HowTo Forward Real-IP

Hello everyone,

I have been using OpenZiti as an overlay network for some time now and am very satisfied.

There is one Traefik per host, which distributes requests to the services behind it. Now I would like to introduce rate limits. Traefik allows rate limiting based on the requesting IP. The problem: all requests that come via the OpenZiti tunneler are listed in the Traefik access log under the IP “::1” (localhost) and not under their OpenZiti tunnel IP.

Jun 05 09:10:33 homebox systemd-traefik[61419]: ::1 - - [05/Jun/2025:07:10:33 +0000] "GET / HTTP/2.0" 200 14130 "-" "-" 92 "forgejo@file" "http://forgejo:3000" 85ms
Jun 05 09:10:34 homebox systemd-traefik[61419]: ::1 - - [05/Jun/2025:07:10:34 +0000] "GET /assets/js/webcomponents.js?v=8.0.3~gitea-1.22.0 HTTP/2.0" 200 51741 "-" "-" 93 "forgejo@file" "http://forgejo:3000" 5ms
Jun 05 09:10:34 homebox systemd-traefik[61419]: ::1 - - [05/Jun/2025:07:10:34 +0000] "GET /assets/js/index.js?v=8.0.3~gitea-1.22.0 HTTP/2.0" 200 385318 "-" "-" 96 "forgejo@file" "http://forgejo:3000" 8ms
Jun 05 09:10:34 homebox systemd-traefik[61419]: ::1 - - [05/Jun/2025:07:10:34 +0000] "GET /assets/css/theme-forgejo-auto.css?v=8.0.3~gitea-1.22.0 HTTP/2.0" 200 4674 "-" "-" 94 "forgejo@file" "http://forgejo:3000" 9ms
Jun 05 09:10:34 homebox systemd-traefik[61419]: ::1 - - [05/Jun/2025:07:10:34 +0000] "GET /assets/css/index.css?v=8.0.3~gitea-1.22.0 HTTP/2.0" 200 72325 "-" "-" 97 "forgejo@file" "http://forgejo:3000" 10ms
Jun 05 09:10:34 homebox systemd-traefik[61419]: ::1 - - [05/Jun/2025:07:10:34 +0000] "GET /assets/img/logo.svg HTTP/2.0" 200 289 "-" "-" 95 "forgejo@file" "http://forgejo:3000" 11ms
Jun 05 09:10:35 homebox systemd-traefik[61419]: ::1 - - [05/Jun/2025:07:10:35 +0000] "GET /assets/img/favicon.svg HTTP/2.0" 200 289 "-" "-" 98 "forgejo@file" "http://forgejo:3000" 4ms
Jun 05 09:15:01 homebox systemd-traefik[71522]: ::1 - - [05/Jun/2025:07:15:01 +0000] "GET / HTTP/2.0" 403 0 "-" "-" 47 "forgejo@file" "-" 0ms

Is there somewhere to set this so that the tunnel addresses of the identities appear in the AccessLog?

Thanks for your help :slight_smile:

Is this for zitified apps?

I don't know if this is what you're looking for, but...
I have a public haproxy (VPS) which forwards traffic to an internal reverse proxy through the ziti network, and there I use the proxy protocol. The proxy protocol is supported by a variety of proxies and web servers, and it passes the real source IP of the request to the internal proxy server.

Check https://doc.traefik.io/traefik/routing/entrypoints/#proxyprotocol
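The receiving side of the PROXY protocol approach described above, as an added example that is not part of the original posts and is not Traefik or OpenZiti code: it parses a PROXY protocol v1 (text) header and uses the carried source address as the rate-limit key only when the connecting peer is trusted, which is the same idea as the `trustedIPs` list of Traefik's `proxyProtocol` entry-point option. The function names, the loopback-only trust list and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: only the local hop (tunneler or proxy on loopback) may send a PROXY header.
TRUSTED_PEERS = [ipaddress.ip_network("127.0.0.1/32"), ipaddress.ip_network("::1/128")]


def is_trusted(peer_ip):
    """True if the TCP peer is allowed to assert a client address."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PEERS)  # version mismatch is False


def parse_proxy_v1(line):
    """Return (src_ip, src_port) from one PROXY v1 line, or None for UNKNOWN."""
    if not line.endswith(b"\r\n") or len(line) > 107:  # v1 lines are at most 107 bytes
        raise ValueError("malformed PROXY v1 header")
    parts = line[:-2].decode("ascii").split(" ")
    if parts[0] != "PROXY" or len(parts) < 2:
        raise ValueError("not a PROXY v1 header")
    if parts[1] == "UNKNOWN":  # sender could not determine the client address
        return None
    if parts[1] not in ("TCP4", "TCP6") or len(parts) != 6:
        raise ValueError("unsupported or truncated PROXY v1 header")
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    version = 4 if parts[1] == "TCP4" else 6
    if src.version != version or dst.version != version:
        raise ValueError("address family does not match protocol field")
    sport, dport = int(parts[4]), int(parts[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return str(src), sport


def client_ip(peer_ip, first_bytes):
    """Address to use as the rate-limit key for a new connection."""
    if is_trusted(peer_ip) and first_bytes.startswith(b"PROXY "):
        header, sep, _ = first_bytes.partition(b"\r\n")
        parsed = parse_proxy_v1(header + sep)
        if parsed is not None:
            return parsed[0]
    # Untrusted peers cannot choose their own key: any header they send is ignored.
    return peer_ip


if __name__ == "__main__":
    # Constructed sample: first bytes of a connection arriving via the local hop.
    sample = b"PROXY TCP4 100.64.0.5 127.0.0.1 51000 80\r\nGET / HTTP/1.1\r\n"
    print(client_ip("::1", sample))            # header accepted from loopback
    print(client_ip("192.168.178.2", sample))  # header ignored from the LAN
```

Without the trust check, any client that can reach the port could prepend its own header and pick an arbitrary rate-limit key.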

No, the apps run as Podman containers behind a reverse proxy on the host, and an OpenZiti tunneler then forwards the services to localhost:80 (on which Traefik listens).

When requests via the local subnet hit port 80 of the host, I see the real IP in the AccessLog, e.g. 192.168.178.2, but all requests from the OpenZiti network are hidden behind the ::1.