HowTo Forward Real-IP

Hello everyone,

I have been using OpenZiti as an overlay network for some time now and am very satisfied.

There is one Traefik per host, which distributes requests to the services behind it. Now I would like to introduce rate limits. Traefik allows rate limiting based on the requesting IP; the problem is that all requests that come via the OpenZiti tunneler are listed in the Traefik access log under the IP “::1” (localhost) and not under their OpenZiti tunnel IP.

Jun 05 09:10:33 homebox systemd-traefik[61419]: ::1 - - [05/Jun/2025:07:10:33 +0000] "GET / HTTP/2.0" 200 14130 "-" "-" 92 "forgejo@file" "http://forgejo:3000" 85ms
Jun 05 09:10:34 homebox systemd-traefik[61419]: ::1 - - [05/Jun/2025:07:10:34 +0000] "GET /assets/js/webcomponents.js?v=8.0.3~gitea-1.22.0 HTTP/2.0" 200 51741 "-" "-" 93 "forgejo@file" "http://forgejo:3000" 5ms
Jun 05 09:10:34 homebox systemd-traefik[61419]: ::1 - - [05/Jun/2025:07:10:34 +0000] "GET /assets/js/index.js?v=8.0.3~gitea-1.22.0 HTTP/2.0" 200 385318 "-" "-" 96 "forgejo@file" "http://forgejo:3000" 8ms
Jun 05 09:10:34 homebox systemd-traefik[61419]: ::1 - - [05/Jun/2025:07:10:34 +0000] "GET /assets/css/theme-forgejo-auto.css?v=8.0.3~gitea-1.22.0 HTTP/2.0" 200 4674 "-" "-" 94 "forgejo@file" "http://forgejo:3000" 9ms
Jun 05 09:10:34 homebox systemd-traefik[61419]: ::1 - - [05/Jun/2025:07:10:34 +0000] "GET /assets/css/index.css?v=8.0.3~gitea-1.22.0 HTTP/2.0" 200 72325 "-" "-" 97 "forgejo@file" "http://forgejo:3000" 10ms
Jun 05 09:10:34 homebox systemd-traefik[61419]: ::1 - - [05/Jun/2025:07:10:34 +0000] "GET /assets/img/logo.svg HTTP/2.0" 200 289 "-" "-" 95 "forgejo@file" "http://forgejo:3000" 11ms
Jun 05 09:10:35 homebox systemd-traefik[61419]: ::1 - - [05/Jun/2025:07:10:35 +0000] "GET /assets/img/favicon.svg HTTP/2.0" 200 289 "-" "-" 98 "forgejo@file" "http://forgejo:3000" 4ms
Jun 05 09:15:01 homebox systemd-traefik[71522]: ::1 - - [05/Jun/2025:07:15:01 +0000] "GET / HTTP/2.0" 403 0 "-" "-" 47 "forgejo@file" "-" 0ms

Is there somewhere to set this so that the tunnel addresses of the identities appear in the AccessLog?

Thanks for your help :)

Is this for zitified apps?

Not sure if this is what you are looking for, but...
I have a public HAProxy (VPS) which forwards traffic to an internal reverse proxy through the Ziti network, and there I use the proxy protocol. The proxy protocol is supported by a variety of proxies and web servers, and it passes the real source IP of the request on to the internal proxy server.

Check https://doc.traefik.io/traefik/routing/entrypoints/#proxyprotocol
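As an added example (not from the post above and not the Traefik or OpenZiti projects' own configuration), this is what the receiving side of that PROXY-protocol handoff looks like in Traefik's static configuration. The entrypoint name `web`, the listen address and the trusted ranges are assumptions chosen to match the localhost:80 layout described in this thread:

```yaml
# Traefik static configuration (e.g. traefik.yml). Added example, not from the thread.
# Assumption: Traefik listens on port 80 and the only peer allowed to hand it a
# PROXY header is a proxy running on the same host (127.0.0.1 / ::1).
entryPoints:
  web:
    address: ":80"
    proxyProtocol:
      # Only connections from these sources may carry a PROXY header.
      # Keep this list tight: any peer on it can assert an arbitrary client IP
      # and thereby choose its own rate-limit bucket (or spoof the access log).
      trustedIPs:
        - "127.0.0.1/32"
        - "::1/128"
    # If the hop in front of Traefik speaks HTTP rather than raw TCP, trust
    # X-Forwarded-For / X-Real-IP only from the same sources. Left open, any
    # client can forge these headers.
    forwardedHeaders:
      trustedIPs:
        - "127.0.0.1/32"
        - "::1/128"

accessLog:
  # With the above, the client-address column of the access log shows the
  # PROXY-protocol source address rather than the socket peer (::1).
  filePath: "/var/log/traefik/access.log"
```

On the HAProxy side the matching piece is `send-proxy-v2` (or `send-proxy` for the text variant) on the `server` line that points at Traefik. Two caveats: an entrypoint with `proxyProtocol` enabled still accepts plain connections without a header, so the local-subnet clients in the original post keep working; and the real IP only appears if the component that actually opens the TCP connection to Traefik emits the header, which in the original post's layout is the tunneler, not a VPS proxy. Verify against your Traefik version that a trusted peer sending no header behaves as you expect before relying on it for rate limiting.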

No, the apps run as podman containers behind a reverse proxy on the host and an Openziti tunneler then forwards the services to localhost:80 (on which Traefik listens).

When requests via the local subnet hit port 80 of the host, I see the real IP in the AccessLog, e.g. 192.168.178.2, but all requests from the OpenZiti network are hidden behind the ::1.

Does anyone else have any ideas?

I do not think that this is possible.

I guess the ::1 is because you are terminating the service on the same device. So Traefik is using the "real IP".

The question is also what is seen as "real IP" of a device?

If the traffic flows over the OpenZiti network, the IP address is very likely 100.64.0.1, but that is usually the same for all tunnelers. (I might be wrong)

So you would need to pass the IP address of another network interface (and devices might have several other interfaces, for Ethernet, WLAN, VPN, etc.).

These network interfaces are almost always using private IP addresses (RFC 1918), so they are not necessarily unique addresses (many "home networks" may use the same address range). And because the network packet is using another network device, this information is not included. You would need to add this information in one of the higher layers, e.g. as an HTTP header.

So you would maybe need to take also the WAN addresses into consideration.

Is Forgejo allowed to handle anonymous requests? If not, then Forgejo should "know" who is sending and requesting stuff.
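The "pass it in a higher layer, e.g. as an HTTP header" suggestion maps directly onto Traefik's rate-limit middleware, whose `sourceCriterion` can key buckets on a request header instead of the client IP. The following dynamic configuration is an added example (not from the thread and not the projects' own config); it shows the as-is setting beside the header-keyed one. The header name `X-Ziti-Identity`, the hostname and the rate values are hypothetical, and the router/service names are chosen to match the `forgejo@file` and `http://forgejo:3000` seen in the access log above:

```yaml
# Traefik dynamic configuration (file provider). Added example, not from the thread.
http:
  middlewares:
    # As in the original setup: no sourceCriterion means "bucket by client IP".
    # Every request arriving through the tunneler is attributed to ::1, so all
    # overlay identities share ONE bucket and a single noisy client throttles
    # everyone, while local-subnet clients each get their own bucket.
    ratelimit-by-ip:
      rateLimit:
        average: 50
        burst: 100

    # Bucket per identity instead, using a header that a trusted hop in front of
    # Traefik sets. Assumption: that hop OVERWRITES any client-supplied value
    # (HAProxy set-header rather than add-header); if a client can supply its
    # own X-Ziti-Identity it simply picks a fresh bucket and evades the limit.
    ratelimit-by-identity:
      rateLimit:
        average: 50
        burst: 100
        sourceCriterion:
          requestHeaderName: X-Ziti-Identity

  routers:
    forgejo:
      rule: "Host(`forgejo.example`)"   # hostname is an assumption
      entryPoints: ["web"]
      middlewares: ["ratelimit-by-identity"]
      service: forgejo

  services:
    forgejo:
      loadBalancer:
        servers:
          - url: "http://forgejo:3000"
```

Whatever sets the header is part of the trust boundary: the access log line that reads `::1` is Traefik telling you it cannot distinguish overlay clients at the transport layer, so the distinguishing value has to be injected by a hop you control and stripped or overwritten if the client already sent it. Also check how your Traefik version treats requests that arrive without the header, so that they do not all collapse into one shared bucket the way `::1` does today.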

Ah, I see, that means the Ziti tunneler performs a NAT of the overlay address to the local subnet?
Would it be possible to use a Ziti router to achieve “routing”?