Hi there, is it possible to use traefik's `whitelistSourceRange` along with `proxyProtocol`? My use case is for a traefik sitting behind an AWS ELB to allow the connections from specific IP-sets. This is so because AWS ELBs add SGs with 0.0.0.0/0 for all the ports by default. I am currently using Kubernetes 1.13 (so cannot use the latest `loadBalancerSourceRanges` setting in service).

I have currently tried enabling `proxyProtocol` as well as setting `proxyProtocol.trustedIps` and `forwardedHeaders.trustedIPs` to the internal CIDR (`10.0.0.0/8`). However, none of this is working. I am currently using the latest stable/traefik chart (version: 1.78.5).
traefik version:

```
/traefik version
Version: v1.7.14
Codename: maroilles
Go version: go1.12.8
Built: 2019-08-14_09:46:58AM
OS/Arch: linux/amd64
```
As per the debug logs the X-FF headers are definitely coming through, but traefik still checks the RealIp of the ELB and not the X-FF IP. I am not sure if traefik can actually help me block the real-ips.
Debug Logs:

```
{"level":"debug","msg":"request \u0026{Method:GET URL:/ Proto:HTTP/1.1 ProtoMajor:1 ProtoMinor:1 Header:map[Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3] Accept-Encoding:[gzip, deflate, br] Accept-Language:[en-GB,en-US;q=0.9,en;q=0.8] Connection:[keep-alive] Dnt:[1] Sec-Fetch-Mode:[navigate] Sec-Fetch-Site:[none] Sec-Fetch-User:[?1] Upgrade-Insecure-Requests:[1] User-Agent:[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36] X-Forwarded-For:[49.255.65.166] X-Forwarded-Port:[443] X-Forwarded-Proto:[https]] Body:0xc000840100 GetBody:\u003cnil\u003e ContentLength:0 TransferEncoding:[] Close:false Host:a.b.com Form:map[] PostForm:map[] MultipartForm:\u003cnil\u003e Trailer:map[] RemoteAddr:10.14.109.202:21590 RequestURI:/ TLS:\u003cnil\u003e Cancel:\u003cnil\u003e Response:\u003cnil\u003e ctx:0xc0006da3c0} - rejecting: \"10.14.109.202:21590\" matched none of the white list","time":"2019-10-30T01:26:13Z"}
49.255.65.166 - - [30/Oct/2019:01:26:13 +0000] "GET / HTTP/1.1" 403 9 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36" 5 "ipwhitelister for entrypoint httpn" "/" 0ms
{"level":"debug","msg":"request \u0026{Method:GET URL:/favicon.ico Proto:HTTP/1.1 ProtoMajor:1 ProtoMinor:1 Header:map[Accept:[image/webp,image/apng,image/*,*/*;q=0.8] Accept-Encoding:[gzip, deflate, br] Accept-Language:[en-GB,en-US;q=0.9,en;q=0.8] Connection:[keep-alive] Dnt:[1] Referer:[https://a.b.com/] Sec-Fetch-Mode:[no-cors] Sec-Fetch-Site:[same-origin] User-Agent:[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36] X-Forwarded-For:[49.255.65.166] X-Forwarded-Port:[443] X-Forwarded-Proto:[https]] Body:0xc000840b20 GetBody:\u003cnil\u003e ContentLength:0 TransferEncoding:[] Close:false Host:a.b.com Form:map[] PostForm:map[] MultipartForm:\u003cnil\u003e Trailer:map[] RemoteAddr:10.14.109.202:21590 RequestURI:/favicon.ico TLS:\u003cnil\u003e Cancel:\u003cnil\u003e Response:\u003cnil\u003e ctx:0xc0006daab0} - rejecting: \"10.14.109.202:21590\" matched none of the white list","time":"2019-10-30T01:26:13Z"}
49.255.65.166 - - [30/Oct/2019:01:26:13 +0000] "GET /favicon.ico HTTP/1.1" 403 9 "https://a.b.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36" 6 "ipwhitelister for entrypoint httpn" "/favicon.ico" 0ms
```
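The debug line above shows exactly what the post describes: the allow-list is evaluated against `RemoteAddr` (the ELB's internal 10.14.109.202), while the client's address only arrives in `X-Forwarded-For`. The example below is an added illustration, not Traefik's code, of the three ways an IP allow-list can pick "the client IP" and why only one of them is both useful behind a load balancer and safe: checking the peer address alone reproduces the 403 in the log; trusting the leftmost `X-Forwarded-For` value makes the list bypassable by anyone who can set that header; walking the hop chain from the right and skipping only addresses inside the trusted proxy CIDR (the post's `10.0.0.0/8`) yields the address the ELB actually saw. The allow-list CIDR `49.255.65.0/24`, the abridged debug line and the extra peer addresses are constructed for the demo; the regexes assume the IPv4 `RemoteAddr:host:port` form seen in Traefik v1 debug output.

```python
"""Which IP should an IP allow-list check when a proxy sits behind a
load balancer that sets X-Forwarded-For?  Added illustration; not
Traefik's implementation."""
import ipaddress
import re
from typing import Callable, List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# The post's internal CIDR: hops inside it are trusted to append X-Forwarded-For honestly.
TRUSTED_PROXIES: List[IPNet] = [ipaddress.ip_network("10.0.0.0/8")]
# Constructed allow-list that contains the client IP seen in the post's log.
ALLOW_LIST: List[IPNet] = [ipaddress.ip_network("49.255.65.0/24")]

# Field extraction for the Traefik v1 debug request dump (IPv4 host:port form assumed).
_XFF_RE = re.compile(r"X-Forwarded-For:\[([^\]]*)\]")
_REMOTE_RE = re.compile(r"RemoteAddr:(\S+?):(\d+)\s")


def parse_debug_line(line: str):
    """Return (remote_addr, x_forwarded_for) from a Traefik v1 debug line."""
    m_remote = _REMOTE_RE.search(line)
    m_xff = _XFF_RE.search(line)
    return (m_remote.group(1) if m_remote else None,
            m_xff.group(1) if m_xff else None)


def _in(addr: IPAddr, nets: List[IPNet]) -> bool:
    return any(addr in net for net in nets)


def remote_addr_only(remote_addr: str, xff: Optional[str], trusted: List[IPNet]) -> IPAddr:
    """What the log shows: the peer address, i.e. the load balancer, is checked."""
    return ipaddress.ip_address(remote_addr)


def leftmost_xff(remote_addr: str, xff: Optional[str], trusted: List[IPNet]) -> IPAddr:
    """Naive: believe the first X-Forwarded-For entry, whoever wrote it."""
    first = (xff or "").split(",")[0].strip()
    return ipaddress.ip_address(first or remote_addr)


def effective_client_ip(remote_addr: str, xff: Optional[str], trusted: List[IPNet]) -> IPAddr:
    """Walk the hop chain from the right (the most trustworthy end, since each
    proxy appends the peer it saw) and return the first hop that is not a
    trusted proxy.  Header values written by the client sit to the left of
    the entry the trusted load balancer appended, so they are never reached."""
    hops = [ipaddress.ip_address(h.strip()) for h in (xff or "").split(",") if h.strip()]
    hops.append(ipaddress.ip_address(remote_addr))  # the TCP peer is the rightmost hop
    for hop in reversed(hops):
        if not _in(hop, trusted):
            return hop
    return hops[-1]  # every hop was a trusted proxy: fall back to the peer address


Strategy = Callable[[str, Optional[str], List[IPNet]], IPAddr]


def decide(strategy: Strategy, remote_addr: str, xff: Optional[str],
           allow_list: List[IPNet] = ALLOW_LIST,
           trusted: List[IPNet] = TRUSTED_PROXIES) -> bool:
    """True if the request passes the allow-list under the given strategy."""
    return _in(strategy(remote_addr, xff, trusted), allow_list)


# Abridged, constructed copy of the post's first debug line (only the fields we read).
DEBUG_LINE = (
    '{"level":"debug","msg":"request \\u0026{Method:GET URL:/ Proto:HTTP/1.1 '
    'Header:map[X-Forwarded-For:[49.255.65.166] X-Forwarded-Port:[443] '
    'X-Forwarded-Proto:[https]] Host:a.b.com RemoteAddr:10.14.109.202:21590 '
    'RequestURI:/} - rejecting: \\"10.14.109.202:21590\\" matched none of the white list"}'
)

if __name__ == "__main__":
    remote, xff = parse_debug_line(DEBUG_LINE)
    print("peer-only  :", decide(remote_addr_only, remote, xff))     # False, the 403 in the log
    print("hop-walk   :", decide(effective_client_ip, remote, xff))  # True, client 49.255.65.166
    # A direct connection from an untrusted peer carrying a forged header:
    print("leftmost   :", decide(leftmost_xff, "203.0.113.5", "49.255.65.166"))        # True (bypass)
    print("hop-walk   :", decide(effective_client_ip, "203.0.113.5", "49.255.65.166")) # False
    # Forged header that did pass through the trusted ELB, which appended the real peer:
    print("hop-walk   :", decide(effective_client_ip, remote, "49.255.65.166, 198.51.100.7"))  # False
```

The hop-walk strategy is only as good as the trusted-proxy list: if `10.0.0.0/8` also contains pods or hosts that can reach the entrypoint directly, they can forge the header too, so keep that CIDR as tight as the real load-balancer addresses allow. Traefik 1.7 documents a `useXForwardedFor` flag on the entrypoint `whiteList` for consuming the header; whether it is exposed by the 1.78.5 chart is something to check against that chart's values file.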