Hi Everyone!
Very new to the forums, sort of new to traefik. I've been trying to get it set up for my homelab and I'm having trouble setting up the ipWhiteList middleware so I can limit the allowed sources to my network. My public IP is behind a DNS entry which is proxied through cloudflare, and without the middleware everything is functional.
However, with the middleware configured I cannot seem to get any other result then all HTTP requests returning a 403 forbidden. I think I'm going wrong with the ipStrategy part of the configuration, but both my configuration attempts with either Depth or Excluded IPs isn't working.
I'm using the docker provider with the ipWhiteList middleware in a dynamic config file provided by the file itself. I've pasted the configuration I'm using below.
The traffic I'm trying to get working is this:
- public client -> cloudflare -> traefik -> service
This setup is already functional without the middleware, but if I introduce the ipwhitelist middleware for the mydomain-org service, the no matter what I put in the sourceRange option. Every request returns 403 Forbidden with the traefik docker logs generating the following debug logs each time:
level=debug msg="Rejecting IP : empty IP address" middlewareName=ipwhitelist@file middlewareType=IPWhiteLister
Full docker logs of traefik - Pastebin
Am I missing something obvious I need to implement to have the ipWhiteList middleware allow connections based on IP? My thought process was to use excludedIPs to have all cloudflare subnets ignored, then the middleware should easily be able to match the actual real source IP. Depth is the current strategy I have purely as a test to see if that made a difference. I did make a few PCAPs but all of them that returned a 403 only included encrypted TLS data. No plaintext HTTP so I could check what the X-Forwarded-For header actually contained. Is this also expected or is this issue caused by traefik only seeing encrypted traffic, causing the middleware to flatout fail in finding any headers at all?
I would appreciate any and all help in troubleshooting this.
docker-compose.yml for traefik:
version: '3'
services:
reverse-proxy:
container_name: traefik
# The official v2 Traefik docker image
image: traefik:latest
ports:
# The HTTP port
- "80:80"
# The HTTPS port
- "443:443"
volumes:
# So that Traefik can listen to the Docker events
- /var/run/docker.sock:/var/run/docker.sock
# Map the static configuration into the container
- ./config/static.yml:/etc/traefik/traefik.yml
# Map the dynamic configuration into the container
- ./config/dynamic:/etc/traefik/dynamic:ro
# Map the certificates into the container
- ./certs/acme.json:/acme.json
# Map the logfile into the container
- ./logs/accesslog.log:/accesslog.log
logging:
driver: "json-file"
options:
max-size: "1m"
labels:
- 'traefik.enable=true'
- "traefik.frontend.priority=2"
- 'traefik.http.routers.api.rule=Host(`moirai.mydomain.org`)'
- 'traefik.http.routers.api.entrypoints=https'
- 'traefik.http.routers.api.service=api@internal'
- 'traefik.http.routers.api.tls=true'
- 'traefik.http.routers.api.tls.certresolver=letsencrypt'
networks:
- traefik_net
networks:
traefik_net:
external: true
static.yml - static configuration for traefik
global:
sendAnonymousUsage: false
api:
dashboard: true
insecure: false
providers:
file:
directory: /etc/traefik/dynamic # this is where the middleware dynamic config is too
watch: true
docker:
allowEmptyServices: true
exposedByDefault: false
network: traefik_net
watch: true
endpoint: "unix:///var/run/docker.sock"
log:
level: DEBUG
format: common
entryPoints:
http:
address: ":80"
http:
redirections:
entryPoint:
to: https
scheme: http
http2:
maxConcurrentStreams: 250
https:
address: ":443"
http2:
maxConcurrentStreams: 250
accessLog:
filePath: accesslog.log
bufferingSize: 100
certificatesResolvers:
letsencrypt:
acme:
email: itsme@gmail.com
storage: acme.json
httpChallenge:
entryPoint: http
docker-compose.yml for the service I'm currently trying to get working:
version: '3'
services:
web:
container_name: mydomain-org
build: .
ports:
- "5000:5000"
labels:
- "traefik.enable=true"
- "traefik.frontend.priority=1"
- "traefik.http.routers.mydomain-org.rule=Host(`mydomain.org`)"
- "traefik.http.routers.mydomain-org.entrypoints=https"
- "traefik.http.routers.mydomain-org.tls=true"
- "traefik.http.routers.mydomain-org.tls.certresolver=letsencrypt"
# Middlewares
- "traefik.http.routers.mydomain-org.middlewares=ipwhitelist@file"
# Service configuration
- "traefik.http.routers.mydomain-org.service=mydomain-service"
- "traefik.http.services.mydomain-service.loadbalancer.server.port=5000"
networks:
- traefik_net
redis:
container_name: mydomain-redis
image: "redis:alpine"
networks:
- traefik_net
networks:
traefik_net:
external: true
ipwhitelist.yml - dynamic configuration for the middleware
http:
middlewares:
ipwhitelist:
ipWhiteList:
sourceRange:
- "192.168.0.0/16"
- "10.0.0.0/8"
- "190.0.0.0/24" # not real, redacted for privacy
- "200.0.0.0/24" # not real, redacted for privacy
ipStrategy:
depth: 2
# excludedIPs:
# - "173.245.48.0/20"
# - "103.21.244.0/22"
# - "103.22.200.0/22"
# - "103.31.4.0/22"
# - "141.101.64.0/18"
# - "108.162.192.0/18"
# - "190.93.240.0/20"
# - "188.114.96.0/20"
# - "197.234.240.0/22"
# - "198.41.128.0/17"
# - "162.158.0.0/15"
# - "104.16.0.0/13"
# - "104.24.0.0/14"
# - "172.64.0.0/13"
# - "131.0.72.0/22"