IPWhitelist not working

My requirement is to allow only specific IP addresses from the internet through; however, when applying the whitelist, any IP is allowed to pass through. Where am I going wrong?

I have followed the documentation regarding whitelisting set out here: https://doc.traefik.io/traefik/middlewares/ipwhitelist/

This is my whitelist middleware line where I have explicitly set it to reject all internet traffic:
- "traefik.http.middlewares.reverse-proxy.ipwhitelist.sourcerange=192.168.1.1"

However, all internet traffic is being passed. What am I doing wrong?

This is my docker-compose.yml file:

version: '3'

services:
  reverse-proxy:
    # The official v2 Traefik docker image
    image: traefik:v2.4.9
    restart: unless-stopped
    # Enables the web UI and tells Traefik to listen to docker
    command: 
        - "--log.level=DEBUG"
        - "--accesslog=true"
        - "--accesslog.filepath=/var/log/traefik/access.log"
        - --accesslog.bufferingsize=100
        - "--api.insecure=false" 
        - "--providers.docker"
        - "--providers.docker.exposedbydefault=false"
        - "--entrypoints.web.address=:80"
        - "--entrypoints.websecure.address=:443"
        - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
        - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
        # Comment out the next line to use production
        # - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
        - "--certificatesresolvers.myresolver.acme.email=xx@xx.xx"
        - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
        - "traefik.http.middlewares.reverse-proxy.ipwhitelist.sourcerange=192.168.1.1"

    ports:
      # The HTTP port
      - "80:80"
      - "443:443"
      # The Web UI (enabled by --api.insecure=true)
      - "8080:8080"

    networks:
      - web

    volumes:
      - "./letsencrypt:/letsencrypt"  
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
  
networks:
  web:
    external: true

Hi @tjc

That middleware label needs to be defined in a dynamic provider; the easiest would be a Docker label or a file provider. You could add this as a label to the traefik container.

The middleware then has to be attached to a router, or you can add middlewares to an entryPoint and they will apply to all routers.

https://doc.traefik.io/traefik/routing/entrypoints/#middlewares
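
The layout described in the reply above, as an added example that is not part of the original posts: the whitelist is defined as a Docker label (dynamic configuration) and attached to a router. The `whoami` service, its image, its router name and the host `whoami.example.test` are assumptions made for illustration; the middleware name `my-ipwhitelist` is borrowed from later in the thread.

```yaml
# Added example, not the poster's file. "whoami" and its host name are hypothetical.
version: '3'

services:
  reverse-proxy:
    image: traefik:v2.4.9
    restart: unless-stopped
    command:
      # Static configuration only: providers and entry points.
      # "traefik.http...." strings do not belong in this list.
      - "--providers.docker"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
    ports:
      - "443:443"
    networks:
      - web
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  whoami:
    image: traefik/whoami
    networks:
      - web
    labels:
      # Dynamic configuration: the Docker provider reads labels on enabled containers.
      - "traefik.enable=true"
      # 1. Define the middleware (same source range as in the question).
      - "traefik.http.middlewares.my-ipwhitelist.ipwhitelist.sourcerange=192.168.1.1"
      # 2. Define the router that serves this container.
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.test`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls=true"
      # 3. Attach the middleware; a defined but unattached middleware filters nothing.
      - "traefik.http.routers.whoami.middlewares=my-ipwhitelist@docker"

networks:
  web:
    external: true
```

The `@docker` suffix names the provider that defined the middleware; a middleware defined in a file provider is referenced as `name@file` instead.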

I created a file called middlewares.yml and placed that in a directory called dynamic.
I added this to volumes:

volumes:
      - "./letsencrypt:/letsencrypt"  
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/home/theo/monitor/traefikV2/logs:/var/log/traefik"
      - "/home/theo/monitor/traefikV2/dynamic:/etc/traefik/dynamic"

Inside middlewares.yml I placed:

http:
  middlewares:
    my-ipwhitelist:
      ipWhiteList:
        sourceRange:
          - "127.0.0.1/32"
          - "192.168.1.1"

and in docker-compose.yml I have:

version: '3'

services:
  reverse-proxy:
    # The official v2 Traefik docker image
    image: traefik:v2.4.9
    restart: unless-stopped
    # Enables the web UI and tells Traefik to listen to docker
    command: 
        - "--log.level=DEBUG"
        - "--accesslog=true"
        - "--accesslog.filepath=/var/log/traefik/access.log"
        - --accesslog.bufferingsize=100
        - "--api.insecure=false" 
        - "--providers.docker"
        - "--providers.docker.exposedbydefault=false"
        - "--entrypoints.web.address=:80"
        - "--entrypoints.websecure.address=:443"
        - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
        - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
        # Comment out the next line to use production
        # - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
        - "--certificatesresolvers.myresolver.acme.email=theocarper@msn.com"
        - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
        # - "traefik.http.middlewares.reverse-proxy.ipwhitelist.sourcerange=192.168.1.1"
        # - "traefik.http.routers.reverse-proxy.middlewares=my-whitelist@docker"
        - "traefik.http.middlewares=my-ipwhitelist@file"
    ports:
      # The HTTP port
      - "80:80"
      - "443:443"
      # The Web UI (enabled by --api.insecure=true)
      - "8080:8080"

    networks:
      - web

    volumes:
      - "./letsencrypt:/letsencrypt"  
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/home/theo/monitor/traefikV2/logs:/var/log/traefik"
      - "/home/theo/monitor/traefikV2/dynamic:/etc/traefik/dynamic"
  
networks:
  web:
    external: true

The bit I'm stuck on is this:

entryPoints:
  websecure:
    address: ':443'
    http:
      middlewares:
        - auth@file
        - strip@file

Where does the auth in auth@file come from?

In my static traefik.yml file I have:

providers:
  file:
    directory: "/etc/traefik/dynamic"

certificatesResolvers:
  myresolver:
    # Enable ACME (Let's Encrypt): automatic SSL.
    acme:

      # Email address used for registration.
      #
      # Required
      #
      email: "my.email@address"

      # File or key used for certificates storage.
      #
      # Required
      #
      storage: "acme.json"
      tlsChallenge:
        
        entryPoint: websecure

      # Use a HTTP-01 ACME challenge.
      #
      # Optional
      #
      httpChallenge:

        # EntryPoint to use for the HTTP-01 challenges.
        #
        # Required
        #
        entryPoint: web

I appended to entryPoint:

entryPoint: web
          http:
            middlewares:
            - my-ipwhitelist@file

But that made no difference.

I added:

entryPoints:
  web:
    address: :80
    http:
      middlewares:
        - my-ipwhitelist@file
  websecure:
    address: :443
    http:
      middlewares:
        - my-ipwhitelist@file

But again this made no difference.
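
For the file-provider route discussed in this thread, an added example (not the poster's configuration) that keeps all static configuration in the compose `command:` list, since Traefik's documentation describes the static sources (configuration file, CLI arguments, environment variables) as mutually exclusive. In a reference such as `auth@file`, the part before `@` is a key under `http.middlewares` in a file-provider file; the relative `./dynamic` host path is an assumption.

```yaml
# docker-compose.yml (added example; ./dynamic is an assumed host path)
version: '3'

services:
  reverse-proxy:
    image: traefik:v2.4.9
    restart: unless-stopped
    command:
      - "--accesslog=true"
      - "--providers.docker"
      - "--providers.docker.exposedbydefault=false"
      # Load dynamic configuration from every file in the mounted directory.
      - "--providers.file.directory=/etc/traefik/dynamic"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Entry-point middlewares are static configuration, so they are flags here.
      # The value is <key in middlewares.yml>@file.
      - "--entrypoints.web.http.middlewares=my-ipwhitelist@file"
      - "--entrypoints.websecure.http.middlewares=my-ipwhitelist@file"
    ports:
      - "80:80"
      - "443:443"
    networks:
      - web
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./dynamic:/etc/traefik/dynamic:ro"

networks:
  web:
    external: true
---
# dynamic/middlewares.yml (dynamic configuration, read by the file provider)
http:
  middlewares:
    my-ipwhitelist:        # referenced above as my-ipwhitelist@file
      ipWhiteList:
        sourceRange:
          - "127.0.0.1/32"
          - "192.168.1.1"
```

With no `ipStrategy` set, the middleware matches the remote address of the connection as Traefik sees it, and the access log records that address for each request, so the log shows which value is being compared against `sourceRange`.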