Traefik ECS 提供商未使用 AWS ALB 转发客户端 IP

Traefik ECS provider is not forwarding client IP with AWS ALB

过去 2 天我一直在尝试解决此问题,但我不知道如何解决。我想使用 traefik 代理在应用程序上捕获客户端 IP。

设置:

R53 --> ALB -->(Traefik 代理 --> 应用程序)ECS

我 运行 我在 ECS 上的应用程序并利用 ECS 提供商。

我尝试过的:

根据文档将以下标签添加到 traefik:

--entrypoints.http.forwardedheaders.trustedips=0.0.0.0/0
--entrypoints.https.forwardedheaders.trustedips=0.0.0.0/0
--entrypoints.http.forwardedheaders.insecure=true
--entrypoints.https.forwardedheaders.insecure=true

一起尝试过所有这些,也单独尝试过,但每次我添加这些配置时,traefik 都停止工作,没有任何有用的日志。

我观察到的:

如果我通过跳过 Loadbalancer 直接访问 trafik IP,则无需添加任何这些配置,我就可以看到我的 IP(客户端 IP)。这是否意味着我需要在 AWS-ALB 中进行更改?

通过LB:

Upgrade-Insecure-Requests: 1
X-Amzn-Trace-Id: Root=1-620e68b5-121181407c9ceadf6c8f0a25
X-Forwarded-For: 172.31.22.81
X-Forwarded-Host: infra.**********.nl
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: ip-172-31-8-140.eu-central-1.compute.internal
X-Real-Ip: 172.31.22.81

直接IP命中:

Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 80.***.***.61
X-Forwarded-Host: 3.71.93.123
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: ip-172-31-8-140.eu-central-1.compute.internal
X-Real-Ip: 80.***.***.61

在阅读了大量的文档和测试后,我终于找到了实现这一目标的方法。

这适用于 ECS 提供商:

任务定义:

Traefik

        "traefik",
        "--providers.ecs.clusters=application",
        "--log.level=DEBUG",
        "--providers.ecs.region=us-west-2",
        "--api.insecure",
        "--entryPoints.web.address=:80",
        "--entryPoints.web.proxyProtocol.trustedIPs=127.0.0.1/32,<VPC-CIDR>",
        "--entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,<VPC-CIDR>",

application:

        "traefik.http.routers.app.rule": "pathprefix(`/`)",
        "traefik.enable": "true",
        "traefik.http.services.service-app-app.loadbalancer.healthcheck.timeout": "10",
        "traefik.http.services.service-app-app.loadbalancer.sticky.cookie": "true",
        "traefik.http.services.service-app-app.loadbalancer.healthcheck.port": "8080",
        "traefik.http.services.service-app-app.loadbalancer.healthcheck.interval": "30",
        "traefik.http.services.service-app-app.loadbalancer.healthcheck.path": "/ping",
        "traefik.http.services.service-app-app.loadbalancer.sticky.cookie.name": "app-cookie"

使用 Who-ami 容器:

Hostname: ip-172-31-29-79.us-east-2.compute.internal
IP: 127.0.0.1
GET / HTTP/1.1
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Upgrade-Insecure-Requests: 1
X-Amzn-Trace-Id: Root=1-623af218-525fa18d4d17e1ef431bb2b9
X-Forwarded-For: 8*******5, 172.31.12.125
X-Forwarded-Host: ecs-*****.us-east-2.elb.amazonaws.com
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: ip-172-31-15-101.us-east-2.compute.internal
X-Real-Ip: <loadbalancer-IP>

此 PR 很好地概述了前向 header 的工作原理 https://github.com/traefik/traefik/pull/7875/files

工作原理:

X-Forwarded-For: <client_ip>, <alb_ip>
X-Real-Ip: <alb_ip>