ipAllowList & X-Forwarded-For & X-Real-Ip

I'm running into a wall using ipAllowList for my internal services. It's easy enough to set up in the simplest case, but once I add in the Cloudflare DNS proxy and Tailscale, it becomes a massive headache that I can't figure out.

Here's my journey so far.

First, adding forwardedHeaders.trustedIPs to the entry points has nothing to do with ipAllowList. It is still necessary for the access log to get the correct IP for CrowdSec.

Case 1: Just CF Proxy

Adding ipstrategy.depth = 1 and adding my WAN IP to sourceRange works, but all local traffic is now routed through the CF proxy.

Case 2: CF Proxy + local DNS

For devices using local DNS, I have to remove ipstrategy.depth = 1.
For devices using manually assigned DNS, I have to keep ipstrategy.depth = 1.

To try to solve this conflict, I got this plugin to work and successfully got the correct X-Real-Ip, but ipAllowList doesn't seem to use X-Real-Ip at all. Is there a better solution?

Case 3: remote via Tailscale + CF Proxy + MagicDNS + split DNS + realip plugin

My TS client runs in Docker on the same network as Traefik, and I got the headers below:

X-Forwarded-For: 172.18.0.1
X-Forwarded-Host: whoami.domain.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Real-Ip: 172.18.0.1

172.18.0.1 is the Docker Traefik network IP. I think this will change over time, and I don't know enough about Docker to tell whether it's a good idea to whitelist this IP, or what range it might change to.

Here are my configs, all pretty basic.

entry points & plugin

entryPoints:
  https:
    address: ":443"
    forwardedHeaders:
      trustedIPs: *trustedIps # all CF IPs, declared earlier as a YAML anchor


experimental:
  plugins:
    traefik-get-real-ip:
      moduleName: "github.com/Paxxs/traefik-get-real-ip"
      version: "v1.0.3"

router

http:
  routers:
    whoami:
      entryPoints:
        - "https"
      rule: "Host(`whoami.domain.com`)"
      middlewares:
        - realip
        #- local-only # disabled while testing
      tls: {}
      service: whoami

services

http:
  services:
    whoami:
      loadBalancer:
        servers:
          - url: "http://a.b.c.d" # backend address elided
        passHostHeader: true

middlewares

http:
  middlewares:
    realip:
      plugin:
        traefik-get-real-ip:
          Proxy:
            # requests carrying this marker header are treated as coming from
            # the CDN and the client IP is taken from CF-Connecting-Ip
            - proxyHeadername: X-From-Cdn
              proxyHeadervalue: mf-fun # define here
              realIP: CF-Connecting-Ip
              OverwriteXFF: true # default: false, v1.0.2 or above
            # everything else: fall back to the TCP remote address
            - proxyHeadername: "*"
              realIP: RemoteAddr

    local-only:
      ipAllowList: # https://doc.traefik.io/traefik/middlewares/http/ipallowlist/
        sourceRange:
          - "127.0.0.1/32" # localhost
          - "my.local.ip.here"
          - "my.wan.ip.here"
        # ipStrategy: # enable this when the Cloudflare proxy is in use
        #   depth: 1 # depth 1 when the Cloudflare proxy is in use
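To make the three cases easier to reason about offline, here is an added example (my own code, not from the post above and not Traefik's code) that models how the entry point's forwardedHeaders.trustedIPs filter and the ipAllowList ipStrategy options pick the client address, following the documented semantics: with no ipStrategy the TCP RemoteAddr is used; depth: N takes the N-th X-Forwarded-For entry from the right and yields an empty address when there are fewer than N entries; excludedIPs scans X-Forwarded-For right to left for the first address not in the list. All addresses are constructed stand-ins (203.0.113.0/24 for the CDN egress range, 198.51.100.7 for the home WAN IP, 192.168.1.0/24 for the LAN, 172.18.0.1 for the Docker bridge gateway) and every type and function name is the example's own.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// Request is what ipAllowList can see: the TCP peer and the X-Forwarded-For it sent.
type Request struct {
	RemoteAddr    string // "host:port" of the TCP peer that connected to Traefik
	XForwardedFor string // X-Forwarded-For as received; "" when absent
}

// Strategy mirrors the ipStrategy block: Depth > 0 wins over ExcludedIPs; neither set means RemoteAddr.
type Strategy struct {
	Depth       int
	ExcludedIPs []netip.Prefix
}

func mustPrefixes(cidrs ...string) []netip.Prefix {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}

// contains reports whether ip is inside any prefix; "" or junk never matches.
func contains(prefixes []netip.Prefix, ip string) bool {
	a, err := netip.ParseAddr(strings.TrimSpace(ip))
	if err != nil {
		return false
	}
	for _, p := range prefixes {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// forwardedHeaders models forwardedHeaders.trustedIPs on the entry point:
// X-Forwarded-For from an untrusted peer is dropped before middlewares run.
func forwardedHeaders(req Request, trusted []netip.Prefix) Request {
	host, _, err := net.SplitHostPort(req.RemoteAddr)
	if err != nil || !contains(trusted, host) {
		req.XForwardedFor = ""
	}
	return req
}

// clientIP picks the address ipAllowList checks. Both depth and excludedIPs
// read only X-Forwarded-For, so a request that had none yields "" (rejected).
func clientIP(req Request, s Strategy) string {
	xff := strings.Split(req.XForwardedFor, ",") // "" splits to [""], as in Traefik
	switch {
	case s.Depth > 0:
		if len(xff) < s.Depth {
			return ""
		}
		return strings.TrimSpace(xff[len(xff)-s.Depth])
	case len(s.ExcludedIPs) > 0:
		for i := len(xff) - 1; i >= 0; i-- { // right to left, first non-excluded
			if ip := strings.TrimSpace(xff[i]); ip != "" && !contains(s.ExcludedIPs, ip) {
				return ip
			}
		}
		return ""
	default:
		if host, _, err := net.SplitHostPort(req.RemoteAddr); err == nil {
			return host
		}
		return req.RemoteAddr
	}
}

// allowed is the whole decision: entry point filter, ipStrategy, then sourceRange.
func allowed(req Request, trusted []netip.Prefix, s Strategy, sourceRange []netip.Prefix) bool {
	return contains(sourceRange, clientIP(forwardedHeaders(req, trusted), s))
}

func main() {
	// Constructed stand-ins (documentation ranges, not addresses from the post).
	cdn := mustPrefixes("203.0.113.0/24") // the CDN's published egress range
	wan := "198.51.100.7"                 // home WAN IP the CDN puts in X-Forwarded-For
	sourceRange := mustPrefixes("127.0.0.1/32", "192.168.1.0/24", wan+"/32")
	names := []string{"LAN direct", "LAN spoofing XFF", "via CDN", "Tailscale container"}
	reqs := []Request{{"192.168.1.20:51000", ""}, {"192.168.1.20:51001", wan},
		{"203.0.113.10:39000", wan}, {"172.18.0.1:40000", ""}}
	for _, st := range []Strategy{{}, {Depth: 1}, {ExcludedIPs: cdn}} {
		for i, r := range reqs {
			fmt.Printf("%-32v %-20s clientIP=%-15q allowed=%v\n", st, names[i],
				clientIP(forwardedHeaders(r, cdn), st), allowed(r, cdn, st, sourceRange))
		}
	}
}
```

Running it prints one row per strategy and case, and the rows reproduce the Case 2 conflict: a request that reaches Traefik directly carries no X-Forwarded-For (and any it does carry is dropped unless the peer is in trustedIPs), so depth: 1 resolves to an empty address and ipAllowList rejects it, while with no ipStrategy the CDN-proxied request is judged by the CDN edge IP instead of the home WAN IP; excludedIPs has the same blind spot for direct connections. Neither option reads X-Real-Ip. On the 172.18.0.1 question, that address is the gateway of the Docker bridge network Traefik sits on; Docker allocates the subnet from its default address pool when the network is created, so it is stable for the life of the network but not guaranteed across hosts or a recreated network unless the subnet is pinned in the network definition (compose ipam config subnet).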