Hello dear participants!
I need to restrict access to applications: some should only be accessible from the local network, while others should be accessible both locally and from the internet.
Access to applications should be done via domain names.
In other words, I need to selectively allow access to applications from the internet.
I’m not sure how this should be implemented properly. There are many options available online, including whitelists, adding new entrypoints, and port forwarding on the router.
I’d prefer a simple and concise solution with minimal configuration.
I’d appreciate any ideas.
Here are my traefik.yml settings if that matters:
global:
checkNewVersion: false
sendAnonymousUsage: false
entryPoints:
web:
address: ":80"
http:
redirections:
entrypoint:
to: websecure
scheme: https
websecure:
address: ":443"
http:
tls:
certResolver: letencrypt
domains:
- main: example.com
sans:
- "*.example.com"
- "*.sub.example.com"
log:
level: DEBUG #DEBUG, PANIC, FATAL, ERROR, WARN, INFO
api:
insecure: true
dashboard: true
providers:
docker:
exposedByDefault: false
file:
filename: "/etc/traefik/dynamic_conf.yml"
watch: true
certificatesResolvers:
letencrypt:
acme:
email: mail@gmail.com
storage: /certs/acme.json
# caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
dnsChallenge:
provider: cloudflare
resolvers:
- 1.1.1.1:53
- 1.0.0.1:53
Best regards,
Alexander
You can use multiple router rules, so you can combine them to only allow internal access, like
.rule=Host(`sub.domain.com`) && ClientIP(`10.0.0.0/24`)
Make sure to test and to limit trusted IPs if you use something like ProxyProtocol.
Another option. Using different ports seems an ugly solution, alternatively you could use different IPs when publishing ports with Docker, then use different Traefik entrypoints and routers.
You misunderstood me.
I want some applications to have local access only, while others have access from the internet.
Here’s a piece of code I wrote.
According to my idea, applications running through web_local will only be accessible from 192.168.0.0/24 and redirected from http to https using letsencrypt certificates.
entryPoints:
web_local:
address: ":80"
reusePort: true
http:
redirections:
entrypoint:
to: websecure
scheme: https
middlewares:
my-ipallowlist:
ipAllowList:
sourceRange:
- "192.168.0.0/24"
web:
address: ":80"
http:
redirections:
entrypoint:
to: websecure
scheme: https
websecure:
address: ":443"
http:
tls:
certResolver: letencrypt
domains:
- main: example.com
sans:
- "*.example.com"
- "*.sub.example.com"
What do you think? How’s the idea?
An entrypoint is a port used by Traefik, you can only use it once.
Using standard entrypoints and a rule with ClientIP() instead of middleware should do what you want:
.rule=Host(`sub.domain.com`) && ClientIP(`192.168.0.0/24 `)
.rule=Host(`sub.domain.com`)
The first router rule will be checked first, it has higher priority, because it is longer. Only internal requests will be matched and processed. For other IPs, it will be skipped and the next router rule will be matched.
Check out Jims Garage video on traefik @youtube. Essentially, port forward public facing 443 to other random entry port in traefik and use for public services. Use the default 443 entry point for local services. For local services, you will need to add a dns entry in your router to forward to your traefik instance or enter your local traefik ip in the public dns provider.
I use Cloudflare Tunnel and am behind CGNAT, so I’m looking for a simple and convenient solution that could be useful if using a static IP.
What @bluepuma77 suggested seems to work. There are probably other ways besides the entry point.