在过去的两天里,我一直在努力解决这个问题,但我不知道如何解决。我想用traefik代理在应用程序上捕获客户机IP。
设置:
R53 -> ALB --> (Traefik proxy --> applocation)
我正在ECS上运行我的应用程序,并利用ECS提供者。
我试过的是:
按照文档向traefik添加以下标签:
--entrypoints.http.forwardedheaders.trustedips=0.0.0.0/0
--entrypoints.https.forwardedheaders.trustedips=0.0.0.0/0
--entrypoints.http.forwardedheaders.insecure=true
--entrypoints.https.forwardedheaders.insecure=true
同时也尝试了所有这些配置,但是每次我添加这些配置时,traefik都会停止工作,而不会使用任何有用的日志。
我观察到的:
在不添加任何这些配置的情况下,如果我跳过负载均衡器直接命中trafik IP,我可以看到我的IP (Client)。这是否意味着我需要改变AWS?
通过LB:
Upgrade-Insecure-Requests: 1
X-Amzn-Trace-Id: Root=1-620e68b5-121181407c9ceadf6c8f0a25
X-Forwarded-For: 172.31.22.81
X-Forwarded-Host: infra.**********.nl
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: ip-172-31-8-140.eu-central-1.compute.internal
X-Real-Ip: 172.31.22.81
直接IP命中:
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 80.***.***.61
X-Forwarded-Host: 3.71.93.123
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: ip-172-31-8-140.eu-central-1.compute.internal
X-Real-Ip: 80.***.***.61
发布于 2022-03-23 10:14:22
最后,在阅读了大量的文档和测试之后,我找到了一种方法来实现这一点。
这是针对ECS提供者的:
任务定义:
Traefik
"traefik",
"--providers.ecs.clusters=application",
"--log.level=DEBUG",
"--providers.ecs.region=us-west-2",
"--api.insecure",
"--entryPoints.web.address=:80",
"--entryPoints.web.proxyProtocol.trustedIPs=127.0.0.1/32,<VPC-CIDR>",
"--entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,<VPC-CIDR>",
application
"traefik.http.routers.app.rule": "pathprefix(`/`)",
"traefik.enable": "true",
"traefik.http.services.service-app-app.loadbalancer.healthcheck.timeout": "10",
"traefik.http.services.service-app-app.loadbalancer.sticky.cookie": "true",
"traefik.http.services.service-app-app.loadbalancer.healthcheck.port": "8080",
"traefik.http.services.service-app-app.loadbalancer.healthcheck.interval": "30",
"traefik.http.services.service-app-app.loadbalancer.healthcheck.path": "/ping",
"traefik.http.services.service-app-app.loadbalancer.sticky.cookie.name": "app-cookie"
与世界卫生组织的集装箱:
Hostname: ip-172-31-29-79.us-east-2.compute.internal
IP: 127.0.0.1
GET / HTTP/1.1
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Upgrade-Insecure-Requests: 1
X-Amzn-Trace-Id: Root=1-623af218-525fa18d4d17e1ef431bb2b9
X-Forwarded-For: 8*******5, 172.31.12.125
X-Forwarded-Host: ecs-*****.us-east-2.elb.amazonaws.com
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: ip-172-31-15-101.us-east-2.compute.internal
X-Real-Ip: <loadbalancer-IP>
此PR很好地概述了前向头是如何工作的https://github.com/traefik/traefik/pull/7875/files。
它的工作原理:
X-Forwarded-For: <client_ip>, <alb_ip>
X-Real-Ip: <alb_ip>
https://stackoverflow.com/questions/71160913
复制相似问题