Secure IP middleware is blocking unmatched routes

jdyck · January 27, 2022, 5:44pm

I have a Wordpress site where I want to use middleware to restrict wp-admin, wp-login and xmlrpc to only certain secure IP ranges. I got that working using a combination of the following:

A middlewares.toml file for dynamic Traefik config:

[http.middlewares]
	[http.middlewares.bur-whitelist.ipWhiteList]
		sourceRange =  ["10.10.4.0/24", "10.10.8.0/22", "10.250.10.1/24"]

	[http.middlewares.csf-whitelist.ipWhiteList]
		sourceRange = ["10.0.0.1/8"]
		
	[http.middlewares.wp-ratelimit.rateLimit]
		average = 10
		burst = 50
		
	[http.middlewares.bur-secured.chain]
		middlewares = ["bur-whitelist", "wp-ratelimit"]

	[http.middlewares.csf-secured.chain]
		middlewares = ["csf-whitelist", "wp-ratelimit"]

docker-compose.yaml (particularly note the ${SERVICE}_admin rule and middleware lines:

      - "traefik.enable=true"
      - "traefik.http.routers.${SERVICE}.rule=Host(`${DOMAIN}`)"
      - "traefik.http.routers.${SERVICE}.service=nginx-${SERVICE}"
      - "traefik.http.routers.${SERVICE}.entrypoints=websecure"
      - "traefik.http.routers.${SERVICE}.middlewares=wp-ratelimit@file"
      - "traefik.http.routers.${SERVICE}.tls=true"
      - "traefik.http.routers.${SERVICE}_admin.entrypoints=websecure"
      - "traefik.http.routers.${SERVICE}_admin.rule=(Host(`${DOMAIN}`) && Path(`/{(wp-login|wp-admin|xmlrpc)}`, `/{(.*)}/{(wp-login|wp-admin|xmlrpc)}`))"
      - "traefik.http.routers.${SERVICE}_admin.middlewares=bur-secured@file"
      - "traefik.http.routers.${SERVICE}_admin.tls=true"
      - "traefik.${SERVICE}.network=traefik"

This setup does correctly block the wp-admin, wp-login and xmlrpc routes.

Note:Because this is a multisite, I quickly discovered that hackers could enter https://domain/random_entry/wp-admin and it would reroute back to the main wp-admin. This is why I have a second entry in the admin rule with the /{(.*)}/{(wp-login|wp-admin|xmlrpc)}) to prevent that. Perhaps there is a better way for that to be done?

More importantly, this admin route Path rule is matching more than just wp-admin, wp-login and xmlrpc, and in so doing is breaking other parts of the site. We have some static files mounted at /csf_directives_administratives_final, and for some reason Traefik is matching that path as being part of the admin route, so is applying the IP filter and blocking it. I can't figure out for the life of me why that route rule would match this extra path so I'm hoping someone can point me in the right direction.

jdyck · January 27, 2022, 6:59pm

It gets stranger - based on another blog I tried tweaking the admin route rule to:

- "traefik.http.routers.${SERVICE}_admin.rule=(Host(${DOMAIN}) && PathPrefix(/wp-admin,/admin,/wp-login.php) || Method(POST))"

At first this seemed to work well as it actually allowed the /csf_directives_administratives_final to work, but then I got a report of something even stranger...

People logging onto the wp-admin of other Traefik/Docker sites were now getting caught by this 'rule' and redirected to the wp-admin for this site.

Since the rule specifies the host && path, why the heck would it catch anything going to a completely different host/domain?

Topic		Replies	Views
Middleware Path not blocking multiple forward slashes in url Traefik v2 file	7	118	April 17, 2024
Whitelist Configuration Traefik v2 middleware	4	1286	March 28, 2022
ipWhiteList middleware w/ cloudflare not functioning properly Traefik v2 docker , file , middleware	0	393	November 29, 2023
Traefik v2.1.4: X-Forwarded-For header doet not pass visitor IP when using IPv6 Traefik v2 docker , middleware	8	11860	January 5, 2022
Wordpress Protect Admin with Second Domain Traefik v2 docker , middleware	1	293	August 25, 2023

Secure IP middleware is blocking unmatched routes

Related Topics