Thank you for your feedback.
I have already made several unsuccessful attempts. As traefik and portainer should be accessible only internally, this is what I did:

docker-compose.yml: not edited.

config.yml: added two routers and two services, traefik and portainer:
```yaml
http:
  routers:
    traefik:
      entryPoints:
        - "https"
      rule: "Host(`traefik.server.domain.com`)"
      middlewares:
        - default-headers
        - https-redirectscheme
        - default-whitelist
      tls: {}
      service: traefik
    portainer:
      entryPoints:
        - "https"
      rule: "Host(`portainer.server.domain.com`)"
      middlewares:
        - default-headers
        - https-redirectscheme
        - default-whitelist
      tls: {}
      service: portainer

  services:
    traefik:
      loadBalancer:
        servers:
          - url: "http://192.168.10.15:8080"
        passHostHeader: true
    portainer:
      loadBalancer:
        servers:
          - url: "http://192.168.10.16:9000"
        passHostHeader: true

  middlewares:
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true

    default-headers:
      headers:
        frameDeny: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15552000
        customFrameOptionsValue: SAMEORIGIN
        customRequestHeaders:
          X-Forwarded-Proto: https

    default-whitelist:
      ipWhiteList:
        sourceRange:
          - "192.168.10.0/24"
          - "172.18.0.0/16"

    secured:
      chain:
        middlewares:
          - default-whitelist
          - default-headers

    crowdsec-bouncer:
      forwardAuth:
        address: http://bouncer-traefik:8080/api/v1/forwardAuth
        trustForwardHeader: true

    mygeoblock:
      plugin:
        geoblock:
          silentStartUp: false
          allowLocalRequests: true
          logLocalRequests: false
          logAllowedRequests: false
          logApiRequests: true
          api: "https://get.geojs.io/v1/ip/country/{ip}"
          apiTimeoutMs: 750 # optional
          cacheSize: 15
          forceMonthlyUpdate: true
          allowUnknownCountries: false
          unknownCountryApiResponse: "nil"
          blackListMode: false
          addCountryHeader: false
          countries:
            - US
```
traefik.yaml: removed the reference to default-whitelist from the two entrypoints:
```yaml
api:
  dashboard: true
  debug: true

entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
      middlewares:
        - crowdsec-bouncer@file
        - mygeoblock@file
  https:
    address: ":443"
    http:
      middlewares:
        - crowdsec-bouncer@file
        - mygeoblock@file

serversTransport:
  insecureSkipVerify: true

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml

certificatesResolvers:
  duckdns:
    acme:
      email: myemail
      storage: acme.json
      dnsChallenge:
        provider: duckdns
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

log:
  level: "INFO"
  filePath: "/var/log/traefik/traefik.log"

accessLog:
  filePath: "/var/log/traefik/access.log"
```
```sh
sudo docker exec traefik cat /var/log/traefik/traefik.log
```

shows no errors.

traefik and portainer can be accessed internally: good.

However, both can also be accessed externally (from the internet): bad.
```sh
sudo docker exec traefik tail -f /var/log/traefik/access.log
```

With 1.2.3.4 being the external address (connecting from the internet, from my mobile via 4G data, not home Wi-Fi):

```
1.2.3.4 - - [26/Jan/2024:09:04:50 +0000] "GET / HTTP/1.1" 301 17 "-" "-" 135 "http-to-https@internal" "-" 324ms
1.2.3.4 - - [26/Jan/2024:09:04:51 +0000] "GET / HTTP/2.0" 200 8731 "-" "-" 136 "portainer-secure@docker" "http://172.18.0.5:9000" 118ms
1.2.3.4 - - [26/Jan/2024:09:04:51 +0000] "GET / HTTP/2.0" 200 8731 "-" "-" 137 "portainer-secure@docker" "http://172.18.0.5:9000" 116ms
1.2.3.4 - - [26/Jan/2024:09:04:52 +0000] "GET /runtime.942fa683274b3d3c26cf.js HTTP/2.0" 200 1340 "-" "-" 138 "portainer-secure@docker" "http://172.18.0.5:9000" 169ms
1.2.3.4 - - [26/Jan/2024:09:04:52 +0000] "GET /vendor.b4533442c1cbb18b98a1.css HTTP/2.0" 200 121920 "-" "-" 141 "portainer-secure@docker" "http://172.18.0.5:9000" 1792ms
1.2.3.4 - - [26/Jan/2024:09:04:52 +0000] "GET /main.7d6053e1c574421c1788.css HTTP/2.0" 200 544979 "-" "-" 142 "portainer-secure@docker" "http://172.18.0.5:9000" 3537ms
1.2.3.4 - - [26/Jan/2024:09:04:52 +0000] "GET /main.712d6f30396f42406a3d.js HTTP/2.0" 200 777758 "-" "-" 140 "portainer-secure@docker" "http://172.18.0.5:9000" 4419ms
1.2.3.4 - - [26/Jan/2024:09:04:52 +0000] "GET /vendor.c6c227160a59d929ec43.js HTTP/2.0" 200 1036648 "-" "-" 139 "portainer-secure@docker" "http://172.18.0.5:9000" 5124ms
1.2.3.4 - - [26/Jan/2024:09:04:58 +0000] "GET /locales/en/translation.json HTTP/2.0" 200 328 "-" "-" 144 "portainer-secure@docker" "http://172.18.0.5:9000" 132ms
1.2.3.4 - - [26/Jan/2024:09:04:58 +0000] "GET /api/settings/public HTTP/2.0" 200 435 "-" "-" 146 "portainer-secure@docker" "http://172.18.0.5:9000" 136ms
1.2.3.4 - - [26/Jan/2024:09:04:58 +0000] "GET /api/system/status HTTP/2.0" 200 142 "-" "-" 145 "portainer-secure@docker" "http://172.18.0.5:9000" 144ms
1.2.3.4 - - [26/Jan/2024:09:04:58 +0000] "GET /locales/en-GB/translation.json HTTP/2.0" 404 43 "-" "-" 143 "portainer-secure@docker" "http://172.18.0.5:9000" 320ms
1.2.3.4 - - [26/Jan/2024:09:04:58 +0000] "GET /api/settings/public HTTP/2.0" 200 435 "-" "-" 147 "portainer-secure@docker" "http://172.18.0.5:9000" 111ms
1.2.3.4 - - [26/Jan/2024:09:04:58 +0000] "GET /api/users/admin/check HTTP/2.0" 204 0 "-" "-" 148 "portainer-secure@docker" "http://172.18.0.5:9000" 114ms
```
And for traefik, abbreviated (401 because basic auth is pending, not an error per se):

```
1.2.3.4 - - [26/Jan/2024:09:14:16 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 190 "traefik-secure@docker" "-" 199ms
```
The IP whitelist is set to:

```yaml
- "192.168.68.0/24"
- "172.18.0.0/16"
```

172.18.0.0/16 comprises 172.18.0.1 to 172.18.255.254, so http://172.18.0.5 matches the whitelist. I would expect the whitelist to notice that 1.2.3.4 is not in the whitelist and so not allow external access.

Any feedback is much appreciated.
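As an added example (not from the original post or from the Traefik project), the following Python script replays the check that Traefik's `ipWhiteList` middleware performs over the access-log lines quoted above: it parses each line, pulls out the client address and the router name that Traefik writes into every entry, and tests the client address against the `sourceRange` of the post's `default-whitelist` middleware. Two things it makes visible: `ipWhiteList` evaluates the source address of the request (here 1.2.3.4), never the backend URL in the same log line, and the router names logged are `portainer-secure@docker` and `traefik-secure@docker`, i.e. routers from the docker provider, whereas only `traefik@file` and `portainer@file` in the post's config.yml carry `default-whitelist`. The sample log is a constructed copy of the post's lines plus one invented internal client (192.168.10.20) for contrast; the set of whitelisted routers is an assumption taken from config.yml, since the docker labels in docker-compose.yml are not shown.

```python
import ipaddress
import re

# Constructed sample: copies of the post's access-log lines plus one invented
# line from an internal client, in Traefik's Common Log Format.
SAMPLE_LOG = """\
1.2.3.4 - - [26/Jan/2024:09:04:50 +0000] "GET / HTTP/1.1" 301 17 "-" "-" 135 "http-to-https@internal" "-" 324ms
1.2.3.4 - - [26/Jan/2024:09:04:51 +0000] "GET / HTTP/2.0" 200 8731 "-" "-" 136 "portainer-secure@docker" "http://172.18.0.5:9000" 118ms
192.168.10.20 - - [26/Jan/2024:09:10:00 +0000] "GET / HTTP/2.0" 200 8731 "-" "-" 150 "portainer@file" "http://192.168.10.16:9000" 90ms
1.2.3.4 - - [26/Jan/2024:09:14:16 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 190 "traefik-secure@docker" "-" 199ms
"""

# sourceRange of the post's default-whitelist middleware (config.yml).
SOURCE_RANGES = ["192.168.10.0/24", "172.18.0.0/16"]

# Routers that carry default-whitelist in the post's config.yml. The
# *-secure@docker routers come from container labels not shown in the post,
# so this script ASSUMES they do not carry it.
WHITELISTED_ROUTERS = {"traefik@file", "portainer@file"}

# Traefik CLF: client ident user [time] "request" status size "referer" "agent"
#              count "router" "backend-url" duration
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" (?P<count>\d+) '
    r'"(?P<router>[^"]*)" "(?P<backend>[^"]*)" (?P<duration>\S+)$'
)


def parse_access_line(line):
    """Parse one Traefik access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def client_in_ranges(client_ip, source_ranges=SOURCE_RANGES):
    """The test ipWhiteList applies: is the *client* address inside any sourceRange?

    The backend URL (e.g. http://172.18.0.5:9000) is the destination Traefik
    forwards to; it plays no part in this decision.
    """
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in source_ranges)


def audit(log_text, source_ranges=SOURCE_RANGES, whitelisted=WHITELISTED_ROUTERS):
    """Annotate every parsable line with the whitelist decision and which router served it."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_access_line(line)
        if entry is None:
            continue
        entry["client_in_range"] = client_in_ranges(entry["client"], source_ranges)
        entry["router_whitelisted"] = entry["router"] in whitelisted
        # "leak": an out-of-range client served by a router with no ipWhiteList attached.
        entry["leak"] = not entry["client_in_range"] and not entry["router_whitelisted"]
        findings.append(entry)
    return findings


def unprotected_external_hits(log_text, source_ranges=SOURCE_RANGES,
                              whitelisted=WHITELISTED_ROUTERS):
    """Only the entries where an external client reached a router lacking the whitelist."""
    return [e for e in audit(log_text, source_ranges, whitelisted) if e["leak"]]


if __name__ == "__main__":
    for e in audit(SAMPLE_LOG):
        flag = "LEAK" if e["leak"] else "ok  "
        print(f'{flag} {e["client"]:>15} {e["status"]} {e["router"]:<26} '
              f'client_in_range={e["client_in_range"]} '
              f'router_whitelisted={e["router_whitelisted"]}')
```

Run against the post's lines, every 1.2.3.4 entry is flagged: the client is outside both ranges, and the router that served it is not one of the two file-provider routers that carry `default-whitelist`. Two caveats when applying this to a live setup: the Traefik dashboard (enabled here via `api.dashboard: true`) lists the middlewares actually attached to each `@docker` router, which is the authoritative place to confirm the assumption above; and if Traefik sits behind another proxy, the client address it sees is that proxy's, so `ipWhiteList` needs `ipStrategy` (`depth` or `excludedIPs`) before the check is meaningful.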