Is it possible to use a yaml list for whitelisting groups in config.yml?

zoomba · August 27, 2023, 11:39am

Is something like this even possible?

  middlewares:
    test-whitelist-group:
      - "1.1.1.1/32"
      - "2.2.2.2/32"

    first-whitelist:
      ipWhiteList:
        sourceRange: ${test-whitelist-group}

    second-whitelist:
      ipWhiteList:
        sourceRange: 
          - ${test-whitelist-group}
          - "1.2.3.4/32"
...

bluepuma77 · August 27, 2023, 3:00pm

Middlewares are usually dynamic config, you can create those in a dynamic config file, which you can load via providers.file in static config.

There is ipwhitelist for http and TCP routers, check the doc.

zoomba · August 28, 2023, 11:09am

Hey, and yes, that is exactly what I do.

I load the dynamic config.yml within the static traefik.yml file, but I couldn't get this to work, or anything similar.

bluepuma77 · August 28, 2023, 11:42am

Did you assign the middlewares globally to entrypoint or to the routers?

zoomba · August 28, 2023, 12:32pm

Assigned to a router.

{"entryPointName":"web-secure","level":"error","msg":"cannot parse CIDR whitelist [${test-whitelist-group}]: parsing CIDR trusted IPs \u003cnil\u003e: invalid CIDR address: ${test-whitelist-group}","routerName":"test-router@file","time":"2023-08-27T13:41:15+02:00"}

bluepuma77 · August 28, 2023, 1:29pm

Seems your templating does not work and ${test-whitelist-group} was not replaced with the value.

Share your full Traefik static and dynamic config, and docker-compose.yml if used.

zoomba · August 28, 2023, 1:47pm

Dynamic:

tls:
  options:
    default:
      sniStrict: true
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/certs/home.local.crt
        keyFile: /etc/traefik/certs/home.local.key
  certificates:
    - certFile: /etc/traefik/certs/home.local.crt
      keyFile: /etc/traefik/certs/home.local.key
      stores:
        - default

http:
  routers:
    example-router:
      rule: Host(`example.home.local`)
      entryPoints:
        - web-secure
      middlewares:
        - test-whitelist
      service: test-service
      tls:
        domains:
          - main: "*.home.local"

 middlewares:
    test-whitelist:
    ipWhiteList:
      sourceRange:
          - "10.0.0.0/8"
          - "172.16.0.0/12"
          - "192.168.0.0/16"

  services:
    test-service:
      loadBalancer:
        servers:
          - url: https://some-other-local-host:443

This works, although I have 20+ routers, and each have the same sub-group of allowed hosts, and some additional hosts.
So for example, all of them have:

- "1.1.1.1/32"
- "2.2.2.2/32"
- "3.3.3.3/32"

And only some have.

- "4.4.4.4"

What I want to do, is set a static group for all routers:

management-group-whitelist:
  ipWhiteList:
    sourceRange:
      - "1.1.1.1/32"
      - "2.2.2.2/32"
      - "3.3.3.3/32"

whatever-the-fuck-whitelist:
  ipWhiteList:
    sourceRange:
      - "4.4.4.4/32"

So I can add my custom one only where I need it, and make configuration easier.

 example-router:
      rule: Host(`example.home.local`)
      entryPoints:
        - web-secure
      middlewares:
        - management-group-whitelist
        - whatever-the-fuck-whitelist

Static:

log:
  filePath: /var/log/traefik/traefik.log
  format: json
  level: INFO

accessLog:
  format: json
  filePath: /var/log/traefik/access.log
  bufferingSize: 2000
  fields:
    names:
      StartLocal: keep
      StartUTC: drop
      ServiceAddr: keep
      ServiceURL: drop
    headers:
      names:
        Referrer: keep
        Authorization: drop
        User-Agent: keep

api:
  dashboard: true

serversTransport:
  rootCAs:
    - [REDACTED]
  insecureSkipVerify: false

providers:
  file:
    filename: /etc/traefik/config.yml
    watch: true

entryPoints:
  web:
    address: 0.0.0.0:80
    http:
      redirections:
        entryPoint:
          to: web-secure
          scheme: https
          permanent: true

  web-secure:
    address: 0.0.0.0:443
    forwardedHeaders:
      trustedIPs:
        - "127.0.0.1/32"
        - "10.0.0.0/8" 
        - "192.168.0.0/16"
        - "172.16.0.0/12" 

certificatesResolvers:
  le:
    acme:
      email: [REDACTED]
      storage: [REDACTED]
      dnsChallenge:
        provider: [REDACTED]
        delayBeforeCheck: "0"
        resolvers:
          - [REDACTED]

bluepuma77 · August 28, 2023, 7:14pm

That should work.

As stated before, the last error you shared was about a template variable (${test-whitelist-group}), that should have been replaced, but was not, otherwise it would not have been shown in the error message.

zoomba · August 29, 2023, 10:26am

My thoughts exactly, "should work", but it doesn't because the middlewares aren't chained. Only the last one is applied, while the management-group-whitelist is being completely ignored.

Also there isn't any way to template and use lists, which is what I'm aiming at.

bluepuma77 · August 29, 2023, 1:56pm

If it should work but does not, then open an issue at Traefik Github.

YAML files can re-use blocks, see for example this article.

zoomba · August 30, 2023, 9:43am

Unfortunately that didn't help, and neither did this:

An issue seems to be opened for quite some time and there doesn't seem to be any activity on it:

github.com/traefik/traefik

OR-Chained middlewares

opened 07:38AM - 12 Dec 19 UTC

kolaente

kind/proposal area/middleware

### Do you want to request a *feature* or report a *bug*?  Feature ### What did you expect to see?  It would be cool if traefik could support chaining middlewares with or instead of executing them one after one. Currently, there is the [chain middleware](https://docs.traefik.io/middlewares/chain/), which executes middlewares one after the other. The thing I have in mind would be to execute the first one in the list, if that fails execute the second one etc. A problem here might be a middleware does not "fail" or "succeed", it either calls the next one or does not iirc. A bit more context on the use case: We have one site which we want to secure using ip whitelist and basic auth, either one should work. If a user accesses the site not on the ip whitelist, it should need to complete the basic auth. I'm not sure if a general way of doing this is a good idea or if the use case is too specific and thus, a custom thing would be better suited. I've discussed this a bit in https://github.com/justinas/alice/issues/50

bluepuma77 · August 30, 2023, 12:57pm

Ok, now I see the challenge. You really need an "OR" to match at least one of the middlewares, the first one can fail, but the second one could be okay and still let the request succeed.

There is a middleware to chain (doc), but nothing for "OR". Traefik is open source, you could (let someone else) implement it and do a pull request.

zoomba · August 30, 2023, 2:47pm

I have tried the chain middleware, but it did not work as expected, only the last whitelist in the chain was applied.

Of course...

Thank you for the help though.