How to properly apply Geoblock plugin to traefik setup

Hi,

I'm trying to install the GeoBlock plugin by Pascal Minder locally in my traefik setup

Only US ip addresses should be allowed. With my current setup I am able to access the website from a different country so something must be broken...
traefik+crowdsec+portainer are currently installed via docker compose.

I have read guides and watched YouTube videos on docker+traefik+crowdsec but have not found a solution to my issue. Apologies in advance as I have just stepped into the traefik world, which I find amazing! :slight_smile:

In order to install the plugin...

cd /home/pi/docker/traefik/
wget https://github.com/PascalMinder/geoblock/archive/refs/tags/v0.2.7.zip
unzip v0.2.7.zip
mv geoblock-0.2.7/ geoblock

And then, the link to data-compose.yml, traefik.yaml and config.yml (new user, not allowed to include so much code)

Following:

sudo docker stop traefik
sudo docker compose up -d --force-recreate
sudo docker logs traefik

Apparently the traefik log shows no errors:

sudo docker logs traefik
time="2024-01-24T14:53:21+01:00" level=info msg="Configuration loaded from file: /traefik.yml"

Still, if I access the website via VPN from e.g. France, the site traefik-dashboard.website.com is accessible, and it shouldn't be.

Plus, if there are more websites, e.g. earth dot website dot com and mars dot website dot com, they should be blocked as well unless accessed from the US. Should the same setup (that I fail to properly configure) be replicated for each container?
E.g. apply geoblock to the container earth yml files as in the traefik dashboard, so that the geoblock is also applied to earth dot website dot com?

Feedback is much appreciated.

Share your full Traefik static and dynamic config.

@bluepuma77 Thank you for your interest. Please, find the link below (fixed):
There are three files:
docker-compose.yml
traefik.yaml
config.yml

Even if I add a reference to mygeoblock@file in each entrypoint:

entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
      middlewares:
        - crowdsec-bouncer@file
        - mygeoblock@file
  https:
    address: ":443"
    http:
      middlewares:
        - crowdsec-bouncer@file
        - mygeoblock@file

the log will report:

INFO: GeoBlock: 2024/01/24 19:47:50 allow local IPs: true
INFO: GeoBlock: 2024/01/24 19:47:50 log local requests: false
INFO: GeoBlock: 2024/01/24 19:47:50 log allowed requests: false
INFO: GeoBlock: 2024/01/24 19:47:50 log api requests: true
INFO: GeoBlock: 2024/01/24 19:47:50 API uri: https://get.geojs.io/v1/ip/country/{ip}
INFO: GeoBlock: 2024/01/24 19:47:50 API timeout: 750
INFO: GeoBlock: 2024/01/24 19:47:50 cache size: 15
INFO: GeoBlock: 2024/01/24 19:47:50 force monthly update: true
INFO: GeoBlock: 2024/01/24 19:47:50 allow unknown countries: false
INFO: GeoBlock: 2024/01/24 19:47:50 unknown country api response: nil
INFO: GeoBlock: 2024/01/24 19:47:50 blacklist mode: false
INFO: GeoBlock: 2024/01/24 19:47:50 add country header: false
INFO: GeoBlock: 2024/01/24 19:47:50 countries: [US]
INFO: GeoBlock: 2024/01/24 19:48:06 Get "https://get.geojs.io/v1/ip/country/1.2.3.4": tls: failed to verify certificate: x509: certificate is valid for blah.bleh.traefik.default, not get.geojs.io
INFO: GeoBlock: 2024/01/24 19:48:20 Get "https://get.geojs.io/v1/ip/country/1.2.3.4": tls: failed to verify certificate: x509: certificate is valid for blah.bleh.traefik.default, not get.geojs.io
INFO: GeoBlock: 2024/01/24 19:48:38 Get "https://get.geojs.io/v1/ip/country/1.2.3.4": tls: failed to verify certificate: x509: certificate is valid for blah.bleh.traefik.default, not get.geojs.io
INFO: GeoBlock: 2024/01/24 19:49:06 Get "https://get.geojs.io/v1/ip/country/1.2.3.4": tls: failed to verify certificate: x509: certificate is valid for blah.bleh.traefik.default, not get.geojs.io
INFO: GeoBlock: 2024/01/24 19:49:21 Get "https://get.geojs.io/v1/ip/country/1.2.3.4": tls: failed to verify certificate: x509: certificate is valid for blah.bleh.traefik.default, not get.geojs.io
INFO: GeoBlock: 2024/01/24 19:49:38 Get "https://get.geojs.io/v1/ip/country/1.2.3.4": tls: failed to verify certificate: x509: certificate is valid for blah.bleh.traefik.default, not get.geojs.io

It seems there is an open issue about that.
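As an added example (mine, not code from the thread, from Traefik or from the plugin's own docs), here are the three pieces that together produce the "INFO: GeoBlock" startup lines shown above and that answer the question of whether every container needs its own geoblock setup. Assumptions: the plugin was unzipped to ./geoblock as in the first post and is mounted where Traefik looks for local plugins; the image tag is a guess; crowdsec-bouncer is defined elsewhere in config.yml and not shown; the option names follow the plugin README as I know it for v0.2.x, so verify them against the README inside the zip you downloaded.

```yaml
# --- docker-compose.yml (excerpt, assumed): mount the unzipped plugin where
# Traefik expects local plugins, ./plugins-local/src/<moduleName> relative to
# its working directory, which is / in the official image.
services:
  traefik:
    image: traefik:v2.11           # assumed tag; any 2.x with localPlugins works
    volumes:
      - ./traefik.yaml:/traefik.yml:ro
      - ./config.yml:/config.yml:ro
      - ./geoblock:/plugins-local/src/github.com/PascalMinder/geoblock:ro
---
# --- traefik.yaml (static, loaded as /traefik.yml): register the local plugin
# and attach the middleware to both entryPoints. Every router that uses these
# entryPoints inherits the middleware chain, so no per-container labels are
# needed for earth/mars/dashboard.
experimental:
  localPlugins:
    geoblock:
      moduleName: github.com/PascalMinder/geoblock

providers:
  file:
    filename: /config.yml

entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
      middlewares:
        - crowdsec-bouncer@file    # defined in config.yml, not shown here
        - mygeoblock@file
  https:
    address: ":443"
    http:
      middlewares:
        - crowdsec-bouncer@file
        - mygeoblock@file
---
# --- config.yml (dynamic, file provider): the middleware itself. The values
# mirror the startup lines the plugin logged in the thread.
http:
  middlewares:
    mygeoblock:
      plugin:
        geoblock:
          allowLocalRequests: true          # RFC1918/loopback clients skip the check
          logLocalRequests: false
          logAllowedRequests: false
          logApiRequests: true
          api: "https://get.geojs.io/v1/ip/country/{ip}"
          apiTimeoutMs: 750
          cacheSize: 15
          forceMonthlyUpdate: true
          allowUnknownCountries: false
          unknownCountryApiResponse: "nil"
          blackListMode: false              # false = countries is an allow list
          addCountryHeader: false
          countries:
            - US
```

Two things to keep in mind when testing this. Middlewares attached at the entryPoint run in the listed order for every router on that entryPoint, and a router-level middleware (for example a Docker label on the earth container) is appended to that chain rather than replacing it, so one definition covers all hosts. And with allowLocalRequests: true, any client with a private or loopback address bypasses the country check entirely, so a test from inside the LAN will always succeed; test from an outside address as the first post did, and remember the plugin needs working DNS and outbound TLS to get.geojs.io from inside the container to decide anything at all.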

Go into your Traefik container and try

wget https://get.geojs.io/v1/ip/country/

If it does not work, your network might block or force-proxy it.

Or the service has changed the API, which can be set in config

api: "https://get.geojs.io/v1/ip/country/{ip}"

Thank you @bluepuma77 once more. I think the issue is on their side. Their domain is related to three different IPs.

pi@raspberrypi:~/docker/traefik $ ping 104.26.1.100
PING 104.26.1.100 (104.26.1.100) 56(84) bytes of data.
64 bytes from 104.26.1.100: icmp_seq=1 ttl=58 time=116 ms
64 bytes from 104.26.1.100: icmp_seq=2 ttl=58 time=67.5 ms

pi@raspberrypi:~/docker/traefik $ ping 172.67.70.233
PING 172.67.70.233 (172.67.70.233) 56(84) bytes of data.
64 bytes from 172.67.70.233: icmp_seq=1 ttl=58 time=37.1 ms
64 bytes from 172.67.70.233: icmp_seq=2 ttl=58 time=31.8 ms
64 bytes from 172.67.70.233: icmp_seq=3 ttl=58 time=36.9 ms

pi@raspberrypi:~/docker/traefik $ ping 104.26.1.100
PING 104.26.1.100 (104.26.1.100) 56(84) bytes of data.
64 bytes from 104.26.1.100: icmp_seq=1 ttl=58 time=24.2 ms
64 bytes from 104.26.1.100: icmp_seq=2 ttl=58 time=26.3 ms

But, as per their own documentation:

pi@raspberrypi:~/docker/traefik $ wget https://get.geojs.io/v1/ip/country/8.8.8.8
--2024-01-24 21:32:14--  https://get.geojs.io/v1/ip/country/8.8.8.8
Resolving get.geojs.io (get.geojs.io)... 0.0.0.0, 2606:4700:20::681a:164, 2606:4700:20::ac43:46e9, ...
Connecting to get.geojs.io (get.geojs.io)|0.0.0.0|:443... connected.
ERROR: The certificate of ‘get.geojs.io’ is not trusted.
ERROR: The certificate of ‘get.geojs.io’ doesn't have a known issuer.
The certificate's owner does not match hostname ‘get.geojs.io’

Here is the thing: I can successfully call this with my web browser without a TLS error.

https://get.geojs.io/v1/ip/country

So it might be a network issue on your side. Do you run something like PiHole or AdGuard? Your own DNS server?

Thank you. Yes, I'm running AdGuard+unbound on a different server (static 192.168.1.10). The router is configured to forward DNS requests to 192.168.1.10 (Router has setting 192.168.1.10 as Primary DNS, no secondary DNS set) and AdGuard is blocking ads LAN-wide so all good.

From Firefox in my mobile connected to WiFi and Primary DNS set to 192.168.1.10
https://get.geojs.io/v1/ip/country
produces an error

From Firefox on my mobile connected to WiFi, if the primary DNS is set to 1.1.1.1
https://get.geojs.io/v1/ip/country
shows
US

The issue is then in my AdGuard+unbound setup which, strangely enough, blocks all sorts of ads alright.

So, AdGuard server (192.168.1.10) shut down and Primary DNS 1.1.1.1 in the router.

So now, from the other server:

pi@raspberrypi:~/docker/traefik $ wget https://get.geojs.io/v1/ip/country
--2024-01-24 23:20:21--  https://get.geojs.io/v1/ip/country
Resolving get.geojs.io (get.geojs.io)... 104.26.0.100, 172.67.70.233, 104.26.1.100, ...
Connecting to get.geojs.io (get.geojs.io)|104.26.0.100|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]
Saving to: ‘country’

country    [ <=> ]    3  --.-KB/s    in 0s

2024-01-24 23:20:21 (402 KB/s) - ‘country’ saved [3]

pi@alpha:~/docker/traefik $ cat country
US

So good. Time to troubleshoot what's going on with AdGuard, not here, different community. I think I'll reply to the GitHub message as it may be of help.

Thank you very much for your kind attention.
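The two log excerpts above already contain the whole failure chain: the filtering resolver answered 0.0.0.0 for get.geojs.io (the blocking answer AdGuard hands out), a connect to 0.0.0.0:443 on Linux lands on the local machine, and on this host and inside the container that port is Traefik's own listener, which presents the certificate Traefik generates for itself under the traefik.default name. That is exactly "certificate is valid for ….traefik.default, not get.geojs.io". Below is a small preflight script that checks both symptoms before the plugin has to; it is an added example of mine, not code from the thread, from Traefik or from the plugin. The sinkhole address set and the *.traefik.default heuristic are my assumptions about how these DNS filters and Traefik behave. It needs only python3 and the standard library, and is meant to be run on the Docker host, which uses the same resolver the container inherits.

```python
#!/usr/bin/env python3
"""Preflight check for a geoblock deployment: does the country-lookup API resolve
to real addresses, and does the certificate it presents actually belong to it?

Added example, not part of the thread, Traefik or the plugin. Usage:
    python3 geoapi_preflight.py            # checks get.geojs.io
    python3 geoapi_preflight.py other.host
"""
import socket
import ssl
import sys

API_HOST = "get.geojs.io"

# Assumption: these are the answers a DNS filter (AdGuard, Pi-hole) returns for a
# blocked name. A connect() to 0.0.0.0 or :: reaches the local machine, so from
# inside the Traefik container the "API" is Traefik's own :443, which serves the
# self-generated certificate with a name under traefik.default.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def classify_answers(addrs):
    """Classify resolver answers as 'empty', 'sinkhole' or 'ok'.

    A single poisoned answer is enough to fail: the Go resolver in Traefik may
    try that address first, as wget did in the thread."""
    addrs = list(addrs)
    if not addrs:
        return "empty"
    if any(a in SINKHOLE_ADDRS for a in addrs):
        return "sinkhole"
    return "ok"


def san_covers_host(hostname, san_name):
    """Minimal RFC 6125 matching: exact name, or a single left-most wildcard label."""
    host = hostname.lower().rstrip(".")
    san = san_name.lower().rstrip(".")
    if san.startswith("*."):
        h_labels, s_labels = host.split("."), san.split(".")
        return len(h_labels) == len(s_labels) and h_labels[1:] == s_labels[1:]
    return host == san


def classify_cert(hostname, san_names):
    """'ok' if any SAN covers hostname, 'traefik-default' if the certificate is
    Traefik's generated one (the thread's symptom), otherwise 'mismatch'."""
    if any(san_covers_host(hostname, n) for n in san_names):
        return "ok"
    if any(n.lower().endswith(".traefik.default") for n in san_names):
        return "traefik-default"
    return "mismatch"


def diagnose(hostname, addrs, san_names):
    """Combine both checks into a list of findings; an empty list means healthy."""
    findings = []
    dns = classify_answers(addrs)
    if dns != "ok":
        findings.append(f"dns:{dns}")
    cert = classify_cert(hostname, san_names)
    if cert != "ok":
        findings.append(f"tls:{cert}")
    return findings


def live_dns(hostname):
    """All A/AAAA answers the system resolver returns for hostname."""
    infos = socket.getaddrinfo(hostname, 443, type=socket.SOCK_STREAM)
    return sorted({ai[4][0] for ai in infos})


def live_tls(hostname, timeout=5.0):
    """DNS SANs of the server certificate after a fully verified handshake.
    Raises ssl.SSLCertVerificationError on an untrusted or mismatched cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else API_HOST
    answers = live_dns(host)
    print("dns answers:", answers, "->", classify_answers(answers))
    try:
        sans = live_tls(host)
        print("tls:", classify_cert(host, sans), sans)
    except ssl.SSLCertVerificationError as exc:
        # Same class of failure the plugin and wget reported in the thread.
        print("tls: verification failed:", exc.verify_message)
    except OSError as exc:
        print("tls: connect failed:", exc)
```

If the DNS line prints "sinkhole", fix the resolver (whitelist the domain in AdGuard, as the next reply says) before touching any Traefik config; a cert result of "traefik-default" is the tell-tale that the lookup looped back into Traefik itself rather than a man-in-the-middle on the path.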

You probably need to whitelist the domain get.geojs.io.

I had the same problem and whitelisting this domain instantly fixed the issue. Thanks!

@bluepuma77 Thank you for your indication. Action taken - issue fixed :+1:
