Apply middleware to specific client IP

Hello,

I am trying to not apply a forward-auth middleware to a specific IP that hits the API. The middleware works fine otherwise.

I tried a few combinations, of which the most promising one was the following, but I still get redirected when accessing the endpoint from 192.168.1.63.

  - match: Host(`test.domain`)
    kind: Rule
    services:
    - kind: Service
      name: test-svc
      namespace: test
      port: webui
    middlewares:
      - name: traefik-forward-auth
        namespace: kube-system
  - match: Host(`test.domain`) && ClientIP("192.168.1.63/32")
    kind: Rule
    services:
    - kind: Service
      name: test-svc
      namespace: test
      port: webui
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: traefik-forward-auth
  namespace: kube-system
spec:
  forwardAuth:
    address: http://traefik-forward-auth:4181
    authResponseHeaders:
      - X-Forwarded-User

I am new to Traefik so mostly tinkering at this point.

You probably need to use backticks instead of " (doc).

It is the same with backticks.
I enabled debug logs in traefik and I'm not getting anything.

EDIT: Ok it seems the issue is due to the fact that Traefik only sees the IP address of the CNI's bridge interface 10.42.0.1 a.k.a. cni0. The solution will be to find how/if I can pass the client's IP to traefik.

I fixed it by setting externalTrafficPolicy: local on the traefik service (running in K3s), which preserves the client source IP.

  - match: 'Host(`test.domain`) && !ClientIP("192.168.1.63/32")'
    kind: Rule
    services:
    - kind: Service
      name: test-svc
      namespace: test
      port: webui
    middlewares:
      - name: traefik-forward-auth
        namespace: kube-system
  - match: 'Host(`test.domain`) && ClientIP("192.168.1.63/32")'
    kind: Rule
    services:
    - kind: Service
      name: test-svc
      namespace: test
      port: webui
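
The fix from this thread written out as complete manifests; this is an added example, not the poster's own files. It assumes K3s's bundled Traefik Helm chart (customised through a `HelmChartConfig`) and a hypothetical IngressRoute name `test-route`; the Kubernetes API spells the value `Local`.

```yaml
# Assumption: Traefik is the chart bundled with K3s, so its Service is
# changed through a HelmChartConfig rather than edited directly.
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    service:
      spec:
        # With the default (Cluster) the connection is source-NATed and
        # Traefik sees the cni0 address (10.42.0.1 in this thread) for every
        # client, so a ClientIP rule for 192.168.1.63 can never match.
        # Local keeps the original source IP; traffic is then only delivered
        # to Traefik pods on the node that received it.
        externalTrafficPolicy: Local
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: test-route        # hypothetical name
  namespace: test
spec:
  routes:
    # Everyone except the exempt address goes through forward-auth.
    - match: Host(`test.domain`) && !ClientIP(`192.168.1.63/32`)
      kind: Rule
      services:
        - kind: Service
          name: test-svc
          namespace: test
          port: webui
      middlewares:
        - name: traefik-forward-auth
          namespace: kube-system
    # Exempt address only: no middleware, so no authentication at all.
    # ClientIP matches the connection's source address, not X-Forwarded-For.
    # Never put the SNAT/bridge address (10.42.0.1) here: while SNAT is in
    # effect that would exempt every client.
    - match: Host(`test.domain`) && ClientIP(`192.168.1.63/32`)
      kind: Rule
      services:
        - kind: Service
          name: test-svc
          namespace: test
          port: webui
```

Enabling Traefik's access log and checking the client address it records for a request from 192.168.1.63 confirms whether the source IP is actually preserved before relying on the unauthenticated route.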
