Traefik Kubernetes Ingress and X-Forwarded- Headers
Or, how to get nginx’s `proxy_set_header X-Forwarded-Proto` working in Traefik
If you expose an HTTPS endpoint but proxy traffic to internal applications over HTTP, the default configuration of the Traefik Kubernetes ingress controller (at least if you’ve deployed it via helm and/or k3s) won’t work: your applications see `http` as the scheme instead of `https`, which can confuse some applications and result in errors.
If you’re coming from nginx and find yourself dealing with Traefik now, what you want is the equivalent of nginx’
feature. This ensures that all `x-forwarded-` headers are set/proxied in the right way to the destination.
I have considered going back to nginx. I don’t understand the hype around Traefik: I think it’s very complicated to configure, the docs assume one needs to understand the codebase, and examples are incomplete or not available at all.
This is my opinion, and I’m open to change. There might be features available in Traefik which aren’t available in nginx. However, I have yet to find them.
I’m sticking to Traefik since it’s part of k3s. While Traefik can be disabled during setup, I want to go as native as possible without making a lot of changes.
I spent way too long adding nginx’s `proxy_pass_request_headers` to Traefik (which turned out to be quite easy, but getting to this point was very painful).
Assume you have a web server with HTTPS configured, but it proxies requests to a web application in your Docker / Kubernetes cluster that only listens on HTTP. You still want to let the server know that the protocol you’re coming from is HTTPS, so the application can respond with this scheme.
It’s not just about the scheme, it’s also about all other `x-forwarded-` headers, and we’re mostly concerned about
Update the Traefik deployment
To make Traefik forward the `x-forwarded-` headers to the destination, follow along. These steps are specific to k3s, which applies the change automatically; if you’ve deployed Traefik via helm, you can just take the values from the `valuesContent` block down below and apply them to the helm values config:
- create this file
- add the custom helm chart config, the important bits are
- k3s will automatically pick this file up and restart the Traefik pod(s). You should be able to use your application(s) now.
Instead of using `insecure`, there are ways to limit this to IP ranges as well, but I haven’t experimented with this yet.
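The IP-range variant mentioned above, as an added example that is not the original post's config: a k3s `HelmChartConfig` that keeps incoming `X-Forwarded-*` headers only when they arrive from a known upstream proxy, with the `insecure` form left commented out for comparison. Assumptions: the file name in k3s's manifests directory, the chart's default entry point names `web` and `websecure`, and the placeholder address `192.0.2.10/32` for the proxy in front of Traefik.

```yaml
# Added example. Assumed location (k3s auto-applies manifests placed in this
# directory; the file name itself is arbitrary):
#   /var/lib/rancher/k3s/server/manifests/traefik-config.yaml
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik          # must match the HelmChart k3s ships for Traefik
  namespace: kube-system
spec:
  valuesContent: |-
    additionalArguments:
      # Weak setting: accept X-Forwarded-* from ANY client. A request sent
      # straight to Traefik can then claim any scheme or source address, and
      # backends that rely on those headers (HTTPS redirects, IP allow-lists,
      # rate limits, audit logs) will believe it.
      # - "--entryPoints.web.forwardedHeaders.insecure"
      # - "--entryPoints.websecure.forwardedHeaders.insecure"

      # Restricted setting: keep incoming X-Forwarded-* only when the TCP peer
      # is the proxy or load balancer in front of Traefik. For every other
      # peer Traefik drops the client-supplied values and writes its own.
      # 192.0.2.10/32 is a placeholder: replace it with your upstream's address.
      - "--entryPoints.web.forwardedHeaders.trustedIPs=192.0.2.10/32"
      - "--entryPoints.websecure.forwardedHeaders.trustedIPs=192.0.2.10/32"
```

Traefik matches `trustedIPs` against the peer address of the connection, so if traffic is source-NATed before it reaches the Traefik pod, the address to trust is the one Traefik actually sees, not the proxy's original IP. To verify, send a request directly to Traefik with a forged `X-Forwarded-Proto` header and check that the backend does not receive it.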
I guess there’s also a case to be made to proxy traffic to `https` based endpoints end-to-end.