After changing my proxy from NGINX to Traefik, I noticed that some of my services started misbehaving.
The only difference between my old NGINX and my Traefik config were the headers.
I didn't think that that's what's causing the issue, but after digging around a
bit I figured out what's wrong. I still can't wrap my head around it entirely,
but it has something to do with forwarding external
https requests to internal
http services, since the
x-forwarded- headers where missing in the forwarded
In the world of NGINX, we can instruct the proxy to forward all headers using this directive:
which takes care of the issue. In Traefik, it's a bit more convoluted. Traefik
can use a combination of "Entrypoints" and middleware to route traffic around.
In my setup, I use a
webSecure entrypoint listening for SSL/TLS traffic, and a
web entrypoint that just redirects to
entryPoints: web: address: :80 http: redirections: entryPoint: to: "websecure" scheme: "https" websecure: address: :443
Apparently, some services send requests to the
web entrypoint, and the
x-forwarded-for headers are dropped. To prevent this, you can set the
forwardedHeaders in the
web entrypoint to
entryPoints: web: address: :80 proxyProtocol: insecure: true forwardedHeaders: insecure: true # ... # ...
I'm sure there's a reason why this is marked as
insecure, but it behaves just
like the NGINX counterpart, so I didn't bother digging deeper into the matter.
Maybe one day I'll come back to properly fix this.
If you want to read more, check out this article on Medium. It explains the issue in more detail.
This is post 025 of #100DaysToOffload.