I'm running a setup where there's a default-middlewares chain on the websecure endpoint that is applied to all compose services:
```yaml
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      tls: {}
      middlewares:
        - default-middlewares@file
providers:
  file:
    directory: /etc/traefik/dynamic
    watch: true
  docker:
    endpoint: unix:///var/run/docker.sock
    watch: true
    exposedByDefault: false
    defaultRule: "Host(`{{ index .Labels \"com.docker.compose.service\"}}.mydomain.net`)"
```
The `dynamic/dynamic.yaml` looks like this:
```yaml
tls:
  stores:
    default:
      defaultCertificate:
        certFile: /certs/mydomain.net/fullchain.pem
        keyFile: /certs/mydomain.net/privkey.pem
http:
  middlewares:
    services-ipwhitelist:
      ipWhiteList:
        sourceRange:
          - "127.0.0.1/32"
          - "10.0.0.0/24"
          - "10.0.1.0/24"
    services-compress:
      compress: {}
    default-middlewares:
      chain:
        middlewares:
          - services-ipwhitelist
          - services-compress
```
The general idea is to keep the docker-compose modification to a minimum. Here's an example service:
```yaml
whoami:
  image: containous/whoami
  container_name: whoami
  labels:
    - "traefik.enable=true"
```
Now, for some services, I'd like to add an additional IP range to be allowed, and I want to achieve this by simply adding some label to a particular container definition, but without the need to modify any other. How could I achieve this?
So far, I attempted to create another `ipWhiteList` middleware definition:
```yaml
services-ipwhitelist-guest:
  ipWhiteList:
    sourceRange:
      - "127.0.0.1/32"
      - "10.0.0.0/24"
      - "10.0.1.0/24"
      - "192.168.1.0/24"
```
And added it to the `whoami` container via label:
```yaml
- "traefik.http.routers.whoami.middlewares=services-ipwhitelist-guest@file"
```
Unfortunately, both middlewares are applied, and the `services-ipwhitelist` makes the page Forbidden from the `192.168.1.0/24` network.
Any ideas on how to make it work?
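Why the guest range is still rejected, as an added example that is not part of the original post: the Python model below treats each `ipWhiteList` as an independent gate and computes which ranges survive both. It assumes the entry point's middlewares run before the router's and that a request must pass every one, which matches the behaviour reported above; the function names and the sample client addresses are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Source ranges copied from the question's dynamic.yaml.
SERVICES_IPWHITELIST = ["127.0.0.1/32", "10.0.0.0/24", "10.0.1.0/24"]
SERVICES_IPWHITELIST_GUEST = SERVICES_IPWHITELIST + ["192.168.1.0/24"]

def allowed(client, source_range):
    """One ipWhiteList middleware: pass only if the client is in some range."""
    addr = ip_address(client)
    return any(addr in ip_network(cidr) for cidr in source_range)

def first_rejecting(client, middlewares):
    """Run middlewares in order; return the name of the first that rejects
    (the request is answered 403 there), or None if every one passes."""
    for name, source_range in middlewares:
        if not allowed(client, source_range):
            return name
    return None

def effective_ranges(middlewares):
    """Networks that pass every middleware: the intersection of the lists."""
    result = None
    for _, source_range in middlewares:
        nets = [ip_network(c) for c in source_range]
        if result is None:
            result = set(nets)
            continue
        # Two CIDR blocks either nest or are disjoint, so the overlap of a
        # pair is simply the more specific block.
        result = {
            a if a.prefixlen >= b.prefixlen else b
            for a in result for b in nets
            if a.version == b.version and (a.subnet_of(b) or b.subnet_of(a))
        }
    return sorted(result or [], key=lambda n: (n.version, n))

# Assumed order: entry point middleware first, then the router's own label.
# services-compress is omitted because it never rejects a request.
WHOAMI_CHAIN = [
    ("services-ipwhitelist", SERVICES_IPWHITELIST),              # websecure entry point
    ("services-ipwhitelist-guest", SERVICES_IPWHITELIST_GUEST),  # whoami router label
]

if __name__ == "__main__":
    for client in ("10.0.0.7", "192.168.1.50"):  # constructed sample clients
        print(client, "->", first_rejecting(client, WHOAMI_CHAIN) or "allowed")
    print("effective:", [str(n) for n in effective_ranges(WHOAMI_CHAIN)])
```

Stacked allowlists can only narrow access: `192.168.1.0/24` is absent from the effective set because the entry point list never contained it, so widening access for one service means that service's requests must not pass through the stricter list at all.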