Firstly, thank you for taking the time here. Now let me be more specific about the actual scenario:
Here:
- WHITELIST ipset contains the Cloudflare's IPs.
- BLACKLIST ipset contains other IP sets such as different countries or spam groups (this is periodically updated in the background).
Then:
I have configured this, where I am trusting Cloudflare's IPs:
forwardedHeaders:
  trustedIPs:
    - 173.245.48.0/20
    - 103.21.244.0/22
    - 103.22.200.0/22
    - 103.31.4.0/22
    - 141.101.64.0/18
    - 108.162.192.0/18
    - 190.93.240.0/20
    - 188.114.96.0/20
    - 197.234.240.0/22
    - 198.41.128.0/17
    - 162.158.0.0/15
    - 104.16.0.0/13
    - 104.24.0.0/14
    - 172.64.0.0/13
    - 131.0.72.0/22
Thus:
The server still sees the Cloudflare Y.Y.Y.Y IP address and passes it to Traefik. Now you say that it is possible to filter those requests based on the X-Forwarded-For: X.X.X.X
- well, sure, for a couple of IPs, but not for a whole region. Here it would be ideal and much desired if Traefik could make use of the system's IP sets, or be able to implement them itself (or import them from the system at start?).
Some time ago I created a feature request for this very scenario and no one cared to even reply. With this capability we would have the power to effectively filter this per service.
Thanks.
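Added example, not from the original post and not Traefik's own code: a Go sketch of the per-service check the post describes, which believes X-Forwarded-For only when the TCP peer is one of the Cloudflare ranges listed above and then tests the resolved client against a blocklist. The blocklist ranges are constructed RFC 5737 addresses standing in for the BLACKLIST ipset.

```go
package main

import (
	"net/netip"
	"strings"
)

// Cloudflare ranges exactly as listed under trustedIPs in the post above.
var cloudflare = []string{
	"173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "141.101.64.0/18",
	"108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20", "197.234.240.0/22", "198.41.128.0/17",
	"162.158.0.0/15", "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
}
// Constructed stand-in for the BLACKLIST ipset (RFC 5737 documentation ranges).
var blocklist = []string{"203.0.113.0/24", "198.51.100.0/24"}

func inSet(set []string, ip netip.Addr) bool {
	for _, c := range set {
		if netip.MustParsePrefix(c).Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP returns the address an ACL should apply to. X-Forwarded-For is believed only when
// the TCP peer is a trusted proxy, and is read from the right, skipping trusted hops.
func ClientIP(peer, xff string) (netip.Addr, error) {
	peerIP, err := netip.ParseAddr(peer)
	if err != nil || !inSet(cloudflare, peerIP) || strings.TrimSpace(xff) == "" {
		return peerIP, err // direct connection or no header: any X-Forwarded-For is ignored
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			return netip.Addr{}, err // malformed header: fail closed
		}
		if !inSet(cloudflare, ip) {
			return ip, nil // rightmost hop that is not Cloudflare is the real client
		}
	}
	return peerIP, nil // every hop was a Cloudflare address
}

// Allowed is the per-service check the post asks for: resolve the client, apply the blocklist.
func Allowed(peer, xff string) (bool, error) {
	ip, err := ClientIP(peer, xff)
	return err == nil && !inSet(blocklist, ip), err
}
```

A client connecting directly (not through a Cloudflare address) has its X-Forwarded-For ignored, so it cannot escape the blocklist by forging the header.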