ipAllowList & X-Forwarded-For & X-Real-Ip

rxunique · April 25, 2024, 10:20am

I'm going against a wall with using ipAllowList for my internal services. It's easy enough to setup in the simplest case, but adding in Cloudflare DNS Proxy and Tailscale, it's becoming a massive headache that I couldn't figure out.

Here's my journey so far.

First, adding forwardedHeaders.trustedIPs to entry points has nothing to do with ipAllowList. It is still necessary for accesslog to get the correct IP for Crowdsec.

Case 1: Just CF Proxy

Add ipstrategy.depth = 1 and add WAN IP to sourceRange will work, but all local traffic is now routed through CF proxy

Case 2: CF Proxy + local DNS

For devices using local DNS has to remove ipstrategy.depth = 1
For devices using manually assigned DNS, has to have ipstrategy.depth = 1

to try to solve this conflict, I got this Plugin to work and successfully got correct X-Real-Ip, but ipAllowList does seems to use X-Real-Ip at all. Is there a better solution?

Case 3 remote via tailscale + CF Proxy + magic DNS + split DNS + realip plug in

My TS client is via docker on the same network as Traefik, and I got below header

X-Forwarded-For: 172.18.0.1
X-Forwarded-Host: whoami.domain.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Real-Ip: 172.18.0.1

172.18.0.1 is the docker traefik network IP. I think this will change over time, and I don't know enough about docker to tell if its a good idea to whitelist this IP and what range it might change into?

rxunique · April 25, 2024, 10:31am

Here are my configs, all pretty basic

entry points & plugin

  https:
    address: ":443"
    forwardedHeaders:
      trustedIPs: *trustedIps #all CF IP delcared earlier


experimental:
  plugins:
    traefik-get-real-ip:
      moduleName: "github.com/Paxxs/traefik-get-real-ip"
      version: "v1.0.3"

router

    whoami:
      entryPoints:
        - "https"
      rule: "Host(`whoami.domain.com`)"
      middlewares:
        - realip
        #- local-only
      tls: {}
      service: whoami

services

    whoami:
      loadBalancer:
        servers:
          - url: "http://a.b.c.d"
        passHostHeader: true

middlewares:

    realip:
      plugin:
        traefik-get-real-ip:
          Proxy:
            - proxyHeadername: X-From-Cdn
              proxyHeadervalue: mf-fun #define here
              realIP: CF-Connecting-Ip
              OverwriteXFF: true # default: false, v1.0.2 or above
            - proxyHeadername: "*"
              realIP: RemoteAddr

    local-only:
      ipallowlist: # https://doc.traefik.io/traefik/middlewares/http/ipallowlist/
        sourceRange:
          - "127.0.0.1/32" # localhost
          - "my.local.ip.here" 
          - "my.wan.ip.here"
        # ipstrategy: # enable this when cloudflare proxy in use
        #   depth: 1 # depth 1 when cloudflare proxy in use

Topic		Replies	Views
IPAllowList doesn't work with Cloudflare proxy Traefik v3 (latest) kubernetes-ingress , middleware	0	97	September 6, 2024
Cloudflare Proxy IPAllowList Config Example, and Question on how to improve with Split DNS Traefik v2 middleware	0	543	April 21, 2024
Setting up both forwardedHeaders and ipWhiteList (or: how to trust IP and whitelist the proxy, not the end user?) Traefik v2 file	1	2519	February 7, 2023
Traefik v2 ipWhitelist/depth with Cloudflare and local network Traefik v2 docker , tcp , middleware	2	1888	July 12, 2022
X-Forwarded-For ipwhitelist middleware Traefik v3 (latest) docker , middleware	1	115	September 19, 2024

ipAllowList & X-Forwarded-For & X-Real-Ip

Related topics