How to limit Internet traffic to some containers only?

I host on a docker server several services. Some of these services are intended for internal use only, some are exposed to Internet.

My current solution for this is to:

  • forward the port 443 exposed on Internet to my Traefik instance (which also runs in a docker container)
    • for the containers which are exposed to Internet: enable TLS (and use Let's Encrypt for the certificates) → they are immediately made available to Internet traffic
    • for containers intended to be LAN-only: do not use HTTPS

This works but is just a hack (and it means I do not have HTTPS in the LAN which is not a real problem but still annoying).

What I would like to achieve is the ability to filter containers based on the IP of the requester (which I see as X-Real-IP in Traefik logs):

  • all traffic would be limited to the LAN IP ranges only
  • containers expected to receive Internet traffic would be explicitly allowed (via a label I believe).

This is a basic requirement for a web proxy but for some reason I cannot find any relevant documentation or question on the topic.

I had hopes for the IpWhitelist middleware but I never managed to get it to work. It may be the fact that I do not have an X-Forwarded-For header in my requests? (I do not see it in the logs, but X-Real-IP is there). Besides that, I would like a default "LAN only" approach and an explicit "Internet allowed" which I do not know how to even approach.
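For reference, this is the shape of a per-router `ipWhiteList` setup with Traefik v2 Docker labels (an added example, not part of the question): one service restricted to the LAN source range and one left reachable from the Internet. The LAN range, hostnames, image names, the `websecure` entrypoint and the `letsencrypt` resolver are placeholders for the asker's own values.

```yaml
# Added example: Traefik v2 docker-provider labels, not the asker's compose file.
# Placeholder values: 192.168.1.0/24 (LAN range), hostnames, images,
# entrypoint "websecure" and certificate resolver "letsencrypt".
services:
  internal-app:
    image: example/internal-app        # placeholder image
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.internal-app.rule=Host(`internal.example.lan`)"
      - "traefik.http.routers.internal-app.entrypoints=websecure"
      - "traefik.http.routers.internal-app.tls=true"
      # Middleware definition: only these source ranges may reach routers that use it.
      - "traefik.http.middlewares.lan-only.ipwhitelist.sourcerange=192.168.1.0/24,127.0.0.1/32"
      # Attach the middleware to this router only.
      - "traefik.http.routers.internal-app.middlewares=lan-only@docker"

  public-app:
    image: example/public-app          # placeholder image
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.public-app.rule=Host(`public.example.com`)"
      - "traefik.http.routers.public-app.entrypoints=websecure"
      - "traefik.http.routers.public-app.tls.certresolver=letsencrypt"
      # No ipwhitelist middleware attached: this router accepts Internet traffic.
```

Unless an `ipStrategy` is configured, `ipWhiteList` checks the TCP remote address of the incoming connection, not a forwarded header, so a missing X-Forwarded-For on requests arriving directly from the router does not by itself prevent the middleware from matching.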