Hi there,
maybe someone here can help a noob figure out how to get the client's IP in X-Forwarded-For from an external http(s) request using traefik as the reverse proxy.
I found some interesting information on the following site, A Deep Dive into Kubernetes External Traffic Policies — Andrew Sy Kim, which enlightened me to use
externalTrafficPolicy: Local
which I did, but this does not seem to help in my case. I found a lot of information on the net, but I lack the knowledge to interpret it.
What do I have:
- k3s version v1.19.5+k3s2, with no special parameters
I have set up a test deployment with a Python HTTP server showing me the headers:
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: test
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      labels:
        app: test
    spec:
      containers:
      - name: test
        image: fedora:latest
        command: [ "/bin/bash", "-c", "--" ]
        # Installs debugging tools, writes a small Python HTTP server that logs request headers, and runs it on port 80.
        args: [ "dnf -y install iproute bind-utils iputils nmap procps;mkdir test;cd test;echo -e '' > index.html;echo -e '#!/usr/bin/env python3\nimport http.server as SimpleHTTPServer\nimport socketserver as SocketServer\nimport logging\nPORT = 80\nclass GetHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):\n    def do_GET(self):\n        logging.error(self.headers)\n        SimpleHTTPServer.SimpleHTTPRequestHandler.do_GET(self)\nHandler = GetHandler\nhttpd = SocketServer.TCPServer((\"\", PORT), Handler)\nhttpd.serve_forever()\n' > test.py; chmod 755 test.py;python3 test.py; while true; do sleep 30; done;" ]
---
apiVersion: v1
kind: Service
metadata:
  name: test
  namespace: test
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/preserve-host: "true"
spec:
  type: NodePort
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: test
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test
  namespace: test
spec:
  rules:
  - host: hop.math.ethz.ch
    http:
      paths:
      - path: /
        backend:
          serviceName: test
          servicePort: 80
```
But every request comes in with the following headers:
```
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cache-Control: max-age=0
Cookie: ORA_FPC=id=d389ee4b-32b9-44c3-ab59-ebf3236703e9
If-Modified-Since: Thu, 14 Jan 2021 09:49:43 GMT
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 10.42.1.1
X-Forwarded-Host: hop.math.ethz.ch
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: traefik-5dd496474-pcft9
X-Real-Ip: 10.42.1.1
```
Thank you for reading this!
Yours,
bbk
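
An added example, not part of the original post: a small check that reads a header dump like the one above and reports whether the address the proxy recorded is a real client address or a cluster-internal one, which indicates source NAT happened before the request reached traefik. It assumes the k3s default pod and service ranges (10.42.0.0/16 and 10.43.0.0/16); the function names and the second sample are constructed for illustration.

```python
import ipaddress

# Assumption: k3s default ranges, since the post runs k3s "with no special parameters".
CLUSTER_NETS = {
    "pod-cidr": ipaddress.ip_network("10.42.0.0/16"),
    "service-cidr": ipaddress.ip_network("10.43.0.0/16"),
}

# Forwarding headers as shown in the post.
POST_HEADERS = """\
X-Forwarded-For: 10.42.1.1
X-Real-Ip: 10.42.1.1
"""

# Constructed sample: what a preserved client address would look like
# (203.0.113.7 is a documentation address, not from the post).
PRESERVED_HEADERS = "X-Forwarded-For: 203.0.113.7\nX-Real-Ip: 203.0.113.7\n"

def parse_headers(dump):
    """Turn 'Name: value' lines into a dict keyed by lower-cased header name."""
    headers = {}
    for line in dump.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers[name.strip().lower()] = value.strip()
    return headers

def classify(addr):
    """Label an address as cluster-internal, outside the cluster, or invalid."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return "invalid"
    for label, net in CLUSTER_NETS.items():
        if ip in net:
            return label
    return "outside-cluster"

def diagnose(dump):
    """Report whether the proxy saw a real client address or a NATed cluster one."""
    headers = parse_headers(dump)
    hops = [classify(a) for a in headers.get("x-forwarded-for", "").split(",") if a.strip()]
    # The last entry is the peer address appended by the nearest proxy;
    # earlier entries can be supplied by the client and are not trustworthy.
    preserved = bool(hops) and hops[-1] == "outside-cluster"
    return {"xff": hops, "client_ip_preserved": preserved}
```

Any backend that uses X-Forwarded-For for logging, rate limiting or access control should read only the entry appended by its own trusted proxy, which is why the check looks at the last hop rather than the first.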