Requests coming from zerotier-one don't preserve Source IP #65

Open
davidfrickert opened this issue Mar 26, 2024 · 1 comment
Comments


davidfrickert commented Mar 26, 2024

I'm trying to implement IP whitelisting using traefik in my cluster for requests coming from my zerotier-one network, but I am facing an issue: klipper-lb seems not to preserve the IP address when traffic comes from the zerotier-one interface.

I have no issues with traffic coming from the local network or from my external home IP; those seem to be preserved fine. But when the zerotier-one network is used, the X-Forwarded-For header contains the node IP address.

Using the traefik/whoami app to debug below:

Example local access:

Hostname: web-65f84c6bc4-m9js7
IP: 127.0.0.1
IP: ::1
IP: 10.42.1.78
IP: fe80::5051:71ff:fe04:34e
RemoteAddr: 10.42.0.131:40592
GET / HTTP/1.1
Host: whoami.k3s.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Dnt: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Sec-Gpc: 1
Te: trailers
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 192.168.2.12
X-Forwarded-Host: whoami.k3s.local
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: traefik-68ccf99dcd-7lttf
X-Real-Ip: 192.168.2.12

Example zerotier-one access:

Hostname: web-65f84c6bc4-m9js7
IP: 127.0.0.1
IP: ::1
IP: 10.42.1.78
IP: fe80::5051:71ff:fe04:34e
RemoteAddr: 10.42.0.131:56840
GET / HTTP/1.1
Host: whoami.k3s.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Cache-Control: no-cache
Dnt: 1
Pragma: no-cache
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Sec-Gpc: 1
Te: trailers
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 10.42.0.245
X-Forwarded-Host: whoami.k3s.local
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: traefik-68ccf99dcd-7lttf
X-Real-Ip: 10.42.0.245

Any ideas on how to fix this with klipper?

Note:
I already have externalTrafficPolicy: Local and affinity to ensure the traefik pod is on the same node as klipper.

I guess I can just use 10.42.0.0/24 in the IP whitelist and it should work but would prefer to have the correct IP forwarded!
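A small verification check for the behaviour described in this issue, written as an added example (not code from the issue or from the klipper-lb project): it parses whoami output like the two captures above and tells whether the forwarded client address survived the load balancer or was rewritten to a cluster-internal address, in which case an IP allowlist decision built on it cannot identify the real client. The cluster CIDR 10.42.0.0/16 (the k3s default) and the 192.168.2.0/24 allowlist are assumptions for illustration.

```python
import ipaddress

# Constructed samples: the relevant lines of the two whoami responses in the issue.
LOCAL_RESPONSE = """RemoteAddr: 10.42.0.131:40592
X-Forwarded-For: 192.168.2.12
X-Real-Ip: 192.168.2.12"""

ZEROTIER_RESPONSE = """RemoteAddr: 10.42.0.131:56840
X-Forwarded-For: 10.42.0.245
X-Real-Ip: 10.42.0.245"""

# Assumption: k3s default pod CIDR; both 10.42.0.x addresses above fall inside it.
CLUSTER_CIDR = ipaddress.ip_network("10.42.0.0/16")
# Assumption: illustrative allowlist covering the LAN client seen in the issue.
ALLOWLIST = [ipaddress.ip_network("192.168.2.0/24")]


def parse_headers(text):
    """Parse 'Name: value' lines of a whoami response into a dict."""
    headers = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return headers


def client_ip(headers):
    """Return the left-most X-Forwarded-For hop as an address, or None."""
    xff = headers.get("X-Forwarded-For")
    if not xff:
        return None
    return ipaddress.ip_address(xff.split(",")[0].strip())


def source_preserved(headers):
    """True when the forwarded address lies outside the cluster CIDR,
    i.e. the load balancer did not SNAT it to a cluster address."""
    ip = client_ip(headers)
    return ip is not None and ip not in CLUSTER_CIDR


def allowlist_decision(headers, allowlist=ALLOWLIST):
    """Decide like an IP allowlist middleware would, but treat a
    cluster-internal forwarded address as unverifiable rather than trusted."""
    ip = client_ip(headers)
    if ip is None:
        return "deny: no client address"
    if ip in CLUSTER_CIDR:
        return "deny: source rewritten (SNAT), real client unknown"
    return "allow" if any(ip in net for net in allowlist) else "deny: not allowlisted"
```

Running `allowlist_decision(parse_headers(ZEROTIER_RESPONSE))` shows why a policy keyed on the 10.42.0.x address cannot distinguish a zerotier client from anything else whose source was rewritten on the same path.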
