Plugin Catalog
Install a Plugin
Create a Plugin
Plugins
/Traefik Get Real IP

Traefik Get Real IP

67
v1.0.3

Traefik Get Real IP address

When traefik is deployed behind multiple load balancers, this plugin can be used to detect different load balancers and extract the real IP from different header fields, then output the value to the x-real-ip header.

This plugin can prevent IP spoofing by checking if the values form the received header information of the load balancer match before extracting the IP address.

For example, in the configuration of CloudFlare load balancer shown below, we configure it to only accept the header x-from-cdn with a value equal to cf-foo, and extract the IP address from the Cf-Connecting-Ip header. Since users never know about the existence of the x-from-cdn header or its required value cf-foo, it remains secure πŸ›‘οΈ. To increase complexity and avoid being guessed, you can use a random string :)

 CloudFlare
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚         β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β–Ί  β”Œβ”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ x-from-cdn:cf-foo                 β”‚       β”‚        β”‚
            Cf-Connecting-Ip: realip          β”‚       β”‚        β”‚
 CDN2                                         β”‚       β”‚        β”‚
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”                                   β”‚       β”‚ paxxs'sβ”‚
β”‚         β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β–Ί  β”‚traefikβ”‚        β”‚ x-real-ip:realip
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ x-from-cdn:mf-bar                 β”‚       β”‚Get-rea β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β–Ί
            Client-iP: realip                 β”‚       β”‚ l-ip   β”‚
 CDN3                                         β”‚       β”‚Plugin  β”‚
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”                                   β”‚       β”‚        β”‚
β”‚         β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β–Ί   β”‚       β”‚        β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ x-from-cdn:mf-fun                 β””β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”˜
            x-forwarded-for: realip,x.x.x.x
                           (truthedIP)          β–²  β–²
                                                β”‚  β”‚
 β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”                                     β”‚  β”‚
 β””β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚
   "*"                                             β”‚
 β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”                RemoteAddr/etc..        β”‚
 β””β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

CDN Configuration

E.g. Cloudflare:

Rules > Transform Rules > HTTP Request Header Modification > Add

  • Set static Header: X-From-Cdn
    • Value: cf-foo

image

image

Traefik Configuration

Static

Plugin Info:

  • moduleName: github.com/Paxxs/traefik-get-real-ip
  • version: v1.0.2

Traefik Configuration:

  • yml
  • toml
  • docker-labels
pilot:
  token: [REDACTED]


experimental:
  plugins:
    real-ip:
      moduleName: github.com/Paxxs/traefik-get-real-ip
      version: [Please fill the latest version !]

Dynamic

  • yml
  • toml
  • docker labels
  • Kubernetes
http:
  middlewares:
    real-ip-foo:
      plugin:
        real-ip:
          Proxy:
            - proxyHeadername: X-From-Cdn
              proxyHeadervalue: mf-fun
              realIP: X-Forwarded-For
            - proxyHeadername: X-From-Cdn
              proxyHeadervalue: mf-bar
              realIP: Client-Ip
              OverwriteXFF: true # default: false, v1.0.2 or above
            - proxyHeadername: X-From-Cdn
              proxyHeadervalue: cf-foo
              realIP: Cf-Connecting-Ip
              OverwriteXFF: true # default: false, v1.0.2 or above
            - proxyHeadername: "*"
              realIP: RemoteAddr


  routers:
    my-router:
      rule: Host(`localhost`)
      middlewares:
        - real-ip-foo
      service: my-service


  services:
    my-service:
      loadBalancer:
        servers:
          - url: 'http://127.0.0.1'