I am facing a major problem that I cannot quite understand so I hope someone will be able to explain it to me.
I am running multiple services via Docker and expose them with traefik (e. g. via URL scheme app1.mydomain.com).
mydomain.com is pointing to my router's public IP address and port forwarding to the server hosting traefik is enabled.
So far, everything is working fine and I can access my application app1 over the Internet.
Now, I want to restrict access for a second application app2 so that it is accessible via app2.mydomain.com but from my LAN only. In order to do that, I created custom DNS entries in my Adguard Home and routed them to my traefik's server IP. In traefik, I configured an ipWhitelist middleware with the sourceRange 192.168.178.0/24 and attached it to the router of app2.
If I use Google Chrome on my Android phone with WiFi enabled, the request succeeds.
If I use Google Chrome on my Android phone with WiFi disabled, the request fails (as expected) with a 403 Forbidden.
Now here's the thing that I don't understand:
If I use a different browser (Brave) on my Android phone with Wifi disabled, the request succeeds! How is this possible? For me, this is a major security implicaiton as I have been hosting sensitive services this way and it seems they were somehow accessible via Internet all along?
I even completely reset Brave (because I thought maybe it somehow cached my internal IP address) and retried but still I can access app2 over the Internet.
So to me it seems an attacker could access all of my sensitive applications by simply spoofing their IP address to be an internal one!?
How can I effectively prevent this?
192.168.178.0/24 is private and can’t be routed over the Internet.
If the domain DNS is only in you local network, how can you access it via Internet?
What is Traefik access log showing you?
It really is strange.
Both times, I can see the same IP address (my phone's IP address assigned by my ISP) in the access logs.
When accessing via Chrome (403 Forbidden):
109.42.11x.1xx - - [07/Aug/2023:19:03:38 +0000] "GET / HTTP/2.0" 403 9 "-" "-" 78 "jd2@docker" "-" 0ms
109.42.11x.1xx - - [07/Aug/2023:19:03:38 +0000] "GET /favicon.ico HTTP/2.0" 403 9 "-" "-" 79 "jd2@docker" "-" 0ms
When accessing via Brave (200 OK):
109.42.11x.1xx - - [07/Aug/2023:19:03:08 +0000] "GET / HTTP/1.1" 200 10439 "-" "-" 16 "x-jd2@docker" "http://172.19.0.2:5800" 1ms
109.42.11x.1xx - - [07/Aug/2023:19:03:09 +0000] "GET /app/styles/font-awesome.min.css?v=9a02bd6236 HTTP/1.1" 304 0 "-" "-" 17 "x-jd2@docker" "http://172.19.0.2:5800" 0ms
I cannot wrap my head around why two different browsers are being treated differently?
This is my static config file:
This is my dynamic config file:
Labels for my app2 service:
mydomain.com can also be publicly resolved to my router's IP address!
Ok I think I found the issue myself...
Apparently the http entrypoint was still working because I didn't assign it with the middleware. I added it now (4th line) and access is being blocked:
However, now it is the other way round: When WiFi is enabled I receive 403 Forbidden although I can see my IP address is in the allowed range?
192.168.178.73 - - [07/Aug/2023:19:20:20 +0000] "GET / HTTP/2.0" 403 9 "-" "-" 415 "jd2@docker" "-" 0ms
192.168.178.73 - - [07/Aug/2023:19:20:20 +0000] "GET /favicon.ico HTTP/2.0" 403 9 "-" "-" 416 "jd2@docker" "-" 0ms
EDIT: Solved it finally. Sometimes you have to ask first before you come up with the solution.
Still, thanks a lot @bluepuma77 as your hint with the access log led me to success!
I had to specify a global redirection scheme rather than via middleware:
and adjust the labels the following way:
Maybe Brave is using http and therefore no middlewares.
This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.