I'm running Traefik on a Raspberry Pi with docker-compose. I want to use the IP Whitelist feature to limit access to certain routers to local home-network traffic only, while having public routes from the internet as well.
Unfortunately, the ClientAddr for local home-network traffic onto the 443/80 entryPoints on a 192.168.0.0/24 network is never recognized as coming from my home network but rather shows my WAN IP (31.17.x.y). I debugged this using accessLogs as well as the whoami tool. In contrast, when making a request to the Traefik API on port 8080, it correctly shows the ClientAddr of a home-network client.
curl -v 192.168.0.50:80
Laptop (192.168.0.100) -> Raspberry-Pi/Traefik (192.168.0.50)
=> ClientAddr: WAN IP (31.17.x.y)
curl -v 192.168.0.50:8080
Laptop (192.168.0.100) -> Raspberry-Pi/Traefik (192.168.0.50)
=> ClientAddr: LAN IP (192.168.0.100)
Docker-Compose Config:
traefik:
  container_name: traefik
  image: traefik:v3.2.3
  ports:
    - "80:80/tcp"
    - "443:443/tcp"
    - "443:443/udp"
    - "8087:8080/tcp" # WebUI
  environment:
    CLOUDFLARE_DNS_API_TOKEN: "${CLOUDFLARE_DNS_API_TOKEN}"
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock:ro
    - ./traefik/traefik.yaml:/etc/traefik/traefik.yaml:ro
    - ./traefik/conf/:/etc/traefik/conf/
    - ./traefik/certs/:/etc/traefik/certs/
  restart: unless-stopped
  networks:
    - main
traefik.yaml
entryPoints:
  http:
    address: :80
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
    http3: {}
  https:
    address: :443
    http:
      tls:
        certResolver: production
    http3: {}
providers:
  docker:
    exposedByDefault: false
    endpoint: 'unix:///var/run/docker.sock'
    watch: true
  file:
    directory: /etc/traefik/conf/
    watch: true