
How to get the real source IP of Kubernetes Pods with Traefik and DigitalOcean

Troubleshooting Real Source IP Passthrough to Kubernetes Pods with Traefik & DigitalOcean Load Balancer

Hey there! Let's walk through getting the real source IP passed through to your Kubernetes pods when Traefik sits behind a DigitalOcean Load Balancer (DO LB) with Proxy Protocol enabled. First a look at what your current setup already gets right, then the gaps that are blocking the passthrough.

First, the good news: You're already doing two critical things right

  • You've enabled Proxy Protocol on your DO LB via the Service annotation service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true", so every connection the LB opens to a node starts with a PROXY header carrying the original client address.
  • You set externalTrafficPolicy: Local on your Traefik Service, so kube-proxy does not SNAT the traffic to the node's own address before it reaches Traefik (a common cause of lost source IPs).

Now let's fix the configuration issues in your Traefik ConfigMap

There are two key problems in your current setup:

  1. Incorrect trustedIPs format: You've listed all IPs in a single string, but Traefik expects an array of individual IP or CIDR strings. Only connections arriving from an address in this list get their client address rewritten from the PROXY header; anything else is left as the plain TCP peer address.
  2. Missing Proxy Protocol config for the HTTP entrypoint: The DO annotation applies to every forwarding rule on the LB, so port 80 carries the PROXY header exactly like port 443, but you only configured it for HTTPS. A listener that isn't expecting the header reads its bytes as a malformed request.

One caveat before you copy the list: every address in trustedIPs is allowed to claim any client IP it likes in the PROXY header, so keep it to peers that really open connections to Traefik. Confirm on a node which address the LB actually connects from (it is not necessarily the LB's public IP) and use that, rather than guessing.

Here's the corrected ConfigMap snippet:

[entryPoints]
[entryPoints.http]
address = ":80"
compress = true
# Add Proxy Protocol config for HTTP (the DO LB sends the header on port 80 too)
[entryPoints.http.proxyProtocol]
# Peers allowed to set the client address via the PROXY header. Bare IPs and
# CIDRs are both accepted; verify on a node that each entry is an address that
# really connects to Traefik, because every entry can spoof any client IP.
trustedIPs = ["LOAD_BALANCER_PUBLIC_IP", "WORKER_NODE_PRIVATE_IP_1", "WORKER_NODE_PRIVATE_IP_2"]
[entryPoints.http.redirect]
# Send plain HTTP to the https entrypoint
entryPoint = "https"

[entryPoints.https]
address = ":443"
compress = true
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
CertFile = "/ssl/client_co.crt"
KeyFile = "/ssl/tls.key"
[entryPoints.https.proxyProtocol]
# Fix: each IP is a separate quoted string in the array (same list as for http)
trustedIPs = ["LOAD_BALANCER_PUBLIC_IP", "WORKER_NODE_PRIVATE_IP_1", "WORKER_NODE_PRIVATE_IP_2"]
[entryPoints.https.redirect]
# Strip a leading "www." from the host; "\\." in a TOML basic string is the regex \.
regex = "^https://(?:www\\.)(.*)"
replacement = "https://$1"
permanent = true

Next steps to verify and apply the fix

  1. Update your ConfigMap: Apply the corrected ConfigMap with kubectl apply -f <your-configmap-file>.yaml -n kube-system
  2. Restart Traefik: Traefik reads its static configuration at startup and doesn't re-read the mounted ConfigMap, so restart its pods:
    kubectl rollout restart deployment/traefik-ingress-lb -n kube-system
    # Or if using a DaemonSet:
    kubectl rollout restart daemonset/traefik-ingress-lb -n kube-system
    
  3. Check Traefik logs: Make sure the entrypoints came up on :80 and :443 and that there are no Proxy Protocol errors (for example, a peer outside trustedIPs sending PROXY headers):
    kubectl logs -l k8s-app=traefik-ingress-lb -n kube-system --follow
    
  4. Validate the source IP in your backend pods: The TCP peer your application sees is still the Traefik pod, so look at the X-Forwarded-For request header (the last entry is the one Traefik appended; earlier entries can be supplied by the client) or at X-Real-Ip. It should now show the real client IP instead of the DO LB or worker node IP. If you have Traefik's access log enabled, the client address recorded there should match.
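To make the trustedIPs rule from the ConfigMap section and the step 4 check above concrete, here is an added example (written for this page; it is not Traefik's or DigitalOcean's code) that builds the PROXY v1 header the LB prepends, parses it the way a Proxy-Protocol-aware listener does, and applies the trusted-peer check that decides whether the header may override the TCP peer address. The IP addresses and the request bytes are constructed placeholders, and probe() is a hypothetical helper for testing a real endpoint from outside trustedIPs.

```python
# Added example, not from the original page or from Traefik/DigitalOcean:
# PROXY v1 header handling with a trusted-peer check. Addresses are placeholders.
import ipaddress
import socket

# Constructed sample: the line the LB prepends, followed by the client's real bytes.
SAMPLE_HEADER = b"PROXY TCP4 203.0.113.10 198.51.100.5 51234 443\r\n"
SAMPLE_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
MAX_V1_HEADER = 107  # maximum v1 header length per the PROXY protocol spec, CRLF included


def build_proxy_v1_header(src_ip, dst_ip, src_port, dst_port):
    """Build the text-form v1 header; this is also what a spoofing client would send."""
    fam = "TCP6" if ":" in src_ip else "TCP4"
    return f"PROXY {fam} {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode("ascii")


def parse_proxy_v1_header(data):
    """Split a leading v1 header off data; returns (info, rest), info None if absent."""
    if not data.startswith(b"PROXY "):
        return None, data
    end = data.find(b"\r\n")
    if end == -1 or end + 2 > MAX_V1_HEADER:
        raise ValueError("malformed PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1:] == ["UNKNOWN"]:
        return {"family": "UNKNOWN"}, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    _, fam, src, dst, sport, dport = fields
    return {
        "family": fam,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "sport": int(sport),
        "dport": int(dport),
    }, rest


def effective_client(peer_ip, data, trusted_cidrs):
    """Decide which address the application is told is the client.

    peer_ip is the real TCP source of the connection (the LB when Proxy
    Protocol is on). Only peers inside trusted_cidrs may override it: any
    trusted peer can claim any client IP, so the list must contain nothing
    but the addresses the LB really connects from. Bare IPs are treated as
    /32, as Traefik does with trustedIPs.
    """
    peer = ipaddress.ip_address(peer_ip)
    nets = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    if not any(peer in net for net in nets):
        # Untrusted source: do not consume the header. Its bytes stay in the
        # stream and the HTTP parser rejects them, so the spoof cannot succeed.
        return peer, data
    info, rest = parse_proxy_v1_header(data)
    if info is None or info["family"] == "UNKNOWN":
        return peer, rest
    return info["src"], rest


def probe(host, port, claimed_ip, timeout=5):
    """Hypothetical helper: send a forged header to a plain-HTTP port and return the reply.

    Run it from a machine outside trustedIPs against your LB or a node on port 80.
    If the reply is the entrypoint's redirect, the header was accepted (the
    trusted list is too wide); a 400 means it was treated as garbage, as it should.
    Needs network access, so it is not exercised by the tests.
    """
    dst_ip = socket.gethostbyname(host)
    payload = build_proxy_v1_header(claimed_ip, dst_ip, 40000, port) + SAMPLE_REQUEST
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        return s.recv(4096)


if __name__ == "__main__":
    client, _ = effective_client("10.10.0.2", SAMPLE_HEADER + SAMPLE_REQUEST, ["10.10.0.0/16"])
    print("trusted LB peer  ->", client)
    client, _ = effective_client("192.0.2.7", SAMPLE_HEADER + SAMPLE_REQUEST, ["10.10.0.0/16"])
    print("untrusted peer   ->", client)
```

The two printed cases are the whole story behind trustedIPs: the same header yields the real client address when the connection comes from a trusted peer and is ignored otherwise. probe() turns that into the check you actually want to run against production: if a host that is not in the list can make your backend report an address of its choosing, any IP allowlist or rate limit behind Traefik can be bypassed.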

Quick additional check

If you're running Traefik as a DaemonSet (a common choice for ingress controllers, and a natural fit with externalTrafficPolicy: Local), make sure a Traefik pod is actually running on every worker node the LB targets. With externalTrafficPolicy: Local a node only forwards to pods running on that node; Kubernetes exposes a dedicated health-check node port for such Services that reports unhealthy on nodes without a local pod, so the DO LB should take those nodes out of rotation, but until it does (or if that health check isn't wired up) connections sent to them are dropped.

The question is sourced from Stack Exchange; question author: Rutnet
