How to configure Traefik to restrict incoming traffic exclusively to my office's IP address

Hi all,

I have a few services that I would like to allow incoming traffic only from my office public IP, any idea how can it be done?

Use rule with ClientIP() (doc).

It doesn't seem to be working. When I used this approach, it gave me a "404 Page Not Found" error.

  • Request completely sent off
    < HTTP/2 404
    < content-type: text/plain; charset=utf-8
    < x-content-type-options: nosniff
    < content-length: 19
    < date: Mon, 10 Mar 2025 14:58:02 GMT
    <
    404 page not found
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: rabbitmq
  namespace: rabbitmq
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`mq.xxx.io`) && ClientIP(`x.x.x.x`)
      kind: Rule
      middlewares:
        - name: rabbitmq-headers
          namespace: rabbitmq
      services:
        - name: rabbitmq-management
          port: 15672
  tls: {}

You can use the IpAllowList middleware.

You can add this middleware via a dynamic provider (eg. Files or Redis) and traefik will reload the middleware and allowed ips if it changes.

Now you just have to automate getting the office ip and updateing the file or whatever dynmaic traefik provider.