I am using Traefik (v1.7.12, as an Ingress Controller in a kubernetes instance) as a gatekeeper to access another site (through a kubernetes service of type ExternalName) that I don’t control (a private status page on site24x7.eu for the record, that has a very limited configuration regarding IP whitelisting).
I was expecting that the only IP that the target site would see would be the egress Nat IP of my cluster (in the context of a private GKE cluster with a Cloud Nat configuration so that all nodes are private only).
But it looks like the target site is using the X-Forwarded-For header to check the client IP, and for the moment, the values in the X-Forwarded-For header are [“real_client_ip, cluster_nat_ip”] (the real_client_ip is added by the GoogleLB in front of Traefik, the cluster_nat_ip is added by Traefik that sees the GoogleLB with the Google Nat IP)
As the real_client_ip is not whitelisted on the target site, the request is blocked (by the target site).
- I already tried to use
ingress.kubernetes.io/proxy-headersbut the result that I have is that the X-Forwarded-For value is added to existing one
- I checked with the support of the site24x7 target site, and they confirmed they are using values in the X-Forwarded-For headers (/off : does-it only seem weak to me?)
Is there a way to hack (REPLACE and not ADD for instance) the content of the X-Forwarded-For?