How can I add middleware with cloudflare plugin to traefik dashboard itself?

Now all my containers work fine and receive the real request IPs after passing through the Cloudflare proxy. However, I can't figure out how to add middleware with the Cloudflare plugin to the Traefik dashboard itself, so that the dashboard also sees the real IPs. I’ve tried adding it via the entry point and directly as middleware. Can someone give me a hint? My Traefik docker-compose currently looks like this:

services:
  traefik:
    image: "traefik:latest"
    container_name: traefik

    ports:
      - 80:80
      - 443:443

    networks:
      proxy:
        ipv4_address: 172.18.0.250

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data/acme.json:/acme.json
      - ./data/custom/:/custom/:ro
      - ./logs/:/var/log/
      - /etc/localtime:/etc/localtime:ro

    command:
      - --api.dashboard=true

      # Adding cloudflare plugin
      - --experimental.plugins.cloudflare.modulename=github.com/agence-gaya/traefik-plugin-cloudflare
      - --experimental.plugins.cloudflare.version=v1.2.0

      - --log.level=DEBUG
      - --log.filepath=/var/log/traefik_error.log

      - --accesslog=true
      - --accesslog.filepath=/var/log/traefik-access.log

      - --providers.file.directory=/custom
      - --providers.file.watch=true

      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false

      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entryPoints.web.http.redirections.entrypoint.scheme=https

      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.asDefault=true 

      - --entrypoints.websecure.http.tls.certresolver=letsEncrypt
      - --certificatesresolvers.letsEncrypt.acme.email=${ACME_MAIL}

      - --entrypoints.websecure.http.tls.domains[0].main=${ACME_HOST}
      - --entrypoints.websecure.http.tls.domains[0].sans=*.${ACME_HOST}

      - --certificatesresolvers.letsEncrypt.acme.dnschallenge=true
      - --certificatesresolvers.letsEncrypt.acme.storage=acme.json
      - --certificatesresolvers.letsEncrypt.acme.dnschallenge.provider=${ACME_PROVIDER}


    env_file:
      - .env

    labels:
      - com.centurylinklabs.watchtower.enable=true

      - traefik.enable=true

      - traefik.http.routers.mydashboard.rule=Host(`${DOMAIN}`) && (ClientIP(`192.168.1.0/24`) || ClientIP(`ip1`) || ClientIP(`ip2`))
      - traefik.http.routers.mydashboard.service=api@internal

      - traefik.http.routers.mydashboardwithauth.middlewares=cloudflare@file

      - traefik.http.routers.mydashboardwithauth.rule=Host(`${DOMAIN}`)
      - traefik.http.routers.mydashboardwithauth.service=api@internal
      - traefik.http.routers.mydashboardwithauth.middlewares=myauth
      - traefik.http.middlewares.myauth.basicauth.users=xxxxxxxxxx:xxxxxxxxxxxxxxxxx

  whoami:
    image: traefik/whoami:v1.10
    container_name: whoami
    networks:
      proxy:

    labels:
      - traefik.enable=true
      - traefik.http.services.${WHO_SRV_NAME}-service.loadbalancer.server.port=${WHO_SRV_PORT}
      - traefik.http.routers.${WHO_SRV_NAME}.rule=Host(`${WHO_DOMAIN}`)
      - traefik.http.routers.${WHO_SRV_NAME}.service=${WHO_SRV_NAME}-service

      - traefik.http.routers.${WHO_SRV_NAME}.tls=true
      - traefik.http.routers.${WHO_SRV_NAME}.tls.certresolver=letsEncrypt
      - traefik.docker.network=proxy

      - traefik.http.routers.${WHO_SRV_NAME}.middlewares=cloudflare@file

networks:
  proxy:
    name: proxy
    external: true

Wrong, because it's overwriting:

Correct:

- traefik.http.routers.mydashboardwithauth.middlewares=cloudflare@file,myauth
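The overwrite described in this reply can be checked mechanically. The following is an added example, not code from the thread or from Traefik: a small Python lint (function names are hypothetical) that assumes a repeated label key keeps only its last value, and reports which middleware is lost and the merged label to use instead.

```python
from collections import defaultdict
import re

# Constructed sample: the dashboard router labels from the compose file above.
LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.mydashboardwithauth.middlewares=cloudflare@file",
    "traefik.http.routers.mydashboardwithauth.rule=Host(`${DOMAIN}`)",
    "traefik.http.routers.mydashboardwithauth.service=api@internal",
    "traefik.http.routers.mydashboardwithauth.middlewares=myauth",
]

MW_KEY = re.compile(r"^traefik\.http\.routers\.[^.]+\.middlewares$")


def effective_labels(labels):
    """Collapse the list into a map. Assumption: a repeated key keeps its last
    value, which is the overwriting described in the reply above."""
    result = {}
    for item in labels:
        key, _, value = item.partition("=")
        result[key.strip()] = value.strip()
    return result


def overwritten_middlewares(labels):
    """Find routers whose middlewares label is set more than once and build
    the single comma-separated label that keeps every middleware."""
    occurrences = defaultdict(list)
    for item in labels:
        key, _, value = item.partition("=")
        if MW_KEY.match(key.strip()):
            names = [v.strip() for v in value.split(",") if v.strip()]
            occurrences[key.strip()].append(names)
    findings = {}
    for key, occ in occurrences.items():
        if len(occ) > 1:
            chain = list(dict.fromkeys(n for names in occ for n in names))
            dropped = [n for n in chain if n not in occ[-1]]
            findings[key] = {"dropped": dropped, "fix": f"{key}={','.join(chain)}"}
    return findings


if __name__ == "__main__":
    for key, info in overwritten_middlewares(LABELS).items():
        print("dropped:", info["dropped"])
        print("use:    ", info["fix"])
```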

Thanks for your reply. But can you tell me if there is any way to bypass authentication for specific IPs? I'm referring to this fragment:

      - traefik.http.routers.mydashboard.rule=Host(`${DOMAIN}`) && (ClientIP(`192.168.1.0/24`) || ClientIP(`ip1`) || ClientIP(`ip2`))
      - traefik.http.routers.mydashboard.service=api@internal

You need to create a separate router (different name) without the middleware and with the same target service

I'm sorry, but I can't understand. I already have 2 different routes, with different names and with the same target - Host(${DOMAIN}).

      - traefik.http.routers.mydashboard.rule=Host(`${DOMAIN}`) && (ClientIP(`192.168.1.0/24`) || 
...
      - traefik.http.routers.mydashboardwithauth.rule=Host(`${DOMAIN}`)

And one of these routes is without any middlewares, and the 2nd with auth middleware. Am I wrong? Or should I create a 3rd route?

Then you got it already. If you want to bypass auth, you need a router without the middleware.

Traefik will try to match longer rules first. So first the rule with ClientIP will be checked. If it’s a non-matching IP, Traefik will test the next rule.

Wait, but I started with this question!

  1. I have two routes: one with bypass authentication for specific IPs, and another with authentication for all other IPs.

  2. After switching to Cloudflare filtering, I can't see the real request IPs, so the bypass authentication route stopped working.

  3. I installed a plugin to restore the real IPs.

  4. What I don't understand is how to enable this plugin's middleware for Traefik itself, so I asked about it here.

And you told me that I need to create 2 routes!

Sorry, I ignored the use of Cloudflare.

You probably need to set forwardedHeaders.trustedIPs (doc) to the CF server IPs.
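The trust decision that a trusted-proxy list expresses, sketched as an added Python example (not Traefik's code and not from the thread): a forwarded header is honoured only when the direct peer is a trusted proxy, otherwise the socket address is used. The proxy range is an RFC 5737 placeholder, not Cloudflare's published ranges, and the function names are hypothetical; `192.168.1.0/24` is the bypass range from the question.

```python
import ipaddress

# Constructed placeholder (RFC 5737 documentation space) standing in for the
# proxy ranges you trust. These are NOT Cloudflare's real ranges.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]
# Bypass range taken from the dashboard router rule in the question.
AUTH_BYPASS = [ipaddress.ip_network("192.168.1.0/24")]


def _in(ip, networks):
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    return any(addr in net for net in networks)


def client_ip(peer, xff, trusted=TRUSTED_PROXIES):
    """Resolve the client IP for a connection from `peer` that carries the
    X-Forwarded-For value `xff` (None when the header is absent)."""
    if not xff or not _in(peer, trusted):
        return peer  # a header sent by an untrusted peer is ignored
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk right to left: skip trusted proxies, stop at the first other hop.
    # Entries further left were supplied by the client and are not trusted.
    for hop in reversed(hops):
        try:
            if not _in(hop, trusted):
                return hop
        except ValueError:
            return peer  # malformed entry: fall back to the socket address
    return peer


def bypasses_auth(peer, xff):
    """True when the resolved client IP falls in the auth-bypass range."""
    return _in(client_ip(peer, xff), AUTH_BYPASS)


if __name__ == "__main__":
    # Constructed requests: (direct peer, X-Forwarded-For header).
    for peer, xff in [("203.0.113.7", "198.51.100.23"),
                      ("198.51.100.99", "192.168.1.10"),
                      ("192.168.1.10", None)]:
        print(peer, xff, "->", client_ip(peer, xff), bypasses_auth(peer, xff))
```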