add traefik bouncer section

he2ss · he2ss · commit 06a354e34d9e · 2025-08-26T16:40:45.000+02:00
diff --git a/crowdsec-docs/unversioned/bouncers/traefik.mdx b/crowdsec-docs/unversioned/bouncers/traefik.mdx
@@ -128,3 +128,29 @@ Now, you can install the remediation component:
 ```bash
 kubectl apply -f bouncer-middleware.yaml
 ```
+
+### Treafik Behind an Upstream Proxy or Load Balancer
+
+When Traefik operates behind another proxy (such as a load balancer, CDN, etc ...), the source IP seen by Traefik may be the wrong one instead of the real client.
+To ensure Crowdsec applies decisions correctly based on the real client IP, it's crucial to properly forward and trust headers.
+
+First you configure Treafik to trust the upstream forwarded headers. Traefik has [`forwardedHeaders.trustedIPs`](https://doc.traefik.io/traefik/routing/entrypoints/?utm_source=chatgpt.com#forwarded-headers) and [`proxyProtocol.trustedIPs`](https://doc.traefik.io/traefik/routing/entrypoints/?utm_source=chatgpt.com#forwarded-headers) directives.
+
+
+Then, you need to configure the middleware to trust as well the IP:
+
+```yaml
+spec:
+  plugin:
+    bouncer:
+      forwardedheaderstrustedips: <trusted-cidr>
+```
+
+When using `proxyProtocol.trustedIPs` Traefik replaces `X-Real-Ip`, you can also add :
+
+```yaml
+spec:
+  plugin:
+    bouncer:
+      forwardedHeadersCustomName: X-Real-Ip
+```
