防止traefik转发客户端IP
Prevent traefik from forwarding client IP
我使用 traefik 作为我的 Docker 主机的反向反向代理。另外,我想设置一个到外部服务器的静态代理。这是我当前的配置:
defaultEntryPoints = ["http", "https"]
debug = false
logLevel = "ERROR"
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
compress = true
[entryPoints.https.tls]
[api]
[docker]
domain = "myhost.com"
watch = true
exposedByDefault = false
[file]
[backends]
[backends.otherhost]
[backends.otherhost.servers]
[backends.otherhost.servers.server0]
url = "http://otherhost.com"
[frontends]
[frontends.otherhost]
entryPoints = ["http", "https"]
backend = "otherhost"
[frontends.otherhost.routes]
[frontends.otherhost.routes.route0]
rule = "Host:subdomain.myhost.com"
[frontends.otherhost.headers.customRequestHeaders]
X-Forwarded-For = "foo"
X-Real-Ip = "foo"
将 headers 设置为空字符串没有任何作用。通过这些设置,X-Real-Ip 变为 foo,但 X-Forwarded-For 变为 foo, <my real IP>。我可以防止 traefik 将客户端 IP 泄漏到外部后端,同时仍然在我的 Docker 环境中吗?
Traefik 2.x
使用中间件覆盖 X-Forwarded-For header 怎么样?找到文档 here。
[http.middlewares]
[http.middlewares.testHeader.headers]
[http.middlewares.testHeader.headers.customRequestHeaders]
X-Forwarded-For = "foo"
[http.middlewares.testHeader.headers.customResponseHeaders]
X-Forwarded-For = "foo"
然后您可以将特定的中间件应用到您的路由器,如下所示:
[http.routers]
[http.routers.router1]
service = "myService"
middlewares = ["testHeader"]
rule = "Host(`example.com`)"
[http.middlewares]
[http.middlewares.testHeader.headers]
[http.middlewares.testHeader.headers.customRequestHeaders]
X-Forwarded-For = "foo"
[http.middlewares.testHeader.headers.customResponseHeaders]
X-Forwarded-For = "foo"
[http.services]
[http.services.service1]
[http.services.service1.loadBalancer]
[[http.services.service1.loadBalancer.servers]]
url = "http://127.0.0.1:80"
参考文献:
- 中间件概述 - https://docs.traefik.io/v2.0/middlewares/overview/
- Middwlare headers - https://docs.traefik.io/v2.0/middlewares/headers/
我使用 traefik 作为我的 Docker 主机的反向反向代理。另外,我想设置一个到外部服务器的静态代理。这是我当前的配置:
defaultEntryPoints = ["http", "https"]
debug = false
logLevel = "ERROR"
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
compress = true
[entryPoints.https.tls]
[api]
[docker]
domain = "myhost.com"
watch = true
exposedByDefault = false
[file]
[backends]
[backends.otherhost]
[backends.otherhost.servers]
[backends.otherhost.servers.server0]
url = "http://otherhost.com"
[frontends]
[frontends.otherhost]
entryPoints = ["http", "https"]
backend = "otherhost"
[frontends.otherhost.routes]
[frontends.otherhost.routes.route0]
rule = "Host:subdomain.myhost.com"
[frontends.otherhost.headers.customRequestHeaders]
X-Forwarded-For = "foo"
X-Real-Ip = "foo"
将 headers 设置为空字符串没有任何作用。通过这些设置,X-Real-Ip 变为 foo,但 X-Forwarded-For 变为 foo, <my real IP>。我可以防止 traefik 将客户端 IP 泄漏到外部后端,同时仍然在我的 Docker 环境中吗?
Traefik 2.x
使用中间件覆盖 X-Forwarded-For header 怎么样?找到文档 here。
[http.middlewares]
[http.middlewares.testHeader.headers]
[http.middlewares.testHeader.headers.customRequestHeaders]
X-Forwarded-For = "foo"
[http.middlewares.testHeader.headers.customResponseHeaders]
X-Forwarded-For = "foo"
然后您可以将特定的中间件应用到您的路由器,如下所示:
[http.routers]
[http.routers.router1]
service = "myService"
middlewares = ["testHeader"]
rule = "Host(`example.com`)"
[http.middlewares]
[http.middlewares.testHeader.headers]
[http.middlewares.testHeader.headers.customRequestHeaders]
X-Forwarded-For = "foo"
[http.middlewares.testHeader.headers.customResponseHeaders]
X-Forwarded-For = "foo"
[http.services]
[http.services.service1]
[http.services.service1.loadBalancer]
[[http.services.service1.loadBalancer.servers]]
url = "http://127.0.0.1:80"
参考文献:
- 中间件概述 - https://docs.traefik.io/v2.0/middlewares/overview/
- Middwlare headers - https://docs.traefik.io/v2.0/middlewares/headers/