DEV Community

Sergio Peris

Originally published at sertxu.dev

Trust proxy with Traefik in K8s

By default, Traefik does not trust the standard forwarding headers that Load Balancers usually populate with the client and proxy IPs.

If your apps don’t need to know the user’s real IP, you don’t need to change any configuration.
However, if you want to use the X-Forwarded-For header, some changes are required.

In your Traefik YAML configuration, add the following argument with the IP CIDRs of all your Load Balancers. For example, if your Load Balancer is at 10.0.0.3:

--entryPoints.web.forwardedHeaders.trustedIPs=10.0.0.3/32

If you use MicroK8s, the arguments are in the Traefik daemonset resource.

If you don’t know the Load Balancer IPs, you can use 0.0.0.0/0 to trust all IPs, but this is not recommended, as any user can fake this header to bypass security features, such as IP-based rate limiters.

Trusting all IPs at Traefik requires validating the X-Forwarded-For header inside the application.
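
One way an application can validate X-Forwarded-For itself, shown as an added example that is not part of the original post. The function names and the 10.1.0.0/16 pod range are assumptions made for illustration; 10.0.0.3 is the Load Balancer address used above.

```python
import ipaddress

# Assumed for illustration: the Load Balancer from the article (10.0.0.3)
# plus a constructed pod network range where Traefik itself would run.
TRUSTED_PROXIES = ["10.0.0.3/32", "10.1.0.0/16"]


def _is_trusted(addr, networks):
    # An address of one IP version is never "in" a network of the other.
    return any(addr in net for net in networks)


def client_ip(peer_addr, xff_header, trusted_cidrs=TRUSTED_PROXIES):
    """Return the address closest to the app that is not a trusted proxy.

    peer_addr  -- source IP of the TCP connection the app accepted
    xff_header -- raw X-Forwarded-For value, or None when absent
    """
    networks = [ipaddress.ip_network(c) for c in trusted_cidrs]
    current = ipaddress.ip_address(peer_addr)

    # Connection from an untrusted peer: the header is fully controlled
    # by that peer, so ignore it.
    if not _is_trusted(current, networks):
        return str(current)

    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Each proxy appends the address it saw, so walk from right to left
    # and stop at the first hop that is not one of our own proxies.
    for hop in reversed(hops):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: everything to its left is unverifiable.
            break
        current = candidate
        if not _is_trusted(current, networks):
            break
    return str(current)
```

With the narrow trust list, a client-supplied entry such as `127.0.0.1` is never reached because the walk stops at the address the Load Balancer appended. Passing `["0.0.0.0/0"]` as the trust list makes the function return the client-supplied value, which is the failure mode described above.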
