPoints.http.forwardedHeaders]
trustedIPs = ["10.10.10.1", "10.10.10.2"]
The mostly found configuration (I think) would be that the Load Balancer takes the client´s request and then sends a new request to nginx (reverse proxy load balancer). In this case the Load Balancer must set the X-Real-Ip Header, nginx must propagate the header to Traefik and Traefik must be configured to trust nginx as source for the X-Real-Ip header.
回答2:
I just looked into the source code because of a similar problem. Traefik sets the header X-Real-Ip with the source IP address of the request being forwarded. If the header X-Real-Ip already exists, it will be passed through unchanged. I hope that answers the question.
if req.Header.Get (XRealIp) == "" {
req.Header.Set (XRealIp, clientIP)
}
来源:https://stackoverflow.com/questions/53757089/can-x-real-ip-be-set-when-using-proxy-protocol