Running k3s Traefik behind a reverse proxy

In some configurations, you end up running your k3s cluster behind a additional ingress proxy (e. g. for caching, inspection, logging, WAF, etc.). As you want some special proxy headers at your application (e. g. X-Forwarded-*), you need to tell Traefik (2.x) to not override those headers.

To activate this functions in your k3s Traefik, create an override yaml file in the location, where rancher stores the manifests for integrated services. The default location is /var/lib/rancher/k3s/server/manifests.

Create a new file called traefik.override.yaml with the following content:

apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    additionalArguments:
      - "--entryPoints.web.proxyProtocol.insecure"
      - "--entryPoints.web.forwardedHeaders.insecure"

This file has to be created on every server node of your k3s cluster. After creating and saving the file, k3s will automatically update traefik and you’re ready to go!