Traefik ECS provider is not forwarding client IP with AWS ALB
For the past 2 days I have been trying to solve this problem, but I can't figure out how. I want to capture the client IP on the application using the traefik proxy.
Setup:
R53 --> ALB --> (Traefik proxy --> application) ECS
I run my application on ECS and use the ECS provider.
What I have tried:
Adding the following flags to traefik, as per the documentation:
--entrypoints.http.forwardedheaders.trustedips=0.0.0.0/0
--entrypoints.https.forwardedheaders.trustedips=0.0.0.0/0
--entrypoints.http.forwardedheaders.insecure=true
--entrypoints.https.forwardedheaders.insecure=true
Tried all of them together and also individually, but every time I add these configs, traefik stops working without any useful logs.
What I observed:
If I hit the traefik IP directly, skipping the load balancer, I can see my IP (the client IP) without adding any of these configs. Does this mean I need to make a change in the AWS ALB?
Via the LB:
Upgrade-Insecure-Requests: 1
X-Amzn-Trace-Id: Root=1-620e68b5-121181407c9ceadf6c8f0a25
X-Forwarded-For: 172.31.22.81
X-Forwarded-Host: infra.**********.nl
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: ip-172-31-8-140.eu-central-1.compute.internal
X-Real-Ip: 172.31.22.81
Direct IP hit:
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 80.***.***.61
X-Forwarded-Host: 3.71.93.123
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: ip-172-31-8-140.eu-central-1.compute.internal
X-Real-Ip: 80.***.***.61
After reading a lot of documentation and testing, I finally found a way to achieve this.
This works with the ECS provider:
Task definition:
Traefik:
"traefik",
"--providers.ecs.clusters=application",
"--log.level=DEBUG",
"--providers.ecs.region=us-west-2",
"--api.insecure",
"--entryPoints.web.address=:80",
"--entryPoints.web.proxyProtocol.trustedIPs=127.0.0.1/32,<VPC-CIDR>",
"--entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,<VPC-CIDR>",
application:
"traefik.http.routers.app.rule": "pathprefix(`/`)",
"traefik.enable": "true",
"traefik.http.services.service-app-app.loadbalancer.healthcheck.timeout": "10",
"traefik.http.services.service-app-app.loadbalancer.sticky.cookie": "true",
"traefik.http.services.service-app-app.loadbalancer.healthcheck.port": "8080",
"traefik.http.services.service-app-app.loadbalancer.healthcheck.interval": "30",
"traefik.http.services.service-app-app.loadbalancer.healthcheck.path": "/ping",
"traefik.http.services.service-app-app.loadbalancer.sticky.cookie.name": "app-cookie"
Using a whoami container:
Hostname: ip-172-31-29-79.us-east-2.compute.internal
IP: 127.0.0.1
GET / HTTP/1.1
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Upgrade-Insecure-Requests: 1
X-Amzn-Trace-Id: Root=1-623af218-525fa18d4d17e1ef431bb2b9
X-Forwarded-For: 8*******5, 172.31.12.125
X-Forwarded-Host: ecs-*****.us-east-2.elb.amazonaws.com
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: ip-172-31-15-101.us-east-2.compute.internal
X-Real-Ip: <loadbalancer-IP>
This PR gives a good overview of how forwarded headers work:
https://github.com/traefik/traefik/pull/7875/files
How it works:
X-Forwarded-For: <client_ip>, <alb_ip>
X-Real-Ip: <alb_ip>
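As an added example (not part of the original question or answer), the trust decision behind the forwardedHeaders.trustedIPs setting used in the answer, modelled in Python over the X-Forwarded-For chain shown above: with only 127.0.0.1/32 and the VPC CIDR trusted, a header arriving from a peer outside the VPC is ignored, whereas 0.0.0.0/0 makes any value a caller puts in the header believed. 172.31.0.0/16 stands in for <VPC-CIDR> and all addresses are constructed; the real Traefik code differs in detail.

```python
import ipaddress
from typing import Iterable, Optional, Union

# The answer trusts 127.0.0.1/32 plus the VPC CIDR, so only headers written by
# ALB nodes (which live inside the VPC) are believed. 172.31.0.0/16 stands in
# for <VPC-CIDR>; it is an assumption for this example, not taken from the page.
VPC_TRUSTED = ("127.0.0.1/32", "172.31.0.0/16")
TRUST_EVERYONE = ("0.0.0.0/0",)  # the setting the question tried first

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _parse(ip: str) -> Optional[IPAddr]:
    try:
        return ipaddress.ip_address(ip.strip())
    except ValueError:
        return None


def _trusted(ip: str, trusted: Iterable[str]) -> bool:
    addr = _parse(ip)
    return addr is not None and any(addr in ipaddress.ip_network(c) for c in trusted)


def client_ip(peer_ip: str, xff: Optional[str], trusted: Iterable[str]) -> str:
    """Address the application should treat as the client.

    peer_ip: the TCP peer that connected to the proxy (an ALB node, or the
             client itself when the load balancer is bypassed).
    xff:     the X-Forwarded-For header as received, or None.
    trusted: CIDRs whose forwarded headers are believed (trustedIPs).
    """
    if not xff or not _trusted(peer_ip, trusted):
        # Untrusted peer: whatever it put in the header is ignored and the
        # socket address is used, which is what the "direct IP hit" showed.
        return peer_ip
    # Walk the chain right to left; the first hop not in trustedIPs is the
    # client. Anything further left was written by a party we cannot verify.
    hops = [h.strip() for h in xff.split(",")] + [peer_ip]
    for hop in reversed(hops):
        if _parse(hop) is None:
            return peer_ip  # malformed chain: fall back to the socket address
        if not _trusted(hop, trusted):
            return hop
    return hops[0]  # every hop trusted: take the leftmost value
```

With TRUST_EVERYONE the last case returns the forged 10.0.0.1, which is why the answer narrows trustedIPs to the VPC CIDR instead of 0.0.0.0/0 or insecure=true.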