I host on a docker server several services. Some of these services are intended for internal use only, some are exposed to Internet.
My current solution for this is to:
- forward the port
443exposed on Internet to my Traefik instance (which also runs in a docker container)
- for the containers which are exposed to Internet: enable TLS (and use Let's Encrypt for the certificates) → they are immediately made available to Internet traffic
- for containers intended to be LAN-only: do not use HTTPS
This works but is just a hack (and it means I do not have HTTPS in the LAN which is not a real problem but still annoying).
What I would like to achieve is the ability to filter containers based on the IP of the requester (which I see as
X-Real-IP in Traefik logs):
- all traffic would be limited to the LAN IP ranges only
- containers expected to receive Internet traffic would be explicitly allowed (via a label I believe).
This is a basic requirement for a web proxy but for some reason I cannot find any relavant documentation or question on the topic.
I had hopes in the
IpWhitelist middleware but I never managed to get it to work. It may be the fact that I do not have a
X-Forwarded-For header in my requests? (I do not see it in the logs, but
X-Real-IP is there). Beside that, I would like a default "LAN only" approach and explicit "Internet allowed" which I do not know how to even approach.