Ipwhitelist only for a specific route

Hello! I am trying to set up vaultwarden in a way that the route /admin can be accessed only from a subset of private IPs.

This is my compose configuration pastebin here
I am literally just starting with traefik and I have to say it is really confusing.

Why do you set priority=2? That is a low priority, the route will never be reached.


Hello, thank you very much for the comment.
Indeed I got this wrong (the order is the opposite of what I thought it was),
hence I refactored it into this: https://pastebin.com/EjRRwMaB

I also noticed an error here that I adjusted:

  • "traefik.http.routers.vaultwarden-secure-admin.rule=Host(vw.domain.com) && PathPrefix(/admin)" where I had mistyped "vaultwarden-secure-admin"

I tried setting only the vaultwarden-secure-admin priority to 0 and it worked, but it returned "Forbidden" even when accessing from a whitelisted private IP.

I was wondering whether vaultwarden-secure-admin would also need an HTTP router with a redirect middleware, and whether I have to set up the priorities of all 3 routers.

Reading the logs:

172.71.134.241 - - [17/Sep/2023:14:24:53 +0000] "GET /api/config HTTP/2.0" 200 311 "-" "-" 40 "vaultwarden-secure@docker" "http://172.25.0.13:80" 1ms
172.70.247.104 - - [17/Sep/2023:14:25:04 +0000] "GET / HTTP/2.0" 200 1247 "-" "-" 41 "vaultwarden-secure@docker" "http://172.25.0.13:80" 1ms

These IPs 172.7X.XX.XX, I actually do not know what they refer to.

Trying to understand what's happening, this is the whoami output from public:

Hostname: whoami
IP: 127.0.0.1
IP: 172.25.0.20
RemoteAddr: 172.25.0.2:55140
GET / HTTP/1.1
Host: whoami.domain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip
Accept-Language: en-US,en;q=0.5
Cdn-Loop: cloudflare
Cf-Connecting-Ip: X.144.XXX.XXX
Cf-Ipcountry: IT
Cf-Ray: 808211645b002179-CDG
Cf-Visitor: {"scheme":"https"}
Dnt: 1
Priority: u=1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 141.101.XX.XXX
X-Forwarded-Host: whoami.domain.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: cc1c6321d910
X-Real-Ip: 141.10X.XX.XXX

and this from private/local:

Hostname: whoami
IP: 127.0.0.1
IP: 172.25.0.20
RemoteAddr: 172.25.0.1:49771
GET / HTTP/1.1
Host: 172.25.0.20
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Dnt: 1
Upgrade-Insecure-Requests: 1

Edit: 172.71.. is the Cloudflare proxy IP; my actual true IP is Cf-Connecting-Ip. At this point I do not know why it would still return Forbidden when only 172.25.0.0/16 is whitelisted.

up
Sadly not solved yet; the docs are also very poor about this.
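For reference, a Compose label set for the route split this thread is after (public host router, a higher-ranked /admin router carrying the IP allow list, and an HTTP to HTTPS redirect), added here as an illustration and not the poster's pastebin configuration. It assumes Traefik v2 with entrypoints named `web` and `websecure`; the host name, the middleware and service names, and the allowed ranges are placeholders.

```yaml
# Added illustration, not the thread's pastebin. Assumed: Traefik v2, entrypoints
# "web"/"websecure", host name and source ranges are placeholders.
services:
  vaultwarden:
    image: vaultwarden/server:latest
    labels:
      - "traefik.enable=true"

      # Public router: everything under the host.
      - "traefik.http.routers.vaultwarden-secure.rule=Host(`vw.domain.com`)"
      - "traefik.http.routers.vaultwarden-secure.entrypoints=websecure"
      - "traefik.http.routers.vaultwarden-secure.tls=true"
      - "traefik.http.routers.vaultwarden-secure.service=vaultwarden"

      # Admin router: same host plus the /admin prefix. Leave priority unset
      # (or 0): Traefik then ranks routers by rule length, and this rule is
      # longer than the plain Host() rule, so it is evaluated first. A small
      # explicit value such as 2 ranks below the Host() rule and never matches.
      - "traefik.http.routers.vaultwarden-secure-admin.rule=Host(`vw.domain.com`) && PathPrefix(`/admin`)"
      - "traefik.http.routers.vaultwarden-secure-admin.entrypoints=websecure"
      - "traefik.http.routers.vaultwarden-secure-admin.tls=true"
      - "traefik.http.routers.vaultwarden-secure-admin.service=vaultwarden"
      - "traefik.http.routers.vaultwarden-secure-admin.middlewares=admin-allow"

      # HTTP -> HTTPS redirect for the whole host. No separate admin router is
      # needed on "web": the redirect keeps the path, and the HTTPS /admin
      # router applies the allow list after the redirect.
      - "traefik.http.routers.vaultwarden.rule=Host(`vw.domain.com`)"
      - "traefik.http.routers.vaultwarden.entrypoints=web"
      - "traefik.http.routers.vaultwarden.middlewares=to-https"
      - "traefik.http.middlewares.to-https.redirectscheme.scheme=https"
      - "traefik.http.middlewares.to-https.redirectscheme.permanent=true"

      # By default the allow list is compared against the address Traefik sees
      # on the TCP connection (RemoteAddr), not Cf-Connecting-Ip or
      # X-Forwarded-For. A Cloudflare-proxied request is therefore judged by
      # the 172.7x edge address and rejected, which is the wanted outcome for
      # an internal-only admin page. A request from the Docker host may arrive
      # as the bridge gateway (172.25.0.1 in the captures above), so that
      # address, or the LAN range the clients really come from, must be listed.
      - "traefik.http.middlewares.admin-allow.ipwhitelist.sourcerange=172.25.0.0/16,192.168.1.0/24"

      - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"
```

Trusting X-Forwarded-For via `ipwhitelist.ipstrategy.depth` is only safe when every path into Traefik goes through a proxy you control, because any direct client can set that header itself.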