IPv6 whitelist / allowlist not supported?

Traefik Traefik v3 (latest)
1

I'm trying to create a whitelist/allowlist for IPv6 addresses however nothing I have tried works and the only posts I have come across on the forum don't have any answers.
When using ipv4 this works perfectly fine however when I try to introduce ipv6 I always get a forbidden response. Is this supported at all? I dont think so and I think this should be noted as i've wasted way more time than i'd like to admit trying to get this to work

Extra info: this is running as a service in its own VM not as a docker container so IPv6 works system and network wide, ipv6 entry points work just fine , it's when I try adding an whitelist middleware to the service do things go south.

I have tried every possible variation of the following :

http:
  middlewares:
    mywhitelist:
      ipWhiteList:
        sourceRange:
          - "fe80::/10"
          - "[fe80::]/10"
          - "2000:3000:aeff::/64"
          - "fe80::6969/128"
    myotherwhitelist:
      ipAllowList
        sourceRange:
          - "fe80::/10"
          - "[fe80::]/10"
          - "[2000:3000:aeff::]/64"
          - "fe80::6969/128"
2

Share your full Traefik static and dynamic config, and docker-compose.yml if used.

Your IPv6 works without the middlewares?

3

Yes everything works perfectly fine, but as soon as I add the middleware i get forbidden for those routes.

So now that I think about it , I might know what is going on, I have not tried the solution yet however I was doing/testing this while transitioning to a dual stack configuration and so I created a separate middleware to handle just the ipv6 addresses so that i could separate and comment it out if needed but is it possible that because I am using 2 allow list middle wares that the ipv4 will block any ipv6 addresses and then vice versa the ipv6 middle ware will block ipv4 addresses - essentially the ipv6 addresses should be in the same middleware as the ipv4 addresses? It's late so I will try this tomorrow and report back, but for the mean time this is my setup, ipv6 included

static config

global:
  checkNewVersion: true
  sendAnonymousUsage: false
log:
  level: DEBUG
  filePath: "/srv/traefik/logs/process.log"
  format: common
accessLog:
  filePath: "/srv/traefik/logs/access.log"
  bufferingSize: 10
  format: common
providers:
  providersThrottleDuration: 10s
  file:
    directory: /srv/traefik/config.d
    watch: true
api:
  dashboard: true
  debug: true
entryPoints:
  web:
    address: '192.168.22.10:22080' # router handles forwarding from port 80 to 22080
  web-secure:
    address: '192.168.22.10:22443'  # router handles forwarding from port 443 to 22443
  web_v6:
    address: '[2:4:a:5::4]:22080' # router handles forwarding from port 80 to 22080
  web-secure_v6:
    address: '[2:4:a:5::4]:22443' # router handles forwarding from port 443 to 22443
certificatesResolvers:
  personal:
    acme:
      email: A@gmail.com
      storage: /srv/traefik/sslcerts/cert-personal.json
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 30
  certifiedb:
    acme:
      email: A@gmail.com
      storage: /srv/traefik/sslcerts/cert-certifiedb.json
      httpChallenge:
        entryPoint: web

