Why is my GeoBlock middleware not working for a Docker container?

Hello *
I have a docker instance with my owncloud and I want to protect it with the GeoBlock plugin. I have the following in my docker-compose.yaml file for the owncloud:

labels:
  ...
  - "traefik.http.routers.owncloud.middlewares=geoblock"
  - "traefik.http.middlewares.geoblock.plugin.GeoBlock.api=https://get.geojs.io/v1/ip/country/{ip}"
  - "traefik.http.middlewares.geoblock.plugin.GeoBlock.countries=US"

For my monitor instance of traefik, which is defined in the traefik.toml (traefik_dynamic.toml), this works fine. In my HTTP Middlewares entry I see my GeoBlock middleware and it also works when I try to connect via proxy from a different country. But for docker it doesn't. Am I missing something?

Hello @Jester,

Do you have any error messages in the logs? Can you also provide more configuration that could help find your issue?

Thanks :slight_smile:

Hello @tommoulard,
Yes, sure. Thank you for the quick reply. I followed this tutorial, so my owncloud docker-compose.yml looks like the one in this tutorial. I have the following labels to register the instance with my traefik docker instance:

services:
  owncloud:
    image: owncloud/server:${OWNCLOUD_VERSION}
    restart: always
    depends_on:
      - db
      - redis
    environment:
      - ...
    networks:
      - web
      - internal
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.owncloud.rule=Host(`${OWNCLOUD_DOMAIN}`)"
      - "traefik.http.routers.owncloud.tls=true"
      - "traefik.http.routers.owncloud.tls.certresolver=lets-encrypt"
      # I experimented with different flags but no success
      #- "traefik.http.routers.owncloud.middlewares=geoblock"
      #- "traefik.http.routers.owncloud.middlewares=geoBlock@file"
      #- "traefik.http.middlewares.geoblock.plugin.GeoBlock.api=https://get.geojs.io/v1/ip/country/{ip}"
      #- "traefik.http.middlewares.geoblock.plugin.GeoBlock.countries=US"
      - "traefik.port=8080"
      - "traefik.docker.network=web"
  db:
     ...
  redis:
     ...

And my traefik.toml file looks like the following:

[entryPoints]
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http.redirections.entryPoint]
      to = "websecure"
      scheme = "https"

  [entryPoints.websecure]
    address = ":443"

[api]
  dashboard = true

[certificatesResolvers.lets-encrypt.acme]
  email = "xxxx"
  storage = "acme.json"
  [certificatesResolvers.lets-encrypt.acme.tlsChallenge]

[providers.docker]
  endpoint = "unix:///var/run/docker.sock"
  watch = true
  exposedByDefault=false
  network = "web"

[providers.file]
  filename = "traefik_dynamic.toml"

[log]
  filePath = "/var/log/traefik/instance.log"
  level = "INFO"

[pilot]
  token = "xxxxx"

[accessLog]
  filePath = "/var/log/traefik/access.log"

# Activate fail2ban plugin
#[experimental.plugins.fail2ban]
#  moduleName = "github.com/tomMoulard/fail2ban"
#  version = "v0.6.6"

# Activate GeoBlock
[experimental.plugins.GeoBlock]
  moduleName = "github.com/PascalMinder/GeoBlock"
  version = "v0.1.7"

And finally my traefik_dynamic.toml looks like this:

[http.routers.api]
  rule = "Host(`XXXX`)"
  entrypoints = ["websecure"]
  middlewares = ["geoBlock", "simpleAuth"]
  service = "api@internal"
  [http.routers.api.tls]
    certResolver = "lets-encrypt"
[http.middlewares.simpleAuth.basicAuth]
  users = [ "xxxxx" ]

[http.middlewares.geoBlock]
  [http.middlewares.geoBlock.plugin]
    [http.middlewares.geoBlock.plugin.GeoBlock]
      allowlocalrequests = "false"
      allowunknowncountries = "false"
      api = "https://get.geojs.io/v1/ip/country/{ip}"
      cachesize = "15"
      countries = ["US"]
      forcemonthlyupdate = "true"
      logallowedrequests = "true"
      logapirequests = "true"
      loglocalrequests = "true"
      unknowncountryapiresponse = "nil"

With this config, the geo blocking works for my monitor instance of Traefik and I also see my Owncloud instance in the monitor. So the communication between traefik and my owncloud container seems to work fine. I have had this setup running for a while. I just thought it makes sense to block requests from other countries since I only have 2 users for my instance and we are both located in the same place.

But I don't understand what I have to do to enable it for my Owncloud Docker instance. As shown above, I tried to define it in the labels section of the docker-compose.yml but had no success...

Edit: I think this is what I get from my traefik log file when I start my owncloud docker container:

time="2022-02-23T15:23:10Z" level=error msg="2022/02/23 15:23:10 API uri:  https://get.geojs.io/v1/ip/country/{ip}" plugin=plugin-GeoBlock module=github.com/PascalMinder/GeoBlock
time="2022-02-23T15:23:10Z" level=error msg="2022/02/23 15:23:10 allow local IPs:  false" plugin=plugin-GeoBlock module=github.com/PascalMinder/GeoBlock
time="2022-02-23T15:23:10Z" level=error msg="2022/02/23 15:23:10 log local requests:  true" plugin=plugin-GeoBlock module=github.com/PascalMinder/GeoBlock
time="2022-02-23T15:23:10Z" level=error msg="2022/02/23 15:23:10 log allowed requests:  true" plugin=plugin-GeoBlock module=github.com/PascalMinder/GeoBlock
time="2022-02-23T15:23:10Z" level=error msg="2022/02/23 15:23:10 log api requests:  true" module=github.com/PascalMinder/GeoBlock plugin=plugin-GeoBlock
time="2022-02-23T15:23:10Z" level=error msg="2022/02/23 15:23:10 allow unknown countries:  false" module=github.com/PascalMinder/GeoBlock plugin=plugin-GeoBlock
time="2022-02-23T15:23:10Z" level=error msg="2022/02/23 15:23:10 unknown country api response:  nil" plugin=plugin-GeoBlock module=github.com/PascalMinder/GeoBlock
time="2022-02-23T15:23:10Z" level=error msg="2022/02/23 15:23:10 allowed countries:  [US]" module=github.com/PascalMinder/GeoBlock plugin=plugin-GeoBlock
time="2022-02-23T15:23:40Z" level=error msg="2022/02/23 15:23:40 API uri:  https://get.geojs.io/v1/ip/country/{ip}" module=github.com/PascalMinder/GeoBlock plugin=plugin-GeoBlock
time="2022-02-23T15:23:40Z" level=error msg="2022/02/23 15:23:40 allow local IPs:  false" plugin=plugin-GeoBlock module=github.com/PascalMinder/GeoBlock
time="2022-02-23T15:23:40Z" level=error msg="2022/02/23 15:23:40 log local requests:  true" module=github.com/PascalMinder/GeoBlock plugin=plugin-GeoBlock
time="2022-02-23T15:23:40Z" level=error msg="2022/02/23 15:23:40 log allowed requests:  true" plugin=plugin-GeoBlock module=github.com/PascalMinder/GeoBlock
time="2022-02-23T15:23:40Z" level=error msg="2022/02/23 15:23:40 log api requests:  true" plugin=plugin-GeoBlock module=github.com/PascalMinder/GeoBlock
time="2022-02-23T15:23:40Z" level=error msg="2022/02/23 15:23:40 allow unknown countries:  false" module=github.com/PascalMinder/GeoBlock plugin=plugin-GeoBlock
time="2022-02-23T15:23:40Z" level=error msg="2022/02/23 15:23:40 unknown country api response:  nil" plugin=plugin-GeoBlock module=github.com/PascalMinder/GeoBlock
time="2022-02-23T15:23:40Z" level=error msg="2022/02/23 15:23:40 allowed countries:  [US]" plugin=plugin-GeoBlock module=github.com/PascalMinder/GeoBlock

Tell me if you need more info.

Ok I found the solution. So, the flag

- "traefik.http.routers.owncloud.middlewares=geoBlock@file"

does the trick to reference a middleware defined in the traefik_dynamic.toml

I'm not sure why it didn't work before. But maybe it was due to the fact that I just did a simple docker-compose restart, which might not be enough. After performing a full docker-compose down and docker-compose up -d on both containers, it now seems to work. Jippie! Thanks anyway.

2 Likes
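
A way to confirm that every router really carries the geo-blocking middleware after a change like the one in this thread, as an added example that is not part of the original posts. It assumes router and middleware lists in the JSON shape of Traefik's `/api/http/routers` and `/api/http/middlewares` endpoints; the sample data, the router names `owncloud-fixed` and `whoami`, and the function names are constructed for illustration.

```python
import json

# Constructed sample data (not real output from the poster's instance).
# "geoblock" without a suffix mirrors a bare name as written in a Docker label.
ROUTERS = json.loads("""[
  {"name": "api@file", "provider": "file",
   "middlewares": ["geoBlock@file", "simpleAuth@file"]},
  {"name": "owncloud@docker", "provider": "docker",
   "middlewares": ["geoblock"]},
  {"name": "owncloud-fixed@docker", "provider": "docker",
   "middlewares": ["geoBlock@file"]},
  {"name": "whoami@docker", "provider": "docker"}
]""")
MIDDLEWARES = json.loads("""[
  {"name": "geoBlock@file", "provider": "file", "type": "plugin"},
  {"name": "simpleAuth@file", "provider": "file", "type": "basicauth"}
]""")


def qualify(name, provider):
    """A name without @provider resolves inside the provider that declared the router."""
    return name if "@" in name else f"{name}@{provider}"


def audit(routers, middlewares, required="geoBlock@file"):
    """Return {router: problem} for routers that are not actually geo-blocked."""
    defined = {m["name"] for m in middlewares}
    findings = {}
    for router in routers:
        chain = [qualify(m, router["provider"])
                 for m in router.get("middlewares", [])]
        missing = [m for m in chain if m not in defined]
        if missing:
            # The router points at a middleware no provider has registered.
            findings[router["name"]] = "unresolved: " + ", ".join(missing)
        elif required not in chain:
            # The router is healthy but exposed without the geo filter.
            findings[router["name"]] = "not protected by " + required
    return findings


if __name__ == "__main__":
    for name, problem in audit(ROUTERS, MIDDLEWARES).items():
        print(f"{name}: {problem}")
```

Feeding it the live API responses instead of the constants gives a quick post-deployment check that no router was left outside the filter.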
