I'm trying to create a whitelist/allowlist for IPv6 addresses; however, nothing I have tried works, and the only posts I have come across on the forum don't have any answers.
When using IPv4 this works perfectly fine; however, when I try to introduce IPv6 I always get a forbidden response. Is this supported at all? I don't think so, and I think this should be noted, as I've wasted way more time than I'd like to admit trying to get this to work.
Extra info: this is running as a service in its own VM, not as a Docker container, so IPv6 works system- and network-wide. IPv6 entry points work just fine; it's when I try adding a whitelist middleware to the service that things go south.
I have tried every possible variation of the following:
Yes, everything works perfectly fine, but as soon as I add the middleware I get forbidden for those routes.
So now that I think about it, I might know what is going on. I have not tried the solution yet; however, I was doing/testing this while transitioning to a dual-stack configuration, and so I created a separate middleware to handle just the IPv6 addresses so that I could separate it and comment it out if needed. But is it possible that, because I am using two allowlist middlewares, the IPv4 one will block any IPv6 addresses and, vice versa, the IPv6 middleware will block IPv4 addresses, so essentially the IPv6 addresses should be in the same middleware as the IPv4 addresses? It's late, so I will try this tomorrow and report back, but in the meantime this is my setup, IPv6 included.
Static config:

```yaml
global:
  checkNewVersion: true
  sendAnonymousUsage: false
log:
  level: DEBUG
  filePath: "/srv/traefik/logs/process.log"
  format: common
accessLog:
  filePath: "/srv/traefik/logs/access.log"
  bufferingSize: 10
  format: common
providers:
  providersThrottleDuration: 10s
  file:
    directory: /srv/traefik/config.d
    watch: true
api:
  dashboard: true
  debug: true
entryPoints:
  web:
    address: '192.168.22.10:22080' # router handles forwarding from port 80 to 22080
  web-secure:
    address: '192.168.22.10:22443' # router handles forwarding from port 443 to 22443
  web_v6:
    address: '[2:4:a:5::4]:22080' # router handles forwarding from port 80 to 22080
  web-secure_v6:
    address: '[2:4:a:5::4]:22443' # router handles forwarding from port 443 to 22443
certificatesResolvers:
  personal:
    acme:
      email: A@gmail.com
      storage: /srv/traefik/sslcerts/cert-personal.json
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 30
  certifiedb:
    acme:
      email: A@gmail.com
      storage: /srv/traefik/sslcerts/cert-certifiedb.json
      httpChallenge:
        entryPoint: web
```
It seems like there might be some issues with the way the IPv6 addresses are being specified in the whitelist configuration. Here are a few things to check and try:

Correct Syntax and Spelling:
Ensure that the syntax and spelling in your configuration file are correct. For example, the ipAllowList should have the correct indentation and spelling:

```yaml
http:
  middlewares:
    mywhitelist:
      ipWhiteList:
        sourceRange:
          - "fe80::/10"
          - "2000:3000:aeff::/64"
          - "fe80::6969/128"
    myotherwhitelist:
      ipAllowList:
        sourceRange:
          - "fe80::/10"
          - "2000:3000:aeff::/64"
          - "fe80::6969/128"
```

Brackets:
Remove the brackets around IPv6 addresses. The brackets are generally used for URLs, not for specifying CIDR blocks:

```yaml
sourceRange:
  - "fe80::/10"
  - "2000:3000:aeff::/64"
  - "fe80::6969/128"
```

Proper Indentation:
Ensure the indentation is consistent. YAML is indentation-sensitive, and incorrect indentation can lead to configuration errors:

```yaml
http:
  middlewares:
    mywhitelist:
      ipWhiteList:
        sourceRange:
          - "fe80::/10"
          - "2000:3000:aeff::/64"
          - "fe80::6969/128"
    myotherwhitelist:
      ipAllowList:
        sourceRange:
          - "fe80::/10"
          - "2000:3000:aeff::/64"
          - "fe80::6969/128"
```

Check Service Logs:
Check the service logs for any errors or warnings that might indicate what the issue is. There might be clues that can help you debug the problem.

Service Documentation:
Consult the documentation for the service you are using to ensure that IPv6 whitelisting is supported and that you are using the correct configuration format.

Network Configuration:
Verify that the VM's network configuration is set up to handle IPv6 traffic correctly. This includes checking firewall rules, routing tables, and any other network-related settings.

If you have tried these steps and still face issues, consider seeking help from experts in custom software development; maybe they can help you: https://tech-stack.com/
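The original poster's hypothesis (two separate allowlist middlewares, one IPv4-only and one IPv6-only, chained on the same router) and the reply's point about bracketed IPv6 literals can both be checked with a small model of how an IP allowlist evaluates a client address. The following is an added example written for this thread; it is not code from the poster, from the reply, or from Traefik. It models an allowlist as a set of CIDR ranges and a chain as a sequence of allowlists that must all permit the request (each one can return 403 on its own); the CIDR ranges, client addresses and the function names `parse_source_range`, `allowlist_permits` and `chain_decides` are all constructed for the example. Whether Traefik's own parser rejects a bracketed literal in exactly this way is an assumption; its logs are the authoritative place to confirm that.

```python
"""Model of chained IP allowlist middlewares evaluating a client address.

Added example for this thread (not Traefik's code). Each allowlist is a list of
CIDR networks; one middleware permits a request when the client IP falls inside
any of its ranges; a chain permits the request only when every middleware does.
All ranges and client addresses below are constructed sample values.
"""
import ipaddress


def parse_source_range(entries):
    """Parse a sourceRange list (strings) into ip_network objects.

    A bracketed IPv6 literal such as "[2000:3000:aeff::]/64" is host:port/URL
    notation, not CIDR, so it is rejected explicitly here (assumption: a CIDR
    parser in the proxy would fail on it too, surfacing as a config error).
    """
    nets = []
    for entry in entries:
        if entry.startswith("["):
            raise ValueError(f"bracketed IPv6 literal is not a CIDR block: {entry!r}")
        # strict=False accepts ranges whose host bits are not all zero
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def allowlist_permits(nets, client_ip):
    """True if client_ip is inside any range of this one allowlist.

    An IPv4 address is never inside an IPv6 network (and vice versa), which is
    exactly why an IPv4-only list rejects every IPv6 client.
    """
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in nets)


def chain_decides(middlewares, client_ip):
    """Return 200 if every middleware in the chain permits client_ip, else 403."""
    for nets in middlewares:
        if not allowlist_permits(nets, client_ip):
            return 403  # the first middleware that rejects ends the request
    return 200


# Constructed configuration: the "two separate middlewares" layout versus a
# single merged list containing both families.
V4_RANGES = ["192.168.22.0/24"]
V6_RANGES = ["2000:3000:aeff::/64"]

CHAINED = [parse_source_range(V4_RANGES), parse_source_range(V6_RANGES)]
MERGED = [parse_source_range(V4_RANGES + V6_RANGES)]


def compare_layouts(client_ip):
    """Return (chained_status, merged_status) for one client address."""
    return chain_decides(CHAINED, client_ip), chain_decides(MERGED, client_ip)


if __name__ == "__main__":
    for client in ("192.168.22.55", "2000:3000:aeff::1", "2000:3000:aeff:1::1"):
        chained, merged = compare_layouts(client)
        print(f"{client:>22}  chained={chained}  merged={merged}")
    try:
        parse_source_range(["[2000:3000:aeff::]/64"])
    except ValueError as err:
        print("config error:", err)
```

With the two-middleware layout every client is rejected, because an IPv4 client fails the IPv6-only list and an IPv6 client fails the IPv4-only list; with both families in one `sourceRange` each client only has to match one entry. The third sample address sits in a neighbouring /64 and is rejected by both layouts, which is the expected behaviour of a correctly scoped allowlist.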