[localhost] excludedIPs = empty IP address

Hi everyone,

I'm learning to use Traefik on my local environment. Currently, I'm trying to set up an IP blacklist to block all requests from a specific IP.

Here's my docker-compose.yml file:

version: '3'

services:
  reverse-proxy:
    restart: always
    # The official v3 Traefik docker image
    image: traefik:v3.1
    # Enables the web UI and tells Traefik to listen to docker
    command: --api.insecure=true --providers.docker
    ports:
      # The HTTP port
      - "80:80"
      - "443:443"
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config/traefik.toml:/etc/traefik/traefik.toml:ro
      - ./logs/traefik/:/etc/traefik/log/
      - ./logs/access/:/etc/traefik/access/
      - ./config/basic_auth.txt:/etc/traefik/basic_auth.txt
      #- ./config/acme.json:/acme.json
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      - ./config/dynamic:/etc/traefik/dynamic
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`${TRAEFIK_API_HOST}`)"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.entrypoints=web,websecure"
      - "traefik.http.routers.api.middlewares=auth"
      - "traefik.http.middlewares.auth.basicauth.usersfile=/etc/traefik/basic_auth.txt"
      - "traefik.http.routers.api.tls=true"
      - "traefik.http.routers.api.tls.certresolver=le_resolver"
      - "certificatesresolvers.myresolver.acme.email=${TRAEFIK_LE_EMAIL}"
    networks:
      - default

networks:
  default:
    external: true
    name: web

Here is my middlewares.toml:

[http.middlewares]
[http.middlewares.global-ip-filter.ipAllowList]
  sourceRange = ["0.0.0.0/0"]
  [http.middlewares.global-ip-filter.ipAllowList.ipStrategy]
    excludedIPs = ["111.222.333.444"]

and here is my traefik.toml:

[entryPoints]
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http]
      middlewares = ["global-ip-filter@file"]
    [entryPoints.web.http.redirections]
      [entryPoints.web.http.redirections.entryPoint]
        to = "websecure"
        scheme = "https"

  [entryPoints.websecure]
    address = ":443"
    [entryPoints.websecure.http]
      middlewares = ["global-ip-filter@file"]
      [entryPoints.websecure.http.tls]
        certResolver= "le_resolver"

My issue is: when I set excludedIPs in my middleware, I get this log error:

2024-08-27T11:01:08+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:80 > Rejecting IP : empty IP address middlewareName=global-ip-filter@file middlewareType=IPAllowLister

If I remove the excludedIPs, I have no error, and I've tried the sourceRange; it works perfectly.

It seems that I've missed something important here, and I need your help to tell me what.

Thanks in advance.

Jordan

You cannot use static config in both traefik.yml and command; decide on one (doc).

When using dynamic config files, you need to load them in static config with providers.file.

I personally suggest using yaml, as it is a lot more common and a lot less typing. Maybe check the simple Traefik example.

Thank you for your feedback.

I have updated my Docker Compose file and my traefik.toml. I'll probably follow your advice about using the .yml file, but for now, I want to focus on my current issue.

I'm still facing the problem with my ipAllowList middleware: as soon as I add excludedIPs, all requests are forbidden. However, I can confirm through my tests that the sourceRange is working properly when I don't use the excludedIPs.

From the doc:

excludedIPs configures Traefik to scan the X-Forwarded-For header and select the first IP not in the list.

Maybe remove the middleware and check your headers with a traefik/whoami target container.
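To make that doc sentence concrete, here is the original poster's middleware rewritten in YAML for the file provider (as the first reply recommends), with the address selection traced in comments. This is an added example, not configuration from the thread or from the Traefik project; the proxy addresses, the trusted range and the X-Forwarded-For values are constructed, and the behaviour of ipStrategy described in the comments is the one stated in the doc sentence quoted above.

```yaml
# --- traefik.yml (static configuration) ---
# Dynamic configuration files are only read when the file provider is
# enabled; /etc/traefik/dynamic is the directory mounted in the compose file.
providers:
  file:
    directory: /etc/traefik/dynamic
    watch: true

entryPoints:
  web:
    address: ":80"
    # X-Forwarded-For is only honoured when it arrives from a trusted
    # proxy; 10.0.0.0/8 is a constructed example of such a proxy range.
    forwardedHeaders:
      trustedIPs:
        - "10.0.0.0/8"
    http:
      middlewares:
        - global-ip-filter@file

---
# --- /etc/traefik/dynamic/middlewares.yml (dynamic configuration) ---
http:
  middlewares:
    global-ip-filter:
      ipAllowList:
        # The allow list proper: only addresses inside these ranges pass.
        sourceRange:
          - "0.0.0.0/0"
        # ipStrategy denies nothing. It decides which address counts as
        # "the client" before sourceRange is checked.
        ipStrategy:
          excludedIPs:
            - "10.0.0.5"   # constructed: internal proxies to skip over
            - "10.0.0.6"
          # Worked trace, following the doc sentence quoted above:
          #
          #   X-Forwarded-For: 203.0.113.7, 10.0.0.5, 10.0.0.6
          #   -> skip the excluded entries -> client IP = 203.0.113.7
          #   -> 203.0.113.7 is inside 0.0.0.0/0 -> request allowed
          #
          #   No X-Forwarded-For header (client connects directly):
          #   -> nothing to select -> client IP = "" -> rejected, which
          #      is the "Rejecting IP : empty IP address" log line from
          #      the original post. Without ipStrategy the connection's
          #      remote address is used, which is why sourceRange alone
          #      worked.
```

The practical check is the one the reply suggests: route a request to a traefik/whoami container with the middleware removed and look at whether an X-Forwarded-For header is present at all; if it is absent, an excludedIPs strategy can never select an address.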

Okay, I think I'm starting to understand. I guess I have misunderstood the middleware IPAllowList. The option ipStrategy.excludedIPs of the middleware IPAllowList isn't used for blacklisting one or several IPs. It's used for finding the client IP according to whatever options are set.

Am I right? And if so, is there a solution to forbid only one IP using Traefik (with a plugin or another middleware that I don't know yet)?

You can simply add a new Traefik router and service to send the IP to whoami ;)

  whoami:
    image: traefik/whoami:v1.8
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.mywhoami.priority=1000
      - traefik.http.routers.mywhoami.rule=ClientIP(`10.76.105.11`)
      - traefik.http.services.mywhoami.loadbalancer.server.port=80

Doc

Or search Traefik plugins (link) for "ip".
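Putting the last reply's idea into a complete dynamic configuration for the file provider, as an added example rather than the thread's or Traefik's own configuration: the router matching the single address gets the highest priority, and instead of forwarding that client to whoami it carries an ipAllowList that no client selected by the router can satisfy, so that address receives a 403 while every other client reaches the application router. The blocked address, the host name, the router, middleware and service names and the backend URL are constructed; the certificate resolver name is the one from the original post.

```yaml
# /etc/traefik/dynamic/block-one-ip.yml (file provider, dynamic configuration)
http:
  routers:
    # Evaluated first because of the explicit high priority (the default
    # priority is the rule length, which a Host() rule would exceed).
    # ClientIP matches the source address of the connection, so this only
    # sees the real client when clients reach Traefik directly; behind
    # another proxy or load balancer it would see that proxy's address.
    blocked-client:
      entryPoints:
        - websecure
      rule: "ClientIP(`203.0.113.7`)"   # constructed blocked address
      priority: 1000
      middlewares:
        - deny-all
      service: app                       # never reached; deny-all answers first
      tls:
        certResolver: le_resolver

    # Everyone else: the normal application router.
    app:
      entryPoints:
        - websecure
      rule: "Host(`app.example.test`)"   # constructed host name
      service: app
      tls:
        certResolver: le_resolver

  middlewares:
    # There is no deny list middleware, so "deny" is an allow list that a
    # client matched by ClientIP(`203.0.113.7`) can never be inside of.
    deny-all:
      ipAllowList:
        sourceRange:
          - "127.0.0.1/32"

  services:
    app:
      loadBalancer:
        servers:
          - url: "http://app:80"         # constructed backend
```

The whoami variant from the reply is still worth running first: it shows the exact address Traefik sees for the client, which is what ClientIP is compared against. Once the deny router is in place, the rejected requests show up in the access log with a 403 and the router name, which is the simplest way to confirm the rule is matching the intended address and nothing else.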