If you are running Traefik in Docker and monitoring incoming traffic, you will see that all incoming connections use IP addresses from the Docker ingress network. If you need the real IP addresses of clients connecting to a Traefik reverse proxy running in a Docker Swarm environment, you will need to publish Traefik’s entrypoints from the container to the host network.
Why I needed to show the real IP of clients in Traefik
I found a Grafana dashboard that used Loki to scrape Traefik’s access.log to allow almost real-time viewing of connections coming through my Traefik reverse proxy. Unfortunately, the dashboard’s documentation was written half in Chinese, but after some digging I managed to get it up and running. I then found that all the IP addresses in the logs were internal to Docker.
Traefik access.log behind Docker Ingress Network
{"ClientAddr":"10.0.0.2:56038","ClientHost":"10.0.0.2","ClientPort":"56038","ClientUsername":"-","DownstreamContentSize":19,"DownstreamStatus":404,"Duration":777860,"OriginContentSize":19,"OriginDuration":67647,"OriginStatus":404,"Overhead":710213,"RequestAddr":"health.local.ebnet.us","RequestContentSize":0,"RequestCount":1,"RequestHost":"health.local.ebnet.us","RequestMethod":"GET","RequestPath":"/socket.io/?EIO=4\u0026transport=websocket","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"https","RetryAttempts":0,"StartLocal":"2022-03-30T22:20:28.909894281-04:00","StartUTC":"2022-03-31T02:20:28.909894281Z","TLSCipher":"TLS_CHACHA20_POLY1305_SHA256","TLSVersion":"1.3","entryPointName":"https","level":"info","msg":"","time":"2022-03-30T22:20:28-04:00"}
How to publish your Traefik entrypoints in Docker Swarm
In your docker-compose file for Traefik, the ports section needs to look like this:
ports:
  - target: 80
    published: 80
    mode: host
  - target: 443
    published: 443
    mode: host
Recycle your Traefik container so the new port settings take effect.
Traefik access.log with entrypoints published to the host network
{"ClientAddr":"192.168.0.34:58622","ClientHost":"192.168.0.34","ClientPort":"58622","ClientUsername":"-","DownstreamContentSize":0,"DownstreamStatus":304,"Duration":7366997,"OriginContentSize":0,"OriginDuration":6389597,"OriginStatus":304,"Overhead":977400,"RequestAddr":"health.local.ebnet.us","RequestContentSize":0,"RequestCount":23127,"RequestHost":"health.local.ebnet.us","RequestMethod":"GET","RequestPath":"/assets/index.b500f6e0.css","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"https","RetryAttempts":0,"RouterName":"uptime-kuma-secure@docker","ServiceAddr":"10.0.7.204:3001","ServiceName":"uptime-kuma@docker","ServiceURL":{"Scheme":"http","Opaque":"","User":null,"Host":"10.0.7.204:3001","Path":"","RawPath":"","ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":""},"StartLocal":"2022-03-31T02:28:21.91697327-04:00","StartUTC":"2022-03-31T06:28:21.91697327Z","TLSCipher":"TLS_CHACHA20_POLY1305_SHA256","TLSVersion":"1.3","entryPointName":"https","level":"info","msg":"","time":"2022-03-31T02:28:21-04:00"}
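To confirm the change took effect on every entrypoint, the access.log can be checked for entries whose ClientHost still falls inside the ingress network. The script below is an added example, not part of the original post; the 10.0.0.0/24 subnet and the function names are assumptions, and the sample lines are constructed from the two log entries above.

```python
import ipaddress
import json
from collections import Counter

# Assumption: the ingress overlay subnet, chosen to cover the 10.0.0.2 address
# in the first log entry. Confirm yours with `docker network inspect ingress`.
INGRESS_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed sample: the two access.log entries from this page cut down to the
# fields used here, plus one malformed line.
SAMPLE_LOG = """\
{"ClientHost":"10.0.0.2","RequestHost":"health.local.ebnet.us","entryPointName":"https"}
{"ClientHost":"192.168.0.34","RequestHost":"health.local.ebnet.us","entryPointName":"https"}
not json
"""


def classify(line, nets=INGRESS_NETS):
    """Return (entrypoint, verdict) for one JSON access.log line."""
    try:
        entry = json.loads(line)
        addr = ipaddress.ip_address(entry["ClientHost"])
    except (ValueError, KeyError, TypeError):
        return "?", "unparsed"
    verdict = "masked" if any(addr in net for net in nets) else "real"
    return entry.get("entryPointName", "?"), verdict


def summarize(lines, nets=INGRESS_NETS):
    """Count verdicts per entrypoint so one still behind the ingress network stands out."""
    report = {}
    for line in lines:
        if line.strip():
            entrypoint, verdict = classify(line, nets)
            report.setdefault(entrypoint, Counter())[verdict] += 1
    return report


if __name__ == "__main__":
    for entrypoint, counts in summarize(SAMPLE_LOG.splitlines()).items():
        print(entrypoint, dict(counts))
```

Any entrypoint that keeps reporting "masked" entries after the container is recycled is still being reached through the ingress network rather than the host-published port.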