Fixing Traefik Proxy Issues

Mar 18 2022

After changing my proxy from NGINX to Traefik, I noticed that some of my services started misbehaving.

In particular, my instance of BirdsiteLive (birdsite.slashdev.space) had issues forwarding tweets to the Fediverse.

The only difference between my old NGINX and my Traefik config were the headers. I didn't think that that's what's causing the issue, but after digging around a bit I figured out what's wrong. I still can't wrap my head around it entirely, but it has something to do with forwarding external https requests to internal http services, since the x-forwarded- headers where missing in the forwarded requests.

In the world of NGINX, we can instruct the proxy to forward all headers using this directive:

proxy_pass_request_headers      on;

which takes care of the issue. In Traefik, it's a bit more convoluted. Traefik can use a combination of "Entrypoints" and middleware to route traffic around. In my setup, I use a webSecure entrypoint listening for SSL/TLS traffic, and a web entrypoint that just redirects to webSecure:

entryPoints:
    web:
        address: :80
        http:
            redirections:
                entryPoint:
                    to: "websecure"
                    scheme: "https"

    websecure:
        address: :443

Apparently, some services send requests to the web entrypoint, and the x-forwarded-for headers are dropped. To prevent this, you can set the proxyProtocol and forwardedHeaders in the web entrypoint to insecure, like so:

entryPoints:
    web:
        address: :80
        proxyProtocol:
            insecure: true
        forwardedHeaders:
            insecure: true
        # ...
# ...

I'm sure there's a reason why this is marked as insecure, but it behaves just like the NGINX counterpart, so I didn't bother digging deeper into the matter. Maybe one day I'll come back to properly fix this.

If you want to read more, check out this article on Medium. It explains the issue in more detail.


This is post 025 of #100DaysToOffload.


Reply via E-Mail