dynamic config

http:
    dashboard-auth:
      basicAuth:
        usersFile: "/srv/traefik/dshusr"
    localipwhitelist:
      #ipWhiteList:   # depreciated??
      ipAllowList:
        sourceRange:
          - "127.0.0.1/32"
          - "192.168.1.0/16"
    IPv6localipwhitelist:
      #ipWhiteList:   # depreciated???
      ipAllowList:
        sourceRange:
          - "fe80::/10"
          - "2:4:a:5::/64"
    secureRedirectscheme:
      redirectScheme:
        scheme: https
        permanent: true
    sslterminationHeader:
      headers:
        customRequestHeaders:
          X-Forwarded-Proto: "http"
    gitmetricscorrection:
      replacePathRegex:
        regex: "^/metrics$"
        replacement: "/-/metrics"
  routers:
    personalsite:
      rule: "Host(`a.com`)"
      entryPoints:
        - web
        - web_v6
      service: personalsite
      priority: 11
      tls:
        certResolver: personal
    personalsite-secure:
      rule: "Host(`a.com`)"
      entryPoints:
        - web-secure
        - web-secure_v6
      service: personalsite
      priority: 100
      tls:
        certResolver: personal
        domains:
          - main: "a.com"
            sans:
              - "*.a.com"
    cb:
      rule: "Host(`cb.co`)"
      entryPoints:
        - web
        - web_v6
      service: cb-httpd
    cb-secure:
      rule: "Host(`cb.co`)"
      entryPoints:
        - web-secure
        - web-secure_v6
      service: cb-httpd
      tls:
        certResolver: certifiedb
        domains:
          - main: "cb.co"
            sans:
              - "www.cb.co"
    dashboard:
      rule: "Host(`traefik.a.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      service: api@internal
      entrypoints:
        - web-secure
        - web-secure_v6
      middlewares:
        - dashboard-auth
        - localipwhitelist
        - IPv6localipwhitelist
      tls:
        certResolver: personal
    vwsecure:
      rule: "Host(`bw.a.com`) && !PathPrefix(`/admin`)"
      entryPoints:
        - web-secure
        - web-secure_v6
      service: vw
      tls:
        certResolver: personal
    vw_admin:
      rule: "(Host(`bw.a.com`) && PathPrefix(`/admin`))"
      entryPoints:
        - web-secure
        - web-secure_v6
      service: vw
      middlewares:
        - localipwhitelist
        - IPv6localipwhitelist
      tls:
        certResolver: personal
    tar1090secure:
      rule: "Host(`tar1090.a.com`)"
      entryPoints:
        - web-secure
        - web-secure_v6
      middlewares:
        - localipwhitelist
        - IPv6localipwhitelist
      service: tar1090
      tls:
        certResolver: personal
    gitlabsecure:
      rule: "Host(`git.a.com`)"
      entryPoints:
        - web-secure
        - web-secure_v6
      middlewares:
        - sslterminationHeader
      service: gitlab
      tls:
        certResolver: personal
    gitlabsecure_admin:
      rule: "Host(`git.a.com`) && (PathPrefix(`/admin`) || PathPrefix(`/metrics`))"
      entryPoints:
        - web-secure
        - web-secure_v6
      middlewares:
        - localipwhitelist
        - IPv6localipwhitelist
        - sslterminationHeader
        - gitmetricscorrection
      service: gitlab
      tls:
        certResolver: personal
    grafanaInternal:
      rule: "Host(`grafana.a.com`)"
      entryPoints:
        - web-secure
        - web-secure_v6
      service: grafana
      middlewares:
        - localipwhitelist
        - IPv6localipwhitelist
      tls:
        certResolver: personal
  services:
    personalsite:
      loadBalancer:
        servers:
          - url: "http://ps.servicenet:8083"
    cb-httpd:
      loadBalancer:
        servers:
          - url: "http://cb.servicenet:8083"
    vw:
      loadBalancer:
        servers:
          - url: "http://vw.servicenet:8037"
    tar1090:
      loadBalancer:
        servers:
          - url: "http://tar1090.servicenet:8099"
    gitlab:
      loadBalancer:
        servers:
          - url: "http://git.servicenet:8029"
        healthCheck:
          path: /-/health
          interval: "10s"
          timeout: "3s"
    grafana:
      loadBalancer:
        servers:
          - url: "http://grafana.servicenet:3000"
4

You need to merge the IPs, otherwise each middlewares will be run and one will always fail.

5

You were right, that fixed it, thanks.

6

It seems like there might be some issues with the way the IPv6 addresses are being specified in the whitelist configuration. Here are a few things to check and try:

Correct Syntax and Spelling:
Ensure that the syntax and spelling in your configuration file are correct. For example, the ipAllowList should have the correct indentation and spelling:
http:
middlewares:
mywhitelist:
ipWhiteList:
sourceRange:
- "fe80::/10"
- "2000:3000:aeff::/64"
- "fe80::6969/128"
myotherwhitelist:
ipAllowList:
sourceRange:
- "fe80::/10"
- "2000:3000:aeff::/64"
- "fe80::6969/128"
Brackets:
Remove the brackets around IPv6 addresses. The brackets are generally used for URLs, not for specifying CIDR blocks:
sourceRange:

  • "fe80::/10"
  • "2000:3000:aeff::/64"
  • "fe80::6969/128"
    Proper Indentation:
    Ensure the indentation is consistent. YAML is indentation-sensitive, and incorrect indentation can lead to configuration errors:
    http:
    middlewares:
    mywhitelist:
    ipWhiteList:
    sourceRange:
    - "fe80::/10"
    - "2000:3000:aeff::/64"
    - "fe80::6969/128"
    myotherwhitelist:
    ipAllowList:
    sourceRange:
    - "fe80::/10"
    - "2000:3000:aeff::/64"
    - "fe80::6969/128"
    Check Service Logs:
    Check the service logs for any errors or warnings that might indicate what the issue is. There might be clues that can help you debug the problem.

Service Documentation:
Consult the documentation for the service you are using to ensure that IPv6 whitelisting is supported and that you are using the correct configuration format.

Network Configuration:
Verify that the VM's network configuration is set up to handle IPv6 traffic correctly. This includes checking firewall rules, routing tables, and any other network-related settings.

If you have tried these steps and still face issues, consider seeking help from experts in custom software development, maybe they can help you https://tech-stack.com/