I would like to restrict the traffic to some docker containers based on the IP of the connecting client. The containers are auto-discovered.
The general setup is a server running the docker hosts placed in a LAN (192.168.10.2). Ports 80 and 443 from the Internet are forwarded by the firewall to that host.
The general setting I am trying to achieve is:
- global default: anything on 192.168.10/24 and 192.168.20.24/24 can access any container (traffic from the LAN)
- global default: deny everything else
- specific setting: for a given container, allow traffic coming "from Internet" (that is, the forwarded traffic). I believe that the incoming IP will be the public IP of the client on the Internet.
How should I generally approach these problems?
I tried to use https://docs.traefik.io/middlewares/ipwhitelist/ in order to allow/block access to a selected container. Besides the fact that this does not solve the "global default" above, I did not manage to get it working (the relevant parts of my docker-compose are below):
```yaml
radarr:
  # (...)
  labels:
    - "traefik.http.routers.radarr.rule=Host(`radarr.mydomain`)"
    - "traefik.http.routers.radarr.entrypoints=web"
    - "traefik.http.middlewares.radarr.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.50.0/24"
traefik:
  # The official v2.0 Traefik docker image
  image: traefik:v2.0
  container_name: traefik
  # Enables the web UI and tells Traefik to listen to docker
  command: --api.insecure=true --providers.docker=true --entrypoints.web.address=:80
  ports:
    # The HTTP port
    - "15085:80"
    # The Web UI (enabled by --api.insecure=true)
    - "18085:8080"
  volumes:
    # So that Traefik can listen to the Docker events
    - /var/run/docker.sock:/var/run/docker.sock
```
No matter what I put in the sourcerange, I can always access the service at http://radarr.mydomain:15085