How to show real IP of clients in Traefik access.log in Docker


If you run Traefik in Docker and monitor incoming traffic, every connection in the access log appears to come from an IP address on the Docker ingress network. To log the real IP of clients connecting to a Traefik reverse proxy running in a Docker Swarm environment, you need to publish the entrypoints of your Traefik container to the host network.

Why I needed to show the real IP of clients in Traefik

I found a Grafana dashboard that used Loki to scrape Traefik’s access.log to allow almost real-time viewing of connections coming through my Traefik reverse proxy. Unfortunately, the dashboard’s documentation was written half in Chinese, but after some digging I managed to get it up and running. I then found that all the IP addresses in the logs were internal to Docker.

Grafana Traefik Via Loki Dashboard

Traefik access.log behind Docker Ingress Network


{"ClientAddr":"10.0.0.2:56038","ClientHost":"10.0.0.2","ClientPort":"56038","ClientUsername":"-","DownstreamContentSize":19,"DownstreamStatus":404,"Duration":777860,"OriginContentSize":19,"OriginDuration":67647,"OriginStatus":404,"Overhead":710213,"RequestAddr":"health.local.ebnet.us","RequestContentSize":0,"RequestCount":1,"RequestHost":"health.local.ebnet.us","RequestMethod":"GET","RequestPath":"/socket.io/?EIO=4\u0026transport=websocket","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"https","RetryAttempts":0,"StartLocal":"2022-03-30T22:20:28.909894281-04:00","StartUTC":"2022-03-31T02:20:28.909894281Z","TLSCipher":"TLS_CHACHA20_POLY1305_SHA256","TLSVersion":"1.3","entryPointName":"https","level":"info","msg":"","time":"2022-03-30T22:20:28-04:00"}

How to publish your Traefik entrypoints in Docker Swarm

In your docker-compose file for Traefik, the ports section needs to look like this:

    ports:
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host

Then recycle your Traefik container so the new port settings take effect.


Traefik access.log having entrypoints published to the host network

{"ClientAddr":"192.168.0.34:58622","ClientHost":"192.168.0.34","ClientPort":"58622","ClientUsername":"-","DownstreamContentSize":0,"DownstreamStatus":304,"Duration":7366997,"OriginContentSize":0,"OriginDuration":6389597,"OriginStatus":304,"Overhead":977400,"RequestAddr":"health.local.ebnet.us","RequestContentSize":0,"RequestCount":23127,"RequestHost":"health.local.ebnet.us","RequestMethod":"GET","RequestPath":"/assets/index.b500f6e0.css","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"https","RetryAttempts":0,"RouterName":"uptime-kuma-secure@docker","ServiceAddr":"10.0.7.204:3001","ServiceName":"uptime-kuma@docker","ServiceURL":{"Scheme":"http","Opaque":"","User":null,"Host":"10.0.7.204:3001","Path":"","RawPath":"","ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":""},"StartLocal":"2022-03-31T02:28:21.91697327-04:00","StartUTC":"2022-03-31T06:28:21.91697327Z","TLSCipher":"TLS_CHACHA20_POLY1305_SHA256","TLSVersion":"1.3","entryPointName":"https","level":"info","msg":"","time":"2022-03-31T02:28:21-04:00"}
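
To confirm the change took effect across all entrypoints, the following added example (not code from the original post) reads JSON access.log lines and counts, per entrypoint, how many clients are still logged with an ingress-network address. The 10.0.0.0/24 ingress subnet, the function names and the sample lines are assumptions made for illustration.

```python
import ipaddress
import json
from collections import Counter

# Assumption: the swarm ingress network is 10.0.0.0/24, matching the 10.0.0.2
# client seen above. Confirm yours with `docker network inspect ingress`.
INGRESS_NET = ipaddress.ip_network("10.0.0.0/24")

# Constructed sample: the two entries from this post trimmed to the relevant
# fields, plus a made-up "http" entry and a non-JSON line.
SAMPLE = [
    '{"ClientAddr":"10.0.0.2:56038","ClientHost":"10.0.0.2","entryPointName":"https"}',
    '{"ClientAddr":"192.168.0.34:58622","ClientHost":"192.168.0.34","entryPointName":"https"}',
    '{"ClientAddr":"10.0.0.2:40100","ClientHost":"10.0.0.2","entryPointName":"http"}',
    'time="2022-03-31T02:28:21-04:00" level=info msg="not a JSON access log line"',
]

def parse(line):
    """Return (entrypoint, client_ip), or None if the line is not usable."""
    try:
        entry = json.loads(line)
        host = ipaddress.ip_address(str(entry["ClientHost"]))
        return entry.get("entryPointName", "unknown"), host
    except (ValueError, KeyError, TypeError, AttributeError):
        return None

def audit(lines, ingress=INGRESS_NET):
    """Count 'masked' (ingress address) and 'real' clients per entrypoint."""
    report = {}
    for line in lines:
        if not line.strip():
            continue
        parsed = parse(line)
        if parsed is None:
            report.setdefault("unparsed", Counter())["invalid"] += 1
            continue
        entrypoint, host = parsed
        verdict = "masked" if host in ingress else "real"
        report.setdefault(entrypoint, Counter())[verdict] += 1
    return report

def masked_entrypoints(report):
    """Entrypoints that still log ingress-network addresses as the client."""
    return sorted(ep for ep, counts in report.items() if counts["masked"])

if __name__ == "__main__":
    result = audit(SAMPLE)  # or: audit(open("access.log", encoding="utf-8"))
    print({ep: dict(c) for ep, c in result.items()})
    print("still behind ingress:", masked_entrypoints(result))
```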

If you enabled access logging for Traefik running in Docker, check out my post about rotating logs for Docker containers here.
