IPWhitelist not working

Traefik Traefik v2
,
1

My requirement is to allow only specific IP addresses from the internet to be allowed through, however when applying the whitelist any IP is allowed to pass through, where am I going wrong?

I have followed the documentation regarding whitelisting set out here: https://doc.traefik.io/traefik/middlewares/ipwhitelist/

This is my whitelist middleware line where I have explicitly set it to reject all internet traffic:
- "traefik.http.middlewares.reverse-proxy.ipwhitelist.sourcerange=192.168.1.1"

However all internet traffic is being passed, what am I doing wrong?

This is my docker-compose.yml file:

version: '3'

services:
  reverse-proxy:
    # The official v2 Traefik docker image
    image: traefik:v2.4.9
    restart: unless-stopped
    # Enables the web UI and tells Traefik to listen to docker
    command: 
        - "--log.level=DEBUG"
        - "--accesslog=true"
        - "--accesslog.filepath=/var/log/traefik/access.log"
        - --accesslog.bufferingsize=100
        - "--api.insecure=false" 
        - "--providers.docker"
        - "--providers.docker.exposedbydefault=false"
        - "--entrypoints.web.address=:80"
        - "--entrypoints.websecure.address=:443"
        - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
        - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
        # Comment out the next line to use production
        # - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
        - "--certificatesresolvers.myresolver.acme.email=xx@xx.xx"
        - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
        - "traefik.http.middlewares.reverse-proxy.ipwhitelist.sourcerange=192.168.1.1"

    ports:
      # The HTTP port
      - "80:80"
      - "443:443"
      # The Web UI (enabled by --api.insecure=true)
      - "8080:8080"

    networks:
      - web

    volumes:
      - "./letsencrypt:/letsencrypt"  
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
  
networks:
  web:
    external: true
2

Hi @tjc

That middleware label needs to be defined in a dynamic provider, easiest would be docker label or in a file provider. You could add this as a label to the traefik container.

The middleware then has to be attached to a router or you can add middlewares to an entryPoint and the will apply to all routers.

https://doc.traefik.io/traefik/routing/entrypoints/#middlewares

3

I created a file called middlewares.yml and placed that in a directory called dynamic.
I added this to volumes:

volumes:
      - "./letsencrypt:/letsencrypt"  
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/home/theo/monitor/traefikV2/logs:/var/log/traefik"
      - "/home/theo/monitor/traefikV2/dynamic:/etc/traefik/dynamic"

Inside middlewares.yml I placed:

http:
  middlewares:
    my-ipwhitelist:
      ipWhiteList:
        sourceRange:
          - "127.0.0.1/32"
          - "192.168.1.1"

and in docker-compose.yml I have:

version: '3'

services:
  reverse-proxy:
    # The official v2 Traefik docker image
    image: traefik:v2.4.9
    restart: unless-stopped
    # Enables the web UI and tells Traefik to listen to docker
    command: 
        - "--log.level=DEBUG"
        - "--accesslog=true"
        - "--accesslog.filepath=/var/log/traefik/access.log"
        - --accesslog.bufferingsize=100
        - "--api.insecure=false" 
        - "--providers.docker"
        - "--providers.docker.exposedbydefault=false"
        - "--entrypoints.web.address=:80"
        - "--entrypoints.websecure.address=:443"
        - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
        - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
        # Comment out the next line to use production
        # - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
        - "--certificatesresolvers.myresolver.acme.email=theocarper@msn.com"
        - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
        # - "traefik.http.middlewares.reverse-proxy.ipwhitelist.sourcerange=192.168.1.1"
        # - "traefik.http.routers.reverse-proxy.middlewares=my-whitelist@docker"
        - "traefik.http.middlewares=my-ipwhitelist@file"
    ports:
      # The HTTP port
      - "80:80"
      - "443:443"
      # The Web UI (enabled by --api.insecure=true)
      - "8080:8080"

    networks:
      - web

    volumes:
      - "./letsencrypt:/letsencrypt"  
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/home/theo/monitor/traefikV2/logs:/var/log/traefik"
      - "/home/theo/monitor/traefikV2/dynamic:/etc/traefik/dynamic"
  
networks:
  web:
    external: true

The bit I'm stuck on is this:

entryPoints:
  websecure:
    address: ':443'
    http:
      middlewares:
        - auth@file
        - strip@file

Where does the auth in auth@file come from?

In my static traefik.yml file I have:

providers:
  file:
    directory: "/etc/traefik/dynamic"

certificatesResolvers:
  myresolver:
    # Enable ACME (Let's Encrypt): automatic SSL.
    acme:

      # Email address used for registration.
      #
      # Required
      #
      email: "my.email@address"

      # File or key used for certificates storage.
      #
      # Required
      #
      storage: "acme.json"
      tlsChallenge:
        
        entryPoint: websecure

      # Use a HTTP-01 ACME challenge.
      #
      # Optional
      #
      httpChallenge:

        # EntryPoint to use for the HTTP-01 challenges.
        #
        # Required
        #
        entryPoint: web

I appended to entryPoint:

entryPoint: web
          http:
            middlewares:
            - my-ipwhitelist@file

But that made no difference

I added:

entryPoints:
  web:
    address: :80
    http:
      middlewares:
        - my-ipwhitelist@file
  websecure:
    address: :443
    http:
      middlewares:
        - my-ipwhitelist@file

But again this made no difference.