Not seeing the real IP in X-Forwarded-For with the basic setup of Traefik in Docker?

Question

Fell in love with Traefik's presentation on youtube, so I've been trying to set it up. My docker server is on 192.168.0.23.

Even when querying from another host from my LAN (192.168.0.144), I am always getting the internal IP in the X-Forwarded-For...

curl -H Host:whoami.docker.localhost http://192.168.0.23:8880

shows

Hostname: 20f76fbc038e
IP: 127.0.0.1
IP: 172.22.0.2
GET / HTTP/1.1
Host: whoami.docker.localhost
User-Agent: curl/7.51.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 172.22.0.1
X-Forwarded-Host: whoami.docker.localhost
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: c40ba22259b6
X-Real-Ip: 172.22.0.1

The same thing happens when calling from another network through the public IP, still seeing X-Forwarded-For: 172.22.0.1

My docker-compose is one of the basic examples...

version: '3'

services:
  reverse-proxy:
    image: traefik
    command: --api --docker
    ports:
      - "8880:80"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
  whoami:
    image: containous/whoami
    labels:
      - "traefik.frontend.rule=Host:whoami.docker.localhost"
      - "traefik.frontend.passHostHeader=true"

Am I missing something? I'd expect to at least get the IP of the host initiating the request in the list of X-Forwarded-For, as I've been seeing all over examples in the web...

The weird thing is that the IP that shows in the forwarded field is the IP of the server in the docker network, which would make sense when the curl is executed from the server itself, not from another host in the same network or through the internet...

Answer 1

We had the same issue in kubernetes. We however solved the problem by adding the following global arguments.

globalArguments:
  - "--api.insecure=true"
  - "--entryPoints.web.forwardedHeaders.insecure"
  - "--entryPoints.websecure.forwardedHeaders.insecure"