Help ipallowlist for silverbullet. Working for whoami

I am trying to limit the access to my silverbullet container using ipallowlist.
It is working for the whoami container.

Here is the full docker-compose.yml that I am using except I have removed some letsencrypt secrets with

```yaml
services:
  traefik:
    restart: always
    image: "traefik:v3.0"
    container_name: "traefik"
    command:
      - "--log.level=INFO"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.address=:80"
      - "--providers.docker.exposedbydefault=false"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=<REDACTED>"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      - "--global.sendAnonymousUsage"
      - "--accesslog=true"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./letsencrypt:/letsencrypt"
    networks:
      - traefiknet
    dns:
      - 8.8.8.8
      - 8.8.4.4
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`traefik.20dage.dk`)"
      - "traefik.http.routers.api.entrypoints=websecure"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.middlewares=auth"
      - "traefik.http.routers.api.tls.certresolver=myresolver"
      - "traefik.http.middlewares.auth.basicauth.users=martin:$$2y$$05$$<REDACTED>"
      - "traefik.http.routers.redirs.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.redirs.entrypoints=web"
      - "traefik.http.routers.redirs.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"

  whoami:
    networks:
      - traefiknet
    restart: always
    image: "traefik/whoami"
    container_name: "whoami"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.20dage.dk`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=myresolver"
      - "traefik.http.routers.whoami-http.rule=Host(`whoami.20dage.dk`)"
      - "traefik.http.routers.whoami-http.entrypoints=web"
      - "traefik.http.routers.whoami-http.middlewares=whoami-https-redirect"
      - "traefik.http.middlewares.whoami-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.whoami.middlewares=whoami-ipallowlist"
      - "traefik.http.middlewares.whoami-ipallowlist.ipallowlist.sourcerange=10.0.0.0/8"

  silverbullet:
    restart: always
    image: zefhemel/silverbullet:latest
    container_name: "silverbullet"
    volumes:
      - "/var/www/html/silverbullet/:/space/"
    networks:
      - traefiknet
    labels:
      - traefik.enable=true
      - "traefik.http.routers.silverbullet-https.rule=Host(`silverbullet.20dage.dk`)"
      - "traefik.http.routers.silverbullet-https.entrypoints=websecure"
      - "traefik.http.routers.silverbullet-https.tls.certresolver=myresolver"
      - "traefik.http.routers.silverbullet-http.rule=Host(`silverbullet.20dage.dk`)"
      - "traefik.http.routers.silverbullet-http.entrypoints=web"
      - "traefik.http.routers.silverbullet-http.middlewares=silverbullet-https-redirect"
      - "traefik.http.middlewares.silverbullet-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.silverbullet.middlewares=silverbullet-ipallowlist"
      - "traefik.http.middlewares.silverbullet-ipallowlist.ipallowlist.sourcerange=10.0.0.0/8"

networks:
  traefiknet:
    external: true
```

I would start by simplifying the dynamic config: move the http-to-https redirect and TLS globally to the entrypoint, so you can save a lot of labels; see the simple Traefik example.

It’s not working because you assign the middleware to a non-existing router name (because of all the -http and -https mess :wink:)

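A small label linter, added here as an example (it is not Traefik's own tooling and not from this thread), that catches exactly the mistake named in the reply above: it parses one container's `traefik.http.*` labels, reports routers that have no rule (Traefik never creates such a router, so middlewares attached to that name are silently dropped and the allowlist fails open), and reports routers that are reachable with no ipallowlist middleware at all. The sample labels are constructed from the silverbullet service in the first compose file of this thread.

```python
import re

# Constructed sample: the silverbullet labels from the first compose file in this
# thread. The ipallowlist hangs off a router named "silverbullet", but only
# "silverbullet-https" and "silverbullet-http" have a rule, so it never applies.
SAMPLE_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.silverbullet-https.rule=Host(`silverbullet.20dage.dk`)",
    "traefik.http.routers.silverbullet-https.entrypoints=websecure",
    "traefik.http.routers.silverbullet-http.rule=Host(`silverbullet.20dage.dk`)",
    "traefik.http.routers.silverbullet-http.entrypoints=web",
    "traefik.http.routers.silverbullet-http.middlewares=silverbullet-https-redirect",
    "traefik.http.middlewares.silverbullet-https-redirect.redirectscheme.scheme=https",
    "traefik.http.routers.silverbullet.middlewares=silverbullet-ipallowlist",
    "traefik.http.middlewares.silverbullet-ipallowlist.ipallowlist.sourcerange=10.0.0.0/8",
]

# traefik.http.<routers|middlewares>.<name>.<option>=<value>
LABEL_RE = re.compile(r"^traefik\.http\.(routers|middlewares)\.([^.]+)\.(.+?)=(.*)$")


def lint_labels(labels):
    """Return human-readable findings for one container's Traefik labels."""
    routers, middlewares = {}, {}  # name -> {option: value}
    for label in labels:
        m = LABEL_RE.match(label)
        if m:
            kind, name, option, value = m.groups()
            target = routers if kind == "routers" else middlewares
            target.setdefault(name, {})[option] = value

    allowlisting = {n for n, o in middlewares.items() if any(k.startswith("ipallowlist.") for k in o)}
    findings = []
    for name, opts in routers.items():
        attached = [mw for mw in opts.get("middlewares", "").split(",") if mw]
        if "rule" not in opts:
            # Traefik does not create a router without a rule, so anything attached
            # to that name is silently dropped: the allowlist fails open.
            findings.append(f"router '{name}' has no rule; middlewares {attached} never run")
            continue
        for mw in attached:
            if mw not in middlewares:
                findings.append(f"router '{name}' references undefined middleware '{mw}'")
        if not allowlisting.intersection(attached):
            findings.append(f"router '{name}' is reachable without an ipallowlist middleware")
    return findings


if __name__ == "__main__":
    for finding in lint_labels(SAMPLE_LABELS):
        print(finding)
```

Point it at the labels of every service in a compose file before deploying; a router that is supposed to be allowlisted but shows up in the findings is exactly the fail-open case this thread hit.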

Thanks.
Like this?

```yaml
command:
  - --log.level=INFO
  - --api.insecure=true
  - --accesslog=true
  - --providers.docker.network=traefik_traefiknet
  - --providers.docker.exposedByDefault=false
  - --entrypoints.web.address=:80
  - --entrypoints.web.http.redirections.entrypoint.to=websecure
  - --entrypoints.web.http.redirections.entrypoint.scheme=https
  - --entrypoints.websecure.address=:443
  - --entrypoints.websecure.asDefault=true
  - --entrypoints.websecure.http.tls.certresolver=myresolver
  - --certificatesresolvers.myresolver.acme.email=martin@20dage.dk
  - --certificatesresolvers.myresolver.acme.tlschallenge=true
  - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
```

Thanks! Can you help a bit more?
It is still working perfectly for whoami but not for silverbullet?

```yaml
services:
  traefik:
    restart: always
    image: "traefik:v3.0"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    networks:
      - traefiknet
    container_name: "traefik"
    command:
      - --log.level=INFO
      - --api.insecure=true
      - --accesslog=true
      - --providers.docker.network=traefik_traefiknet
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.asDefault=true
      - --entrypoints.websecure.http.tls.certresolver=myresolver
      - --certificatesresolvers.myresolver.acme.email=
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
    labels:
      - traefik.enable=true
      - traefik.http.routers.mydashboard.rule=Host(`traefik.20dage.dk`)
      - traefik.http.routers.mydashboard.service=api@internal
      - traefik.http.routers.mydashboard.middlewares=myauth
      - traefik.http.middlewares.myauth.basicauth.users="
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./letsencrypt:/letsencrypt"
    dns:
      - 8.8.8.8
      - 8.8.4.4

  whoami:
    image: traefik/whoami
    networks:
      - traefiknet
    restart: always
    container_name: whoami
    labels:
      - traefik.enable=true
      - traefik.http.routers.mywhoami.rule=Host(`whoami.20dage.dk`) || Host(`www.whoami.20dage.dk`)
      - traefik.http.middlewares.mywwwredirect.redirectregex.regex=^https://www\.(.*)
      - traefik.http.middlewares.mywwwredirect.redirectregex.replacement=https://$${1}
      - traefik.http.middlewares.iprestrict.ipallowlist.sourcerange=10.0.0.0/8
      - traefik.http.routers.mywhoami.middlewares=mywwwredirect,iprestrict

  silverbullet:
    restart: always
    image: zefhemel/silverbullet:latest
    container_name: silverbullet
    volumes:
      - /var/www/html/silverbullet/:/space/
    networks:
      - traefiknet
    labels:
      - traefik.enable=true
      - traefik.http.routers.silverbullet.rule=Host(`silverbullet.20dage.dk`) || Host(`www.silverbullet.20dage.dk`)
      - traefik.http.middlewares.mywwwredirect.redirectregex.regex=^https://www\.(.*)
      - traefik.http.middlewares.mywwwredirect.redirectregex.replacement=https://$${1}
      - traefik.http.middlewares.iprestrict.ipallowlist.sourcerange=10.0.0.0/8
      - traefik.http.routers.silverbullet.middlewares=mywwwredirect,iprestrict

networks:
  traefiknet:
```

Use 3 backticks before and after code/config to make it more readable and keep the spacing, which is important for yaml.

It actually worked. It was the browser caching an old version.
But I am still open to any suggestions for improvements, best practices, etc.

Thanks for all help!

```yaml
services:
  traefik:
    restart: always
    image: "traefik:v3.1"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    networks:
      - traefiknet
    container_name: "traefik"
    command:
      - --log.level=INFO
      - --api.insecure=true
      - --accesslog=true
      - --providers.docker.network=traefik_traefiknet
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.asDefault=true
      - --entrypoints.websecure.http.tls.certresolver=myresolver
      - --certificatesresolvers.myresolver.acme.email=<REDACTED>
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
      - --global.sendAnonymousUsage
    labels:
      - traefik.enable=true
      - traefik.http.routers.mydashboard.rule=Host(`traefik.20dage.dk`)
      - traefik.http.routers.mydashboard.service=api@internal
      - traefik.http.routers.mydashboard.middlewares=myauth
      - traefik.http.middlewares.myauth.basicauth.users=martin:<REDACTED>"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./letsencrypt:/letsencrypt"
    dns:
      - 8.8.8.8
      - 8.8.4.4

  whoami:
    image: traefik/whoami
    networks:
      - traefiknet
    restart: always
    container_name: whoami
    labels:
      - traefik.enable=true
      - traefik.http.routers.mywhoami.rule=Host(`whoami.20dage.dk`) || Host(`www.whoami.20dage.dk`)
      - traefik.http.middlewares.mywwwredirect.redirectregex.regex=^https://www\.(.*)
      - traefik.http.middlewares.mywwwredirect.redirectregex.replacement=https://$${1}
      - traefik.http.middlewares.iprestrict.ipallowlist.sourcerange=10.0.0.0/8
      - traefik.http.routers.mywhoami.middlewares=mywwwredirect,iprestrict

  silverbullet:
    restart: always
    image: zefhemel/silverbullet:latest
    container_name: silverbullet
    volumes:
      - /var/www/html/silverbullet/:/space/
    networks:
      - traefiknet
    labels:
      - traefik.enable=true
      - traefik.http.routers.silverbullet.rule=Host(`silverbullet.20dage.dk`) || Host(`www.silverbullet.20dage.dk`)
      - traefik.http.middlewares.silverredirect.redirectregex.regex=^https://www\.(.*)
      - traefik.http.middlewares.silverredirect.redirectregex.replacement=https://$${1}
      - traefik.http.middlewares.silveriprestrict.ipallowlist.sourcerange=10.0.0.0/8
      - traefik.http.routers.silverbullet.middlewares=silverredirect,silveriprestrict

networks:
  traefiknet:
```

Note that insecure is insecure (doc): it will open port 8080 and bypass the auth middleware.
