Hello friends!
I would appreciate it if you could help me set up ipAllowList. (ClientIP works, but I want to use ipAllowList.)
Everything works fine, but I want to restrict access to some of my services using ipAllowList.
Traefik is running through a Cloudflare tunnel (proxied).
So, here's what I'm doing:
dynamic_conf.yml

```yaml
http:
  routers:
    whoami:
      rule: Host(`whoami.example.com`)
      service: whoami-service
      entryPoints:
        - websecure
      middlewares:
        - local-ip
  services:
    whoami-service:
      loadBalancer:
        servers:
          - url: "https://192.168.0.58:9443/"
        serversTransport: insecure
        passHostHeader: true
  serversTransports:
    insecure:
      insecureSkipVerify: true
  middlewares:
    local-ip:
      ipAllowList:
        sourceRange:
          - 127.0.0.1/32 # localhost
          - 10.0.0.0/8 # private class A
          - 172.16.0.0/12 # private class B
          - 192.168.0.0/24 # private class C
          - 192.168.1.0/24 # private class C
        # ipStrategy:
        #   depth: 1 #(2)
    crowdsec:
      plugin:
        bouncer:
          enabled: true
          defaultDecisionSeconds: 60
          crowdsecMode: live
          crowdsecAppsecEnabled: true
          crowdsecAppsecHost: crowdsec:7422
          crowdsecAppsecFailureBlock: true
          crowdsecAppsecUnreachableBlock: true
          crowdsecLapiKey: XXXXXXXXXXXXXXXXXXXXXXXXXXX
          crowdsecLapiHost: crowdsec:8080
          crowdsecLapiScheme: http
          crowdsecLapiTLSInsecureVerify: false
          forwardedHeadersTrustedIPs:
            - 172.19.0.0/16
          clientTrustedIPs:
            - 10.0.0.0/8
            - 172.16.0.0/12
            - 192.168.0.0/24
            - 192.168.1.0/24
```
After that, nothing happens. Access is available both from the local network and from the internet.
If I specify:

```yaml
ipStrategy:
  depth: 1 #(2)
```

access is completely unavailable. (It blocks all networks, both the internet and the local network.)
traefik.yml

```yaml
global:
  checkNewVersion: false
  sendAnonymousUsage: false
api:
  insecure: false
  dashboard: true
entryPoints:
  web:
    address: ":80"
    forwardedHeaders:
      trustedIPs: &trustedIps
        - 172.19.0.0/16
        - 173.245.48.0/20
        - 103.21.244.0/22
        - 103.22.200.0/22
        - 103.31.4.0/22
        - 141.101.64.0/18
        - 108.162.192.0/18
        - 190.93.240.0/20
        - 188.114.96.0/20
        - 197.234.240.0/22
        - 198.41.128.0/17
        - 162.158.0.0/15
        - 104.16.0.0/13
        - 104.24.0.0/14
        - 172.64.0.0/13
        - 131.0.72.0/22
        - 2400:cb00::/32
        - 2606:4700::/32
        - 2803:f800::/32
        - 2405:b500::/32
        - 2405:8100::/32
        - 2a06:98c0::/29
        - 2c0f:f248::/32
    http:
      redirections:
        entrypoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    forwardedHeaders:
      trustedIPs: *trustedIps
    http3:
      advertisedPort: "443"
    http:
      tls:
        certResolver: letsencrypt
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
              - "*.sub.example.com"
      middlewares:
        - crowdsec@file
log:
  level: INFO
accessLog:
  format: json
  filters:
    statusCodes:
      - "200-299"
      - "400-599"
  bufferingSize: 0
  fields:
    headers:
      defaultMode: drop
      names:
        User-Agent: keep
providers:
  docker:
    exposedByDefault: false
  file:
    filename: "/etc/traefik/dynamic_conf.yml"
    watch: true
certificatesResolvers:
  letsencrypt:
    acme:
      email: XXX@gmail.com
      storage: /certs/acme.json
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - 1.1.1.1:53
          - 1.0.0.1:53
experimental:
  plugins:
    bouncer:
      moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
      version: v1.4.0
```
I hope for your help.
Best regards, Alexander.
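The following is an added illustration, not code from the post above or from Traefik. It models the documented client-IP selection of Traefik's ipAllowList middleware: with no ipStrategy the request's remote address is checked against sourceRange; with ipStrategy.depth N, the N-th address counted from the right of X-Forwarded-For is checked, and a depth larger than the number of forwarded hops yields an empty address, which is rejected. The sourceRange is the one from the post's local-ip middleware; every request address is constructed (172.19.0.5 stands for a tunnel connector on a Docker network inside the post's 172.19.0.0/16, 203.0.113.7 and 198.51.100.9 are documentation-range stand-ins for public clients). Run over these samples, the model shows why a connector address in a private range passes everything when the default strategy is used, and why depth 1 rejects both a public forwarded address and a request that carries no X-Forwarded-For at all, which is one way to reproduce the two symptoms the post describes.

```python
"""Model of Traefik ipAllowList client-IP selection (added illustration).

Assumptions (Traefik's documented behaviour, not code from the project):
  * no ipStrategy  -> the request's remote address is evaluated
  * ipStrategy.depth N -> the N-th address from the right of X-Forwarded-For
  * depth larger than the hop count -> empty client IP, rejected
All request addresses below are constructed sample values.
"""
import ipaddress
from typing import List, Optional, Tuple

# sourceRange of the local-ip middleware from the post
SOURCE_RANGE: List[str] = [
    "127.0.0.1/32",
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/24",
    "192.168.1.0/24",
]


def select_client_ip(remote_addr: str, xff: Optional[str], depth: int = 0) -> str:
    """Return the address the middleware will evaluate ('' if none).

    remote_addr is the bare peer address (no port) of the TCP connection.
    xff is the raw X-Forwarded-For header value, or None if absent.
    """
    if depth <= 0:
        # Default strategy: the direct peer, e.g. a tunnel connector container.
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    if depth > len(hops):
        return ""  # not enough forwarded hops: empty client IP
    return hops[-depth]  # depth 1 = rightmost entry


def is_allowed(ip: str, source_range: List[str] = SOURCE_RANGE) -> bool:
    """True if ip falls inside any CIDR of source_range."""
    if not ip:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed header value: treat as not allowed
    return any(addr in ipaddress.ip_network(cidr) for cidr in source_range)


def evaluate(remote_addr: str, xff: Optional[str], depth: int = 0) -> Tuple[str, bool]:
    """Return (selected_ip, allowed) for one request under a given depth."""
    ip = select_client_ip(remote_addr, xff, depth)
    return ip, is_allowed(ip)


# Constructed scenarios: (label, remote_addr, X-Forwarded-For)
SCENARIOS = [
    ("internet client via tunnel connector", "172.19.0.5", "203.0.113.7"),
    ("LAN client via tunnel (site's public NAT address)", "172.19.0.5", "198.51.100.9"),
    ("LAN client connecting directly, no proxy", "192.168.0.20", None),
]


def main() -> None:
    for depth in (0, 1):
        print(f"--- ipStrategy depth={depth} ---")
        for label, remote, xff in SCENARIOS:
            ip, ok = evaluate(remote, xff, depth)
            print(f"{label:50s} evaluates {ip or '<empty>':15s} -> {'allow' if ok else 'deny'}")


if __name__ == "__main__":
    main()
```

With depth 0 the connector's 172.19.0.5 matches 172.16.0.0/12 for every request that arrives through the tunnel, so the true client never influences the decision; with depth 1 the public forwarded address is outside every private range, and a direct request without the header has no address to evaluate. Either way the middleware is doing what its configuration says; the check only becomes meaningful when the address it selects is the one that identifies the client.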