Hiya! I was trying to add a basic auth and an ip allowlist/whitelist so those users don’t have the basic auth on a website, but I can’t find a way to do it. Can anyone help me with this problem? And is it even possible?
You can create two routers: one with rule `Host()` and the auth middleware, and another one for `Host() && ClientIP()` (doc). The second rule is longer, so it has higher priority and is matched first. If the IP matches, it will forward; otherwise the next router is used, then with auth.
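The two-router setup described in the reply above, written as a Traefik `IngressRoute`. This is an added example, not part of any post in this thread. The host, service and TLS secret names are reused from the ingress shown further down; the `websecure` entry point, the `10.0.0.0/8` range, the `auth` middleware and the `basic-auth-users` Secret are assumptions.

```yaml
# Added example. Names, host and CIDR are assumptions, see the lead-in.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: auth
  namespace: default
spec:
  basicAuth:
    # Hypothetical Secret in the same namespace, holding htpasswd-style
    # "user:hash" lines under the key "users".
    secret: basic-auth-users
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: guestbook
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    # Router 1: Host && ClientIP. The longer rule gets the higher default
    # priority, so allowlisted clients match here and skip basic auth.
    - kind: Rule
      match: Host(`guestbook.domain.co`) && ClientIP(`10.0.0.0/8`)
      services:
        - name: guestbook-ui
          port: 80
    # Router 2: Host only. Every other client falls through to this
    # router and has to pass the basicAuth middleware.
    - kind: Rule
      match: Host(`guestbook.domain.co`)
      middlewares:
        - name: auth
      services:
        - name: guestbook-ui
          port: 80
  tls:
    secretName: guestbook-ui-tls-cert
```

`ClientIP` matches the address of the connection Traefik sees, not `X-Forwarded-For`, so behind a load balancer or source NAT confirm that the real client address reaches Traefik before relying on the bypass route.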
If you are using ingressNginx resources with traefik, I’ve got it to work this way.
Run the command `helm upgrade --install traefik traefik/traefik --namespace traefik --create-namespace -f values.yaml`
```yaml
# values.yaml
image:
  tag: v3.6.2
logs:
  general:
    level: DEBUG
service:
  type: LoadBalancer
additionalArguments:
  - --providers.kubernetesIngressNGINX
```
Then create an ipallowlist middleware in the traefik namespace: `kubectl apply -f middlewares.yaml`
```yaml
# middlewares.yaml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: ip-allowlist
  namespace: traefik
spec:
  ipAllowList:
    sourceRange:
      - "192.168.0.0/16"
      - "10.0.0.0/8"
      - "172.16.0.0/12"
```
Then create your ingress, annotated to use the middleware: `kubectl apply -f ingress.yaml`
```yaml
# ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # traefik middleware annotation
    traefik.ingress.kubernetes.io/router.middlewares: traefik-ip-allowlist@kubernetescrd
  generation: 1
  name: guestbook
  namespace: default
spec:
  ingressClassName: traefik
  rules:
    - host: guestbook.domain.co
      http:
        paths:
          - backend:
              service:
                name: guestbook-ui
                port:
                  number: 80
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - guestbook.domain.co
      secretName: guestbook-ui-tls-cert
```
This shows only the allowlist middleware. But you can try creating another auth middleware using the docs and adding it to the ingress annotation.
Note for multiple middlewares, you include them in the same annotation but separate them via commas.
e.g. `traefik.ingress.kubernetes.io/router.middlewares: traefik-ip-allowlist@kubernetescrd,traefik-auth@kubernetescrd`
Also note the naming convention of the middleware in the ingress annotations is in the pattern of `${middleware-Namespace}-${middlewareName}@kubernetescrd`
@bluepuma77 @yemaney I am not using nginx, just traefik with ingress.
Unfortunately, when I create an IngressRoute, the whole domain gets a 404 from Traefik. I don’t know why…