zoomba
August 27, 2023, 11:39am
1
Is something like this even possible?
middlewares:
  test-whitelist-group:
    - "1.1.1.1/32"
    - "2.2.2.2/32"
  first-whitelist:
    ipWhiteList:
      sourceRange: ${test-whitelist-group}
  second-whitelist:
    ipWhiteList:
      sourceRange:
        - ${test-whitelist-group}
        - "1.2.3.4/32"
...
Middlewares are usually dynamic config; you can create those in a dynamic config file, which you can load via providers.file in static config.
There is ipwhitelist for http and TCP routers, check the doc.
zoomba
August 28, 2023, 11:09am
3
Hey, and yes, that is exactly what I do. I load the dynamic config.yml within the static traefik.yml file, but I couldn't get this to work, or anything similar.
Did you assign the middlewares globally to the entrypoint or to the routers?
zoomba
August 28, 2023, 12:32pm
5
Assigned to a router.
{"entryPointName":"web-secure","level":"error","msg":"cannot parse CIDR whitelist [${test-whitelist-group}]: parsing CIDR trusted IPs \u003cnil\u003e: invalid CIDR address: ${test-whitelist-group}","routerName":"test-router@file","time":"2023-08-27T13:41:15+02:00"}
Seems your templating does not work and ${test-whitelist-group} was not replaced with the value.
Share your full Traefik static and dynamic config, and docker-compose.yml if used.
zoomba
August 28, 2023, 1:47pm
7
Dynamic:
tls:
  options:
    default:
      sniStrict: true
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/certs/home.local.crt
        keyFile: /etc/traefik/certs/home.local.key
  certificates:
    - certFile: /etc/traefik/certs/home.local.crt
      keyFile: /etc/traefik/certs/home.local.key
      stores:
        - default
http:
  routers:
    example-router:
      rule: Host(`example.home.local`)
      entryPoints:
        - web-secure
      middlewares:
        - test-whitelist
      service: test-service
      tls:
        domains:
          - main: "*.home.local"
  middlewares:
    test-whitelist:
      ipWhiteList:
        sourceRange:
          - "10.0.0.0/8"
          - "172.16.0.0/12"
          - "192.168.0.0/16"
  services:
    test-service:
      loadBalancer:
        servers:
          - url: https://some-other-local-host:443
This works, although I have 20+ routers, and each has the same sub-group of allowed hosts plus some additional hosts.
So for example, all of them have:
- "1.1.1.1/32"
- "2.2.2.2/32"
- "3.3.3.3/32"
And only some have:
- "4.4.4.4"
What I want to do is set a static group for all routers:
management-group-whitelist:
  ipWhiteList:
    sourceRange:
      - "1.1.1.1/32"
      - "2.2.2.2/32"
      - "3.3.3.3/32"
whatever-the-fuck-whitelist:
  ipWhiteList:
    sourceRange:
      - "4.4.4.4/32"
So I can add my custom one only where I need it and make the configuration easier:
example-router:
  rule: Host(`example.home.local`)
  entryPoints:
    - web-secure
  middlewares:
    - management-group-whitelist
    - whatever-the-fuck-whitelist
Static:
log:
  filePath: /var/log/traefik/traefik.log
  format: json
  level: INFO
accessLog:
  format: json
  filePath: /var/log/traefik/access.log
  bufferingSize: 2000
  fields:
    names:
      StartLocal: keep
      StartUTC: drop
      ServiceAddr: keep
      ServiceURL: drop
    headers:
      names:
        Referrer: keep
        Authorization: drop
        User-Agent: keep
api:
  dashboard: true
serversTransport:
  rootCAs:
    - [REDACTED]
  insecureSkipVerify: false
providers:
  file:
    filename: /etc/traefik/config.yml
    watch: true
entryPoints:
  web:
    address: 0.0.0.0:80
    http:
      redirections:
        entryPoint:
          to: web-secure
          scheme: https
          permanent: true
  web-secure:
    address: 0.0.0.0:443
    forwardedHeaders:
      trustedIPs:
        - "127.0.0.1/32"
        - "10.0.0.0/8"
        - "192.168.0.0/16"
        - "172.16.0.0/12"
certificatesResolvers:
  le:
    acme:
      email: [REDACTED]
      storage: [REDACTED]
      dnsChallenge:
        provider: [REDACTED]
        delayBeforeCheck: "0"
        resolvers:
          - [REDACTED]
That should work.
As stated before, the last error you shared was about a template variable (${test-whitelist-group}) that should have been replaced but was not; otherwise it would not have shown up in the error message.
zoomba
August 29, 2023, 10:26am
9
My thoughts exactly, "should work", but it doesn't, because the middlewares aren't chained. Only the last one is applied, while the management-group-whitelist is being completely ignored.
Also, there isn't any way to template and use lists, which is what I'm aiming at.
If it should work but does not, then open an issue on the Traefik GitHub.
YAML files can re-use blocks, see for example this article.
zoomba
August 30, 2023, 9:43am
11
Unfortunately that didn't help, and neither did this:
An issue seems to have been open for quite some time, and there doesn't seem to be any activity on it:
opened 07:38AM - 12 Dec 19 UTC
kind/proposal
area/middleware
### Do you want to request a *feature* or report a *bug*?
Feature
### What did you expect to see?
It would be cool if traefik could support chaining middlewares with OR instead of executing them one after another. Currently, there is the [chain middleware](https://docs.traefik.io/middlewares/chain/), which executes middlewares one after the other. The thing I have in mind would be to execute the first one in the list, and if that fails, execute the second one, etc. A problem here might be that a middleware does not "fail" or "succeed"; it either calls the next one or does not, iirc.
A bit more context on the use case:
We have one site which we want to secure using ip whitelist and basic auth, either one should work. If a user accesses the site not on the ip whitelist, it should need to complete the basic auth.
I'm not sure if a general way of doing this is a good idea or if the use case is too specific and thus, a custom thing would be better suited.
I've discussed this a bit in https://github.com/justinas/alice/issues/50
Ok, now I see the challenge. You really need an "OR" to match at least one of the middlewares: the first one can fail, but the second one could be okay and still let the request succeed.
There is a middleware to chain (doc), but nothing for "OR". Traefik is open source, you could (let someone else) implement it and do a pull request.
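To make the behaviour discussed in this thread concrete, here is an added Python model (not Traefik's code) of how stacked ipWhiteList middlewares combine: each list is evaluated on its own and the first rejection ends the request, so two lists on one router (or in a chain) act as an AND, while the single merged sourceRange of the earlier working config is the OR. The middleware names and sample ranges are constructed; ipStrategy and forwarded headers are not modelled.

```python
import ipaddress


class AllowList:
    """Models one Traefik ipWhiteList middleware: the request passes only if the
    client IP falls inside at least one sourceRange CIDR (ipStrategy is ignored)."""

    def __init__(self, name, source_range):
        self.name = name
        self.ranges = [ipaddress.ip_network(c, strict=True) for c in source_range]

    def permits(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in self.ranges)


def evaluate_chain(client_ip, middlewares):
    """Model a router's `middlewares: [a, b]` (or the chain middleware): each
    list runs in turn and the first rejection ends the request, so the chain is
    an AND of the lists. Returns the rejecting middleware's name, or None when
    the request reached the service."""
    for mw in middlewares:
        if not mw.permits(client_ip):
            return mw.name
    return None


def merge_allow_lists(name, *lists):
    """The OR the thread is after: one middleware whose sourceRange is the
    concatenation of the groups, like the single-middleware config that worked."""
    return AllowList(name, [str(net) for mw in lists for net in mw.ranges])


# Constructed sample data mirroring the groups described in the thread.
MGMT = AllowList("management-group-whitelist", ["1.1.1.1/32", "2.2.2.2/32", "3.3.3.3/32"])
EXTRA = AllowList("extra-whitelist", ["4.4.4.4/32"])
MERGED = merge_allow_lists("merged-whitelist", MGMT, EXTRA)

if __name__ == "__main__":
    # A client in only one group is rejected by the other when chained,
    # but admitted by the merged list; 9.9.9.9 is rejected either way.
    for client in ("1.1.1.1", "4.4.4.4", "9.9.9.9"):
        print(f"{client:>8}  chained -> rejected by {evaluate_chain(client, [MGMT, EXTRA])!r}"
              f"  merged -> rejected by {evaluate_chain(client, [MERGED])!r}")
```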
zoomba
August 30, 2023, 2:47pm
13
I have tried the chain middleware, but it did not work as expected, only the last whitelist in the chain was applied.
Of course...
Thank you for the help though.