traefik/docs/content/middlewares/http/ipallowlist.md

196 lines
6.3 KiB
Markdown
Raw Normal View History

---
2022-10-26 18:16:05 +03:00
title: "Traefik HTTP Middlewares IPAllowList"
description: "Learn how to use IPAllowList in HTTP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
---
2022-10-26 18:16:05 +03:00
# IPAllowList
Limiting Clients to Specific IPs
{: .subtitle }
2022-10-26 18:16:05 +03:00
IPAllowList accepts / refuses requests based on the client IP.
## Configuration Examples
2023-05-10 15:28:05 +02:00
```yaml tab="Docker & Swarm"
2019-03-29 12:34:05 +01:00
# Accepts request from defined IP
labels:
2022-10-26 18:16:05 +03:00
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
2019-04-03 14:32:04 +02:00
```
```yaml tab="Kubernetes"
2023-03-20 15:38:08 +01:00
apiVersion: traefik.io/v1alpha1
2019-04-03 14:32:04 +02:00
kind: Middleware
metadata:
2022-10-26 18:16:05 +03:00
name: test-ipallowlist
2019-04-03 14:32:04 +02:00
spec:
2022-10-26 18:16:05 +03:00
ipAllowList:
2019-04-03 14:32:04 +02:00
sourceRange:
2019-09-23 17:00:06 +02:00
- 127.0.0.1/32
- 192.168.1.7
2019-03-29 12:34:05 +01:00
```
2019-10-15 18:34:08 +03:00
```yaml tab="Consul Catalog"
# Accepts request from defined IP
2022-10-26 18:16:05 +03:00
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
2019-10-15 18:34:08 +03:00
```
2019-07-22 09:58:04 +02:00
```yaml tab="File (YAML)"
# Accepts request from defined IP
http:
middlewares:
2022-10-26 18:16:05 +03:00
test-ipallowlist:
ipAllowList:
2019-07-22 09:58:04 +02:00
sourceRange:
2019-09-23 17:00:06 +02:00
- "127.0.0.1/32"
- "192.168.1.7"
2019-07-22 09:58:04 +02:00
```
```toml tab="File (TOML)"
# Accepts request from defined IP
[http.middlewares]
2022-10-26 18:16:05 +03:00
[http.middlewares.test-ipallowlist.ipAllowList]
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
```
## Configuration Options
2019-04-03 14:32:04 +02:00
### `sourceRange`
2019-12-19 21:38:03 +01:00
The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs by using CIDR notation).
2019-04-03 14:32:04 +02:00
### `ipStrategy`
The `ipStrategy` option defines two parameters that set how Traefik determines the client IP: `depth`, and `excludedIPs`.
If no strategy is set, the default behavior is to match `sourceRange` against the Remote address found in the request.
!!! important "As a middleware, whitelisting happens before the actual proxying to the backend takes place. In addition, the previous network hop only gets appended to `X-Forwarded-For` during the last stages of proxying, i.e. after it has already passed through whitelisting. Therefore, during whitelisting, as the previous network hop is not yet present in `X-Forwarded-For`, it cannot be matched against `sourceRange`."
2019-04-03 14:32:04 +02:00
#### `ipStrategy.depth`
The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right).
2021-02-11 14:34:04 +01:00
- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
- `depth` is ignored if its value is less than or equal to 0.
2019-09-23 14:32:04 +02:00
!!! example "Examples of Depth & X-Forwarded-For"
2022-10-26 18:16:05 +03:00
If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used is `"12.0.0.1"` (`depth=2`).
