[localhost] excludedIPs = empty IP address

numero26 · August 27, 2024, 9:54am

Hi everyone,

I'm learning to use Traefik on my local environment. Currently, I'm trying to set up an IP blacklist to block all requests from a specific IP.

Here's my docker-compose.yml file:

version: '3'

services:
  reverse-proxy:
    restart: always
    # The official v2 Traefik docker image
    image: traefik:v3.1
    # Enables the web UI and tells Traefik to listen to docker
    command: --api.insecure=true --providers.docker
    ports:
      # The HTTP port
      - "80:80"
      - "443:443"
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config/traefik.toml:/etc/traefik/traefik.toml:ro
      - ./logs/traefik/:/etc/traefik/log/
      - ./logs/access/:/etc/traefik/access/
      - ./config/basic_auth.txt:/etc/traefik/basic_auth.txt
      #- ./config/acme.json:/acme.json
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      - ./config/dynamic:/etc/traefik/dynamic
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`${TRAEFIK_API_HOST}`)"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.entrypoints=web,websecure"
      - "traefik.http.routers.api.middlewares=auth"
      - "traefik.http.middlewares.auth.basicauth.usersfile=/etc/traefik/basic_auth.txt"
      - "traefik.http.routers.api.tls=true"
      - "traefik.http.routers.api.tls.certresolver=le_resolver"
      - "certificatesresolvers.myresolver.acme.email=${TRAEFIK_LE_EMAIL}"
    networks:
      - default

networks:
  default:
    external: true
    name: web

Here my middlewares.toml

[http.middlewares]
[http.middlewares.global-ip-filter.ipAllowList]
  sourceRange = ["0.0.0.0/0"]
  [http.middlewares.global-ip-filter.ipAllowList.ipStrategy]
   excludedIPs = ["111.222.333.444"]

and here my treafic.toml :


[entryPoints]
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http]
      middlewares = ["global-ip-filter@file"]
    [entryPoints.web.http.redirections]
      [entryPoints.web.http.redirections.entryPoint]
        to = "websecure"
        scheme = "https"

  [entryPoints.websecure]
    address = ":443"
    [entryPoints.websecure.http]
      middlewares = ["global-ip-filter@file"]
      [entryPoints.websecure.http.tls]
        certResolver= "le_resolver"

My issue is : when i set an excludeIps in my middleware, i have this log error

2024-08-27T11:01:08+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:80 > Rejecting IP : empty IP address middlewareName=global-ip-filter@file middlewareType=IPAllowLister

if i remove the excludeIPs, i have no error and i've try the sourcerange, it works perfectly.

It seems that i've missed something important here and i need your help to tell me what.

Thanks in advance.

Jordan

bluepuma77 · August 27, 2024, 12:50pm

You can not use static config in traefik.yml and command, decide for one (doc).

When using dynamic config files, you need to load them in static config with providers.file.

I personally suggest to use yaml, as it is a lot more common and a lot less typing. Maybe check simple Traefik example.

numero26 · August 27, 2024, 1:47pm

Thank you for your feedback.

I have updated my Docker Compose file and my traefik.toml. I'll probably follow your advice about using the .yml file, but for now, I want to focus on my current issue.

I'm still facing the problem with my ipallowlist middleware: as soon as I add an excludeIPs, all requests are forbidden. However, I can confirm through my tests that the sourcerange is working properly when i don't use the excludeIPs.

bluepuma77 · August 27, 2024, 7:23pm

From the doc:

excludedIPs configures Traefik to scan the X-Forwarded-For header and select the first IP not in the list.

Maybe remove the middleware and check with traefik/whoami target container your headers.

numero26 · August 28, 2024, 7:17am

Okay, I think I'm starting to understand. I guess I have misunderstood the middleware IPAllowList. The option ipStrategy.excludedIPs of the middleware IPAllowList isn't used for blacklisting one or several IPs. It's useful for finding the clientIP according to eventual options.

Am I right? And if I'm right, is there a solution to forbid only 1 IP using Traefik (thanks to a plugin or another middleware that i don't know yet) ?

bluepuma77 · August 28, 2024, 2:11pm

You can simply add a new Traefik router and service to send the IP to whoami

  whoami:
    image: traefik/whoami:v1.8
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.mywhoami.priority=1000
      - traefik.http.routers.mywhoami.rule=ClientIP(`10.76.105.11`)
      - traefik.http.services.mywhoami.loadbalancer.server.port=80

Doc

Or search Traefik plugins (link) for "ip".

Topic		Replies	Views
Traefik in Docker gets Docker network ip instead of real one randomly Traefik v2 docker	7	2089	March 30, 2024
IPWhitelist not working Traefik v2 docker , middleware	2	4304	August 1, 2021
ipWhiteList with excludedIPs setting will result in empty IP address when there is 1 IP address in X-Forwarded-For Header Traefik v2 middleware	2	2027	April 10, 2024
How to whitelist specific IP address for HTTP Basic Auth? Traefik v1 docker-swarm	0	869	December 26, 2019
How to filter one specific container by IP address, and have a default filtering for all containers? Traefik v2 docker , middleware	0	2009	November 26, 2019

[localhost] excludedIPs = empty IP address

Related topics