
When using Traefik and Docker-compose, I would like to get the container IP to perform IP-based filtering but instead get the docker network gateway IP.

Here are the results of a curl request from the curl-client container:

docker-compose exec curl-client curl https://whoami.domain.name

Hostname: 608f3dcaf7d9
IP: 127.0.0.1
IP: 172.18.0.2
GET / HTTP/1.1
Host: whoami.domain.name
User-Agent: curl/7.58.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 172.18.0.1
X-Forwarded-Host: whoami.domain.name
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: 88756553599b
X-Real-Ip: 172.18.0.1    

Here, 172.18.0.1 is the gateway for the traefik_net network. Instead, I would expect to see 172.18.0.9 in the X-Forwarded-For field, as it is the IP of the curl-client container:

docker-compose exec curl-client cat /etc/hosts

172.18.0.9      34f7b6e5472f

I've also tried using the 'traefik.frontend.whiteList.useXForwardedFor=true' option without success.

traefik.toml

logLevel = "ERROR"

defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.dashboard]
    address = ":8080"
  [entryPoints.http]
    address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
    address = ":443"
    [entryPoints.https.tls]

[api]
entrypoint="dashboard"

[acme]
email = "[email protected]"
storage = "acme.json"
entryPoint = "https"
  [acme.dnsChallenge]
  provider = "ovh"
  delayBeforeCheck = 0

[[acme.domains]]
  main = "*.domain.name"

[docker]
domain = "domain.name"
watch = true
network = "traefik_net"

docker-compose.yml

version: '3'

services:

  traefik_proxy:
    image: traefik:alpine
    container_name: traefik
    networks:
      - traefik_net
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.toml:/traefik.toml
      - ./acme.json:/acme.json
    restart: unless-stopped
    environment:
      - OVH_ENDPOINT=ovh-eu
      - OVH_APPLICATION_KEY=secretsecret
      - OVH_APPLICATION_SECRET=secretsecret
      - OVH_CONSUMER_KEY=secretsecret
    labels:
      - 'traefik.frontend.rule=Host:traefik.domain.name'
      - 'traefik.port=8080'
      - 'traefik.backend=traefik'


  whoami:
    image: containous/whoami
    container_name: whoami
    networks:
      - traefik_net
    labels:
      - 'traefik.frontend.rule=Host:whoami.domain.name'


  curl-client:
    image: ubuntu
    networks:
      - traefik_net
    command: sleep infinity



networks:
  traefik_net:
    external: true

Edit: The domain name is resolved using the following dnsmasq.conf:

domain-needed
expand-hosts
bogus-priv

interface=eno1
domain=domain.name
cache-size=1024
listen-address=127.0.0.1
bind-interfaces

dhcp-range=10.0.10.10,10.0.10.100,24h
dhcp-option=3,10.0.10.1

dhcp-authoritative

server=208.67.222.222
server=208.67.220.220

address=/domain.name/10.0.10.3
  • What are you actually trying to do with this information? What will you do if a container restarts and its IP address changes? How does your client know how to resolve the whoami.domain.name DNS name? Commented Jan 2, 2019 at 23:29
  • @DavidMaze I have a container running openVPN, so I would like to whitelist connections originating from this container to other services based on its IP using traefik. Its IP will not change as it is specified directly in the corresponding docker-compose: networks: traefik_net: ipv4_address: xxx.xx.xx.xx The domain name is resolved locally using dnsmasq (dnsmasq.conf added in the original post). Note that I am open to other solutions to achieve my goal of whitelisting connections from local network and openvpn container. Commented Jan 3, 2019 at 9:56

2 Answers


After some investigation it seems that Traefik is not the problem here, the inability to access the container IP is due to the way Docker manages its internal network (see the following comments: https://github.com/containous/traefik/issues/4352 and https://github.com/docker/for-mac/issues/180).

I was able to achieve my goal of whitelisting internal connections by running my openvpn container in network_host mode; this way the client is assigned an IP by the system directly.




Setting the ports configuration of the docker-compose file as follows should work:

    ports:
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host

This ports capability is only available for docker-compose file format >= 3.2.

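Added example (not code from the question or from either answer): a compose file that combines the host-mode port publishing from the answer above with Traefik 1.x whitelist labels on the whoami service, so the two pieces can be seen together. Everything beyond what the page shows is an assumption: the 10.0.10.0/24 range is taken from the dhcp-range in the question's dnsmasq.conf, 172.18.0.9 is used as a fixed address for the VPN container (the approach the asker describes in the comments), and openvpn-image-placeholder stands in for whatever image is actually used. Whether host-mode publishing makes Traefik see the real container address is what this answer claims; the curl request against whoami from the question is the way to confirm it, since X-Forwarded-For should then no longer show the 172.18.0.1 gateway.

```yaml
version: '3.2'   # the long ports syntax needs compose file format 3.2 or later

services:
  traefik_proxy:
    image: traefik:alpine
    container_name: traefik
    networks:
      - traefik_net
    ports:
      # Host-mode publishing, as suggested in the answer: the connection
      # is not relayed through docker-proxy, which is what rewrote the
      # source address to the bridge gateway.
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.toml:/traefik.toml
      - ./acme.json:/acme.json
    restart: unless-stopped

  whoami:
    image: containous/whoami
    container_name: whoami
    networks:
      - traefik_net
    labels:
      - 'traefik.frontend.rule=Host:whoami.domain.name'
      # Traefik 1.x per-frontend source whitelist. Both ranges are assumed:
      # the LAN from dnsmasq.conf and the fixed address of the VPN container.
      - 'traefik.frontend.whiteList.sourceRange=10.0.10.0/24,172.18.0.9/32'
      # Nothing trusted sits in front of Traefik here, so keep this false:
      # with it enabled any client could set X-Forwarded-For itself and
      # pass the filter with a spoofed address.
      - 'traefik.frontend.whiteList.useXForwardedFor=false'

  openvpn:
    image: openvpn-image-placeholder   # placeholder, not a real image name
    networks:
      traefik_net:
        ipv4_address: 172.18.0.9       # assumed fixed address, must match the whitelist

networks:
  traefik_net:
    external: true
```

The whitelist is deliberately evaluated on the TCP source address rather than X-Forwarded-For: the header only becomes trustworthy when a proxy you control is the one setting it, and the question shows no such proxy in front of Traefik. If the VPN container is instead run with network_mode: host as in the accepted answer, its traffic arrives from a host address, so the 172.18.0.9/32 entry would be replaced by that address.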