2021-02-11 14:34:04 +01:00
| `X-Forwarded-For` | `depth` | clientIP |
|-----------------------------------------|---------|--------------|
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1` | `"13.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3` | `"11.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5` | `""` |
2023-05-10 15:28:05 +02:00
```yaml tab="Docker & Swarm"
2022-10-26 18:16:05 +03:00
# Allowlisting Based on `X-Forwarded-For` with `depth=2`
2021-02-11 14:34:04 +01:00
labels:
2022-10-26 18:16:05 +03:00
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
2021-02-11 14:34:04 +01:00
```
```yaml tab="Kubernetes"
2022-10-26 18:16:05 +03:00
# Allowlisting Based on `X-Forwarded-For` with `depth=2`
2023-03-20 15:38:08 +01:00
apiVersion: traefik.io/v1alpha1
2021-02-11 14:34:04 +01:00
kind: Middleware
metadata:
2022-10-26 18:16:05 +03:00
name: test-ipallowlist
2021-02-11 14:34:04 +01:00
spec:
2022-10-26 18:16:05 +03:00
ipAllowList:
2021-02-11 14:34:04 +01:00
sourceRange:
- 127.0.0.1/32
- 192.168.1.7
ipStrategy:
depth: 2
```
```yaml tab="Consul Catalog"
2022-10-26 18:16:05 +03:00
# Allowlisting Based on `X-Forwarded-For` with `depth=2`
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
2021-02-11 14:34:04 +01:00
```
```yaml tab="File (YAML)"
2022-10-26 18:16:05 +03:00
# Allowlisting Based on `X-Forwarded-For` with `depth=2`
2021-02-11 14:34:04 +01:00
http:
middlewares:
2022-10-26 18:16:05 +03:00
test-ipallowlist:
ipAllowList:
2019-07-01 11:30:05 +02:00
sourceRange:
2021-02-11 14:34:04 +01:00
- "127.0.0.1/32"
- "192.168.1.7"
2019-07-01 11:30:05 +02:00
ipStrategy:
2019-04-03 14:32:04 +02:00
depth: 2
2021-02-11 14:34:04 +01:00
```
```toml tab="File (TOML)"
2022-10-26 18:16:05 +03:00
# Allowlisting Based on `X-Forwarded-For` with `depth=2`
[http.middlewares]
2022-10-26 18:16:05 +03:00
[http.middlewares.test-ipallowlist.ipAllowList]
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
2022-10-26 18:16:05 +03:00
[http.middlewares.test-ipallowlist.ipAllowList.ipStrategy]
depth = 2
```
2019-04-03 14:32:04 +02:00
#### `ipStrategy.excludedIPs`
2021-02-11 14:34:04 +01:00
`excludedIPs` configures Traefik to scan the `X-Forwarded-For` header and select the first IP not in the list.
!!! important "If `depth` is specified, `excludedIPs` is ignored."
!!! example "Example of ExcludedIPs & X-Forwarded-For"
| `X-Forwarded-For` | `excludedIPs` | clientIP |
|-----------------------------------------|-----------------------|--------------|
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
| `"10.0.0.1,11.0.0.1"` | `"10.0.0.1,11.0.0.1"` | `""` |
2023-05-10 15:28:05 +02:00
```yaml tab="Docker & Swarm"
2019-04-03 14:32:04 +02:00
# Exclude from `X-Forwarded-For`
labels:
2022-10-26 18:16:05 +03:00
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
2019-04-03 14:32:04 +02:00
```
2019-04-03 14:32:04 +02:00
```yaml tab="Kubernetes"
# Exclude from `X-Forwarded-For`
2023-03-20 15:38:08 +01:00
apiVersion: traefik.io/v1alpha1
2019-04-03 14:32:04 +02:00
kind: Middleware
metadata:
2022-10-26 18:16:05 +03:00
name: test-ipallowlist
2019-04-03 14:32:04 +02:00
spec:
2022-10-26 18:16:05 +03:00
ipAllowList:
2019-07-01 11:30:05 +02:00
ipStrategy:
2019-04-03 14:32:04 +02:00
excludedIPs:
2019-09-23 17:00:06 +02:00
- 127.0.0.1/32
- 192.168.1.7
2019-04-03 14:32:04 +02:00
```
2019-10-15 18:34:08 +03:00
```yaml tab="Consul Catalog"
2019-04-08 17:14:08 +02:00
# Exclude from `X-Forwarded-For`
2022-10-26 18:16:05 +03:00
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
2019-04-08 17:14:08 +02:00
```
2019-07-22 09:58:04 +02:00
```yaml tab="File (YAML)"
# Exclude from `X-Forwarded-For`
http:
middlewares:
2022-10-26 18:16:05 +03:00
test-ipallowlist:
ipAllowList:
2019-07-22 09:58:04 +02:00
ipStrategy:
excludedIPs:
2019-09-23 17:00:06 +02:00
- "127.0.0.1/32"
- "192.168.1.7"
2019-07-22 09:58:04 +02:00
```
```toml tab="File (TOML)"
# Exclude from `X-Forwarded-For`
[http.middlewares]
2022-10-26 18:16:05 +03:00
[http.middlewares.test-ipallowlist.ipAllowList]
[http.middlewares.test-ipallowlist.ipAllowList.ipStrategy]
excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
```