Limiting Clients to Specific IPs: IPWhiteList

Hello;
I would like to limit access to my DNS link mycompagny.com.
I am using a GKE Kubernetes cluster and Traefik v2.
I use the configuration from the Traefik documentation.

Here is my configuration:

Middleware.yaml

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: prometheus-ipwhitelist
  namespace: monitoring
spec:
  ipWhiteList:
    sourceRange:
      - 22.214.169.73
      - 93.20.191.33
      - 67.18.89.28

ingressroute.yaml

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: grafana
  namespace: monitoring
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`mycompagny.com`)
      services:
        - name: prometheus-operator-grafana
          port: 80
      # secure web_ui
      middlewares:
      - name: prometheus-ipwhitelist
  tls:
    certResolver: myresolver

After a kubectl apply -f
When I open the DNS link mycompagny.com, the result is: Forbidden
Thank you in advance for your help

No one got a clue on this?

Hello, I was able to solve my problem.
The problem occurs when I try to access my mycompagny.com domain name from the IPs listed in sourceRange.
Once the traffic arrives on the cluster, there is an IP address translation (NAT principle); since it is not the correct source IP address that arrives at the Traefik level, the middleware blocks the traffic.

To solve the problem, it is necessary to modify the Service of the ingress controller by adding externalTrafficPolicy: Local. This allows preserving the client source IP.

See the Kubernetes documentation.

apiVersion: v1
kind: Service
metadata:
  name: traefik
  labels:
    app: traefik
spec:
  externalTrafficPolicy: Local
  type: LoadBalancer
  ports:
    - name: http
      port: 80
      targetPort: web
    - name: https
      port: 443
      targetPort: websecure
  selector:
    app: traefik

And it works great
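The failure mode in this thread, as an added example that is not part of the original posts: a small Python model of the ipWhiteList decision that shows why the same client IP is rejected when the Service SNATs the connection (externalTrafficPolicy defaulting to Cluster) and accepted once the policy is Local, plus a configuration check a practitioner can run before trusting the allowlist. The sourceRange values are the ones from the thread; the node address 10.128.0.5 and the one-line SNAT model are constructed assumptions, not Traefik or Kubernetes code.

```python
import ipaddress

# Allowlist taken from the thread's Middleware manifest (spec.ipWhiteList.sourceRange).
SOURCE_RANGE = ["22.214.169.73", "93.20.191.33", "67.18.89.28"]

# Constructed value: a node address Traefik would see as the peer once
# kube-proxy has SNATed the connection (externalTrafficPolicy: Cluster).
NODE_IP_AFTER_SNAT = "10.128.0.5"


def parse_source_range(entries):
    """sourceRange accepts single IPs or CIDRs; normalise both to networks."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def ip_allowed(source_range, peer_ip):
    """The ipWhiteList decision: the peer address that reaches Traefik must
    fall inside one of the configured ranges, otherwise the request is 403."""
    peer = ipaddress.ip_address(peer_ip)
    return any(peer in net for net in parse_source_range(source_range))


def peer_ip_seen_by_traefik(service_spec, client_ip, node_ip=NODE_IP_AFTER_SNAT):
    """Simplified (assumed) model of the Service setting: Local preserves the
    client IP, the default Cluster policy replaces it with a node address."""
    policy = service_spec.get("externalTrafficPolicy", "Cluster")
    return client_ip if policy == "Local" else node_ip


def request_outcome(service_spec, source_range, client_ip):
    """HTTP status the thread observed: 403 before the fix, 200 after it."""
    peer = peer_ip_seen_by_traefik(service_spec, client_ip)
    return 200 if ip_allowed(source_range, peer) else 403


def lint_traefik_service(service_spec):
    """Pre-deployment check: an IP allowlist is only meaningful if the
    Service keeps the real client address. Returns a list of findings."""
    findings = []
    if service_spec.get("externalTrafficPolicy") != "Local":
        findings.append("externalTrafficPolicy is not Local: ipWhiteList "
                        "will evaluate node IPs, not client IPs")
    return findings


if __name__ == "__main__":
    before = {"type": "LoadBalancer"}                                   # as in the question
    after = {"type": "LoadBalancer", "externalTrafficPolicy": "Local"}  # as in the fix
    for name, spec in (("before", before), ("after", after)):
        print(name, request_outcome(spec, SOURCE_RANGE, "93.20.191.33"),
              lint_traefik_service(spec))
```

When Traefik sits behind a further trusted proxy that sets X-Forwarded-For instead of preserving the TCP peer address, the middleware's ipStrategy settings (depth, excludedIPs) are the place to tell it which header entry to trust; that is a separate configuration from the Service change shown in the thread.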

