Traefik JSON parser fails when there is more than one IP in ClientHost

[sidewinder94]

As title says, example of such a log below :

{
  "ClientAddr": "172.71.122.85:11029",
  "ClientHost": "<redacted_ip>,147.161.153.113",
  "ClientPort": "11029",
  "ClientUsername": "-",
  "DownstreamContentSize": 0,
  "DownstreamStatus": 204,
  "Duration": 2337877,
  "OriginContentSize": 0,
  "OriginDuration": 823492,
  "OriginStatus": 0,
  "Overhead": 1514385,
  "RequestAddr": "example.com",
  "RequestContentSize": 0,
  "RequestCount": 2818,
  "RequestHost": "example.com",
  "RequestMethod": "OPTIONS",
  "RequestPath": "/_matrix/client/v3/sync?filter=7\u0026timeout=30000\u0026org.matrix.msc4222.use_state_after=true\u0026set_presence=unavailable\u0026since=s213676_27816316_1_536849_95767_167_5411_668355_0_70_2",
  "RequestPort": "-",
  "RequestProtocol": "HTTP/2.0",
  "RequestScheme": "https",
  "RetryAttempts": 0,
  "RouterName": "matrix-synapse-public-client-api@docker",
  "ServiceAddr": "172.16.16.25:8008",
  "ServiceName": "matrix-synapse-client-api@docker",
  "ServiceURL": "http://172.16.16.25:8008",
  "StartLocal": "2025-11-28T09:21:55.645779561Z",
  "StartUTC": "2025-11-28T09:21:55.645779561Z",
  "TLSCipher": "TLS_AES_128_GCM_SHA256",
  "TLSVersion": "1.3",
  "downstream_Access-Control-Allow-Headers": "X-Requested-With, Content-Type, Authorization, Date",
  "downstream_Access-Control-Allow-Methods": "GET, HEAD, POST, PUT, DELETE, OPTIONS",
  "downstream_Access-Control-Allow-Origin": "*",
  "downstream_Access-Control-Expose-Headers": "Synapse-Trace-Id, Server",
  "downstream_Alt-Svc": "h3=\":443\"; ma=2592000",
  "downstream_Content-Length": "0",
  "downstream_Content-Type": "",
  "downstream_Date": "Fri, 28 Nov 2025 09:21:55 GMT",
  "downstream_Server": "Synapse/1.143.0",
  "downstream_Vary": "Accept-Encoding",
  "entryPointName": "web-secure",
  "level": "info",
  "msg": "",
  "origin_Access-Control-Allow-Headers": "X-Requested-With, Content-Type, Authorization, Date",
  "origin_Access-Control-Allow-Methods": "GET, HEAD, POST, PUT, DELETE, OPTIONS",
  "origin_Access-Control-Allow-Origin": "*",
  "origin_Access-Control-Expose-Headers": "Synapse-Trace-Id, Server",
  "origin_Alt-Svc": "h3=\":443\"; ma=2592000",
  "origin_Content-Length": "0",
  "origin_Content-Type": "",
  "origin_Date": "Fri, 28 Nov 2025 09:21:55 GMT",
  "origin_Server": "Synapse/1.143.0",
  "origin_Vary": "Accept-Encoding",
  "request_Accept": "*/*",
  "request_Accept-Encoding": "gzip, br",
  "request_Accept-Language": "fr,fr-FR;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6",
  "request_Access-Control-Request-Headers": "authorization",
  "request_Access-Control-Request-Method": "GET",
  "request_Cdn-Loop": "cloudflare; loops=1",
  "request_Cf-Connecting-Ip": "147.161.153.113",
  "request_Cf-Ipcountry": "FR",
  "request_Cf-Ray": "9a58cc42bf46d51a-CDG",
  "request_Cf-Visitor": "{\"scheme\":\"https\"}",
  "request_Origin": "https://example.com",
  "request_Sec-Fetch-Dest": "empty",
  "request_Sec-Fetch-Mode": "cors",
  "request_Sec-Fetch-Site": "same-site",
  "request_User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36 Edg/142.0.0.0",
  "request_X-Forwarded-For": "147.161.153.113",
  "request_X-Forwarded-Host": "example.com",
  "request_X-Forwarded-Port": "443",
  "request_X-Forwarded-Proto": "https",
  "request_X-Forwarded-Server": "9b97189efd2a",
  "request_X-Is-Trusted": "yes",
  "request_X-Real-Ip": "147.161.153.113",
  "time": "2025-11-28T09:21:55Z"
}

I have redacted one IP with "<redacted_ip>" and replaced my domains with "example.com"

This happens when a client is using a proxy to access a service (e.g. ZScaler). And since I don't control it, I don't want to trust it in my traefik config.

[LaurenceJJones]

And since I don't control it, I don't want to trust it in my traefik config.

Then how can we trust it?

edit: just to ask cause I dont use zscaler as your example, so is this proxy infront of traefik? ill be surprised if they are acting a reverse proxy instead of a forward proxy?

edit edit: looks like my presumption of them not being a RP might be incorrect 😮‍💨 but waiting for your feedback if you know more 🤷🏻

[sidewinder94]

No, ZScaler is not a reverse proxy, it's a proxy commonly used by corporate networks to allow access to internal resources and provide internet security by inspecting outbound traffic.

They are in fact, a forward proxy.

A crude representation would be

Client <==> ZScaler <==> Internet <==> Traefik

Edit: I'm not asking that the crowdsec parser trusts an unknown forward proxy, but maybe selecting the last address of the list as the remote address would be acceptable ? It would mean potentially banning all users of said proxy, but I think it's better than reporting / banning the IP an untrusted proxy reports as the origin.

[LaurenceJJones]

So just to confirm you dont use zscaler this is just internet traffic?

[sidewinder94]

Absolutely, I provided that bit of context because this gives a real world example on how and why this case can happen.

It's also a case I can replicate fairly easily, because I have access to a client that is required to use that particular proxy to access internet.