Cloudflare Proxy IPAllowList Config Example, and Question on how to improve with Split DNS

I have a Cloudflare Proxy --> Router --> Traefik/IPAllowList setup, and finally got it to work. I saw a few posts here asking the same question, so here is a not-so-perfect example.

I only know that Cloudflare and Traefik use different headers for the forwarded IP, but not what happens under the hood. I tried two of the more popular plugins, cloudflarewarp and real ip; neither worked for me. The combination of the config below worked.

Traefik.yml

entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
    forwardedHeaders:
      trustedIPs: &trustedIps
        # Cloudflare 2023 09 28 https://www.cloudflare.com/ips
        - "173.245.48.0/20"
        - "103.21.244.0/22"
        - "103.22.200.0/22"
        - "103.31.4.0/22"
        - "141.101.64.0/18"
        - "108.162.192.0/18"
        - "190.93.240.0/20"
        - "188.114.96.0/20"
        - "197.234.240.0/22"
        - "198.41.128.0/17"
        - "162.158.0.0/15"
        - "104.16.0.0/13"
        - "104.24.0.0/14"
        - "172.64.0.0/13"
        - "131.0.72.0/22"
        - "2400:cb00::/32"
        - "2606:4700::/32"
        - "2803:f800::/32"
        - "2405:b500::/32"
        - "2405:8100::/32"
        - "2a06:98c0::/29"
        - "2c0f:f248::/32"
     
  https:
    address: ":443"
    forwardedHeaders:
      trustedIPs: *trustedIps

Config.yml middleware

    local-only:
      ipallowlist: # https://doc.traefik.io/traefik/middlewares/http/ipallowlist/
        sourceRange:
          - "127.0.0.1/32" # localhost
          - "10.0.0.0/8" # private class A
          - "172.16.0.0/12" # private class B
          - "192.168.0.0/16" # private class C
          - "your.wan.ip.here"
        ipstrategy: # enable this when cloudflare proxy in use
          depth: 1 # depth 1 when cloudflare proxy in use

With trustedIPs and ipstrategy.depth=1, I got the CF proxy working with IPAllowList. Basically, Traefik sees local proxied requests as coming from the WAN IP, so whitelisting it worked.

Then I moved on to configuring split DNS on my router to resolve mydomain.com to the Traefik host's local IP. The ipstrategy.depth=1 setting is becoming an issue and needs to be commented out.

I do want to keep the CF proxied config setup in case some local devices use manual DNS rather than split DNS. I think it is possible to create another set of entry points and middleware to handle requests from split DNS, but the configs would be very convoluted.

Is there a more elegant solution, a single set of config that works with both local traffic proxied via cf, and local traffic direct from split DNS?
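
A simplified model of the behaviour described in the post, as an added example that is not part of the original post and is not Traefik's own code. It assumes X-Forwarded-For from peers outside trustedIPs is dropped before the allow-list runs; the WAN address `203.0.113.7` and all peer addresses are constructed.

```python
import ipaddress

# Subset of the post's ranges; 203.0.113.7 stands in for "your.wan.ip.here".
TRUSTED = ["173.245.48.0/20", "104.16.0.0/13", "2606:4700::/32"]
ALLOWED = ["127.0.0.1/32", "10.0.0.0/8", "172.16.0.0/12",
           "192.168.0.0/16", "203.0.113.7/32"]

def in_ranges(ip, ranges):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # empty or malformed client IP never matches
        return False
    return any(addr in ipaddress.ip_network(r) for r in ranges)

def forwarded_headers(remote_ip, headers):
    """Entry point step (assumed): keep X-Forwarded-For only from trustedIPs."""
    if in_ranges(remote_ip, TRUSTED):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "x-forwarded-for"}

def client_ip(remote_ip, headers, depth):
    """depth <= 0: socket peer. Otherwise the XFF entry counted from the
    right; fewer entries than depth gives an empty client IP."""
    if depth <= 0:
        return remote_ip
    xff = [p.strip() for p in headers.get("X-Forwarded-For", "").split(",")]
    return xff[-depth] if len(xff) >= depth else ""

def allowed(remote_ip, headers, depth):
    kept = forwarded_headers(remote_ip, headers)
    return in_ranges(client_ip(remote_ip, kept, depth), ALLOWED)

# Constructed requests: (label, socket peer, headers as received by Traefik)
CASES = [
    ("LAN client via Cloudflare", "173.245.48.10",
     {"X-Forwarded-For": "203.0.113.7"}),
    ("LAN client via split DNS", "192.168.1.50", {}),
    ("direct peer, spoofed XFF", "198.51.100.9",
     {"X-Forwarded-For": "192.168.1.50"}),
    ("via Cloudflare, client-sent XFF prefix", "173.245.48.10",
     {"X-Forwarded-For": "192.168.1.50, 198.51.100.9"}),
]

if __name__ == "__main__":
    for label, peer, hdrs in CASES:
        print(f"{label:40} depth=1: {allowed(peer, hdrs, 1)!s:5} "
              f"depth=0: {allowed(peer, hdrs, 0)}")
```

In this model the split-DNS request carries no X-Forwarded-For, so depth 1 yields an empty client IP and the allow-list rejects it, while depth 0 rejects the Cloudflare path because the socket peer is a Cloudflare address.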