I needed to do a setup where Nginx is in front, proxying content to Traefik running in Kubernetes via k3s, which passes requests to an ASP.NET Core application. I also wanted to see the real IP of the requester in the ASP.NET application. This proved to be a bit complicated.
First, there's a file /var/lib/rancher/k3s/server/manifests/traefik-config.yaml that you can modify to give parameters to the Traefik installation that comes with k3s. The documentation that I had suggested doing this:

    apiVersion: helm.cattle.io/v1
    kind: HelmChartConfig
    metadata:
      name: traefik
      namespace: kube-system
    spec:
      valuesContent: |-
        externalTrafficPolicy: Local
        proxyProtocol:
          enabled: true
          trustedIPs:
            - 10.0.0.0/8
        forwardedHeaders:
          enabled: true
          trustedIPs:
            - 10.0.0.0/8

Unfortunately this didn't really help me. Traefik still didn't give the proper chain of proxying to the ASP.NET application; all it saw was 10.42.0.1. So I dug and wondered and found that I should also add:

    globalArguments:
      - "--serversTransport.insecureSkipVerify=true"

This also didn't help. So then I figured it must be a problem with the trusted IPs etc. not getting through, so I tried giving them also in the command line. So it ended up being like this:

    apiVersion: helm.cattle.io/v1
    kind: HelmChartConfig
    metadata:
      name: traefik
      namespace: kube-system
    spec:
      valuesContent: |-
        externalTrafficPolicy: Local
        globalArguments:
          # insecureSkipVerify turns off TLS certificate verification
          # for Traefik's connections to backend servers.
          - "--serversTransport.insecureSkipVerify=true"
          # Accept X-Forwarded-* headers and PROXY protocol only from 10.0.0.0/8.
          - "--entrypoints.web.forwardedheaders.trustedips=10.0.0.0/8"
          - "--entrypoints.web.proxyprotocol.trustedips=10.0.0.0/8"
          - "--entrypoints.web.proxyprotocol=true"

And surprise surprise, it worked! Somehow the settings didn't get through unless they were in the command line.
After this I also needed to tell ASP.NET Core that there are multiple proxies in front (the X-Forwarded-For header will include all proxies before) by setting this:
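
    // ForwardedHeadersOptions is in the Microsoft.AspNetCore.Builder namespace.
    services.Configure<ForwardedHeadersOptions>(options =>
    {
        // Process up to three X-Forwarded-For entries.
        options.ForwardLimit = 3;
    });
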
And finally the information is correct.
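
As an added illustration (not code from this post or from ASP.NET Core), this Python sketch models right-to-left X-Forwarded-For evaluation with a hop limit and trusted proxy networks, which is what ForwardLimit and the trusted IP ranges above control. The function name, all addresses and the header values are constructed for the example, and the walk is a simplified model of how such middleware behaves.

```python
import ipaddress

def resolve_client_ip(peer_ip, x_forwarded_for, trusted_networks, forward_limit):
    """Return the address the app should treat as the client.

    Simplified model: walk the header from the right, accepting one entry
    per hop, and only while the hop that reported it is a trusted proxy.
    forward_limit=None means no limit on the number of entries.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    current = ipaddress.ip_address(peer_ip)
    entries = [e.strip() for e in x_forwarded_for.split(",") if e.strip()]
    hops = 0
    for entry in reversed(entries):
        if forward_limit is not None and hops >= forward_limit:
            break  # hop limit reached, ignore everything further left
        if not any(current in net for net in nets):
            break  # the reporting hop is not a trusted proxy
        try:
            current = ipaddress.ip_address(entry)
        except ValueError:
            break  # malformed entry, stop here
        hops += 1
    return str(current)

# Constructed sample: client -> Nginx -> cluster gateway -> Traefik pod -> app.
TRUSTED = ["10.0.0.0/8"]
PEER = "10.42.0.8"                          # address the app's socket sees
CHAIN = "203.0.113.7, 10.0.0.5, 10.42.0.1"  # header after three proxy hops
# Same chain, but the client sent its own X-Forwarded-For value first.
WITH_CLIENT_ENTRY = "198.51.100.99, " + CHAIN

if __name__ == "__main__":
    # A limit of 1 stops at the nearest proxy, a limit of 3 reaches the client.
    print(resolve_client_ip(PEER, CHAIN, TRUSTED, 1))
    print(resolve_client_ip(PEER, CHAIN, TRUSTED, 3))
    # The client-supplied entry is never reached with a narrow trust list...
    print(resolve_client_ip(PEER, WITH_CLIENT_ENTRY, TRUSTED, None))
    # ...but it is believed if every address is trusted and there is no limit.
    print(resolve_client_ip(PEER, WITH_CLIENT_ENTRY, ["0.0.0.0/0"], None))
```

Keeping the trusted ranges as narrow as the real proxy addresses allow, and the limit equal to the number of proxies actually in front, keeps a client-supplied entry from being used as the source address.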