Traefik Kubernetes Ingress and X-Forwarded- Headers

Or, how to get nginx’ proxy_pass_request_headers or proxy_set_header X-Forwarded-Proto working in Traefik

If you have an exposed HTTPS endpoint but are proxying traffic to internal applications over HTTP, the default configuration of the Traefik Kubernetes ingress controller (at least if you’ve deployed it via helm and/or k3s) won’t work: your applications see http as the scheme instead of https, which can confuse some applications and result in errors.

If you’re coming from nginx and find yourself dealing with Traefik now, what you want is the equivalent of nginx’

proxy_pass_request_headers      on;

feature. This ensures that all x-forwarded- headers are set/proxied in the right way to the destination.

I have considered going back to nginx. I don’t understand the hype around Traefik; I think it’s very complicated to configure, the docs assume one needs to understand the codebase, and examples are incomplete or not available at all.
This is my opinion, and I’m open to change. There might be features available in Traefik which aren’t available in nginx. However, I have yet to find them.

I’m sticking to Traefik since it’s part of k3s. While Traefik can be disabled during setup, I want to go as native as possible without making a lot of changes.

I spent way too long adding nginx’s proxy_pass_request_headers to Traefik (which turned out to be quite easy, but getting to this point was very painful).

What does proxy_pass_request_headers do?

Assume you have a web server with HTTPS configured, but it proxies requests to a web application in your Docker / Kubernetes cluster that only listens on HTTP. You still want to let the application server know that the protocol you’re coming from is HTTPS, so the application can respond with this scheme.

It’s not just about the scheme, it’s also about all the other x-forwarded- headers, but we’re mostly concerned with x-forwarded-proto here.

Update the Traefik deployment

To make Traefik forward the x-forwarded- headers to the destination, follow along. These steps are specific to k3s, which picks up the change automatically. If you’ve deployed Traefik via helm, you can just take the values from the valuesContent block below and apply them to the helm values config:

  • create this file
/var/lib/rancher/k3s/server/manifests/traefik-config.yaml
  • add the custom helm chart config, the important bits are proxyProtocol and forwardedHeaders
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    additionalArguments:
      - "--entryPoints.web.proxyProtocol.insecure"
      - "--entryPoints.web.forwardedHeaders.insecure"
  • k3s will automatically pick this file up and restart the Traefik pod(s). You should be able to use your application(s) now.

Instead of using insecure, there are ways to limit this to IP ranges as well, but I haven’t experimented with this yet.
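The IP-range variant mentioned above, as an added example that is not from the original post: with insecure, Traefik accepts X-Forwarded- and PROXY protocol headers from any peer, so a client that can reach the entry point directly can set them itself, while trustedIPs limits that trust to the listed sources. The address 192.0.2.10/32 is a placeholder for whatever load balancer or reverse proxy sits in front of Traefik in your setup; the entry point name web is taken from the config above.

```yaml
# Added example, same file as above:
# /var/lib/rancher/k3s/server/manifests/traefik-config.yaml
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    additionalArguments:
      # Weak setting (from the post): trust forwarded headers and
      # PROXY protocol data from every source address.
      # - "--entryPoints.web.proxyProtocol.insecure"
      # - "--entryPoints.web.forwardedHeaders.insecure"
      #
      # Restricted setting: trust them only from the upstream proxy.
      # 192.0.2.10/32 is a placeholder; replace it with the address or
      # CIDR of your own load balancer. Several entries are
      # comma-separated, e.g. "=192.0.2.10/32,198.51.100.0/24".
      - "--entryPoints.web.proxyProtocol.trustedIPs=192.0.2.10/32"
      - "--entryPoints.web.forwardedHeaders.trustedIPs=192.0.2.10/32"
```

The proxyProtocol line is only needed if the upstream actually sends the PROXY protocol; if it only adds X-Forwarded- headers, the forwardedHeaders line is enough.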

I guess there’s also a case to be made to proxy traffic to https based endpoints end-to-end.

Jonas
