How to whitelist dynamic host IP

The ipwhitelist middleware nicely provides access control via white-list IPs and IP ranges, but it does not access or handle hostnames.

I'd like to whitelist the IP which a dyndns domain name points to, which is dynamically assigned by a provider, i.e. the IP my.host.com resolves to at the time traefik receives a request to my service.

Is there a way to achieve this?

Apache seems to do this like so:

<RequireAny>
  Require forward-dns my.host.com
  Require forward-dns my.otherhost.com
</RequireAny>

IPwhitelist middleware is configured via dynamic configuration. You can use a provider.file in your static Traefik configuration to load it. This can be watched and automatically reloaded. With that enabled you can create a simple automatic script with cron to create and update your IP configuration.

Thanks for that contribution @bluepuma77, your work-around is working, two comments:

  1. When updating the new dynamic config provider file, I was careful to do this in a way that will not change the inode of the existing file, as that could break traefik's watch mechanism:
      # write to a temp file, then copy the bytes back over the original (keeps the inode)
      sed "s/$entry/$new_entry/" < "$DYN_FILE" > "$TMP_FILE"
      cat "$TMP_FILE" > "$DYN_FILE"
  2. While the solution is quite neat, it still introduces a max delay of 5 mins (cron job interval) before an IP change becomes visible to traefik (on top of the duration taken to propagate the change to DNS servers). During this time users of the app will see a 404 page. If traefik were to perform the lookup when a page is requested, this delay disappears (at the cost of the lookup on every access). In my view this would be the 'correct' solution, as apache has implemented.

Something like allowing a Host entry (as used in router rule) in ipwhitelist would be nice:

- "traefik.http.middlewares.my-ipwhitelist.ipwhitelist.sourcerange=Host(`my.host.com`), 218.43.18.0/24"
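The cron-driven work-around from the two posts above, written out as an added example (not code from the thread or from Traefik): it resolves the dyndns name, renders a file-provider fragment for the ipWhiteList middleware, and rewrites the file in place so the inode stays the same. The middleware name `dyn-ipwhitelist`, the YAML layout, and the use of `getent`/`dig` for resolution are assumptions.

```shell
#!/bin/sh
# Added example: keep a Traefik file-provider dynamic config in sync with
# the IPv4 address a DynDNS name currently resolves to.
# Assumptions: middleware named "dyn-ipwhitelist", YAML dynamic config,
# and `getent` (glibc) or `dig` available for name resolution.
set -eu

# Resolve a hostname to its first IPv4 address (prints nothing on failure).
resolve_ipv4() {
    host="$1"
    if command -v getent >/dev/null 2>&1; then
        getent ahostsv4 "$host" 2>/dev/null | awk 'NR==1 {print $1}'
    else
        dig +short A "$host" 2>/dev/null | awk '/^[0-9.]+$/ {print; exit}'
    fi
}

# Render the dynamic-config fragment: the resolved host IP as a /32 plus
# any fixed CIDRs passed as extra arguments.
render_config() {
    ip="$1"; shift
    printf 'http:\n  middlewares:\n    dyn-ipwhitelist:\n      ipWhiteList:\n        sourceRange:\n'
    printf '          - "%s/32"\n' "$ip"
    for cidr in "$@"; do printf '          - "%s"\n' "$cidr"; done
}

# Overwrite FILE with CONTENT without replacing its inode: `>` truncates
# and rewrites in place, whereas `mv` of a temp file would swap in a new
# inode and can confuse the file watcher. Returns 1 when nothing changed,
# so a caller can tell a real update from a no-op.
write_in_place() {
    file="$1"; content="$2"
    if [ -f "$file" ] && [ "$(cat "$file")" = "$content" ]; then
        return 1
    fi
    printf '%s\n' "$content" > "$file"
}

# Inode of a file, portable across GNU and BSD userland.
inode_of() { ls -i "$1" | awk '{print $1}'; }

# Cron/loop entry point, e.g.: sync_host my.host.com /etc/traefik/dyn/whitelist.yml 10.0.0.0/8
# On a resolution failure the old list is kept rather than emptied.
sync_host() {
    host="$1"; file="$2"; shift 2
    ip="$(resolve_ipv4 "$host")"
    [ -n "$ip" ] || { echo "could not resolve $host, keeping old list" >&2; return 2; }
    if write_in_place "$file" "$(render_config "$ip" "$@")"; then
        echo "updated $file: $host -> $ip"
    fi
}
```

Pointing a `providers.file.directory` with `watch: true` at the output file and calling `sync_host` from a one-minute cron entry gives the behaviour described above; the delay until Traefik sees a new address is then bounded by the cron interval plus DNS propagation.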

Cron can run every minute; alternatively you can run your script continuously with a 10-second sleep.

DNS is a beast because data is passed through a hierarchy, and even though there is usually a TTL, not every DNS server in the chain will respect a very short time. So the response might be cached and old, despite the target IP already being a different one. Dyn-DNS is not for high availability.