Client IP Whitelisting with AWS ALB (with HTTP->HTTPS redirection)

Environment

  • AWS ALB (with SSL Certificate and HTTP->HTTPS redirection)
  • Traefik v2.5.3

Problem

I am trying to enable IP whitelisting on a particular router using the ipWhiteList middleware. This is what I have, which is not working:

## Entrypoint
[entryPoints]
  [entryPoints.http]
    address = ":80"
    proxyprotocol = true     # <-- Makes no effect
    insecure = true          #

## Middleware
  [http.middlewares.vpn.ipWhiteList]
    sourceRange = ["X.X.X.X/X"]
    [http.middlewares.vpn.ipWhiteList.ipStrategy]
      depth = 2

## Router
  [http.routers.prometheus]
    rule = "Host(`prometheus.example.com`)"
    entrypoints = "http"
    service = "prometheus@internal"
    middlewares = ["vpn"]  # <-- Endpoint works fine without the middleware 

In the logs, I cannot see the client IPs:

time="2021-10-01T01:48:44Z" level=debug msg="rejecting request &{Method:GET URL:/ Proto:HTTP/1.1 ProtoMajor:1 ProtoMinor:1 Header:map[Accept:[*/*] User-Agent:[curl/7.68.0] X-Amzn-Trace-Id:[Root=1-615668fc-497f21f738e6ad28438a42a7] X-Forwarded-Host:[prometheus.example.com] X-Forwarded-Port:[80] X-Forwarded-Proto:[http] X-Forwarded-Server:[72846edb5917] X-Real-Ip:[172.30.3.171]] Body:0xc000ad3350 GetBody:<nil> ContentLength:0 TransferEncoding:[] Close:false Host:prometheus.example.com Form:map[] PostForm:map[] MultipartForm:<nil> Trailer:map[] RemoteAddr:172.30.3.171:16674 RequestURI:/ TLS:<nil> Cancel:<nil> Response:<nil> ctx:0xc000495a70}: empty IP address" middlewareName=vpn@file middlewareType=IPWhiteLister

{"ClientAddr":"172.30.3.171:16674","ClientHost":"172.30.3.171","ClientPort":"16674","ClientUsername":"-","DownstreamContentSize":9,"DownstreamStatus":403,"Duration":238635,"OriginContentSize":9,"OriginDuration":131562,"OriginStatus":403,"Overhead":107073,"RequestAddr":"prometheus.example.com","RequestContentSize":0,"RequestCount":3462,"RequestHost":"prometheus.example.com","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"http","RetryAttempts":0,"RouterName":"prometheus@file","StartLocal":"2021-10-01T01:48:44.476195623Z","StartUTC":"2021-10-01T01:48:44.476195623Z","entryPointName":"http","level":"info","msg":"","time":"2021-10-01T01:48:44Z"}

I have looked at the other threads and documentation which talk about enabling proxyProtocol, but that too didn't work for me.
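
Added example, not part of the original post and not Traefik's own code: a simplified Go model of depth-based client IP selection, applied to the forwarding headers shown in the debug log above, which contain no X-Forwarded-For entry. The function names, the 203.0.113.0/24 range and the X-Forwarded-For value are constructed assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// depthIP models depth-based selection (simplified assumption, not Traefik source).
func depthIP(h http.Header, depth int) string {
	parts := strings.Split(h.Get("X-Forwarded-For"), ",")
	if len(parts) < depth {
		return "" // fewer entries than depth: nothing to select
	}
	return strings.TrimSpace(parts[len(parts)-depth]) // depth-th entry from the right
}

// allowed checks the selected address against the sourceRange CIDRs.
func allowed(h http.Header, depth int, sourceRange []string) (bool, error) {
	ip := net.ParseIP(depthIP(h, depth))
	if ip == nil {
		return false, fmt.Errorf("empty or invalid IP address")
	}
	for _, cidr := range sourceRange {
		_, network, err := net.ParseCIDR(cidr)
		if err != nil {
			return false, err
		}
		if network.Contains(ip) {
			return true, nil
		}
	}
	return false, nil
}

// sampleHeaders uses the logged X-Real-Ip; a non-empty xff adds a constructed X-Forwarded-For.
func sampleHeaders(xff string) http.Header {
	h := http.Header{"X-Real-Ip": {"172.30.3.171"}}
	if xff != "" {
		h.Set("X-Forwarded-For", xff)
	}
	return h
}

func main() {
	vpn := []string{"203.0.113.0/24"} // constructed sourceRange
	fmt.Println(allowed(sampleHeaders(""), 2, vpn))
	fmt.Println(allowed(sampleHeaders("203.0.113.10, 172.30.3.171"), 2, vpn))
}
```

With depth = 2 and no X-Forwarded-For header there is nothing to select, which matches the "empty IP address" rejection in the log; the same request carrying a two-entry X-Forwarded-For value passes the check.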
