ipAllowList doesn't allowing an allowed IP

xcassanello · October 26, 2024, 9:58am

Hello,

I'm using this tag on my pi-hole container to filter request comming from other docker networks (where i have my VPN):
- "traefik.http.middlewares.pi-hole-ipallowlist.ipallowlist.sourcerange=172.18.0.0/24"
I get 403 forbidden anyway, if i use or i dont use my VPN.
Without VPN, my real IP is logged by traefik:

{
  "ClientAddr": "91.xx.xx.xx:40692",
  "ClientHost": "91.xx.xx.xx",
  "ClientPort": "40692",
  "DownstreamContentSize": 341,
  "DownstreamStatus": 403,
  "Duration": 4409630,
  "OriginContentSize": 341,
  "OriginDuration": 4257301,
  "OriginStatus": 403,
  "Overhead": 152329,
  "RequestAddr": "my.domain.com",
  "RequestContentSize": 0,
  "RequestCount": 47,
  "RequestHost": "my.domain.com",
  "RequestMethod": "GET",
  "RequestPath": "/",
  "RequestPort": "-",
  "RequestProtocol": "HTTP/2.0",
  "RequestScheme": "https",
  "RetryAttempts": 0,
  "RouterName": "pi-hole@docker",
  "ServiceAddr": "172.19.1.3:80",
  "ServiceName": "pi-hole@docker",
  "ServiceURL": "http://172.19.1.3:80",
  "StartLocal": "2024-10-26T09:42:56.22315496Z",
  "StartUTC": "2024-10-26T09:42:56.22315496Z",
  "TLSCipher": "TLS_AES_128_GCM_SHA256",
  "TLSVersion": "1.3",
  "downstream_Content-Length": "341",
  "downstream_Content-Type": "text/html",
  "downstream_Date": "Sat, 26 Oct 2024 09:42:56 GMT",
  "downstream_Server": "lighttpd/1.4.59",
  "entryPointName": "https",
  "level": "info",
  "msg": "",
  "origin_Content-Length": "341",
  "origin_Content-Type": "text/html",
  "origin_Date": "Sat, 26 Oct 2024 09:42:56 GMT",
  "origin_Server": "lighttpd/1.4.59",
  "request_Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8",
  "request_Accept-Encoding": "gzip, deflate, br, zstd",
  "request_Accept-Language": "es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3",
  "request_Cookie": "PHPSESSID=####",
  "request_Priority": "u=0, i",
  "request_Sec-Fetch-Dest": "document",
  "request_Sec-Fetch-Mode": "navigate",
  "request_Sec-Fetch-Site": "none",
  "request_Sec-Fetch-User": "?1",
  "request_Te": "trailers",
  "request_Upgrade-Insecure-Requests": "1",
  "request_User-Agent": "REDACTED",
  "request_X-Forwarded-Host": "my.domain.com",
  "request_X-Forwarded-Port": "443",
  "request_X-Forwarded-Proto": "https",
  "request_X-Forwarded-Server": "830654571df4",
  "request_X-Real-Ip": "91.xx.xx.xx",
  "time": "2024-10-26T09:42:56Z"
}

And if i Use VPN:

{
  "ClientAddr": "172.18.0.1:35062",
  "ClientHost": "172.18.0.1",
  "ClientPort": "35062",
  "DownstreamContentSize": 341,
  "DownstreamStatus": 403,
  "Duration": 1846845,
  "OriginContentSize": 341,
  "OriginDuration": 1758575,
  "OriginStatus": 403,
  "Overhead": 88270,
  "RequestAddr": "my.domain.com",
  "RequestContentSize": 0,
  "RequestCount": 52,
  "RequestHost": "my.domain.com",
  "RequestMethod": "GET",
  "RequestPath": "/",
  "RequestPort": "-",
  "RequestProtocol": "HTTP/2.0",
  "RequestScheme": "https",
  "RetryAttempts": 0,
  "RouterName": "pi-hole@docker",
  "ServiceAddr": "172.19.1.3:80",
  "ServiceName": "pi-hole@docker",
  "ServiceURL": "http://172.19.1.3:80",
  "StartLocal": "2024-10-26T09:45:07.241544857Z",
  "StartUTC": "2024-10-26T09:45:07.241544857Z",
  "TLSCipher": "TLS_AES_128_GCM_SHA256",
  "TLSVersion": "1.3",
  "downstream_Content-Length": "341",
  "downstream_Content-Type": "text/html",
  "downstream_Date": "Sat, 26 Oct 2024 09:45:07 GMT",
  "downstream_Server": "lighttpd/1.4.59",
  "entryPointName": "https",
  "level": "info",
  "msg": "",
  "origin_Content-Length": "341",
  "origin_Content-Type": "text/html",
  "origin_Date": "Sat, 26 Oct 2024 09:45:07 GMT",
  "origin_Server": "lighttpd/1.4.59",
  "request_Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8",
  "request_Accept-Encoding": "gzip, deflate, br, zstd",
  "request_Accept-Language": "es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3",
  "request_Cookie": "PHPSESSID=####",
  "request_Priority": "u=0, i",
  "request_Sec-Fetch-Dest": "document",
  "request_Sec-Fetch-Mode": "navigate",
  "request_Sec-Fetch-Site": "none",
  "request_Sec-Fetch-User": "?1",
  "request_Te": "trailers",
  "request_Upgrade-Insecure-Requests": "1",
  "request_User-Agent": "REDACTED",
  "request_X-Forwarded-Host": "my.domain.com",
  "request_X-Forwarded-Port": "443",
  "request_X-Forwarded-Proto": "https",
  "request_X-Forwarded-Server": "830654571df4",
  "request_X-Real-Ip": "172.18.0.1",
  "time": "2024-10-26T09:45:07Z"
}

I'm getting 403 even through IP 172.18.0.1 is within 172.18.0.0/24 network. I've also tried 172.18.0.1/24 with not success, also 172.18.0.1/32. What am i missing?

Thank you.

bluepuma77 · October 26, 2024, 4:30pm

Did you try 172.18.0.1 (without range) just for fun?

xcassanello · October 28, 2024, 10:25am

My apologies, it actually was the container (pihole) who was returning 403 in root path ("/"). i get a 200 response in /admin. Now my issue is that the ipAllowList is not filtering out the IP addresses not in the list (i've keep the configuration but i can access from anywhere to my pihole management), but i guess that's another topic

system · October 31, 2024, 10:25am

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
IpWhileList Middleware Traefik v3 (latest) docker , middleware	0	24	February 25, 2025
IPAllowList limits allowed requests based on the client IP Traefik v3 (latest) docker , middleware	3	118	November 10, 2024
Ip_whitelist.go:70 > Rejecting IP 172.28.0.1 Traefik v3 (latest) docker , middleware	18	513	January 25, 2025
Middleware ipAllowList SOMETIMES returns 403 Forbidden on local network Traefik v3 (latest) file , middleware	13	981	July 23, 2024
Assistance with setting up ipAllowList Traefik v3 (latest) docker	1	92	February 11, 2025

ipAllowList doesn't allowing an allowed IP

Related topics