I would like to restrict the traffic to some docker containers based on the IP of the connecting client. The containers are auto-discovered.
The general setup is a server running the docker hosts, placed in a LAN (192.168.10.2). Ports 80 and 443 from the Internet are forwarded by the firewall to that host.
The general setting I am trying to achieve is:
- global default: anything on 192.168.20.24/24 can access any container (traffic from the LAN)
- global default: deny everything else
- specific setting: for a given container, allow traffic coming "from the Internet" (that is, the forwarded traffic). I believe that the incoming IP will be the public IP of the client on the Internet.
How should I generally approach these problems?
I tried to use https://docs.traefik.io/middlewares/ipwhitelist/ in order to allow/block access to a selected container. Besides the fact that this does not solve the "global default" above, I did not manage to get it working (the relevant parts of my docker-compose are below):

```yaml
radarr:
  (...)
  labels:
    - "traefik.http.routers.radarr.rule=Host(`radarr.mydomain`)"
    - "traefik.http.routers.radarr.entrypoints=web"
    - "traefik.http.middlewares.radarr.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.50.0/24"

traefik:
  # The official v2.0 Traefik docker image
  image: traefik:v2.0
  container_name: traefik
  # Enables the web UI and tells Traefik to listen to docker
  command: --api.insecure=true --providers.docker=true --entrypoints.web.address=:80
  ports:
    # The HTTP port
    - "15085:80"
    # The Web UI (enabled by --api.insecure=true)
    - "18085:8080"
  volumes:
    # So that Traefik can listen to the Docker events
    - /var/run/docker.sock:/var/run/docker.sock
```
No matter what I put in the sourcerange, I can always access the service at
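Added example, not the compose file from the question: one way to express the three rules above with Traefik v2 docker labels. Two points differ from the file in the question. First, the `ipwhitelist` middleware there is only defined; a middleware takes effect only when a router lists it in `traefik.http.routers.<router>.middlewares`, which is what the labels below do. Second, "deny everything else" is handled at the routing layer with `exposedbydefault=false`, so an auto-discovered container has no router until it is labelled. The service images, host names, the `192.168.20.0/24` LAN range, the `lan-only` middleware name and the read-only socket mount are assumptions chosen for illustration.

```yaml
# Added example (not the original post's compose file). Images, host names,
# the LAN range and the middleware name are assumptions for illustration.
version: "3.7"

services:
  traefik:
    image: traefik:v2.0
    container_name: traefik
    command:
      - --providers.docker=true
      # Default-deny at the routing layer: a container only gets a router when
      # it carries traefik.enable=true, so a newly discovered container is
      # unreachable until someone decides which rule applies to it.
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      # Access log: shows the client IP Traefik actually sees, which is what
      # the allowlist is evaluated against.
      - --accesslog=true
    ports:
      - "15085:80"
    volumes:
      # Read-only is enough for discovery; the socket still grants broad
      # control over the Docker host, so keep the Traefik container trusted.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    labels:
      - "traefik.enable=true"
      # Middleware definitions are global to the docker provider: define the
      # LAN allowlist once and reference it from any router as lan-only@docker.
      # Requests from other source IPs get HTTP 403. (Range is an assumption.)
      - "traefik.http.middlewares.lan-only.ipwhitelist.sourcerange=192.168.20.0/24"

  # LAN-only service: gets the allowlist (the "global default" case).
  sonarr:
    image: linuxserver/sonarr   # assumed image
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.sonarr.rule=Host(`sonarr.mydomain`)"
      - "traefik.http.routers.sonarr.entrypoints=web"
      # Attaching the middleware is the step that makes it apply; a middleware
      # that is defined but not listed on a router does nothing.
      - "traefik.http.routers.sonarr.middlewares=lan-only@docker"

  # Internet-reachable service: the specific exception. The firewall already
  # limits what reaches this host to the forwarded ports, so "allow from the
  # Internet" is expressed by attaching no IP allowlist to this router.
  radarr:
    image: linuxserver/radarr   # assumed image
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.radarr.rule=Host(`radarr.mydomain`)"
      - "traefik.http.routers.radarr.entrypoints=web"
```

Two checks before trusting the allowlist. With the access log on, connect from a LAN client and confirm the logged client address is the client's own IP; if it is the Docker bridge gateway (a 172.x address) the source IP is being rewritten before it reaches Traefik and no `sourcerange` can distinguish clients. If another reverse proxy sits in front of Traefik, the real client IP is only available in `X-Forwarded-For`, and the middleware must be told to read it with `ipwhitelist.ipstrategy.depth`; without a trusted proxy in front, leave that unset, since a client can otherwise forge the header. Later 2.x releases add an entrypoint-level default chain (`entrypoints.web.http.middlewares`), but it is prepended to every router's own middlewares rather than replaced by them, so it cannot serve as an overridable default for the Internet-facing exception. Finally, `--api.insecure=true` with the dashboard port published exposes the full routing configuration to anyone who can reach that port; keep it LAN-only or put it behind its own router with the same allowlist.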