Middleware Path not blocking multiple forward slashes in url

Hello Traefik Community!
I've been using Traefik v2 for some time now for some small personal sites hosting wordpress.

I have a middleware rule that IP restricts /wp-admin /wp-login.php and /xmlrpc.php

Recently I discovered if someone requests //xmlrpc.php or //////xmlrpc.php it works and completely ignores my middleware. I removed the xmlrpc.php file completely from my wordpress installation and that fixed that but now they are hitting /////wp-login.php. Traefik doesn't seem to care how many forward slashes /// are in the url. If it is not exactly /wp-login.php, it lets it through.

Not sure if this is a bug, but is there a way to fix it?

My wordpress installation is screaming with bots and all sorts of stuff trying to get past my login page.

Sincerely,

alexv305

Dare to share your Traefik static and dynamic config?

I use file based configuration.

Here is my sample config for one of the wordpress sites and the middleware used.

I changed the whitelisted IPs from what I actually use and my domain names have been removed.

filename: mywebsite.yml 

http:
  routers:
    mywebsite-http:
      rule: "Host(`mywebsite.com`,`www.mywebsite.com`)"
      entryPoints:
      - "web"
      service: mywebsite

    mywebsite-https:
      rule: "Host(`mywebsite.com`,`www.mywebsite.com`)"
      entryPoints:
      - "websecure"
      tls:
        certresolver: "production"
        domains:
          - main: "mywebsite.com"
          - main: "www.mywebsite.com"
      service: mywebsite

    mywebsite-http-whitelist:
      rule: "Host(`mywebsite.com`,`www.mywebsite.com`) && Path(`/wp-admin/`,`/wp-login.php`,`/xmlrpc.php`)"
      entryPoints:
      - "web"
      middlewares:
      - test-ipwhitelist
      service: mywebsite

    mywebsite-https-whitelist:
      rule: "Host(`mywebsite.com`,`www.mywebsite.com`) && Path(`/wp-admin/`,`/wp-login.php`,`/xmlrpc.php`)"
      entryPoints:
      - "websecure"
      middlewares:
      - test-ipwhitelist
      tls:
        certresolver: "production"
        domains:
          - main: "mywebsite.com"
          - main: "www.mywebsite.com"
      service: mywebsite

  services:
    mywebsite:
      loadBalancer:
        servers:
        - url: http://192.168.0.100


filename: middlewares.yml

http:
  middlewares:
    test-ipwhitelist:
      ipWhiteList:
        sourceRange:
          - "192.168.0.50/32"
          - "192.168.0.51/32"

Why do you have routers for web/http? Usually that is only redirected to websecure/https, see simple Traefik example.

You don’t need explicit domains when you use Host(). It’s only needed for wildcards.

Path() is the wrong selector, better use PathPrefix().

If your target service responds to multiple slashes (which I think is a security issue in general), then you might want to use RegEx (doc):

HostRegexp , PathPrefix , and Path accept an expression with zero or more groups enclosed by curly braces, which are called named regexps.

Final note: Traefik v3 will not allow multiple names in Host() in the future, use logical operators:

( Host() || Host() ) && ( PathPrefix() || PathPrefix() )
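Putting the suggestions above together, here is a rewritten mywebsite.yml as an added example (it is not from this thread or from the Traefik project). The host names, the "production" resolver, the backend address and the allow-listed IPs are the placeholders from the original post; the `https-redirect` middleware name and the named regexp `{slashes:/*}` are this example's own choices. The point of the regexp is that `Path()` compares the request path byte for byte, so `//wp-login.php` is simply "another path" and falls through to the catch-all router; a named regexp that swallows any run of extra leading slashes keeps those requests on the allow-listed router.

```yaml
# Added example, not the poster's or Traefik's own config.
# Assumed names: middleware "https-redirect", named regexp "{slashes:/*}".
http:
  routers:
    # Plain HTTP: only redirect to HTTPS, so the admin paths do not need a
    # second set of rules on the "web" entry point.
    mywebsite-http:
      rule: "Host(`mywebsite.com`) || Host(`www.mywebsite.com`)"
      entryPoints:
        - "web"
      middlewares:
        - https-redirect
      service: mywebsite

    # Catch-all router for the site. No explicit tls.domains: with plain
    # Host() values the certificate request is derived from the rule.
    mywebsite-https:
      rule: "Host(`mywebsite.com`) || Host(`www.mywebsite.com`)"
      entryPoints:
        - "websecure"
      tls:
        certResolver: "production"
      service: mywebsite

    # Admin endpoints. "/" followed by the named regexp {slashes:/*} matches
    # one or more leading slashes, so /wp-login.php, //wp-login.php and
    # /////wp-login.php all land here and therefore on the IP allow-list.
    # The longer rule string also gives this router a higher default
    # priority than the catch-all router above.
    mywebsite-https-whitelist:
      rule: >-
        (Host(`mywebsite.com`) || Host(`www.mywebsite.com`)) &&
        (PathPrefix(`/{slashes:/*}wp-admin`) ||
        PathPrefix(`/{slashes:/*}wp-login.php`) ||
        PathPrefix(`/{slashes:/*}xmlrpc.php`))
      entryPoints:
        - "websecure"
      middlewares:
        - test-ipwhitelist
      tls:
        certResolver: "production"
      service: mywebsite

  services:
    mywebsite:
      loadBalancer:
        servers:
          - url: "http://192.168.0.100"

  middlewares:
    https-redirect:
      redirectScheme:
        scheme: https
        permanent: true
    test-ipwhitelist:
      ipWhiteList:
        sourceRange:
          - "192.168.0.50/32"
          - "192.168.0.51/32"
```

Check it from an address that is not in the allow-list: `curl -sk -o /dev/null -w '%{http_code}\n' https://mywebsite.com/////wp-login.php` should print 403 exactly like the plain `/wp-login.php` request does; a 200 means the request still reached the catch-all router. Repeat the check for any other variant you see in the access log, since only the variants the rule names are covered. Two caveats: `PathPrefix` on `/wp-admin` also covers `/wp-admin/admin-ajax.php`, which some themes and plugins call for anonymous visitors, so front-end features may break until you add a separate, non-allow-listed router for that one path; and the fact that the backend served `//xmlrpc.php` at all is the second half of the problem, since any rule that matches a different normalisation of the path than the backend applies will have the same kind of gap.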