IP filtering works randomly

Hello,

I would like to set up IP filtering on my DokuWiki container. For this, I have implemented the configuration below, but the filtering works randomly. Sometimes the filtering works, but after a container restart, it no longer works, then after another restart, it sometimes works again.

Here is my docker-compose.yml file:

version: "3"

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik-data/traefik.yml:/traefik.yml:ro
      - ./traefik-data/acme.json:/acme.json
      - ./traefik-data/configurations:/configurations
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.domain.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=user-auth@file"
      - "traefik.http.routers.traefik-secure.service=api@internal"

  dokuwiki:
    image: lscr.io/linuxserver/dokuwiki:latest
    container_name: dokuwiki
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
    volumes:
      - /home/Traefik/dokuwiki/config:/config
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dokuwiki.rule=Host(`wiki.domain.com`)"
      - "traefik.http.routers.dokuwiki-https.rule=Host(`wiki.domain.com`)"
      - "traefik.http.routers.wokuwiki-https.entrypoints=websecure"
      - "traefik.http.routers.dokuwiki-https.tls=true"
      - "traefik.http.routers.dokuwiki.middlewares=filter-ipwhitelist@file"
    networks:
      - proxy

networks:
  proxy:
    external: true

My traefik.yml file:

api:
  dashboard: true

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure

  websecure:
    address: :443
    http:
      middlewares:
        - secureHeaders@file
        - user-auth@file
      tls:
        certResolver: letsencrypt

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /configurations/dynamic.yml

certificatesResolvers:
  letsencrypt:
    acme:
      email: mail@gmail.com
      storage: acme.json
      keyType: EC384
      httpChallenge:
        entryPoint: web

And my dynamic.yml file:

# Dynamic configuration
http:
  middlewares:
    secureHeaders:
      headers:
        sslRedirect: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
    filter-ipwhitelist:
      ipWhiteList:
        sourceRange:
          - "X.X.X.X/32"
    user-auth:
      basicAuth:
        users:
          - "admin:********************************"

tls:
  options:
    default:
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      minVersion: VersionTLS12

If I have forgotten any important details that would help you assist me, please do not hesitate to let me know. Thank you in advance.

Does it continuously not work or just during a small time window like 30 seconds (which would be bad enough)?

It doesn't work all the time.

I think I've found the reason, so I analyzed the access_log file.

When filtering works, I had this request:

X.X.X.X - - [11/Feb/2024:20:06:57 +0000] "GET / HTTP/2.0" 403 9 "-" "-" 363 "websecure-dokuwiki@docker" "-" 0ms
X.X.X.X - - [11/Feb/2024:20:06:58 +0000] "GET / HTTP/2.0" 403 9 "-" "-" 364 "websecure-dokuwiki@docker" "-" 0ms

When filtering didn't work I had this request:

X.X.X.X - - [11/Feb/2024:20:14:27 +0000] "GET / HTTP/2.0" 200 12948 "-" "-" 476 "websecure-dokuwiki-https@docker" "http://172.22.0.10:80" 54ms
X.X.X.X - - [11/Feb/2024:20:14:28 +0000] "GET /lib/images/license/button/cc-by-sa.png HTTP/2.0" 200 379 "-" "-" 479 "websecure-dokuwiki-https@docker" "http://172.22.0.10:80" 1ms
X.X.X.X - - [11/Feb/2024:20:14:28 +0000] "GET /lib/exe/css.php?t=dokuwiki&tseed=9865b10d17da203d18628985c5890089 HTTP/2.0" 200 108086 "-" "-" 477 "websecure-dokuwiki-https@docker" "http://172.22.0.10:80" 85ms

So I left the following labels and it works:

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dokuwiki.rule=Host(`wiki.domain.com`)"
      - "traefik.http.routers.dokuwiki.middlewares=filter-ipwhitelist@file"

Since I made this change, it works every time.
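
An added example, not part of the thread and not Traefik's own code: a label check for the situation the access log above shows, where the same Host rule is served by two routers and only one of them carries the filter-ipwhitelist middleware. It also reports routers that have options but no rule label, which is how the wokuwiki-https label in the original compose file shows up; the function names and finding tags are assumptions of this example.

```python
import re
from collections import defaultdict

# Input: the dokuwiki service labels from the original compose file in this thread.
LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.dokuwiki.rule=Host(`wiki.domain.com`)",
    "traefik.http.routers.dokuwiki-https.rule=Host(`wiki.domain.com`)",
    "traefik.http.routers.wokuwiki-https.entrypoints=websecure",
    "traefik.http.routers.dokuwiki-https.tls=true",
    "traefik.http.routers.dokuwiki.middlewares=filter-ipwhitelist@file",
]
ROUTER_LABEL = re.compile(r"^traefik\.http\.routers\.([^.]+)\.([^=]+)=(.*)$")


def parse_routers(labels):
    """Return {router_name: {option: value}}, ignoring non-router labels."""
    routers = defaultdict(dict)
    for label in labels:
        m = ROUTER_LABEL.match(label.strip())
        if m:
            name, option, value = m.groups()
            routers[name][option.lower()] = value
    return dict(routers)


def audit(labels):
    """Flag routers without a rule, and same-rule routers missing a sibling's middleware."""
    routers = parse_routers(labels)
    by_rule, findings = defaultdict(list), []
    for name, opts in sorted(routers.items()):
        if "rule" not in opts:
            findings.append(("no-explicit-rule", name, sorted(opts)))
        else:
            by_rule[opts["rule"]].append(name)
    for names in by_rule.values():
        mws = {n: {m.strip() for m in routers[n].get("middlewares", "").split(",") if m.strip()}
               for n in names}
        union = set().union(*mws.values())
        for n in names:
            missing = union - mws[n]  # middlewares a router with the same rule has, this one lacks
            if missing:
                findings.append(("unprotected-duplicate", n, sorted(missing)))
    return findings


if __name__ == "__main__":
    for finding in audit(LABELS):
        print(finding)
```

Run against the three labels kept in the last post, the same check returns no findings.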