I have a Cloudflare Proxy --> Router --> Traefik/IPAllowList setup, and finally got it to work. I saw a few posts here asking the same question, so here is a not-so-perfect example.
I only know that Cloudflare and Traefik use different headers for the forwarded IP, but not what happens under the hood. I tried two of the more popular plugins, cloudflarewarp and real-ip, and neither worked for me; the combination of the config below worked.
Traefik.yml

```yaml
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
    forwardedHeaders:
      trustedIPs: &trustedIps
        # Cloudflare 2023 09 28 https://www.cloudflare.com/ips
        - "173.245.48.0/20"
        - "103.21.244.0/22"
        - "103.22.200.0/22"
        - "103.31.4.0/22"
        - "141.101.64.0/18"
        - "108.162.192.0/18"
        - "190.93.240.0/20"
        - "188.114.96.0/20"
        - "197.234.240.0/22"
        - "198.41.128.0/17"
        - "162.158.0.0/15"
        - "104.16.0.0/13"
        - "104.24.0.0/14"
        - "172.64.0.0/13"
        - "131.0.72.0/22"
        - "2400:cb00::/32"
        - "2606:4700::/32"
        - "2803:f800::/32"
        - "2405:b500::/32"
        - "2405:8100::/32"
        - "2a06:98c0::/29"
        - "2c0f:f248::/32"
  https:
    address: ":443"
    forwardedHeaders:
      trustedIPs: *trustedIps
```
Config.yml middleware (the fragment that sits under http.middlewares in the dynamic config)

```yaml
local-only:
  ipallowlist: # https://doc.traefik.io/traefik/middlewares/http/ipallowlist/
    sourceRange:
      - "127.0.0.1/32" # localhost
      - "10.0.0.0/8" # private class A
      - "172.16.0.0/12" # private class B
      - "192.168.0.0/16" # private class C
      - "your.wan.ip.here"
    ipstrategy: # enable this when cloudflare proxy in use
      depth: 1 # depth 1 when cloudflare proxy in use
```
With trustedIPs and ipstrategy.depth=1, I got the CF proxy working with IPAllowList. Basically Traefik sees locally proxied requests as coming from my WAN IP, so whitelisting it worked.
Then I moved on to configuring split DNS on my router to resolve mydomain.com to the Traefik host's local IP. The ipstrategy.depth=1 is becoming an issue and needs to be commented out.
I do want to keep the CF-proxied config in place just in case some local devices use manual DNS rather than split DNS. And I think it is possible to create another set of entry points and middleware to handle requests from split DNS, but it would be a very convoluted config.
Is there a more elegant solution, a single config that works with both local traffic proxied via CF and local traffic coming directly from split DNS?
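To make the behaviour behind the question visible, here is an added example (not Traefik's code and not the poster's): a simplified model of the documented forwardedHeaders.trustedIPs filtering and the remoteAddr/depth ipStrategy choices, run over three constructed requests (Cloudflare-proxied, direct via split DNS, and a forged X-Forwarded-For from the internet). All addresses, including the stand-in WAN IP, are constructed sample values.

```python
import ipaddress

# Constructed sample addresses, not the poster's real values.
CLOUDFLARE_EDGE = "173.245.48.10"   # inside Cloudflare's 173.245.48.0/20
INTERNET_HOST = "198.51.100.9"      # some internet host that is not Cloudflare
WAN_IP = "203.0.113.7"              # stands in for "your.wan.ip.here"
LAN_CLIENT = "192.168.1.50"         # a LAN device using split DNS
TRUSTED = ["173.245.48.0/20"]       # one of the trustedIPs ranges from the post
ALLOW = ["127.0.0.1/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", WAN_IP + "/32"]

def in_ranges(ip, ranges):
    """True if ip (non-empty) falls inside any CIDR in ranges."""
    return bool(ip) and any(ipaddress.ip_address(ip) in ipaddress.ip_network(r) for r in ranges)

def entrypoint_filter(remote, headers, trusted=TRUSTED):
    """forwardedHeaders.trustedIPs: X-Forwarded-* from an untrusted peer is dropped."""
    if in_ranges(remote, trusted):
        return headers
    return {k: v for k, v in headers.items() if not k.lower().startswith("x-forwarded-")}

def remote_addr_strategy(remote, headers):
    """Default ipStrategy: the TCP peer address, headers ignored."""
    return remote

def depth_strategy(remote, headers, depth=1):
    """ipStrategy.depth: the depth-th entry from the right of X-Forwarded-For.
    Documented behaviour: fewer entries than depth gives an empty client IP."""
    xff = [p.strip() for p in headers.get("X-Forwarded-For", "").split(",") if p.strip()]
    return xff[-depth] if len(xff) >= depth else ""

def allowed(strategy, remote, headers, source_range=ALLOW):
    """One request end to end: entrypoint filter, ipStrategy, then sourceRange check."""
    client_ip = strategy(remote, entrypoint_filter(remote, headers))
    return in_ranges(client_ip, source_range)

# 1) LAN device resolving via Cloudflare: NAT'd out, arrives from a CF edge with XFF set.
CF_REQ = (CLOUDFLARE_EDGE, {"X-Forwarded-For": WAN_IP, "CF-Connecting-IP": WAN_IP})
# 2) Same device using split DNS: reaches Traefik directly, with no proxy headers at all.
DIRECT_REQ = (LAN_CLIENT, {})
# 3) Internet host hitting port 443 directly with a forged X-Forwarded-For.
FORGED_REQ = (INTERNET_HOST, {"X-Forwarded-For": WAN_IP})

if __name__ == "__main__":
    for name, req in [("cloudflare", CF_REQ), ("split-dns", DIRECT_REQ), ("forged", FORGED_REQ)]:
        print(f"{name:10} depth=1 -> {allowed(depth_strategy, *req)!s:5} "
              f"remoteAddr -> {allowed(remote_addr_strategy, *req)}")
```

The depth=1 column passes the Cloudflare case and fails the split-DNS case, while remoteAddr does the opposite, which is exactly the conflict the post describes; the forged request fails under both because the untrusted peer's X-Forwarded-For is discarded at the entrypoint.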