Is it possible to use a yaml list for whitelisting groups in config.yml?

Is something like this even possible?

  middlewares:
    test-whitelist-group:
      - "1.1.1.1/32"
      - "2.2.2.2/32"

    first-whitelist:
      ipWhiteList:
        sourceRange: ${test-whitelist-group}

    second-whitelist:
      ipWhiteList:
        sourceRange: 
          - ${test-whitelist-group}
          - "1.2.3.4/32"
...

Middlewares are usually dynamic config; you can create them in a dynamic config file, which you load via providers.file in the static config.

There is ipWhiteList for HTTP and TCP routers; check the docs.

Hey, and yes, that is exactly what I do.

I load the dynamic config.yml from the static traefik.yml file, but I couldn't get this, or anything similar, to work.

Did you assign the middlewares globally to the entrypoint or to the routers?

Assigned to a router.

{"entryPointName":"web-secure","level":"error","msg":"cannot parse CIDR whitelist [${test-whitelist-group}]: parsing CIDR trusted IPs \u003cnil\u003e: invalid CIDR address: ${test-whitelist-group}","routerName":"test-router@file","time":"2023-08-27T13:41:15+02:00"}

Seems your templating does not work and ${test-whitelist-group} was not replaced with the value.

Share your full Traefik static and dynamic config, and docker-compose.yml if used.

Dynamic:

tls:
  options:
    default:
      sniStrict: true
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/certs/home.local.crt
        keyFile: /etc/traefik/certs/home.local.key
  certificates:
    - certFile: /etc/traefik/certs/home.local.crt
      keyFile: /etc/traefik/certs/home.local.key
      stores:
        - default

http:
  routers:
    example-router:
      rule: Host(`example.home.local`)
      entryPoints:
        - web-secure
      middlewares:
        - test-whitelist
      service: test-service
      tls:
        domains:
          - main: "*.home.local"

  middlewares:
    test-whitelist:
      ipWhiteList:
        sourceRange:
          - "10.0.0.0/8"
          - "172.16.0.0/12"
          - "192.168.0.0/16"

  services:
    test-service:
      loadBalancer:
        servers:
          - url: https://some-other-local-host:443

This works, although I have 20+ routers, and each has the same sub-group of allowed hosts, plus some additional hosts.
So for example, all of them have:

- "1.1.1.1/32"
- "2.2.2.2/32"
- "3.3.3.3/32"

And only some have:

- "4.4.4.4"

What I want to do, is set a static group for all routers:

management-group-whitelist:
  ipWhiteList:
    sourceRange:
      - "1.1.1.1/32"
      - "2.2.2.2/32"
      - "3.3.3.3/32"

whatever-the-fuck-whitelist:
  ipWhiteList:
    sourceRange:
      - "4.4.4.4/32"

So I can add my custom one only where I need it, and make configuration easier.

    example-router:
      rule: Host(`example.home.local`)
      entryPoints:
        - web-secure
      middlewares:
        - management-group-whitelist
        - whatever-the-fuck-whitelist

Static:

log:
  filePath: /var/log/traefik/traefik.log
  format: json
  level: INFO

accessLog:
  format: json
  filePath: /var/log/traefik/access.log
  bufferingSize: 2000
  fields:
    names:
      StartLocal: keep
      StartUTC: drop
      ServiceAddr: keep
      ServiceURL: drop
    headers:
      names:
        Referrer: keep
        Authorization: drop
        User-Agent: keep

api:
  dashboard: true

serversTransport:
  rootCAs:
    - [REDACTED]
  insecureSkipVerify: false

providers:
  file:
    filename: /etc/traefik/config.yml
    watch: true

entryPoints:
  web:
    address: 0.0.0.0:80
    http:
      redirections:
        entryPoint:
          to: web-secure
          scheme: https
          permanent: true

  web-secure:
    address: 0.0.0.0:443
    forwardedHeaders:
      trustedIPs:
        - "127.0.0.1/32"
        - "10.0.0.0/8" 
        - "192.168.0.0/16"
        - "172.16.0.0/12" 

certificatesResolvers:
  le:
    acme:
      email: [REDACTED]
      storage: [REDACTED]
      dnsChallenge:
        provider: [REDACTED]
        delayBeforeCheck: "0"
        resolvers:
          - [REDACTED]

That should work.

As stated before, the last error you shared was about a template variable (${test-whitelist-group}) that should have been replaced but was not; otherwise it would not have shown up in the error message.

My thoughts exactly, "should work", but it doesn't, because the middlewares aren't chained. Only the last one is applied, while the management-group-whitelist is completely ignored.

Also, there isn't any way to template and use lists, which is what I'm aiming at.

If it should work but does not, then open an issue on Traefik's GitHub.

YAML files can re-use blocks; see for example this article.

Unfortunately that didn't help, and neither did this:

An issue seems to have been open for quite some time, and there doesn't seem to be any activity on it:

Ok, now I see the challenge. You really need an "OR" to match at least one of the middlewares: the first one can fail, but the second one could be okay and still let the request succeed.

There is a middleware to chain (doc), but nothing for "OR". Traefik is open source; you could (let someone else) implement it and open a pull request.
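Since chained ipWhiteList middlewares are evaluated as AND (a client must pass every one of them) and Traefik has no OR, the practical workaround is to compute the union of the shared group and each router's extra ranges before Traefik ever sees the file, and emit one ipWhiteList per router. The script below is an added example for this thread, not code from the original posts or from the Traefik project. The group name "management", the router and service names, the bare host "4.4.4.4" and the CIDRs are constructed sample data; it uses only the Python standard library and writes YAML by hand so there is no dependency on a YAML library.

```python
"""Emit a Traefik dynamic-config fragment with merged ipWhiteList ranges.

Added example, not from the forum thread or from Traefik itself. Every router
gets its own ipWhiteList whose sourceRange is the union of the named groups plus
the router's extra ranges, which gives the OR semantics chaining cannot.
"""
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample data (assumption): one shared group, two routers.
GROUPS: Dict[str, List[str]] = {
    "management": ["1.1.1.1/32", "2.2.2.2/32", "3.3.3.3/32"],
}
ROUTERS: Dict[str, Dict] = {
    "example-router": {
        "host": "example.home.local",
        "service": "test-service",
        "groups": ["management"],
        "extra": ["4.4.4.4"],  # bare address, normalised to /32 below
    },
    "other-router": {
        "host": "other.home.local",
        "service": "other-service",
        "groups": ["management"],
        "extra": [],
    },
}


def normalise_cidr(value: str) -> str:
    """Parse a CIDR or bare IP strictly and return the canonical 'net/prefix'.

    strict=True rejects networks with host bits set (e.g. 10.0.0.1/8), a typo
    that Traefik would otherwise accept as the whole 10.0.0.0/8.
    """
    return str(ipaddress.ip_network(value.strip(), strict=True))


def is_valid_cidr(value: str) -> bool:
    """True if the value parses as a CIDR; unexpanded templates such as
    '${test-whitelist-group}' fail here instead of at Traefik startup."""
    try:
        normalise_cidr(value)
        return True
    except ValueError:
        return False


def merge_ranges(groups: Dict[str, List[str]], group_names: Iterable[str],
                 extra: Iterable[str]) -> List[str]:
    """Union of the named groups and the extras: deduplicated, collapsed
    (ranges covered by a wider one are dropped) and sorted per IP version."""
    raw = [c for g in group_names for c in groups[g]] + list(extra)
    nets = [ipaddress.ip_network(normalise_cidr(c)) for c in raw]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    merged = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return [str(n) for n in merged]


def render_dynamic_config(groups: Dict[str, List[str]], routers: Dict[str, Dict],
                          entrypoint: str = "web-secure") -> str:
    """Render the http.routers and http.middlewares sections as YAML text."""
    lines = ["http:", "  routers:"]
    for name, r in routers.items():
        lines += [
            f"    {name}:",
            f"      rule: Host(`{r['host']}`)",
            "      entryPoints:",
            f"        - {entrypoint}",
            "      middlewares:",
            f"        - {name}-whitelist",
            f"      service: {r['service']}",
        ]
    lines.append("  middlewares:")
    for name, r in routers.items():
        lines += [f"    {name}-whitelist:", "      ipWhiteList:", "        sourceRange:"]
        for cidr in merge_ranges(groups, r["groups"], r["extra"]):
            lines.append(f'          - "{cidr}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_dynamic_config(GROUPS, ROUTERS), end="")
```

The fragment only covers routers and middlewares; the services and tls sections stay in the hand-written file, and both files are picked up if the static config uses providers.file.directory instead of a single filename. Re-run the script whenever the group changes, and treat a parse failure as a hard error: a sourceRange entry Traefik cannot parse makes the middleware (and so the router) fail to load, which is exactly the "invalid CIDR address" error quoted earlier in the thread.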

I have tried the chain middleware, but it did not work as expected, only the last whitelist in the chain was applied.

Of course...

Thank you for the help though.