How to properly use X-Forwarded-For in v2?

I'm having issues getting an X-Forwarded-For IP address from Traefik. I have a Nextcloud instance set up, but it's reporting that my reverse proxy header is not configured right. I can see in v1 where "useXForwardedFor" was an option for the entrypoints, but I cannot figure out how that translates to v2's model. Below are the relevant sections of my configuration files.

In this example, 10.0.0.14 is a web server that responds to foo.bar and www.foo.bar, and data.foo.bar is my Nextcloud instance on 10.0.0.3. I added the stsSeconds header and that cleared one alert I was having in Nextcloud, so I think I'm on the right track. My Traefik server is NOT behind another reverse proxy of any sort; it's facing the public internet.

traefik.toml (Truncated):

[entryPoints]
  [entryPoints.web]
    address = ":80"

  [entryPoints.websecure]
    address = ":443"

[certificatesResolvers.foobar.acme]
        email = "foobar@foobar.com"
        storage = "/root/acme.json"
        [certificatesResolvers.foobar.acme.dnsChallenge]
                provider = "cloudflare"
                delayBeforeCheck = 0
[providers]
        [providers.file]
                filename="/config/dynamic_conf.toml"

dynamic_conf.toml:

[http]
        [http.routers]
                [http.routers.redirecttohttps]
                        entryPoints = ["web"]
                        middlewares = ["httpsredirect"]
                        rule = "HostRegexp(`{host:.+}`)"
                        service = "noop"
                [http.routers.web]
                        rule = "Host(`foo.bar`) || Host(`www.foo.bar`)"
                        service = "web"
                        [http.routers.web.tls]
                                certResolver = "foobar"
                [http.routers.data]
                        middlewares = ["headermods"]
                        rule = "Host(`data.foo.bar`)"
                        service = "data"
                        [http.routers.data.tls]
                                certResolver = "foobar"
        [http.middlewares]
                [http.middlewares.httpsredirect.redirectScheme]
                        scheme = "https"
                [http.middlewares.headermods.headers]
                        stsSeconds = 15552000
                        hostsProxyHeaders = ["X-Forwarded-For"]
        [http.services]
                [http.services.noop.loadBalancer]
                        [[http.services.noop.loadBalancer.servers]]
                                url = "http://1.1.1.1"
                [http.services.web.loadBalancer]
                        [[http.services.web.loadBalancer.servers]]
                                url = "http://10.0.0.14"
                [http.services.data.loadBalancer]
                        [[http.services.data.loadBalancer.servers]]
                                url = "http://10.0.0.5"

Hello,

In v1, useXForwardedFor is an option of the whitelisting system:

In v2, the whitelisting system is a middleware:

Note: in v1 the X-Forwarded-* headers are "trusted" by default, but in v2 they are not "trusted" by default, because it can be a security issue.

Ahh OK, I misunderstood what useXForwardedFor was used for then. My problem is I don't believe "x-forwarded-for" is being added to the headers from my Traefik install to my Nextcloud install.

Any other ideas that i might be able to try?

What kind of security issue could we have? Do you have any reference talking about this?

I have a PHP application managing security by IP by itself, but the security check is not working because the only IP it has is the Traefik one.

It looks like the only solution is to add trusted IPs directly to the entrypoint, but my Traefik instance is not serving only this project.

EDIT: Never mind. The headers containing the real IP ARE currently transmitted to my PHP app, but it does not care because 172.16.0.0/12 is not a trusted IP for my app.

See also: https://symfony.com/doc/current/deployment/proxies.html
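The two trust decisions this thread keeps circling (the "security issue" the earlier answer mentions when X-Forwarded-* is trusted by default, and the application-side trusted-proxy list the EDIT above ran into) are easier to see in code than in prose. The following is an added example, not code from Traefik, Symfony, Nextcloud or anyone in this thread; it models the logic in plain Python, and every address and network in it is constructed for the example.

```python
"""Added example, not code from Traefik, Symfony or this thread: a small
model of the two trust decisions the thread is about.

1. Proxy side (what Traefik v2's entrypoint forwardedHeaders.trustedIPs
   controls): the X-Forwarded-For header a client sends is kept only
   when the TCP peer is a trusted proxy; otherwise it is dropped. The
   peer address is appended either way, as a reverse proxy does.
2. Application side (what Nextcloud's trusted proxy list or Symfony's
   trusted proxies control): starting from the address the app's own
   socket sees, walk the chain from the right, skip trusted proxies and
   use the first untrusted address as the client.

All addresses and networks below are constructed for the example.
"""
import ipaddress


def parse_nets(cidrs):
    """Turn a list of CIDR strings into ip_network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_trusted(ip_str, nets):
    """True if ip_str falls inside any of the trusted networks."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in nets)


def split_hops(xff):
    """Split an X-Forwarded-For value into its comma-separated hops."""
    return [h.strip() for h in (xff or "").split(",") if h.strip()]


def proxy_forward(peer_ip, incoming_xff, trusted_ips):
    """X-Forwarded-For value the proxy sends upstream.

    An empty trusted_ips models the v2 default (nothing is trusted):
    whatever the client put in the header is discarded. A 0.0.0.0/0
    entry models the v1-style 'trust everyone' behaviour.
    """
    if incoming_xff and is_trusted(peer_ip, parse_nets(trusted_ips)):
        hops = split_hops(incoming_xff)
    else:
        hops = []
    hops.append(peer_ip)
    return ", ".join(hops)


def naive_first_hop(xff):
    """What an app that blindly takes the leftmost XFF entry believes."""
    hops = split_hops(xff)
    return hops[0] if hops else None


def app_client_ip(remote_addr, xff, trusted_proxies):
    """Client IP an application should use.

    remote_addr is the peer the app itself sees (normally the proxy).
    If that peer is not a trusted proxy the header is ignored, which is
    exactly the 172.16.0.0/12 situation described in the thread.
    """
    nets = parse_nets(trusted_proxies)
    if not is_trusted(remote_addr, nets):
        return remote_addr
    hops = split_hops(xff)
    for hop in reversed(hops):
        if not is_trusted(hop, nets):
            return hop
    # Every listed hop was a trusted proxy: fall back to the farthest one.
    return hops[0] if hops else remote_addr


if __name__ == "__main__":
    # An internet client at 203.0.113.7 tries to claim an internal address.
    spoofed = "10.0.0.1"
    print("v2 default :", proxy_forward("203.0.113.7", spoofed, []))
    trusting = proxy_forward("203.0.113.7", spoofed, ["0.0.0.0/0"])
    print("trust all  :", trusting)
    print("naive app  :", naive_first_hop(trusting))
    # Behind a load balancer in 10.0.0.0/16, with the app trusting both
    # the LB subnet and the Docker network Traefik connects from.
    upstream = proxy_forward("10.0.5.9", "203.0.113.7", ["10.0.0.0/16"])
    print("app sees   :", app_client_ip("172.18.0.2", upstream, ["172.16.0.0/12", "10.0.0.0/16"]))
    print("untrusted  :", app_client_ip("172.18.0.2", upstream, []))
```

The spoofing case is the one the earlier answer alludes to: with a "trust everyone" proxy and an application that takes the first X-Forwarded-For entry, the internet client ends up looking like 10.0.0.1 and walks past any IP-based check. The last line reproduces the EDIT above: as long as the application does not list the network Traefik connects from, it only ever sees Traefik's own address, however correct the forwarded header is.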

This may help you @Rombus.

I was struggling with this for a configuration that was behind an Amazon application load balancer. The solution is simple, but for some reason I never got the combination of config items correct until today. Here's what we're using, where 10.0.0.0/16 is our VPC subnet.

entryPoints:
  web:
    address: ":80"
    # Honour the PROXY protocol header only from peers in the VPC subnet
    proxyProtocol:
      trustedIPs:
        - "10.0.0.0/16"
    # Keep the X-Forwarded-* headers a request arrives with only when the
    # TCP peer is in the VPC subnet; from any other peer they are dropped
    forwardedHeaders:
      trustedIPs:
        - "10.0.0.0/16"
  websecure:
    address: ":443"
    proxyProtocol:
      trustedIPs:
        - "10.0.0.0/16"
    forwardedHeaders:
      trustedIPs:
        - "10.0.0.0/16"
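The same two entrypoint settings in the TOML form that the original post's traefik.toml uses, as an added example that is not from this thread or from the Traefik documentation. The 10.0.0.0/16 range is the previous poster's VPC subnet and is only an assumption here; it belongs in trustedIPs only if that is really the network the load balancer connects from. The commented-out `insecure` line is the v1-like "trust everyone" behaviour the earlier answer warns about, under which any client can choose its own X-Forwarded-For.

```toml
[entryPoints]
  [entryPoints.web]
    address = ":80"
    # Honour PROXY protocol only from the load balancer subnet (assumed 10.0.0.0/16)
    [entryPoints.web.proxyProtocol]
      trustedIPs = ["10.0.0.0/16"]
    # Keep incoming X-Forwarded-* headers only when the TCP peer is in this range;
    # from any other peer they are dropped and Traefik sets them itself
    [entryPoints.web.forwardedHeaders]
      trustedIPs = ["10.0.0.0/16"]
      # insecure = true   # trust every peer's headers (v1-like, spoofable)

  [entryPoints.websecure]
    address = ":443"
    [entryPoints.websecure.proxyProtocol]
      trustedIPs = ["10.0.0.0/16"]
    [entryPoints.websecure.forwardedHeaders]
      trustedIPs = ["10.0.0.0/16"]
```

For a Traefik that faces the internet directly, as in the original post, there is no upstream proxy whose headers deserve trust, so leaving forwardedHeaders unset is the right choice; the remaining work is on the application side, which has to list the address Traefik connects from as a trusted proxy, as the EDIT a few posts up found.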