Block specific IP

I understand that a philosophical decision was made to not implement a block list in Traefik. I also noticed there are a few different plugins available which implement this functionality. I'm curious if anyone is using those plugins (or some other one) successfully, or has a different approach to blocking specific IPs?

In our case we have NLB forwarding to Traefik in EKS. NACLs seem to be one possible approach, or implementing a network firewall, but it'd really be ideal to handle this in a middleware.

What do you mean by blocking? In a system like k8s you can't simply "block" an IP, many components are involved with a request, you would need to do that on the first component that receives a connection, potentially the firewall.

But you should be able to not serve a page by using Traefik rule Host() && !ClientIP().

Or create a dummy service with higher priority (>1000) and a rule specific for the ClientIP().

By blocking I mean the opposite of an IPAllowList. We occasionally identify specific clients behaving poorly that we'd like to discourage. I know I'm not the only person looking for this functionality since there are multiple plugins and pull requests to Traefik over the years. Unfortunately the plugins I identified previously (fail2ban etc.) don't seem to be able to use X-Forwarded-For or X-Real-Ip for blocking.

Yes, a firewall is a good option, but fairly expensive.

AFAICT it's not possible to block an IP at the NLB level unfortunately as the security groups that it uses are also allow based rules. I understand that if we block the requests in Traefik it wouldn't prevent the connection entirely, but if we can drop it before it reaches a backend service that's usually enough. In some services we maintain a separate block list where possible, eg NGINX, Apache, Tomcat have this functionality built in.

NACLs at the VPC level seem like they would work, but they have a soft quota.

I like the idea of a service matching on ClientIP, essentially a 'blackhole' approach. I can't seem to find any info about how many rules are supported in a single router, but this could work.

Why? ufw is free on Linux, just as a tool. For a dedicated firewall server, check the free OPNsense and pfSense.

Every Traefik router has only a single rule; you need to combine conditions with a logical operator, C() || C().
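As an added illustration of the "blackhole router" idea from this thread (example configuration, not posted by any participant), here is a Traefik v2 dynamic configuration for the file provider: a router with a priority above the ordinary routers matches the blocked addresses in a single `ClientIP() || ClientIP()` rule and sends them to the built-in `noop@internal` service, which has no backend, so the request is answered with an error before any real service sees it. The addresses, entry point and backend names are placeholders; note that the ClientIP matcher evaluates the address Traefik sees the connection coming from, not X-Forwarded-For, so behind an NLB the original client address must be preserved (client IP preservation or PROXY protocol on the entry point is assumed).

```yaml
# Added example (not from the thread): file-provider dynamic configuration.
# Blocked addresses below are placeholders from documentation ranges.
http:
  routers:
    blocked-clients:
      # Default router priority is the rule length, so a large fixed value
      # guarantees this router is evaluated before the application routers.
      priority: 2000
      entryPoints:
        - websecure
      # A router has exactly one rule; extend the deny list with "||".
      rule: "ClientIP(`203.0.113.7`) || ClientIP(`198.51.100.0/24`)"
      # Internal service without a backend: the request stops here.
      service: noop@internal
      tls: {}
    app:
      entryPoints:
        - websecure
      rule: "Host(`app.example.com`)"
      service: app-svc
      tls: {}
  services:
    app-svc:
      loadBalancer:
        servers:
          - url: "http://app-backend:8080"
```

In Kubernetes the same router can be expressed as an IngressRoute using its `match` and `priority` fields; whichever provider is used, check the access log to confirm the blocked client is routed to `blocked-clients` rather than to the application router.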