Renaming IPWhiteList to IPAllowList
parent
e86f21ae7b
commit
1b9873cae9
69 changed files with 523 additions and 506 deletions
Binary file not shown.
Before Width: | Height: | Size: 58 KiB |
|
@ -15,7 +15,7 @@ It makes reusing the same groups easier.
|
||||||
|
|
||||||
## Configuration Example
|
## Configuration Example
|
||||||
|
|
||||||
Below is an example of a Chain containing `WhiteList`, `BasicAuth`, and `RedirectScheme`.
|
Below is an example of a Chain containing `AllowList`, `BasicAuth`, and `RedirectScheme`.
|
||||||
|
|
||||||
```yaml tab="Docker"
|
```yaml tab="Docker"
|
||||||
labels:
|
labels:
|
||||||
|
@ -25,7 +25,7 @@ labels:
|
||||||
- "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
|
- "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
|
||||||
- "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
|
- "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
|
||||||
- "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
|
- "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
|
||||||
- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
|
- "traefik.http.middlewares.known-ips.ipallowlist.sourceRange=192.168.1.7,127.0.0.1/32"
|
||||||
- "traefik.http.services.service1.loadbalancer.server.port=80"
|
- "traefik.http.services.service1.loadbalancer.server.port=80"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -80,7 +80,7 @@ kind: Middleware
|
||||||
metadata:
|
metadata:
|
||||||
name: known-ips
|
name: known-ips
|
||||||
spec:
|
spec:
|
||||||
ipWhiteList:
|
ipAllowList:
|
||||||
sourceRange:
|
sourceRange:
|
||||||
- 192.168.1.7
|
- 192.168.1.7
|
||||||
- 127.0.0.1/32
|
- 127.0.0.1/32
|
||||||
|
@ -93,7 +93,7 @@ spec:
|
||||||
- "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
|
- "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
|
||||||
- "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
|
- "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
|
||||||
- "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
|
- "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
|
||||||
- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
|
- "traefik.http.middlewares.known-ips.ipallowlist.sourceRange=192.168.1.7,127.0.0.1/32"
|
||||||
- "traefik.http.services.service1.loadbalancer.server.port=80"
|
- "traefik.http.services.service1.loadbalancer.server.port=80"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -105,7 +105,7 @@ spec:
|
||||||
"traefik.http.middlewares.secured.chain.middlewares": "https-only,known-ips,auth-users",
|
"traefik.http.middlewares.secured.chain.middlewares": "https-only,known-ips,auth-users",
|
||||||
"traefik.http.middlewares.auth-users.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
|
"traefik.http.middlewares.auth-users.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
|
||||||
"traefik.http.middlewares.https-only.redirectscheme.scheme": "https",
|
"traefik.http.middlewares.https-only.redirectscheme.scheme": "https",
|
||||||
"traefik.http.middlewares.known-ips.ipwhitelist.sourceRange": "192.168.1.7,127.0.0.1/32",
|
"traefik.http.middlewares.known-ips.ipallowlist.sourceRange": "192.168.1.7,127.0.0.1/32",
|
||||||
"traefik.http.services.service1.loadbalancer.server.port": "80"
|
"traefik.http.services.service1.loadbalancer.server.port": "80"
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
@ -118,7 +118,7 @@ labels:
|
||||||
- "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
|
- "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
|
||||||
- "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
|
- "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
|
||||||
- "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
|
- "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
|
||||||
- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
|
- "traefik.http.middlewares.known-ips.ipallowlist.sourceRange=192.168.1.7,127.0.0.1/32"
|
||||||
- "traefik.http.services.service1.loadbalancer.server.port=80"
|
- "traefik.http.services.service1.loadbalancer.server.port=80"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -150,7 +150,7 @@ http:
|
||||||
scheme: https
|
scheme: https
|
||||||
|
|
||||||
known-ips:
|
known-ips:
|
||||||
ipWhiteList:
|
ipAllowList:
|
||||||
sourceRange:
|
sourceRange:
|
||||||
- "192.168.1.7"
|
- "192.168.1.7"
|
||||||
- "127.0.0.1/32"
|
- "127.0.0.1/32"
|
||||||
|
@ -180,7 +180,7 @@ http:
|
||||||
[http.middlewares.https-only.redirectScheme]
|
[http.middlewares.https-only.redirectScheme]
|
||||||
scheme = "https"
|
scheme = "https"
|
||||||
|
|
||||||
[http.middlewares.known-ips.ipWhiteList]
|
[http.middlewares.known-ips.ipAllowList]
|
||||||
sourceRange = ["192.168.1.7", "127.0.0.1/32"]
|
sourceRange = ["192.168.1.7", "127.0.0.1/32"]
|
||||||
|
|
||||||
[http.services]
|
[http.services]
|
||||||
|
|
|
@ -1,32 +1,30 @@
|
||||||
---
|
---
|
||||||
title: "Traefik HTTP Middlewares IPWhiteList"
|
title: "Traefik HTTP Middlewares IPAllowList"
|
||||||
description: "Learn how to use IPWhiteList in HTTP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
|
description: "Learn how to use IPAllowList in HTTP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
|
||||||
---
|
---
|
||||||
|
|
||||||
# IPWhiteList
|
# IPAllowList
|
||||||
|
|
||||||
Limiting Clients to Specific IPs
|
Limiting Clients to Specific IPs
|
||||||
{: .subtitle }
|
{: .subtitle }
|
||||||
|
|
||||||
![IpWhiteList](../../assets/img/middleware/ipwhitelist.png)
|
IPAllowList accepts / refuses requests based on the client IP.
|
||||||
|
|
||||||
IPWhitelist accepts / refuses requests based on the client IP.
|
|
||||||
|
|
||||||
## Configuration Examples
|
## Configuration Examples
|
||||||
|
|
||||||
```yaml tab="Docker"
|
```yaml tab="Docker"
|
||||||
# Accepts request from defined IP
|
# Accepts request from defined IP
|
||||||
labels:
|
labels:
|
||||||
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
|
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
|
||||||
```
|
```
|
||||||
|
|
||||||
```yaml tab="Kubernetes"
|
```yaml tab="Kubernetes"
|
||||||
apiVersion: traefik.containo.us/v1alpha1
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
kind: Middleware
|
kind: Middleware
|
||||||
metadata:
|
metadata:
|
||||||
name: test-ipwhitelist
|
name: test-ipallowlist
|
||||||
spec:
|
spec:
|
||||||
ipWhiteList:
|
ipAllowList:
|
||||||
sourceRange:
|
sourceRange:
|
||||||
- 127.0.0.1/32
|
- 127.0.0.1/32
|
||||||
- 192.168.1.7
|
- 192.168.1.7
|
||||||
|
@ -34,27 +32,27 @@ spec:
|
||||||
|
|
||||||
```yaml tab="Consul Catalog"
|
```yaml tab="Consul Catalog"
|
||||||
# Accepts request from defined IP
|
# Accepts request from defined IP
|
||||||
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
|
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
|
||||||
```
|
```
|
||||||
|
|
||||||
```json tab="Marathon"
|
```json tab="Marathon"
|
||||||
"labels": {
|
"labels": {
|
||||||
"traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32,192.168.1.7"
|
"traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange": "127.0.0.1/32,192.168.1.7"
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
```yaml tab="Rancher"
|
```yaml tab="Rancher"
|
||||||
# Accepts request from defined IP
|
# Accepts request from defined IP
|
||||||
labels:
|
labels:
|
||||||
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
|
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
|
||||||
```
|
```
|
||||||
|
|
||||||
```yaml tab="File (YAML)"
|
```yaml tab="File (YAML)"
|
||||||
# Accepts request from defined IP
|
# Accepts request from defined IP
|
||||||
http:
|
http:
|
||||||
middlewares:
|
middlewares:
|
||||||
test-ipwhitelist:
|
test-ipallowlist:
|
||||||
ipWhiteList:
|
ipAllowList:
|
||||||
sourceRange:
|
sourceRange:
|
||||||
- "127.0.0.1/32"
|
- "127.0.0.1/32"
|
||||||
- "192.168.1.7"
|
- "192.168.1.7"
|
||||||
|
@ -63,7 +61,7 @@ http:
|
||||||
```toml tab="File (TOML)"
|
```toml tab="File (TOML)"
|
||||||
# Accepts request from defined IP
|
# Accepts request from defined IP
|
||||||
[http.middlewares]
|
[http.middlewares]
|
||||||
[http.middlewares.test-ipwhitelist.ipWhiteList]
|
[http.middlewares.test-ipallowlist.ipAllowList]
|
||||||
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
|
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -86,7 +84,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
|
||||||
|
|
||||||
!!! example "Examples of Depth & X-Forwarded-For"
|
!!! example "Examples of Depth & X-Forwarded-For"
|
||||||
|
|
||||||
If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting is `"12.0.0.1"` (`depth=2`).
|
If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used is `"12.0.0.1"` (`depth=2`).
|
||||||
|
|
||||||
| `X-Forwarded-For` | `depth` | clientIP |
|
| `X-Forwarded-For` | `depth` | clientIP |
|
||||||
|-----------------------------------------|---------|--------------|
|
|-----------------------------------------|---------|--------------|
|
||||||
|
@ -95,20 +93,20 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
|
||||||
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5` | `""` |
|
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5` | `""` |
|
||||||
|
|
||||||
```yaml tab="Docker"
|
```yaml tab="Docker"
|
||||||
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
|
# Allowlisting Based on `X-Forwarded-For` with `depth=2`
|
||||||
labels:
|
labels:
|
||||||
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
|
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
|
||||||
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
|
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
|
||||||
```
|
```
|
||||||
|
|
||||||
```yaml tab="Kubernetes"
|
```yaml tab="Kubernetes"
|
||||||
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
|
# Allowlisting Based on `X-Forwarded-For` with `depth=2`
|
||||||
apiVersion: traefik.containo.us/v1alpha1
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
kind: Middleware
|
kind: Middleware
|
||||||
metadata:
|
metadata:
|
||||||
name: test-ipwhitelist
|
name: test-ipallowlist
|
||||||
spec:
|
spec:
|
||||||
ipWhiteList:
|
ipAllowList:
|
||||||
sourceRange:
|
sourceRange:
|
||||||
- 127.0.0.1/32
|
- 127.0.0.1/32
|
||||||
- 192.168.1.7
|
- 192.168.1.7
|
||||||
|
@ -117,31 +115,31 @@ spec:
|
||||||
```
|
```
|
||||||
|
|
||||||
```yaml tab="Consul Catalog"
|
```yaml tab="Consul Catalog"
|
||||||
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
|
# Allowlisting Based on `X-Forwarded-For` with `depth=2`
|
||||||
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
|
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
|
||||||
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
|
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
|
||||||
```
|
```
|
||||||
|
|
||||||
```json tab="Marathon"
|
```json tab="Marathon"
|
||||||
"labels": {
|
"labels": {
|
||||||
"traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32, 192.168.1.7",
|
"traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange": "127.0.0.1/32, 192.168.1.7",
|
||||||
"traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth": "2"
|
"traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth": "2"
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
```yaml tab="Rancher"
|
```yaml tab="Rancher"
|
||||||
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
|
# Allowlisting Based on `X-Forwarded-For` with `depth=2`
|
||||||
labels:
|
labels:
|
||||||
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
|
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
|
||||||
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
|
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
|
||||||
```
|
```
|
||||||
|
|
||||||
```yaml tab="File (YAML)"
|
```yaml tab="File (YAML)"
|
||||||
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
|
# Allowlisting Based on `X-Forwarded-For` with `depth=2`
|
||||||
http:
|
http:
|
||||||
middlewares:
|
middlewares:
|
||||||
test-ipwhitelist:
|
test-ipallowlist:
|
||||||
ipWhiteList:
|
ipAllowList:
|
||||||
sourceRange:
|
sourceRange:
|
||||||
- "127.0.0.1/32"
|
- "127.0.0.1/32"
|
||||||
- "192.168.1.7"
|
- "192.168.1.7"
|
||||||
|
@ -150,11 +148,11 @@ http:
|
||||||
```
|
```
|
||||||
|
|
||||||
```toml tab="File (TOML)"
|
```toml tab="File (TOML)"
|
||||||
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
|
# Allowlisting Based on `X-Forwarded-For` with `depth=2`
|
||||||
[http.middlewares]
|
[http.middlewares]
|
||||||
[http.middlewares.test-ipwhitelist.ipWhiteList]
|
[http.middlewares.test-ipallowlist.ipAllowList]
|
||||||
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
|
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
|
||||||
[http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
|
[http.middlewares.test-ipallowlist.ipAllowList.ipStrategy]
|
||||||
depth = 2
|
depth = 2
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -177,7 +175,7 @@ http:
|
||||||
```yaml tab="Docker"
|
```yaml tab="Docker"
|
||||||
# Exclude from `X-Forwarded-For`
|
# Exclude from `X-Forwarded-For`
|
||||||
labels:
|
labels:
|
||||||
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
|
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
|
||||||
```
|
```
|
||||||
|
|
||||||
```yaml tab="Kubernetes"
|
```yaml tab="Kubernetes"
|
||||||
|
@ -185,9 +183,9 @@ labels:
|
||||||
apiVersion: traefik.containo.us/v1alpha1
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
kind: Middleware
|
kind: Middleware
|
||||||
metadata:
|
metadata:
|
||||||
name: test-ipwhitelist
|
name: test-ipallowlist
|
||||||
spec:
|
spec:
|
||||||
ipWhiteList:
|
ipAllowList:
|
||||||
ipStrategy:
|
ipStrategy:
|
||||||
excludedIPs:
|
excludedIPs:
|
||||||
- 127.0.0.1/32
|
- 127.0.0.1/32
|
||||||
|
@ -196,27 +194,27 @@ spec:
|
||||||
|
|
||||||
```yaml tab="Consul Catalog"
|
```yaml tab="Consul Catalog"
|
||||||
# Exclude from `X-Forwarded-For`
|
# Exclude from `X-Forwarded-For`
|
||||||
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
|
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
|
||||||
```
|
```
|
||||||
|
|
||||||
```json tab="Marathon"
|
```json tab="Marathon"
|
||||||
"labels": {
|
"labels": {
|
||||||
"traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
|
"traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
```yaml tab="Rancher"
|
```yaml tab="Rancher"
|
||||||
# Exclude from `X-Forwarded-For`
|
# Exclude from `X-Forwarded-For`
|
||||||
labels:
|
labels:
|
||||||
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
|
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
|
||||||
```
|
```
|
||||||
|
|
||||||
```yaml tab="File (YAML)"
|
```yaml tab="File (YAML)"
|
||||||
# Exclude from `X-Forwarded-For`
|
# Exclude from `X-Forwarded-For`
|
||||||
http:
|
http:
|
||||||
middlewares:
|
middlewares:
|
||||||
test-ipwhitelist:
|
test-ipallowlist:
|
||||||
ipWhiteList:
|
ipAllowList:
|
||||||
ipStrategy:
|
ipStrategy:
|
||||||
excludedIPs:
|
excludedIPs:
|
||||||
- "127.0.0.1/32"
|
- "127.0.0.1/32"
|
||||||
|
@ -226,7 +224,7 @@ http:
|
||||||
```toml tab="File (TOML)"
|
```toml tab="File (TOML)"
|
||||||
# Exclude from `X-Forwarded-For`
|
# Exclude from `X-Forwarded-For`
|
||||||
[http.middlewares]
|
[http.middlewares]
|
||||||
[http.middlewares.test-ipwhitelist.ipWhiteList]
|
[http.middlewares.test-ipallowlist.ipAllowList]
|
||||||
[http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
|
[http.middlewares.test-ipallowlist.ipAllowList.ipStrategy]
|
||||||
excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
|
excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
|
||||||
```
|
```
|
|
@ -142,7 +142,7 @@ http:
|
||||||
| [Errors](errorpages.md) | Defines custom error pages | Request Lifecycle |
|
| [Errors](errorpages.md) | Defines custom error pages | Request Lifecycle |
|
||||||
| [ForwardAuth](forwardauth.md) | Delegates Authentication | Security, Authentication |
|
| [ForwardAuth](forwardauth.md) | Delegates Authentication | Security, Authentication |
|
||||||
| [Headers](headers.md) | Adds / Updates headers | Security |
|
| [Headers](headers.md) | Adds / Updates headers | Security |
|
||||||
| [IPWhiteList](ipwhitelist.md) | Limits the allowed client IPs | Security, Request lifecycle |
|
| [IPAllowList](ipallowlist.md) | Limits the allowed client IPs | Security, Request lifecycle |
|
||||||
| [InFlightReq](inflightreq.md) | Limits the number of simultaneous connections | Security, Request lifecycle |
|
| [InFlightReq](inflightreq.md) | Limits the number of simultaneous connections | Security, Request lifecycle |
|
||||||
| [PassTLSClientCert](passtlsclientcert.md) | Adds Client Certificates in a Header | Security |
|
| [PassTLSClientCert](passtlsclientcert.md) | Adds Client Certificates in a Header | Security |
|
||||||
| [RateLimit](ratelimit.md) | Limits the call frequency | Security, Request lifecycle |
|
| [RateLimit](ratelimit.md) | Limits the call frequency | Security, Request lifecycle |
|
||||||
|
|
|
@ -1,30 +1,30 @@
|
||||||
---
|
---
|
||||||
title: "Traefik TCP Middlewares IPWhiteList"
|
title: "Traefik TCP Middlewares IPAllowList"
|
||||||
description: "Learn how to use IPWhiteList in TCP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
|
description: "Learn how to use IPAllowList in TCP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
|
||||||
---
|
---
|
||||||
|
|
||||||
# IPWhiteList
|
# IPAllowList
|
||||||
|
|
||||||
Limiting Clients to Specific IPs
|
Limiting Clients to Specific IPs
|
||||||
{: .subtitle }
|
{: .subtitle }
|
||||||
|
|
||||||
IPWhitelist accepts / refuses connections based on the client IP.
|
IPAllowList accepts / refuses connections based on the client IP.
|
||||||
|
|
||||||
## Configuration Examples
|
## Configuration Examples
|
||||||
|
|
||||||
```yaml tab="Docker"
|
```yaml tab="Docker"
|
||||||
# Accepts connections from defined IP
|
# Accepts connections from defined IP
|
||||||
labels:
|
labels:
|
||||||
- "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
|
- "traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
|
||||||
```
|
```
|
||||||
|
|
||||||
```yaml tab="Kubernetes"
|
```yaml tab="Kubernetes"
|
||||||
apiVersion: traefik.containo.us/v1alpha1
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
kind: MiddlewareTCP
|
kind: MiddlewareTCP
|
||||||
metadata:
|
metadata:
|
||||||
name: test-ipwhitelist
|
name: test-ipallowlist
|
||||||
spec:
|
spec:
|
||||||
ipWhiteList:
|
ipAllowList:
|
||||||
sourceRange:
|
sourceRange:
|
||||||
- 127.0.0.1/32
|
- 127.0.0.1/32
|
||||||
- 192.168.1.7
|
- 192.168.1.7
|
||||||
|
@ -32,25 +32,25 @@ spec:
|
||||||
|
|
||||||
```yaml tab="Consul Catalog"
|
```yaml tab="Consul Catalog"
|
||||||
# Accepts request from defined IP
|
# Accepts request from defined IP
|
||||||
- "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
|
- "traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
|
||||||
```
|
```
|
||||||
|
|
||||||
```json tab="Marathon"
|
```json tab="Marathon"
|
||||||
"labels": {
|
"labels": {
|
||||||
"traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32,192.168.1.7"
|
"traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange": "127.0.0.1/32,192.168.1.7"
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
```yaml tab="Rancher"
|
```yaml tab="Rancher"
|
||||||
# Accepts request from defined IP
|
# Accepts request from defined IP
|
||||||
labels:
|
labels:
|
||||||
- "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
|
- "traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
|
||||||
```
|
```
|
||||||
|
|
||||||
```toml tab="File (TOML)"
|
```toml tab="File (TOML)"
|
||||||
# Accepts request from defined IP
|
# Accepts request from defined IP
|
||||||
[tcp.middlewares]
|
[tcp.middlewares]
|
||||||
[tcp.middlewares.test-ipwhitelist.ipWhiteList]
|
[tcp.middlewares.test-ipallowlist.ipAllowList]
|
||||||
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
|
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -58,8 +58,8 @@ labels:
|
||||||
# Accepts request from defined IP
|
# Accepts request from defined IP
|
||||||
tcp:
|
tcp:
|
||||||
middlewares:
|
middlewares:
|
||||||
test-ipwhitelist:
|
test-ipallowlist:
|
||||||
ipWhiteList:
|
ipAllowList:
|
||||||
sourceRange:
|
sourceRange:
|
||||||
- "127.0.0.1/32"
|
- "127.0.0.1/32"
|
||||||
- "192.168.1.7"
|
- "192.168.1.7"
|
|
@ -18,10 +18,10 @@ whoami:
|
||||||
# A container that exposes an API to show its IP address
|
# A container that exposes an API to show its IP address
|
||||||
image: traefik/whoami
|
image: traefik/whoami
|
||||||
labels:
|
labels:
|
||||||
# Create a middleware named `foo-ip-whitelist`
|
# Create a middleware named `foo-ip-allowlist`
|
||||||
- "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
|
- "traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
|
||||||
# Apply the middleware named `foo-ip-whitelist` to the router named `router1`
|
# Apply the middleware named `foo-ip-allowlist` to the router named `router1`
|
||||||
- "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@docker"
|
- "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@docker"
|
||||||
```
|
```
|
||||||
|
|
||||||
```yaml tab="Kubernetes IngressRoute"
|
```yaml tab="Kubernetes IngressRoute"
|
||||||
|
@ -43,9 +43,9 @@ spec:
|
||||||
apiVersion: traefik.containo.us/v1alpha1
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
kind: MiddlewareTCP
|
kind: MiddlewareTCP
|
||||||
metadata:
|
metadata:
|
||||||
name: foo-ip-whitelist
|
name: foo-ip-allowlist
|
||||||
spec:
|
spec:
|
||||||
ipWhiteList:
|
ipAllowList:
|
||||||
sourcerange:
|
sourcerange:
|
||||||
- 127.0.0.1/32
|
- 127.0.0.1/32
|
||||||
- 192.168.1.7
|
- 192.168.1.7
|
||||||
|
@ -60,30 +60,30 @@ spec:
|
||||||
routes:
|
routes:
|
||||||
# more fields...
|
# more fields...
|
||||||
middlewares:
|
middlewares:
|
||||||
- name: foo-ip-whitelist
|
- name: foo-ip-allowlist
|
||||||
```
|
```
|
||||||
|
|
||||||
```yaml tab="Consul Catalog"
|
```yaml tab="Consul Catalog"
|
||||||
# Create a middleware named `foo-ip-whitelist`
|
# Create a middleware named `foo-ip-allowlist`
|
||||||
- "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
|
- "traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
|
||||||
# Apply the middleware named `foo-ip-whitelist` to the router named `router1`
|
# Apply the middleware named `foo-ip-allowlist` to the router named `router1`
|
||||||
- "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@consulcatalog"
|
- "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@consulcatalog"
|
||||||
```
|
```
|
||||||
|
|
||||||
```json tab="Marathon"
|
```json tab="Marathon"
|
||||||
"labels": {
|
"labels": {
|
||||||
"traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7",
|
"traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7",
|
||||||
"traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@marathon"
|
"traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@marathon"
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
```yaml tab="Rancher"
|
```yaml tab="Rancher"
|
||||||
# As a Rancher Label
|
# As a Rancher Label
|
||||||
labels:
|
labels:
|
||||||
# Create a middleware named `foo-ip-whitelist`
|
# Create a middleware named `foo-ip-allowlist`
|
||||||
- "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
|
- "traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
|
||||||
# Apply the middleware named `foo-ip-whitelist` to the router named `router1`
|
# Apply the middleware named `foo-ip-allowlist` to the router named `router1`
|
||||||
- "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@rancher"
|
- "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@rancher"
|
||||||
```
|
```
|
||||||
|
|
||||||
```toml tab="File (TOML)"
|
```toml tab="File (TOML)"
|
||||||
|
@ -91,11 +91,11 @@ labels:
|
||||||
[tcp.routers]
|
[tcp.routers]
|
||||||
[tcp.routers.router1]
|
[tcp.routers.router1]
|
||||||
service = "myService"
|
service = "myService"
|
||||||
middlewares = ["foo-ip-whitelist"]
|
middlewares = ["foo-ip-allowlist"]
|
||||||
rule = "Host(`example.com`)"
|
rule = "Host(`example.com`)"
|
||||||
|
|
||||||
[tcp.middlewares]
|
[tcp.middlewares]
|
||||||
[tcp.middlewares.foo-ip-whitelist.ipWhiteList]
|
[tcp.middlewares.foo-ip-allowlist.ipAllowList]
|
||||||
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
|
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
|
||||||
|
|
||||||
[tcp.services]
|
[tcp.services]
|
||||||
|
@ -114,12 +114,12 @@ tcp:
|
||||||
router1:
|
router1:
|
||||||
service: myService
|
service: myService
|
||||||
middlewares:
|
middlewares:
|
||||||
- "foo-ip-whitelist"
|
- "foo-ip-allowlist"
|
||||||
rule: "Host(`example.com`)"
|
rule: "Host(`example.com`)"
|
||||||
|
|
||||||
middlewares:
|
middlewares:
|
||||||
foo-ip-whitelist:
|
foo-ip-allowlist:
|
||||||
ipWhiteList:
|
ipAllowList:
|
||||||
sourceRange:
|
sourceRange:
|
||||||
- "127.0.0.1/32"
|
- "127.0.0.1/32"
|
||||||
- "192.168.1.7"
|
- "192.168.1.7"
|
||||||
|
@ -137,4 +137,4 @@ tcp:
|
||||||
| Middleware | Purpose | Area |
|
| Middleware | Purpose | Area |
|
||||||
|-------------------------------------------|---------------------------------------------------|-----------------------------|
|
|-------------------------------------------|---------------------------------------------------|-----------------------------|
|
||||||
| [InFlightConn](inflightconn.md) | Limits the number of simultaneous connections. | Security, Request lifecycle |
|
| [InFlightConn](inflightconn.md) | Limits the number of simultaneous connections. | Security, Request lifecycle |
|
||||||
| [IPWhiteList](ipwhitelist.md) | Limit the allowed client IPs. | Security, Request lifecycle |
|
| [IPAllowList](ipallowlist.md) | Limit the allowed client IPs. | Security, Request lifecycle |
|
||||||
|
|
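--- /dev/null
+++ b/docs/content/migration/v2-to-v3.md
@@ -0,0 +1,18 @@
+---
+title: "Traefik V3 Migration Documentation"
+description: "Migrate from Traefik Proxy v2 to v3 and update all the necessary configurations to take advantage of all the improvements. Read the technical documentation."
+---
+
+# Migration Guide: From v2 to v3
+
+How to Migrate from Traefik v2 to Traefik v3.
+{: .subtitle }
+
+The version 3 of Traefik introduces a number of breaking changes,
+which require one to update their configuration when they migrate from v2 to v3.
+The goal of this page is to recapitulate all of these changes, and in particular to give examples,
+feature by feature, of how the configuration looked like in v2, and how it now looks like in v3.
+
+## IPWhiteList
+
+In v3, we renamed the `IPWhiteList` middleware to `IPAllowList` without changing anything to the configuration.
+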
|
@ -72,7 +72,7 @@ to allow defining:
|
||||||
|
|
||||||
- One or more security features through [middlewares](../middlewares/overview.md)
|
- One or more security features through [middlewares](../middlewares/overview.md)
|
||||||
like authentication ([basicAuth](../middlewares/http/basicauth.md) , [digestAuth](../middlewares/http/digestauth.md),
|
like authentication ([basicAuth](../middlewares/http/basicauth.md) , [digestAuth](../middlewares/http/digestauth.md),
|
||||||
[forwardAuth](../middlewares/http/forwardauth.md)) or [whitelisting](../middlewares/http/ipwhitelist.md).
|
[forwardAuth](../middlewares/http/forwardauth.md)) or [allowlisting](../middlewares/http/ipallowlist.md).
|
||||||
|
|
||||||
- A [router rule](#dashboard-router-rule) for accessing the dashboard,
|
- A [router rule](#dashboard-router-rule) for accessing the dashboard,
|
||||||
through Traefik itself (sometimes referred as "Traefik-ception").
|
through Traefik itself (sometimes referred as "Traefik-ception").
|
||||||
|
|
|
@ -18,7 +18,7 @@ It supports providing configuration through a [single configuration file](#filen
|
||||||
|
|
||||||
!!! tip
|
!!! tip
|
||||||
|
|
||||||
The file provider can be a good solution for reusing common elements from other providers (e.g. declaring whitelist middlewares, basic authentication, ...)
|
The file provider can be a good solution for reusing common elements from other providers (e.g. declaring allowlist middlewares, basic authentication, ...)
|
||||||
|
|
||||||
## Configuration Examples
|
## Configuration Examples
|
||||||
|
|
||||||
|
|
|
@ -71,9 +71,9 @@
|
||||||
- "traefik.http.middlewares.middleware10.headers.stsincludesubdomains=true"
|
- "traefik.http.middlewares.middleware10.headers.stsincludesubdomains=true"
|
||||||
- "traefik.http.middlewares.middleware10.headers.stspreload=true"
|
- "traefik.http.middlewares.middleware10.headers.stspreload=true"
|
||||||
- "traefik.http.middlewares.middleware10.headers.stsseconds=42"
|
- "traefik.http.middlewares.middleware10.headers.stsseconds=42"
|
||||||
- "traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.depth=42"
|
- "traefik.http.middlewares.middleware11.ipallowlist.ipstrategy.depth=42"
|
||||||
- "traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.excludedips=foobar, foobar"
|
- "traefik.http.middlewares.middleware11.ipallowlist.ipstrategy.excludedips=foobar, foobar"
|
||||||
- "traefik.http.middlewares.middleware11.ipwhitelist.sourcerange=foobar, foobar"
|
- "traefik.http.middlewares.middleware11.ipallowlist.sourcerange=foobar, foobar"
|
||||||
- "traefik.http.middlewares.middleware12.inflightreq.amount=42"
|
- "traefik.http.middlewares.middleware12.inflightreq.amount=42"
|
||||||
- "traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.depth=42"
|
- "traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.depth=42"
|
||||||
- "traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.excludedips=foobar, foobar"
|
- "traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.excludedips=foobar, foobar"
|
||||||
|
@ -166,7 +166,7 @@
|
||||||
- "traefik.http.services.service01.loadbalancer.sticky.cookie.secure=true"
|
- "traefik.http.services.service01.loadbalancer.sticky.cookie.secure=true"
|
||||||
- "traefik.http.services.service01.loadbalancer.server.port=foobar"
|
- "traefik.http.services.service01.loadbalancer.server.port=foobar"
|
||||||
- "traefik.http.services.service01.loadbalancer.server.scheme=foobar"
|
- "traefik.http.services.service01.loadbalancer.server.scheme=foobar"
|
||||||
- "traefik.tcp.middlewares.tcpmiddleware00.ipwhitelist.sourcerange=foobar, foobar"
|
- "traefik.tcp.middlewares.tcpmiddleware00.ipallowlist.sourcerange=foobar, foobar"
|
||||||
- "traefik.tcp.middlewares.tcpmiddleware01.inflightconn.amount=42"
|
- "traefik.tcp.middlewares.tcpmiddleware01.inflightconn.amount=42"
|
||||||
- "traefik.tcp.routers.tcprouter0.entrypoints=foobar, foobar"
|
- "traefik.tcp.routers.tcprouter0.entrypoints=foobar, foobar"
|
||||||
- "traefik.tcp.routers.tcprouter0.middlewares=foobar, foobar"
|
- "traefik.tcp.routers.tcprouter0.middlewares=foobar, foobar"
|
||||||
|
|
|
@ -203,9 +203,9 @@
|
||||||
name0 = "foobar"
|
name0 = "foobar"
|
||||||
name1 = "foobar"
|
name1 = "foobar"
|
||||||
[http.middlewares.Middleware11]
|
[http.middlewares.Middleware11]
|
||||||
[http.middlewares.Middleware11.ipWhiteList]
|
[http.middlewares.Middleware11.ipAllowList]
|
||||||
sourceRange = ["foobar", "foobar"]
|
sourceRange = ["foobar", "foobar"]
|
||||||
[http.middlewares.Middleware11.ipWhiteList.ipStrategy]
|
[http.middlewares.Middleware11.ipAllowList.ipStrategy]
|
||||||
depth = 42
|
depth = 42
|
||||||
excludedIPs = ["foobar", "foobar"]
|
excludedIPs = ["foobar", "foobar"]
|
||||||
[http.middlewares.Middleware12]
|
[http.middlewares.Middleware12]
|
||||||
|
@ -402,7 +402,7 @@
|
||||||
weight = 42
|
weight = 42
|
||||||
[tcp.middlewares]
|
[tcp.middlewares]
|
||||||
[tcp.middlewares.TCPMiddleware00]
|
[tcp.middlewares.TCPMiddleware00]
|
||||||
[tcp.middlewares.TCPMiddleware00.ipWhiteList]
|
[tcp.middlewares.TCPMiddleware00.ipAllowList]
|
||||||
sourceRange = ["foobar", "foobar"]
|
sourceRange = ["foobar", "foobar"]
|
||||||
[tcp.middlewares.TCPMiddleware01]
|
[tcp.middlewares.TCPMiddleware01]
|
||||||
[tcp.middlewares.TCPMiddleware01.inFlightConn]
|
[tcp.middlewares.TCPMiddleware01.inFlightConn]
|
||||||
|
|
|
@ -230,7 +230,7 @@ http:
|
||||||
permissionsPolicy: foobar
|
permissionsPolicy: foobar
|
||||||
isDevelopment: true
|
isDevelopment: true
|
||||||
Middleware11:
|
Middleware11:
|
||||||
ipWhiteList:
|
ipAllowList:
|
||||||
sourceRange:
|
sourceRange:
|
||||||
- foobar
|
- foobar
|
||||||
- foobar
|
- foobar
|
||||||
|
@ -443,7 +443,7 @@ tcp:
|
||||||
weight: 42
|
weight: 42
|
||||||
middlewares:
|
middlewares:
|
||||||
TCPMiddleware00:
|
TCPMiddleware00:
|
||||||
ipWhiteList:
|
ipAllowList:
|
||||||
sourceRange:
|
sourceRange:
|
||||||
- foobar
|
- foobar
|
||||||
- foobar
|
- foobar
|
||||||
|
|
|
@ -1149,7 +1149,7 @@ spec:
|
||||||
properties:
|
properties:
|
||||||
ipStrategy:
|
ipStrategy:
|
||||||
description: 'IPStrategy holds the IP strategy configuration
|
description: 'IPStrategy holds the IP strategy configuration
|
||||||
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
|
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/#ipstrategy'
|
||||||
properties:
|
properties:
|
||||||
depth:
|
depth:
|
||||||
description: Depth tells Traefik to use the X-Forwarded-For
|
description: Depth tells Traefik to use the X-Forwarded-For
|
||||||
|
@ -1174,14 +1174,14 @@ spec:
|
||||||
type: boolean
|
type: boolean
|
||||||
type: object
|
type: object
|
||||||
type: object
|
type: object
|
||||||
ipWhiteList:
|
ipAllowList:
|
||||||
description: 'IPWhiteList holds the IP whitelist middleware configuration.
|
description: 'IPAllowList holds the IP allowlist middleware configuration.
|
||||||
This middleware accepts / refuses requests based on the client IP.
|
This middleware accepts / refuses requests based on the client IP.
|
||||||
More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/'
|
More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/'
|
||||||
properties:
|
properties:
|
||||||
ipStrategy:
|
ipStrategy:
|
||||||
description: 'IPStrategy holds the IP strategy configuration used
|
description: 'IPStrategy holds the IP strategy configuration used
|
||||||
by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
|
by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/#ipstrategy'
|
||||||
properties:
|
properties:
|
||||||
depth:
|
depth:
|
||||||
description: Depth tells Traefik to use the X-Forwarded-For
|
description: Depth tells Traefik to use the X-Forwarded-For
|
||||||
|
@ -1345,7 +1345,7 @@ spec:
|
||||||
properties:
|
properties:
|
||||||
ipStrategy:
|
ipStrategy:
|
||||||
description: 'IPStrategy holds the IP strategy configuration
|
description: 'IPStrategy holds the IP strategy configuration
|
||||||
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
|
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/#ipstrategy'
|
||||||
properties:
|
properties:
|
||||||
depth:
|
depth:
|
||||||
description: Depth tells Traefik to use the X-Forwarded-For
|
description: Depth tells Traefik to use the X-Forwarded-For
|
||||||
|
@ -1541,8 +1541,8 @@ spec:
|
||||||
format: int64
|
format: int64
|
||||||
type: integer
|
type: integer
|
||||||
type: object
|
type: object
|
||||||
ipWhiteList:
|
ipAllowList:
|
||||||
description: IPWhiteList defines the IPWhiteList middleware configuration.
|
description: IPAllowList defines the IPAllowList middleware configuration.
|
||||||
properties:
|
properties:
|
||||||
sourceRange:
|
sourceRange:
|
||||||
description: SourceRange defines the allowed IPs (or ranges of
|
description: SourceRange defines the allowed IPs (or ranges of
|
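Review bot: The rewritten `More info` URLs keep the `v2.9` version segment while switching to the new page name, e.g. `https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/` and the `#ipstrategy` variants in the hunks at 1149 and 1345. The `ipallowlist` page is introduced by this rename, so the v2.9 documentation tree presumably has no page under that name and these links would not resolve. Point the version segment at the release that ships the rename (the v3 docs, going by the `migration/v2-to-v3.md` entry added to the nav), or keep the old page name until the versioned URL exists. The same URLs recur in the later CRD sections of this commit, and if this YAML is generated, the fix belongs in the Go doc comments it is produced from.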
||||||
|
|
|
@ -148,7 +148,7 @@ spec:
|
||||||
- name: whoamitcp
|
- name: whoamitcp
|
||||||
port: 8080
|
port: 8080
|
||||||
middlewares:
|
middlewares:
|
||||||
- name: ipwhitelist
|
- name: ipallowlist
|
||||||
tls:
|
tls:
|
||||||
secretName: foosecret
|
secretName: foosecret
|
||||||
passthrough: false
|
passthrough: false
|
||||||
|
|
|
@ -84,11 +84,11 @@
|
||||||
| `traefik/http/middlewares/Middleware10/headers/stsIncludeSubdomains` | `true` |
|
| `traefik/http/middlewares/Middleware10/headers/stsIncludeSubdomains` | `true` |
|
||||||
| `traefik/http/middlewares/Middleware10/headers/stsPreload` | `true` |
|
| `traefik/http/middlewares/Middleware10/headers/stsPreload` | `true` |
|
||||||
| `traefik/http/middlewares/Middleware10/headers/stsSeconds` | `42` |
|
| `traefik/http/middlewares/Middleware10/headers/stsSeconds` | `42` |
|
||||||
| `traefik/http/middlewares/Middleware11/ipWhiteList/ipStrategy/depth` | `42` |
|
| `traefik/http/middlewares/Middleware11/ipAllowList/ipStrategy/depth` | `42` |
|
||||||
| `traefik/http/middlewares/Middleware11/ipWhiteList/ipStrategy/excludedIPs/0` | `foobar` |
|
| `traefik/http/middlewares/Middleware11/ipAllowList/ipStrategy/excludedIPs/0` | `foobar` |
|
||||||
| `traefik/http/middlewares/Middleware11/ipWhiteList/ipStrategy/excludedIPs/1` | `foobar` |
|
| `traefik/http/middlewares/Middleware11/ipAllowList/ipStrategy/excludedIPs/1` | `foobar` |
|
||||||
| `traefik/http/middlewares/Middleware11/ipWhiteList/sourceRange/0` | `foobar` |
|
| `traefik/http/middlewares/Middleware11/ipAllowList/sourceRange/0` | `foobar` |
|
||||||
| `traefik/http/middlewares/Middleware11/ipWhiteList/sourceRange/1` | `foobar` |
|
| `traefik/http/middlewares/Middleware11/ipAllowList/sourceRange/1` | `foobar` |
|
||||||
| `traefik/http/middlewares/Middleware12/inFlightReq/amount` | `42` |
|
| `traefik/http/middlewares/Middleware12/inFlightReq/amount` | `42` |
|
||||||
| `traefik/http/middlewares/Middleware12/inFlightReq/sourceCriterion/ipStrategy/depth` | `42` |
|
| `traefik/http/middlewares/Middleware12/inFlightReq/sourceCriterion/ipStrategy/depth` | `42` |
|
||||||
| `traefik/http/middlewares/Middleware12/inFlightReq/sourceCriterion/ipStrategy/excludedIPs/0` | `foobar` |
|
| `traefik/http/middlewares/Middleware12/inFlightReq/sourceCriterion/ipStrategy/excludedIPs/0` | `foobar` |
|
||||||
|
@ -247,8 +247,8 @@
|
||||||
| `traefik/http/services/Service04/failover/fallback` | `foobar` |
|
| `traefik/http/services/Service04/failover/fallback` | `foobar` |
|
||||||
| `traefik/http/services/Service04/failover/healthCheck` | `` |
|
| `traefik/http/services/Service04/failover/healthCheck` | `` |
|
||||||
| `traefik/http/services/Service04/failover/service` | `foobar` |
|
| `traefik/http/services/Service04/failover/service` | `foobar` |
|
||||||
| `traefik/tcp/middlewares/TCPMiddleware00/ipWhiteList/sourceRange/0` | `foobar` |
|
| `traefik/tcp/middlewares/TCPMiddleware00/ipAllowList/sourceRange/0` | `foobar` |
|
||||||
| `traefik/tcp/middlewares/TCPMiddleware00/ipWhiteList/sourceRange/1` | `foobar` |
|
| `traefik/tcp/middlewares/TCPMiddleware00/ipAllowList/sourceRange/1` | `foobar` |
|
||||||
| `traefik/tcp/middlewares/TCPMiddleware01/inFlightConn/amount` | `42` |
|
| `traefik/tcp/middlewares/TCPMiddleware01/inFlightConn/amount` | `42` |
|
||||||
| `traefik/tcp/routers/TCPRouter0/entryPoints/0` | `foobar` |
|
| `traefik/tcp/routers/TCPRouter0/entryPoints/0` | `foobar` |
|
||||||
| `traefik/tcp/routers/TCPRouter0/entryPoints/1` | `foobar` |
|
| `traefik/tcp/routers/TCPRouter0/entryPoints/1` | `foobar` |
|
||||||
|
|
|
@ -71,9 +71,9 @@
|
||||||
"traefik.http.middlewares.middleware10.headers.stsincludesubdomains": "true",
|
"traefik.http.middlewares.middleware10.headers.stsincludesubdomains": "true",
|
||||||
"traefik.http.middlewares.middleware10.headers.stspreload": "true",
|
"traefik.http.middlewares.middleware10.headers.stspreload": "true",
|
||||||
"traefik.http.middlewares.middleware10.headers.stsseconds": "42",
|
"traefik.http.middlewares.middleware10.headers.stsseconds": "42",
|
||||||
"traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.depth": "42",
|
"traefik.http.middlewares.middleware11.ipallowlist.ipstrategy.depth": "42",
|
||||||
"traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.excludedips": "foobar, foobar",
|
"traefik.http.middlewares.middleware11.ipallowlist.ipstrategy.excludedips": "foobar, foobar",
|
||||||
"traefik.http.middlewares.middleware11.ipwhitelist.sourcerange": "foobar, foobar",
|
"traefik.http.middlewares.middleware11.ipallowlist.sourcerange": "foobar, foobar",
|
||||||
"traefik.http.middlewares.middleware12.inflightreq.amount": "42",
|
"traefik.http.middlewares.middleware12.inflightreq.amount": "42",
|
||||||
"traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.depth": "42",
|
"traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.depth": "42",
|
||||||
"traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.excludedips": "foobar, foobar",
|
"traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.excludedips": "foobar, foobar",
|
||||||
|
@ -166,7 +166,7 @@
|
||||||
"traefik.http.services.service01.loadbalancer.sticky.cookie.secure": "true",
|
"traefik.http.services.service01.loadbalancer.sticky.cookie.secure": "true",
|
||||||
"traefik.http.services.service01.loadbalancer.server.port": "foobar",
|
"traefik.http.services.service01.loadbalancer.server.port": "foobar",
|
||||||
"traefik.http.services.service01.loadbalancer.server.scheme": "foobar",
|
"traefik.http.services.service01.loadbalancer.server.scheme": "foobar",
|
||||||
"traefik.tcp.middlewares.tcpmiddleware00.ipwhitelist.sourcerange": "foobar, foobar",
|
"traefik.tcp.middlewares.tcpmiddleware00.ipallowlist.sourcerange": "foobar, foobar",
|
||||||
"traefik.tcp.middlewares.tcpmiddleware01.inflightconn.amount": "42",
|
"traefik.tcp.middlewares.tcpmiddleware01.inflightconn.amount": "42",
|
||||||
"traefik.tcp.routers.tcprouter0.entrypoints": "foobar, foobar",
|
"traefik.tcp.routers.tcprouter0.entrypoints": "foobar, foobar",
|
||||||
"traefik.tcp.routers.tcprouter0.middlewares": "foobar, foobar",
|
"traefik.tcp.routers.tcprouter0.middlewares": "foobar, foobar",
|
||||||
|
|
|
@ -572,7 +572,7 @@ spec:
|
||||||
properties:
|
properties:
|
||||||
ipStrategy:
|
ipStrategy:
|
||||||
description: 'IPStrategy holds the IP strategy configuration
|
description: 'IPStrategy holds the IP strategy configuration
|
||||||
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
|
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/#ipstrategy'
|
||||||
properties:
|
properties:
|
||||||
depth:
|
depth:
|
||||||
description: Depth tells Traefik to use the X-Forwarded-For
|
description: Depth tells Traefik to use the X-Forwarded-For
|
||||||
|
@ -597,14 +597,14 @@ spec:
|
||||||
type: boolean
|
type: boolean
|
||||||
type: object
|
type: object
|
||||||
type: object
|
type: object
|
||||||
ipWhiteList:
|
ipAllowList:
|
||||||
description: 'IPWhiteList holds the IP whitelist middleware configuration.
|
description: 'IPAllowList holds the IP allowlist middleware configuration.
|
||||||
This middleware accepts / refuses requests based on the client IP.
|
This middleware accepts / refuses requests based on the client IP.
|
||||||
More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/'
|
More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/'
|
||||||
properties:
|
properties:
|
||||||
ipStrategy:
|
ipStrategy:
|
||||||
description: 'IPStrategy holds the IP strategy configuration used
|
description: 'IPStrategy holds the IP strategy configuration used
|
||||||
by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
|
by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/#ipstrategy'
|
||||||
properties:
|
properties:
|
||||||
depth:
|
depth:
|
||||||
description: Depth tells Traefik to use the X-Forwarded-For
|
description: Depth tells Traefik to use the X-Forwarded-For
|
||||||
|
@ -768,7 +768,7 @@ spec:
|
||||||
properties:
|
properties:
|
||||||
ipStrategy:
|
ipStrategy:
|
||||||
description: 'IPStrategy holds the IP strategy configuration
|
description: 'IPStrategy holds the IP strategy configuration
|
||||||
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
|
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/#ipstrategy'
|
||||||
properties:
|
properties:
|
||||||
depth:
|
depth:
|
||||||
description: Depth tells Traefik to use the X-Forwarded-For
|
description: Depth tells Traefik to use the X-Forwarded-For
|
||||||
|
|
|
@ -47,8 +47,8 @@ spec:
|
||||||
format: int64
|
format: int64
|
||||||
type: integer
|
type: integer
|
||||||
type: object
|
type: object
|
||||||
ipWhiteList:
|
ipAllowList:
|
||||||
description: IPWhiteList defines the IPWhiteList middleware configuration.
|
description: IPAllowList defines the IPAllowList middleware configuration.
|
||||||
properties:
|
properties:
|
||||||
sourceRange:
|
sourceRange:
|
||||||
description: SourceRange defines the allowed IPs (or ranges of
|
description: SourceRange defines the allowed IPs (or ranges of
|
||||||
|
|
|
@ -1287,9 +1287,9 @@ Register the `MiddlewareTCP` [kind](../../reference/dynamic-configuration/kubern
|
||||||
apiVersion: traefik.containo.us/v1alpha1
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
kind: MiddlewareTCP
|
kind: MiddlewareTCP
|
||||||
metadata:
|
metadata:
|
||||||
name: ipwhitelist
|
name: ipallowlist
|
||||||
spec:
|
spec:
|
||||||
ipWhiteList:
|
ipAllowList:
|
||||||
sourceRange:
|
sourceRange:
|
||||||
- 127.0.0.1/32
|
- 127.0.0.1/32
|
||||||
- 192.168.1.7
|
- 192.168.1.7
|
||||||
|
@ -1305,13 +1305,13 @@ Register the `MiddlewareTCP` [kind](../../reference/dynamic-configuration/kubern
|
||||||
entryPoints:
|
entryPoints:
|
||||||
- web
|
- web
|
||||||
routes:
|
routes:
|
||||||
- match: Host(`example.com`) && PathPrefix(`/whitelist`)
|
- match: Host(`example.com`) && PathPrefix(`/allowlist`)
|
||||||
kind: Rule
|
kind: Rule
|
||||||
services:
|
services:
|
||||||
- name: whoami
|
- name: whoami
|
||||||
port: 80
|
port: 80
|
||||||
middlewares:
|
middlewares:
|
||||||
- name: ipwhitelist
|
- name: ipallowlist
|
||||||
namespace: foo
|
namespace: foo
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
|
@ -986,7 +986,7 @@ The middlewares will take effect only if the rule matches, and before connecting
|
||||||
[tcp.routers.my-router]
|
[tcp.routers.my-router]
|
||||||
rule = "HostSNI(`*`)"
|
rule = "HostSNI(`*`)"
|
||||||
# declared elsewhere
|
# declared elsewhere
|
||||||
middlewares = ["ipwhitelist"]
|
middlewares = ["ipallowlist"]
|
||||||
service = "service-foo"
|
service = "service-foo"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -998,7 +998,7 @@ The middlewares will take effect only if the rule matches, and before connecting
|
||||||
rule: "HostSNI(`*`)"
|
rule: "HostSNI(`*`)"
|
||||||
# declared elsewhere
|
# declared elsewhere
|
||||||
middlewares:
|
middlewares:
|
||||||
- ipwhitelist
|
- ipallowlist
|
||||||
service: service-foo
|
service: service-foo
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
|
@ -126,7 +126,7 @@ nav:
|
||||||
- 'Errors': 'middlewares/http/errorpages.md'
|
- 'Errors': 'middlewares/http/errorpages.md'
|
||||||
- 'ForwardAuth': 'middlewares/http/forwardauth.md'
|
- 'ForwardAuth': 'middlewares/http/forwardauth.md'
|
||||||
- 'Headers': 'middlewares/http/headers.md'
|
- 'Headers': 'middlewares/http/headers.md'
|
||||||
- 'IpWhitelist': 'middlewares/http/ipwhitelist.md'
|
- 'IpAllowList': 'middlewares/http/ipallowlist.md'
|
||||||
- 'InFlightReq': 'middlewares/http/inflightreq.md'
|
- 'InFlightReq': 'middlewares/http/inflightreq.md'
|
||||||
- 'PassTLSClientCert': 'middlewares/http/passtlsclientcert.md'
|
- 'PassTLSClientCert': 'middlewares/http/passtlsclientcert.md'
|
||||||
- 'RateLimit': 'middlewares/http/ratelimit.md'
|
- 'RateLimit': 'middlewares/http/ratelimit.md'
|
||||||
|
@ -140,7 +140,7 @@ nav:
|
||||||
- 'TCP':
|
- 'TCP':
|
||||||
- 'Overview': 'middlewares/tcp/overview.md'
|
- 'Overview': 'middlewares/tcp/overview.md'
|
||||||
- 'InFlightConn': 'middlewares/tcp/inflightconn.md'
|
- 'InFlightConn': 'middlewares/tcp/inflightconn.md'
|
||||||
- 'IpWhitelist': 'middlewares/tcp/ipwhitelist.md'
|
- 'IpAllowList': 'middlewares/tcp/ipallowlist.md'
|
||||||
- 'Traefik Hub': 'traefik-hub/index.md'
|
- 'Traefik Hub': 'traefik-hub/index.md'
|
||||||
- 'Plugins & Plugin Catalog': 'plugins/index.md'
|
- 'Plugins & Plugin Catalog': 'plugins/index.md'
|
||||||
- 'Operations':
|
- 'Operations':
|
||||||
|
@ -177,6 +177,7 @@ nav:
|
||||||
- 'HTTP Challenge': 'user-guides/docker-compose/acme-http/index.md'
|
- 'HTTP Challenge': 'user-guides/docker-compose/acme-http/index.md'
|
||||||
- 'DNS Challenge': 'user-guides/docker-compose/acme-dns/index.md'
|
- 'DNS Challenge': 'user-guides/docker-compose/acme-dns/index.md'
|
||||||
- 'Migration':
|
- 'Migration':
|
||||||
|
- 'Traefik v2 to v3': 'migration/v2-to-v3.md'
|
||||||
- 'Traefik v2 minor migrations': 'migration/v2.md'
|
- 'Traefik v2 minor migrations': 'migration/v2.md'
|
||||||
- 'Traefik v1 to v2': 'migration/v1-to-v2.md'
|
- 'Traefik v1 to v2': 'migration/v1-to-v2.md'
|
||||||
- 'Contributing':
|
- 'Contributing':
|
||||||
|
|
|
@ -435,7 +435,7 @@ func (s *AccessLogSuite) TestAccessLogBackendNotFound(c *check.C) {
|
||||||
checkNoOtherTraefikProblems(c)
|
checkNoOtherTraefikProblems(c)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *AccessLogSuite) TestAccessLogFrontendWhitelist(c *check.C) {
|
func (s *AccessLogSuite) TestAccessLogFrontendAllowlist(c *check.C) {
|
||||||
ensureWorkingDirectoryIsClean()
|
ensureWorkingDirectoryIsClean()
|
||||||
|
|
||||||
expected := []accessLogValue{
|
expected := []accessLogValue{
|
||||||
|
@ -443,7 +443,7 @@ func (s *AccessLogSuite) TestAccessLogFrontendWhitelist(c *check.C) {
|
||||||
formatOnly: false,
|
formatOnly: false,
|
||||||
code: "403",
|
code: "403",
|
||||||
user: "-",
|
user: "-",
|
||||||
routerName: "rt-frontendWhitelist",
|
routerName: "rt-frontendAllowlist",
|
||||||
serviceURL: "-",
|
serviceURL: "-",
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
@ -458,7 +458,7 @@ func (s *AccessLogSuite) TestAccessLogFrontendWhitelist(c *check.C) {
|
||||||
|
|
||||||
checkStatsForLogFile(c)
|
checkStatsForLogFile(c)
|
||||||
|
|
||||||
waitForTraefik(c, "frontendWhitelist")
|
waitForTraefik(c, "frontendAllowlist")
|
||||||
|
|
||||||
// Verify Traefik started OK
|
// Verify Traefik started OK
|
||||||
checkTraefikStarted(c)
|
checkTraefikStarted(c)
|
||||||
|
@ -466,7 +466,7 @@ func (s *AccessLogSuite) TestAccessLogFrontendWhitelist(c *check.C) {
|
||||||
// Test rate limit
|
// Test rate limit
|
||||||
req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
|
req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
||||||
req.Host = "frontend.whitelist.docker.local"
|
req.Host = "frontend.allowlist.docker.local"
|
||||||
|
|
||||||
err = try.Request(req, 500*time.Millisecond, try.StatusCodeIs(http.StatusForbidden), try.HasBody())
|
err = try.Request(req, 500*time.Millisecond, try.StatusCodeIs(http.StatusForbidden), try.HasBody())
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
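Review bot: In the last hunk of `TestAccessLogFrontendAllowlist`, the context comment `// Test rate limit` sits above a request that is asserted to return `http.StatusForbidden`, so it describes a different test than the one being renamed. Since this commit already touches the function, replace it with something like `// Expect 403: the client address is outside the allowlist source range` (the range is `8.8.8.8/32` in the compose fixture). The new identifiers also spell `Allowlist` while the option itself is `ipAllowList`; using one capitalisation throughout would keep the rename greppable. The function body starts and ends outside the visible hunks.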
||||||
|
|
|
@ -1149,7 +1149,7 @@ spec:
|
||||||
properties:
|
properties:
|
||||||
ipStrategy:
|
ipStrategy:
|
||||||
description: 'IPStrategy holds the IP strategy configuration
|
description: 'IPStrategy holds the IP strategy configuration
|
||||||
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
|
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/#ipstrategy'
|
||||||
properties:
|
properties:
|
||||||
depth:
|
depth:
|
||||||
description: Depth tells Traefik to use the X-Forwarded-For
|
description: Depth tells Traefik to use the X-Forwarded-For
|
||||||
|
@ -1174,14 +1174,14 @@ spec:
|
||||||
type: boolean
|
type: boolean
|
||||||
type: object
|
type: object
|
||||||
type: object
|
type: object
|
||||||
ipWhiteList:
|
ipAllowList:
|
||||||
description: 'IPWhiteList holds the IP whitelist middleware configuration.
|
description: 'IPAllowList holds the IP allowlist middleware configuration.
|
||||||
This middleware accepts / refuses requests based on the client IP.
|
This middleware accepts / refuses requests based on the client IP.
|
||||||
More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/'
|
More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/'
|
||||||
properties:
|
properties:
|
||||||
ipStrategy:
|
ipStrategy:
|
||||||
description: 'IPStrategy holds the IP strategy configuration used
|
description: 'IPStrategy holds the IP strategy configuration used
|
||||||
by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
|
by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/#ipstrategy'
|
||||||
properties:
|
properties:
|
||||||
depth:
|
depth:
|
||||||
description: Depth tells Traefik to use the X-Forwarded-For
|
description: Depth tells Traefik to use the X-Forwarded-For
|
||||||
|
@ -1345,7 +1345,7 @@ spec:
|
||||||
properties:
|
properties:
|
||||||
ipStrategy:
|
ipStrategy:
|
||||||
description: 'IPStrategy holds the IP strategy configuration
|
description: 'IPStrategy holds the IP strategy configuration
|
||||||
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
|
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/#ipstrategy'
|
||||||
properties:
|
properties:
|
||||||
depth:
|
depth:
|
||||||
description: Depth tells Traefik to use the X-Forwarded-For
|
description: Depth tells Traefik to use the X-Forwarded-For
|
||||||
|
@ -1541,8 +1541,8 @@ spec:
|
||||||
format: int64
|
format: int64
|
||||||
type: integer
|
type: integer
|
||||||
type: object
|
type: object
|
||||||
ipWhiteList:
|
ipAllowList:
|
||||||
description: IPWhiteList defines the IPWhiteList middleware configuration.
|
description: IPAllowList defines the IPAllowList middleware configuration.
|
||||||
properties:
|
properties:
|
||||||
sourceRange:
|
sourceRange:
|
||||||
description: SourceRange defines the allowed IPs (or ranges of
|
description: SourceRange defines the allowed IPs (or ranges of
|
||||||
|
|
|
@ -23,7 +23,7 @@
|
||||||
entryPoints = ["tcp"]
|
entryPoints = ["tcp"]
|
||||||
rule = "HostSNI(`whoami-a.test`)"
|
rule = "HostSNI(`whoami-a.test`)"
|
||||||
service = "whoami-a"
|
service = "whoami-a"
|
||||||
middlewares = ["blocking-ipwhitelist"]
|
middlewares = ["blocking-ipallowlist"]
|
||||||
[tcp.routers.to-whoami-a.tls]
|
[tcp.routers.to-whoami-a.tls]
|
||||||
passthrough = true
|
passthrough = true
|
||||||
|
|
||||||
|
@ -31,7 +31,7 @@
|
||||||
entryPoints = ["tcp"]
|
entryPoints = ["tcp"]
|
||||||
rule = "HostSNI(`whoami-b.test`)"
|
rule = "HostSNI(`whoami-b.test`)"
|
||||||
service = "whoami-b"
|
service = "whoami-b"
|
||||||
middlewares = ["allowing-ipwhitelist"]
|
middlewares = ["allowing-ipallowlist"]
|
||||||
[tcp.routers.to-whoami-b.tls]
|
[tcp.routers.to-whoami-b.tls]
|
||||||
passthrough = true
|
passthrough = true
|
||||||
|
|
||||||
|
@ -45,7 +45,7 @@
|
||||||
address = "{{ .WhoamiB }}"
|
address = "{{ .WhoamiB }}"
|
||||||
|
|
||||||
[tcp.middlewares]
|
[tcp.middlewares]
|
||||||
[tcp.middlewares.allowing-ipwhitelist.ipWhiteList]
|
[tcp.middlewares.allowing-ipallowlist.ipAllowList]
|
||||||
sourceRange = ["127.0.0.1/32"]
|
sourceRange = ["127.0.0.1/32"]
|
||||||
[tcp.middlewares.blocking-ipwhitelist.ipWhiteList]
|
[tcp.middlewares.blocking-ipallowlist.ipAllowList]
|
||||||
sourceRange = ["127.127.127.127/32"]
|
sourceRange = ["127.127.127.127/32"]
|
|
@ -75,14 +75,14 @@ services:
|
||||||
traefik.http.middlewares.rate.ratelimit.burst: 2
|
traefik.http.middlewares.rate.ratelimit.burst: 2
|
||||||
traefik.http.services.service3.loadbalancer.server.port: 80
|
traefik.http.services.service3.loadbalancer.server.port: 80
|
||||||
|
|
||||||
frontendWhitelist:
|
frontendAllowlist:
|
||||||
image: traefik/whoami
|
image: traefik/whoami
|
||||||
labels:
|
labels:
|
||||||
traefik.enable: true
|
traefik.enable: true
|
||||||
traefik.http.routers.rt-frontendWhitelist.entryPoints: web
|
traefik.http.routers.rt-frontendAllowlist.entryPoints: web
|
||||||
traefik.http.routers.rt-frontendWhitelist.rule: Host(`frontend.whitelist.docker.local`)
|
traefik.http.routers.rt-frontendAllowlist.rule: Host(`frontend.allowlist.docker.local`)
|
||||||
traefik.http.routers.rt-frontendWhitelist.middlewares: wl
|
traefik.http.routers.rt-frontendAllowlist.middlewares: wl
|
||||||
traefik.http.middlewares.wl.ipwhitelist.sourcerange: 8.8.8.8/32
|
traefik.http.middlewares.wl.ipallowlist.sourcerange: 8.8.8.8/32
|
||||||
traefik.http.services.service3.loadbalancer.server.port: 80
|
traefik.http.services.service3.loadbalancer.server.port: 80
|
||||||
|
|
||||||
networks:
|
networks:
|
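Review bot: The middleware is still named `wl` after the rename, so `traefik.http.routers.rt-frontendAllowlist.middlewares: wl` and `traefik.http.middlewares.wl.ipallowlist.sourcerange: 8.8.8.8/32` keep an abbreviation of the term this commit removes. Renaming it, for example `...middlewares: al` and `traefik.http.middlewares.al.ipallowlist.sourcerange: 8.8.8.8/32`, would finish the job. The same leftover appears as `wl1` to `wl4` in the new `integration/resources/compose/allowlist.yml`. This is naming only; behaviour is unaffected as long as both labels use the same name.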
||||||
|
|
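--- a/integration/resources/compose/allowlist.yml
+++ b/integration/resources/compose/allowlist.yml
@@ -0,0 +1,41 @@
+version: "3.8"
+services:
+noOverrideAllowlist:
+image: traefik/whoami
+labels:
+traefik.enable: true
+traefik.http.routers.rt1.rule: Host(`no.override.allowlist.docker.local`)
+traefik.http.routers.rt1.middlewares: wl1
+traefik.http.middlewares.wl1.ipallowList.sourceRange: 8.8.8.8
+
+overrideIPStrategyRemoteAddrAllowlist:
+image: traefik/whoami
+labels:
+traefik.enable: true
+traefik.http.routers.rt2.rule: Host(`override.remoteaddr.allowlist.docker.local`)
+traefik.http.routers.rt2.middlewares: wl2
+traefik.http.middlewares.wl2.ipallowlist.sourceRange: 8.8.8.8
+traefik.http.middlewares.wl2.ipallowlist.ipStrategy: true
+
+overrideIPStrategyDepthAllowlist:
+image: traefik/whoami
+labels:
+traefik.enable: true
+traefik.http.routers.rt3.rule: Host(`override.depth.allowlist.docker.local`)
+traefik.http.routers.rt3.middlewares: wl3
+traefik.http.middlewares.wl3.ipallowlist.sourceRange: 8.8.8.8
+traefik.http.middlewares.wl3.ipallowlist.ipStrategy.depth: 3
+
+overrideIPStrategyExcludedIPsAllowlist:
+image: traefik/whoami
+labels:
+traefik.enable: true
+traefik.http.routers.rt4.rule: Host(`override.excludedips.allowlist.docker.local`)
+traefik.http.routers.rt4.middlewares: wl4
+traefik.http.middlewares.wl4.ipallowlist.sourceRange: 8.8.8.8
+traefik.http.middlewares.wl4.ipallowlist.ipStrategy.excludedIPs: 10.0.0.1,10.0.0.2
+
+networks:
+default:
+name: traefik-test-network
+external: true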
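Review bot: This fixture only exercises the new `ipallowlist` labels, and nothing visible in the commit checks what happens to a deployment that still carries the removed `ipwhitelist` key. Because the option is an access control, the safe outcome is that such a configuration is rejected and the router is not served, rather than the label being ignored and the route exposed without a source-range check; which of the two happens cannot be determined from this page. A fifth service using the old spelling, e.g. `traefik.http.middlewares.legacy.ipwhitelist.sourceRange: 8.8.8.8` (constructed name), with a test case asserting the request is not answered with 200, would pin that down. Separately, the `wl1` label is spelled `ipallowList` while the other three use `ipallowlist`; the mixed case looks carried over from the old file and is worth normalising.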
|
@ -1,41 +0,0 @@
|
||||||
version: "3.8"
|
|
||||||
services:
|
|
||||||
noOverrideWhitelist:
|
|
||||||
image: traefik/whoami
|
|
||||||
labels:
|
|
||||||
traefik.enable: true
|
|
||||||
traefik.http.routers.rt1.rule: Host(`no.override.whitelist.docker.local`)
|
|
||||||
traefik.http.routers.rt1.middlewares: wl1
|
|
||||||
traefik.http.middlewares.wl1.ipwhiteList.sourceRange: 8.8.8.8
|
|
||||||
|
|
||||||
overrideIPStrategyRemoteAddrWhitelist:
|
|
||||||
image: traefik/whoami
|
|
||||||
labels:
|
|
||||||
traefik.enable: true
|
|
||||||
traefik.http.routers.rt2.rule: Host(`override.remoteaddr.whitelist.docker.local`)
|
|
||||||
traefik.http.routers.rt2.middlewares: wl2
|
|
||||||
traefik.http.middlewares.wl2.ipwhitelist.sourceRange: 8.8.8.8
|
|
||||||
traefik.http.middlewares.wl2.ipwhitelist.ipStrategy: true
|
|
||||||
|
|
||||||
overrideIPStrategyDepthWhitelist:
|
|
||||||
image: traefik/whoami
|
|
||||||
labels:
|
|
||||||
traefik.enable: true
|
|
||||||
traefik.http.routers.rt3.rule: Host(`override.depth.whitelist.docker.local`)
|
|
||||||
traefik.http.routers.rt3.middlewares: wl3
|
|
||||||
traefik.http.middlewares.wl3.ipwhitelist.sourceRange: 8.8.8.8
|
|
||||||
traefik.http.middlewares.wl3.ipwhitelist.ipStrategy.depth: 3
|
|
||||||
|
|
||||||
overrideIPStrategyExcludedIPsWhitelist:
|
|
||||||
image: traefik/whoami
|
|
||||||
labels:
|
|
||||||
traefik.enable: true
|
|
||||||
traefik.http.routers.rt4.rule: Host(`override.excludedips.whitelist.docker.local`)
|
|
||||||
traefik.http.routers.rt4.middlewares: wl4
|
|
||||||
traefik.http.middlewares.wl4.ipwhitelist.sourceRange: 8.8.8.8
|
|
||||||
traefik.http.middlewares.wl4.ipwhitelist.ipStrategy.excludedIPs: 10.0.0.1,10.0.0.2
|
|
||||||
|
|
||||||
networks:
|
|
||||||
default:
|
|
||||||
name: traefik-test-network
|
|
||||||
external: true
|
|
|
@ -397,13 +397,13 @@ func (s *SimpleSuite) TestMultipleProviderSameBackendName(c *check.C) {
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *SimpleSuite) TestIPStrategyWhitelist(c *check.C) {
|
func (s *SimpleSuite) TestIPStrategyAllowlist(c *check.C) {
|
||||||
s.createComposeProject(c, "whitelist")
|
s.createComposeProject(c, "allowlist")
|
||||||
|
|
||||||
s.composeUp(c)
|
s.composeUp(c)
|
||||||
defer s.composeDown(c)
|
defer s.composeDown(c)
|
||||||
|
|
||||||
cmd, output := s.traefikCmd(withConfigFile("fixtures/simple_whitelist.toml"))
|
cmd, output := s.traefikCmd(withConfigFile("fixtures/simple_allowlist.toml"))
|
||||||
defer output(c)
|
defer output(c)
|
||||||
|
|
||||||
err := cmd.Start()
|
err := cmd.Start()
|
||||||
|
@ -413,7 +413,7 @@ func (s *SimpleSuite) TestIPStrategyWhitelist(c *check.C) {
|
||||||
err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 2*time.Second, try.BodyContains("override"))
|
err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 2*time.Second, try.BodyContains("override"))
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
||||||
|
|
||||||
err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 2*time.Second, try.BodyContains("override.remoteaddr.whitelist.docker.local"))
|
err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 2*time.Second, try.BodyContains("override.remoteaddr.allowlist.docker.local"))
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
||||||
|
|
||||||
testCases := []struct {
|
testCases := []struct {
|
||||||
|
@ -425,31 +425,31 @@ func (s *SimpleSuite) TestIPStrategyWhitelist(c *check.C) {
|
||||||
{
|
{
|
||||||
desc: "override remote addr reject",
|
desc: "override remote addr reject",
|
||||||
xForwardedFor: "8.8.8.8,8.8.8.8",
|
xForwardedFor: "8.8.8.8,8.8.8.8",
|
||||||
host: "override.remoteaddr.whitelist.docker.local",
|
host: "override.remoteaddr.allowlist.docker.local",
|
||||||
expectedStatusCode: 403,
|
expectedStatusCode: 403,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
desc: "override depth accept",
|
desc: "override depth accept",
|
||||||
xForwardedFor: "8.8.8.8,10.0.0.1,127.0.0.1",
|
xForwardedFor: "8.8.8.8,10.0.0.1,127.0.0.1",
|
||||||
host: "override.depth.whitelist.docker.local",
|
host: "override.depth.allowlist.docker.local",
|
||||||
expectedStatusCode: 200,
|
expectedStatusCode: 200,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
desc: "override depth reject",
|
desc: "override depth reject",
|
||||||
xForwardedFor: "10.0.0.1,8.8.8.8,127.0.0.1",
|
xForwardedFor: "10.0.0.1,8.8.8.8,127.0.0.1",
|
||||||
host: "override.depth.whitelist.docker.local",
|
host: "override.depth.allowlist.docker.local",
|
||||||
expectedStatusCode: 403,
|
expectedStatusCode: 403,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
desc: "override excludedIPs reject",
|
desc: "override excludedIPs reject",
|
||||||
xForwardedFor: "10.0.0.3,10.0.0.1,10.0.0.2",
|
xForwardedFor: "10.0.0.3,10.0.0.1,10.0.0.2",
|
||||||
host: "override.excludedips.whitelist.docker.local",
|
host: "override.excludedips.allowlist.docker.local",
|
||||||
expectedStatusCode: 403,
|
expectedStatusCode: 403,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
desc: "override excludedIPs accept",
|
desc: "override excludedIPs accept",
|
||||||
xForwardedFor: "8.8.8.8,10.0.0.1,10.0.0.2",
|
xForwardedFor: "8.8.8.8,10.0.0.1,10.0.0.2",
|
||||||
host: "override.excludedips.whitelist.docker.local",
|
host: "override.excludedips.allowlist.docker.local",
|
||||||
expectedStatusCode: 200,
|
expectedStatusCode: 200,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
@ -468,12 +468,12 @@ func (s *SimpleSuite) TestIPStrategyWhitelist(c *check.C) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *SimpleSuite) TestXForwardedHeaders(c *check.C) {
|
func (s *SimpleSuite) TestXForwardedHeaders(c *check.C) {
|
||||||
s.createComposeProject(c, "whitelist")
|
s.createComposeProject(c, "allowlist")
|
||||||
|
|
||||||
s.composeUp(c)
|
s.composeUp(c)
|
||||||
defer s.composeDown(c)
|
defer s.composeDown(c)
|
||||||
|
|
||||||
cmd, output := s.traefikCmd(withConfigFile("fixtures/simple_whitelist.toml"))
|
cmd, output := s.traefikCmd(withConfigFile("fixtures/simple_allowlist.toml"))
|
||||||
defer output(c)
|
defer output(c)
|
||||||
|
|
||||||
err := cmd.Start()
|
err := cmd.Start()
|
||||||
|
@ -481,13 +481,13 @@ func (s *SimpleSuite) TestXForwardedHeaders(c *check.C) {
|
||||||
defer s.killCmd(cmd)
|
defer s.killCmd(cmd)
|
||||||
|
|
||||||
err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 2*time.Second,
|
err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 2*time.Second,
|
||||||
try.BodyContains("override.remoteaddr.whitelist.docker.local"))
|
try.BodyContains("override.remoteaddr.allowlist.docker.local"))
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
||||||
|
|
||||||
req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000", nil)
|
req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000", nil)
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
||||||
|
|
||||||
req.Host = "override.depth.whitelist.docker.local"
|
req.Host = "override.depth.allowlist.docker.local"
|
||||||
req.Header.Set("X-Forwarded-For", "8.8.8.8,10.0.0.1,127.0.0.1")
|
req.Header.Set("X-Forwarded-For", "8.8.8.8,10.0.0.1,127.0.0.1")
|
||||||
|
|
||||||
err = try.Request(req, 1*time.Second,
|
err = try.Request(req, 1*time.Second,
|
||||||
|
|
|
@ -241,8 +241,8 @@ func (s *TCPSuite) TestCatchAllNoTLSWithHTTPS(c *check.C) {
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *TCPSuite) TestMiddlewareWhiteList(c *check.C) {
|
func (s *TCPSuite) TestMiddlewareAllowList(c *check.C) {
|
||||||
file := s.adaptFile(c, "fixtures/tcp/ip-whitelist.toml", struct {
|
file := s.adaptFile(c, "fixtures/tcp/ipallowlist.toml", struct {
|
||||||
WhoamiA string
|
WhoamiA string
|
||||||
WhoamiB string
|
WhoamiB string
|
||||||
}{
|
}{
|
||||||
|
@ -261,7 +261,7 @@ func (s *TCPSuite) TestMiddlewareWhiteList(c *check.C) {
|
||||||
err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 5*time.Second, try.StatusCodeIs(http.StatusOK), try.BodyContains("HostSNI(`whoami-a.test`)"))
|
err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 5*time.Second, try.StatusCodeIs(http.StatusOK), try.BodyContains("HostSNI(`whoami-a.test`)"))
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
||||||
|
|
||||||
// Traefik not passes through, ipWhitelist closes connection
|
// Traefik not passes through, ipAllowList closes connection
|
||||||
_, err = guessWhoTLSPassthrough("127.0.0.1:8093", "whoami-a.test")
|
_, err = guessWhoTLSPassthrough("127.0.0.1:8093", "whoami-a.test")
|
||||||
c.Assert(err, checker.ErrorMatches, "EOF")
|
c.Assert(err, checker.ErrorMatches, "EOF")
|
||||||
|
|
||||||
|
|
|
@ -173,24 +173,24 @@ func TestHandler_Overview(t *testing.T) {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
TCPMiddlewares: map[string]*runtime.TCPMiddlewareInfo{
|
TCPMiddlewares: map[string]*runtime.TCPMiddlewareInfo{
|
||||||
"ipwhitelist1@myprovider": {
|
"ipallowlist1@myprovider": {
|
||||||
TCPMiddleware: &dynamic.TCPMiddleware{
|
TCPMiddleware: &dynamic.TCPMiddleware{
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"127.0.0.1/32"},
|
SourceRange: []string{"127.0.0.1/32"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Status: runtime.StatusEnabled,
|
Status: runtime.StatusEnabled,
|
||||||
},
|
},
|
||||||
"ipwhitelist2@myprovider": {
|
"ipallowlist2@myprovider": {
|
||||||
TCPMiddleware: &dynamic.TCPMiddleware{
|
TCPMiddleware: &dynamic.TCPMiddleware{
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"127.0.0.1/32"},
|
SourceRange: []string{"127.0.0.1/32"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
"ipwhitelist3@myprovider": {
|
"ipallowlist3@myprovider": {
|
||||||
TCPMiddleware: &dynamic.TCPMiddleware{
|
TCPMiddleware: &dynamic.TCPMiddleware{
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"127.0.0.1/32"},
|
SourceRange: []string{"127.0.0.1/32"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
|
@ -512,25 +512,25 @@ func TestHandler_TCP(t *testing.T) {
|
||||||
path: "/api/tcp/middlewares",
|
path: "/api/tcp/middlewares",
|
||||||
conf: runtime.Configuration{
|
conf: runtime.Configuration{
|
||||||
TCPMiddlewares: map[string]*runtime.TCPMiddlewareInfo{
|
TCPMiddlewares: map[string]*runtime.TCPMiddlewareInfo{
|
||||||
"ipwhitelist1@myprovider": {
|
"ipallowlist1@myprovider": {
|
||||||
TCPMiddleware: &dynamic.TCPMiddleware{
|
TCPMiddleware: &dynamic.TCPMiddleware{
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"127.0.0.1/32"},
|
SourceRange: []string{"127.0.0.1/32"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
UsedBy: []string{"bar@myprovider", "test@myprovider"},
|
UsedBy: []string{"bar@myprovider", "test@myprovider"},
|
||||||
},
|
},
|
||||||
"ipwhitelist2@myprovider": {
|
"ipallowlist2@myprovider": {
|
||||||
TCPMiddleware: &dynamic.TCPMiddleware{
|
TCPMiddleware: &dynamic.TCPMiddleware{
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"127.0.0.2/32"},
|
SourceRange: []string{"127.0.0.2/32"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
UsedBy: []string{"test@myprovider"},
|
UsedBy: []string{"test@myprovider"},
|
||||||
},
|
},
|
||||||
"ipwhitelist1@anotherprovider": {
|
"ipallowlist1@anotherprovider": {
|
||||||
TCPMiddleware: &dynamic.TCPMiddleware{
|
TCPMiddleware: &dynamic.TCPMiddleware{
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"127.0.0.1/32"},
|
SourceRange: []string{"127.0.0.1/32"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -549,27 +549,27 @@ func TestHandler_TCP(t *testing.T) {
|
||||||
path: "/api/tcp/middlewares?status=enabled",
|
path: "/api/tcp/middlewares?status=enabled",
|
||||||
conf: runtime.Configuration{
|
conf: runtime.Configuration{
|
||||||
TCPMiddlewares: map[string]*runtime.TCPMiddlewareInfo{
|
TCPMiddlewares: map[string]*runtime.TCPMiddlewareInfo{
|
||||||
"ipwhitelist@myprovider": {
|
"ipallowlist@myprovider": {
|
||||||
TCPMiddleware: &dynamic.TCPMiddleware{
|
TCPMiddleware: &dynamic.TCPMiddleware{
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"127.0.0.1/32"},
|
SourceRange: []string{"127.0.0.1/32"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
UsedBy: []string{"bar@myprovider", "test@myprovider"},
|
UsedBy: []string{"bar@myprovider", "test@myprovider"},
|
||||||
Status: runtime.StatusEnabled,
|
Status: runtime.StatusEnabled,
|
||||||
},
|
},
|
||||||
"ipwhitelist2@myprovider": {
|
"ipallowlist2@myprovider": {
|
||||||
TCPMiddleware: &dynamic.TCPMiddleware{
|
TCPMiddleware: &dynamic.TCPMiddleware{
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"127.0.0.2/32"},
|
SourceRange: []string{"127.0.0.2/32"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
UsedBy: []string{"test@myprovider"},
|
UsedBy: []string{"test@myprovider"},
|
||||||
Status: runtime.StatusDisabled,
|
Status: runtime.StatusDisabled,
|
||||||
},
|
},
|
||||||
"ipwhitelist@anotherprovider": {
|
"ipallowlist@anotherprovider": {
|
||||||
TCPMiddleware: &dynamic.TCPMiddleware{
|
TCPMiddleware: &dynamic.TCPMiddleware{
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"127.0.0.1/32"},
|
SourceRange: []string{"127.0.0.1/32"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -586,30 +586,30 @@ func TestHandler_TCP(t *testing.T) {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
desc: "middlewares filtered by search",
|
desc: "middlewares filtered by search",
|
||||||
path: "/api/tcp/middlewares?search=ipwhitelist",
|
path: "/api/tcp/middlewares?search=ipallowlist",
|
||||||
conf: runtime.Configuration{
|
conf: runtime.Configuration{
|
||||||
TCPMiddlewares: map[string]*runtime.TCPMiddlewareInfo{
|
TCPMiddlewares: map[string]*runtime.TCPMiddlewareInfo{
|
||||||
"bad@myprovider": {
|
"bad@myprovider": {
|
||||||
TCPMiddleware: &dynamic.TCPMiddleware{
|
TCPMiddleware: &dynamic.TCPMiddleware{
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"127.0.0.1/32"},
|
SourceRange: []string{"127.0.0.1/32"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
UsedBy: []string{"bar@myprovider", "test@myprovider"},
|
UsedBy: []string{"bar@myprovider", "test@myprovider"},
|
||||||
Status: runtime.StatusEnabled,
|
Status: runtime.StatusEnabled,
|
||||||
},
|
},
|
||||||
"ipwhitelist@myprovider": {
|
"ipallowlist@myprovider": {
|
||||||
TCPMiddleware: &dynamic.TCPMiddleware{
|
TCPMiddleware: &dynamic.TCPMiddleware{
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"127.0.0.1/32"},
|
SourceRange: []string{"127.0.0.1/32"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
UsedBy: []string{"test@myprovider"},
|
UsedBy: []string{"test@myprovider"},
|
||||||
Status: runtime.StatusDisabled,
|
Status: runtime.StatusDisabled,
|
||||||
},
|
},
|
||||||
"ipwhitelist@anotherprovider": {
|
"ipallowlist@anotherprovider": {
|
||||||
TCPMiddleware: &dynamic.TCPMiddleware{
|
TCPMiddleware: &dynamic.TCPMiddleware{
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"127.0.0.1/32"},
|
SourceRange: []string{"127.0.0.1/32"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -629,25 +629,25 @@ func TestHandler_TCP(t *testing.T) {
|
||||||
path: "/api/tcp/middlewares?page=2&per_page=1",
|
path: "/api/tcp/middlewares?page=2&per_page=1",
|
||||||
conf: runtime.Configuration{
|
conf: runtime.Configuration{
|
||||||
TCPMiddlewares: map[string]*runtime.TCPMiddlewareInfo{
|
TCPMiddlewares: map[string]*runtime.TCPMiddlewareInfo{
|
||||||
"ipwhitelist@myprovider": {
|
"ipallowlist@myprovider": {
|
||||||
TCPMiddleware: &dynamic.TCPMiddleware{
|
TCPMiddleware: &dynamic.TCPMiddleware{
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"127.0.0.1/32"},
|
SourceRange: []string{"127.0.0.1/32"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
UsedBy: []string{"bar@myprovider", "test@myprovider"},
|
UsedBy: []string{"bar@myprovider", "test@myprovider"},
|
||||||
},
|
},
|
||||||
"ipwhitelist2@myprovider": {
|
"ipallowlist2@myprovider": {
|
||||||
TCPMiddleware: &dynamic.TCPMiddleware{
|
TCPMiddleware: &dynamic.TCPMiddleware{
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"127.0.0.2/32"},
|
SourceRange: []string{"127.0.0.2/32"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
UsedBy: []string{"test@myprovider"},
|
UsedBy: []string{"test@myprovider"},
|
||||||
},
|
},
|
||||||
"ipwhitelist@anotherprovider": {
|
"ipallowlist@anotherprovider": {
|
||||||
TCPMiddleware: &dynamic.TCPMiddleware{
|
TCPMiddleware: &dynamic.TCPMiddleware{
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"127.0.0.1/32"},
|
SourceRange: []string{"127.0.0.1/32"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -663,28 +663,28 @@ func TestHandler_TCP(t *testing.T) {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
desc: "one middleware by id",
|
desc: "one middleware by id",
|
||||||
path: "/api/tcp/middlewares/ipwhitelist@myprovider",
|
path: "/api/tcp/middlewares/ipallowlist@myprovider",
|
||||||
conf: runtime.Configuration{
|
conf: runtime.Configuration{
|
||||||
TCPMiddlewares: map[string]*runtime.TCPMiddlewareInfo{
|
TCPMiddlewares: map[string]*runtime.TCPMiddlewareInfo{
|
||||||
"ipwhitelist@myprovider": {
|
"ipallowlist@myprovider": {
|
||||||
TCPMiddleware: &dynamic.TCPMiddleware{
|
TCPMiddleware: &dynamic.TCPMiddleware{
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"127.0.0.1/32"},
|
SourceRange: []string{"127.0.0.1/32"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
UsedBy: []string{"bar@myprovider", "test@myprovider"},
|
UsedBy: []string{"bar@myprovider", "test@myprovider"},
|
||||||
},
|
},
|
||||||
"ipwhitelist2@myprovider": {
|
"ipallowlist2@myprovider": {
|
||||||
TCPMiddleware: &dynamic.TCPMiddleware{
|
TCPMiddleware: &dynamic.TCPMiddleware{
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"127.0.0.2/32"},
|
SourceRange: []string{"127.0.0.2/32"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
UsedBy: []string{"test@myprovider"},
|
UsedBy: []string{"test@myprovider"},
|
||||||
},
|
},
|
||||||
"ipwhitelist@anotherprovider": {
|
"ipallowlist@anotherprovider": {
|
||||||
TCPMiddleware: &dynamic.TCPMiddleware{
|
TCPMiddleware: &dynamic.TCPMiddleware{
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"127.0.0.1/32"},
|
SourceRange: []string{"127.0.0.1/32"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -694,7 +694,7 @@ func TestHandler_TCP(t *testing.T) {
|
||||||
},
|
},
|
||||||
expected: expected{
|
expected: expected{
|
||||||
statusCode: http.StatusOK,
|
statusCode: http.StatusOK,
|
||||||
jsonFile: "testdata/tcpmiddleware-ipwhitelist.json",
|
jsonFile: "testdata/tcpmiddleware-ipallowlist.json",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -702,9 +702,9 @@ func TestHandler_TCP(t *testing.T) {
|
||||||
path: "/api/tcp/middlewares/foo@myprovider",
|
path: "/api/tcp/middlewares/foo@myprovider",
|
||||||
conf: runtime.Configuration{
|
conf: runtime.Configuration{
|
||||||
TCPMiddlewares: map[string]*runtime.TCPMiddlewareInfo{
|
TCPMiddlewares: map[string]*runtime.TCPMiddlewareInfo{
|
||||||
"ipwhitelist@myprovider": {
|
"ipallowlist@myprovider": {
|
||||||
TCPMiddleware: &dynamic.TCPMiddleware{
|
TCPMiddleware: &dynamic.TCPMiddleware{
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"127.0.0.1/32"},
|
SourceRange: []string{"127.0.0.1/32"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
|
@ -1,11 +1,11 @@
|
||||||
{
|
{
|
||||||
"ipWhiteList": {
|
"ipAllowList": {
|
||||||
"sourceRange": ["127.0.0.1/32"]
|
"sourceRange": ["127.0.0.1/32"]
|
||||||
},
|
},
|
||||||
"name": "ipwhitelist@myprovider",
|
"name": "ipallowlist@myprovider",
|
||||||
"provider": "myprovider",
|
"provider": "myprovider",
|
||||||
"status": "enabled",
|
"status": "enabled",
|
||||||
"type": "ipwhitelist",
|
"type": "ipallowlist",
|
||||||
"usedBy": [
|
"usedBy": [
|
||||||
"bar@myprovider",
|
"bar@myprovider",
|
||||||
"test@myprovider"
|
"test@myprovider"
|
|
@ -1,24 +1,24 @@
|
||||||
[
|
[
|
||||||
{
|
{
|
||||||
"ipWhiteList": {
|
"ipAllowList": {
|
||||||
"sourceRange": ["127.0.0.1/32"]
|
"sourceRange": ["127.0.0.1/32"]
|
||||||
},
|
},
|
||||||
"name": "ipwhitelist@anotherprovider",
|
"name": "ipallowlist@anotherprovider",
|
||||||
"provider": "anotherprovider",
|
"provider": "anotherprovider",
|
||||||
"status": "enabled",
|
"status": "enabled",
|
||||||
"type": "ipwhitelist",
|
"type": "ipallowlist",
|
||||||
"usedBy": [
|
"usedBy": [
|
||||||
"bar@myprovider"
|
"bar@myprovider"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"ipWhiteList": {
|
"ipAllowList": {
|
||||||
"sourceRange": ["127.0.0.1/32"]
|
"sourceRange": ["127.0.0.1/32"]
|
||||||
},
|
},
|
||||||
"name": "ipwhitelist@myprovider",
|
"name": "ipallowlist@myprovider",
|
||||||
"provider": "myprovider",
|
"provider": "myprovider",
|
||||||
"status": "disabled",
|
"status": "disabled",
|
||||||
"type": "ipwhitelist",
|
"type": "ipallowlist",
|
||||||
"usedBy": [
|
"usedBy": [
|
||||||
"test@myprovider"
|
"test@myprovider"
|
||||||
]
|
]
|
||||||
|
|
|
@ -1,24 +1,24 @@
|
||||||
[
|
[
|
||||||
{
|
{
|
||||||
"ipWhiteList": {
|
"ipAllowList": {
|
||||||
"sourceRange": ["127.0.0.1/32"]
|
"sourceRange": ["127.0.0.1/32"]
|
||||||
},
|
},
|
||||||
"name": "ipwhitelist@anotherprovider",
|
"name": "ipallowlist@anotherprovider",
|
||||||
"provider": "anotherprovider",
|
"provider": "anotherprovider",
|
||||||
"status": "enabled",
|
"status": "enabled",
|
||||||
"type": "ipwhitelist",
|
"type": "ipallowlist",
|
||||||
"usedBy": [
|
"usedBy": [
|
||||||
"bar@myprovider"
|
"bar@myprovider"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"ipWhiteList": {
|
"ipAllowList": {
|
||||||
"sourceRange": ["127.0.0.1/32"]
|
"sourceRange": ["127.0.0.1/32"]
|
||||||
},
|
},
|
||||||
"name": "ipwhitelist@myprovider",
|
"name": "ipallowlist@myprovider",
|
||||||
"provider": "myprovider",
|
"provider": "myprovider",
|
||||||
"status": "enabled",
|
"status": "enabled",
|
||||||
"type": "ipwhitelist",
|
"type": "ipallowlist",
|
||||||
"usedBy": [
|
"usedBy": [
|
||||||
"bar@myprovider",
|
"bar@myprovider",
|
||||||
"test@myprovider"
|
"test@myprovider"
|
||||||
|
|
6
pkg/api/testdata/tcpmiddlewares-page2.json
vendored
|
@ -1,12 +1,12 @@
|
||||||
[
|
[
|
||||||
{
|
{
|
||||||
"ipWhiteList": {
|
"ipAllowList": {
|
||||||
"sourceRange": ["127.0.0.1/32"]
|
"sourceRange": ["127.0.0.1/32"]
|
||||||
},
|
},
|
||||||
"name": "ipwhitelist@anotherprovider",
|
"name": "ipallowlist@anotherprovider",
|
||||||
"provider": "anotherprovider",
|
"provider": "anotherprovider",
|
||||||
"status": "enabled",
|
"status": "enabled",
|
||||||
"type": "ipwhitelist",
|
"type": "ipallowlist",
|
||||||
"usedBy": [
|
"usedBy": [
|
||||||
"bar@myprovider"
|
"bar@myprovider"
|
||||||
]
|
]
|
||||||
|
|
18
pkg/api/testdata/tcpmiddlewares.json
vendored
|
@ -1,37 +1,37 @@
|
||||||
[
|
[
|
||||||
{
|
{
|
||||||
"ipWhiteList": {
|
"ipAllowList": {
|
||||||
"sourceRange": ["127.0.0.1/32"]
|
"sourceRange": ["127.0.0.1/32"]
|
||||||
},
|
},
|
||||||
"name": "ipwhitelist1@anotherprovider",
|
"name": "ipallowlist1@anotherprovider",
|
||||||
"provider": "anotherprovider",
|
"provider": "anotherprovider",
|
||||||
"status": "enabled",
|
"status": "enabled",
|
||||||
"type": "ipwhitelist",
|
"type": "ipallowlist",
|
||||||
"usedBy": [
|
"usedBy": [
|
||||||
"bar@myprovider"
|
"bar@myprovider"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"ipWhiteList": {
|
"ipAllowList": {
|
||||||
"sourceRange": ["127.0.0.1/32"]
|
"sourceRange": ["127.0.0.1/32"]
|
||||||
},
|
},
|
||||||
"name": "ipwhitelist1@myprovider",
|
"name": "ipallowlist1@myprovider",
|
||||||
"provider": "myprovider",
|
"provider": "myprovider",
|
||||||
"status": "enabled",
|
"status": "enabled",
|
||||||
"type": "ipwhitelist",
|
"type": "ipallowlist",
|
||||||
"usedBy": [
|
"usedBy": [
|
||||||
"bar@myprovider",
|
"bar@myprovider",
|
||||||
"test@myprovider"
|
"test@myprovider"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"ipWhiteList": {
|
"ipAllowList": {
|
||||||
"sourceRange": ["127.0.0.2/32"]
|
"sourceRange": ["127.0.0.2/32"]
|
||||||
},
|
},
|
||||||
"name": "ipwhitelist2@myprovider",
|
"name": "ipallowlist2@myprovider",
|
||||||
"provider": "myprovider",
|
"provider": "myprovider",
|
||||||
"status": "enabled",
|
"status": "enabled",
|
||||||
"type": "ipwhitelist",
|
"type": "ipallowlist",
|
||||||
"usedBy": [
|
"usedBy": [
|
||||||
"test@myprovider"
|
"test@myprovider"
|
||||||
]
|
]
|
||||||
|
|
|
@ -358,11 +358,11 @@
|
||||||
[http.middlewares.Middleware5.chain]
|
[http.middlewares.Middleware5.chain]
|
||||||
middlewares = ["foobar", "foobar"]
|
middlewares = ["foobar", "foobar"]
|
||||||
[http.middlewares.Middleware6]
|
[http.middlewares.Middleware6]
|
||||||
[http.middlewares.Middleware6.ipWhiteList]
|
[http.middlewares.Middleware6.ipAllowList]
|
||||||
sourceRange = ["foobar", "foobar"]
|
sourceRange = ["foobar", "foobar"]
|
||||||
[http.middlewares.Middleware7]
|
[http.middlewares.Middleware7]
|
||||||
[http.middlewares.Middleware7.ipWhiteList]
|
[http.middlewares.Middleware7.ipAllowList]
|
||||||
[http.middlewares.Middleware7.ipWhiteList.ipStrategy]
|
[http.middlewares.Middleware7.ipAllowList.ipStrategy]
|
||||||
depth = 42
|
depth = 42
|
||||||
excludedIPs = ["foobar", "foobar"]
|
excludedIPs = ["foobar", "foobar"]
|
||||||
[http.middlewares.Middleware8]
|
[http.middlewares.Middleware8]
|
||||||
|
|
|
@ -18,7 +18,7 @@ type Middleware struct {
|
||||||
ReplacePath *ReplacePath `json:"replacePath,omitempty" toml:"replacePath,omitempty" yaml:"replacePath,omitempty" export:"true"`
|
ReplacePath *ReplacePath `json:"replacePath,omitempty" toml:"replacePath,omitempty" yaml:"replacePath,omitempty" export:"true"`
|
||||||
ReplacePathRegex *ReplacePathRegex `json:"replacePathRegex,omitempty" toml:"replacePathRegex,omitempty" yaml:"replacePathRegex,omitempty" export:"true"`
|
ReplacePathRegex *ReplacePathRegex `json:"replacePathRegex,omitempty" toml:"replacePathRegex,omitempty" yaml:"replacePathRegex,omitempty" export:"true"`
|
||||||
Chain *Chain `json:"chain,omitempty" toml:"chain,omitempty" yaml:"chain,omitempty" export:"true"`
|
Chain *Chain `json:"chain,omitempty" toml:"chain,omitempty" yaml:"chain,omitempty" export:"true"`
|
||||||
IPWhiteList *IPWhiteList `json:"ipWhiteList,omitempty" toml:"ipWhiteList,omitempty" yaml:"ipWhiteList,omitempty" export:"true"`
|
IPAllowList *IPAllowList `json:"ipAllowList,omitempty" toml:"ipAllowList,omitempty" yaml:"ipAllowList,omitempty" export:"true"`
|
||||||
Headers *Headers `json:"headers,omitempty" toml:"headers,omitempty" yaml:"headers,omitempty" export:"true"`
|
Headers *Headers `json:"headers,omitempty" toml:"headers,omitempty" yaml:"headers,omitempty" export:"true"`
|
||||||
Errors *ErrorPage `json:"errors,omitempty" toml:"errors,omitempty" yaml:"errors,omitempty" export:"true"`
|
Errors *ErrorPage `json:"errors,omitempty" toml:"errors,omitempty" yaml:"errors,omitempty" export:"true"`
|
||||||
RateLimit *RateLimit `json:"rateLimit,omitempty" toml:"rateLimit,omitempty" yaml:"rateLimit,omitempty" export:"true"`
|
RateLimit *RateLimit `json:"rateLimit,omitempty" toml:"rateLimit,omitempty" yaml:"rateLimit,omitempty" export:"true"`
|
||||||
|
@ -346,7 +346,7 @@ func (h *Headers) HasSecureHeadersDefined() bool {
|
||||||
// +k8s:deepcopy-gen=true
|
// +k8s:deepcopy-gen=true
|
||||||
|
|
||||||
// IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
|
// IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
|
||||||
// More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy
|
// More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/#ipstrategy
|
||||||
type IPStrategy struct {
|
type IPStrategy struct {
|
||||||
// Depth tells Traefik to use the X-Forwarded-For header and take the IP located at the depth position (starting from the right).
|
// Depth tells Traefik to use the X-Forwarded-For header and take the IP located at the depth position (starting from the right).
|
||||||
Depth int `json:"depth,omitempty" toml:"depth,omitempty" yaml:"depth,omitempty" export:"true"`
|
Depth int `json:"depth,omitempty" toml:"depth,omitempty" yaml:"depth,omitempty" export:"true"`
|
||||||
|
@ -385,10 +385,10 @@ func (s *IPStrategy) Get() (ip.Strategy, error) {
|
||||||
|
|
||||||
// +k8s:deepcopy-gen=true
|
// +k8s:deepcopy-gen=true
|
||||||
|
|
||||||
// IPWhiteList holds the IP whitelist middleware configuration.
|
// IPAllowList holds the IP allowlist middleware configuration.
|
||||||
// This middleware accepts / refuses requests based on the client IP.
|
// This middleware accepts / refuses requests based on the client IP.
|
||||||
// More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/
|
// More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/
|
||||||
type IPWhiteList struct {
|
type IPAllowList struct {
|
||||||
// SourceRange defines the set of allowed IPs (or ranges of allowed IPs by using CIDR notation).
|
// SourceRange defines the set of allowed IPs (or ranges of allowed IPs by using CIDR notation).
|
||||||
SourceRange []string `json:"sourceRange,omitempty" toml:"sourceRange,omitempty" yaml:"sourceRange,omitempty"`
|
SourceRange []string `json:"sourceRange,omitempty" toml:"sourceRange,omitempty" yaml:"sourceRange,omitempty"`
|
||||||
IPStrategy *IPStrategy `json:"ipStrategy,omitempty" toml:"ipStrategy,omitempty" yaml:"ipStrategy,omitempty" label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"`
|
IPStrategy *IPStrategy `json:"ipStrategy,omitempty" toml:"ipStrategy,omitempty" yaml:"ipStrategy,omitempty" label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"`
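Review bot: The `IPWhiteList` field of `Middleware` (first hunk) is replaced outright, so the `ipWhiteList` key in the json, toml and yaml tags no longer maps to any field; the same holds for `TCPMiddleware.IPWhiteList` in the TCP configuration hunk further down. Because this middleware is an access-control check, confirm what an upgraded instance does with a configuration that still uses the old key; whether the router fails closed or is served without the filter cannot be told from these hunks. Keeping the old field for one release, marked `// Deprecated: use IPAllowList instead.`, or rejecting the old key with an explicit error at load time, would make the transition safe. Separately, the two `More info:` links now point at `/v2.9/middlewares/http/ipallowlist/`, a path that presumably does not exist under the v2.9 documentation, so the version segment should be checked as well. The `Middleware` and `IPAllowList` struct bodies continue outside the hunks.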
|
||||||
|
|
|
@ -5,7 +5,7 @@ package dynamic
|
||||||
// TCPMiddleware holds the TCPMiddleware configuration.
|
// TCPMiddleware holds the TCPMiddleware configuration.
|
||||||
type TCPMiddleware struct {
|
type TCPMiddleware struct {
|
||||||
InFlightConn *TCPInFlightConn `json:"inFlightConn,omitempty" toml:"inFlightConn,omitempty" yaml:"inFlightConn,omitempty" export:"true"`
|
InFlightConn *TCPInFlightConn `json:"inFlightConn,omitempty" toml:"inFlightConn,omitempty" yaml:"inFlightConn,omitempty" export:"true"`
|
||||||
IPWhiteList *TCPIPWhiteList `json:"ipWhiteList,omitempty" toml:"ipWhiteList,omitempty" yaml:"ipWhiteList,omitempty" export:"true"`
|
IPAllowList *TCPIPAllowList `json:"ipAllowList,omitempty" toml:"ipAllowList,omitempty" yaml:"ipAllowList,omitempty" export:"true"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// +k8s:deepcopy-gen=true
|
// +k8s:deepcopy-gen=true
|
||||||
|
@ -22,9 +22,9 @@ type TCPInFlightConn struct {
|
||||||
|
|
||||||
// +k8s:deepcopy-gen=true
|
// +k8s:deepcopy-gen=true
|
||||||
|
|
||||||
// TCPIPWhiteList holds the TCP IPWhiteList middleware configuration.
|
// TCPIPAllowList holds the TCP IPAllowList middleware configuration.
|
||||||
// This middleware accepts/refuses connections based on the client IP.
|
// This middleware accepts/refuses connections based on the client IP.
|
||||||
type TCPIPWhiteList struct {
|
type TCPIPAllowList struct {
|
||||||
// SourceRange defines the allowed IPs (or ranges of allowed IPs by using CIDR notation).
|
// SourceRange defines the allowed IPs (or ranges of allowed IPs by using CIDR notation).
|
||||||
SourceRange []string `json:"sourceRange,omitempty" toml:"sourceRange,omitempty" yaml:"sourceRange,omitempty"`
|
SourceRange []string `json:"sourceRange,omitempty" toml:"sourceRange,omitempty" yaml:"sourceRange,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
|
@ -532,6 +532,32 @@ func (in *HealthCheck) DeepCopy() *HealthCheck {
|
||||||
return out
|
return out
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
|
func (in *IPAllowList) DeepCopyInto(out *IPAllowList) {
|
||||||
|
*out = *in
|
||||||
|
if in.SourceRange != nil {
|
||||||
|
in, out := &in.SourceRange, &out.SourceRange
|
||||||
|
*out = make([]string, len(*in))
|
||||||
|
copy(*out, *in)
|
||||||
|
}
|
||||||
|
if in.IPStrategy != nil {
|
||||||
|
in, out := &in.IPStrategy, &out.IPStrategy
|
||||||
|
*out = new(IPStrategy)
|
||||||
|
(*in).DeepCopyInto(*out)
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IPAllowList.
|
||||||
|
func (in *IPAllowList) DeepCopy() *IPAllowList {
|
||||||
|
if in == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
out := new(IPAllowList)
|
||||||
|
in.DeepCopyInto(out)
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *IPStrategy) DeepCopyInto(out *IPStrategy) {
|
func (in *IPStrategy) DeepCopyInto(out *IPStrategy) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
@ -553,32 +579,6 @@ func (in *IPStrategy) DeepCopy() *IPStrategy {
|
||||||
return out
|
return out
|
||||||
}
|
}
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
|
||||||
func (in *IPWhiteList) DeepCopyInto(out *IPWhiteList) {
|
|
||||||
*out = *in
|
|
||||||
if in.SourceRange != nil {
|
|
||||||
in, out := &in.SourceRange, &out.SourceRange
|
|
||||||
*out = make([]string, len(*in))
|
|
||||||
copy(*out, *in)
|
|
||||||
}
|
|
||||||
if in.IPStrategy != nil {
|
|
||||||
in, out := &in.IPStrategy, &out.IPStrategy
|
|
||||||
*out = new(IPStrategy)
|
|
||||||
(*in).DeepCopyInto(*out)
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IPWhiteList.
|
|
||||||
func (in *IPWhiteList) DeepCopy() *IPWhiteList {
|
|
||||||
if in == nil {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
out := new(IPWhiteList)
|
|
||||||
in.DeepCopyInto(out)
|
|
||||||
return out
|
|
||||||
}
|
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *InFlightReq) DeepCopyInto(out *InFlightReq) {
|
func (in *InFlightReq) DeepCopyInto(out *InFlightReq) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
@ -654,9 +654,9 @@ func (in *Middleware) DeepCopyInto(out *Middleware) {
|
||||||
*out = new(Chain)
|
*out = new(Chain)
|
||||||
(*in).DeepCopyInto(*out)
|
(*in).DeepCopyInto(*out)
|
||||||
}
|
}
|
||||||
if in.IPWhiteList != nil {
|
if in.IPAllowList != nil {
|
||||||
in, out := &in.IPWhiteList, &out.IPWhiteList
|
in, out := &in.IPAllowList, &out.IPAllowList
|
||||||
*out = new(IPWhiteList)
|
*out = new(IPAllowList)
|
||||||
(*in).DeepCopyInto(*out)
|
(*in).DeepCopyInto(*out)
|
||||||
}
|
}
|
||||||
if in.Headers != nil {
|
if in.Headers != nil {
|
||||||
|
@ -1382,7 +1382,7 @@ func (in *TCPConfiguration) DeepCopy() *TCPConfiguration {
|
||||||
}
|
}
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *TCPIPWhiteList) DeepCopyInto(out *TCPIPWhiteList) {
|
func (in *TCPIPAllowList) DeepCopyInto(out *TCPIPAllowList) {
|
||||||
*out = *in
|
*out = *in
|
||||||
if in.SourceRange != nil {
|
if in.SourceRange != nil {
|
||||||
in, out := &in.SourceRange, &out.SourceRange
|
in, out := &in.SourceRange, &out.SourceRange
|
||||||
|
@ -1392,12 +1392,12 @@ func (in *TCPIPWhiteList) DeepCopyInto(out *TCPIPWhiteList) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TCPIPWhiteList.
|
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TCPIPAllowList.
|
||||||
func (in *TCPIPWhiteList) DeepCopy() *TCPIPWhiteList {
|
func (in *TCPIPAllowList) DeepCopy() *TCPIPAllowList {
|
||||||
if in == nil {
|
if in == nil {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
out := new(TCPIPWhiteList)
|
out := new(TCPIPAllowList)
|
||||||
in.DeepCopyInto(out)
|
in.DeepCopyInto(out)
|
||||||
return out
|
return out
|
||||||
}
|
}
|
||||||
|
@ -1426,9 +1426,9 @@ func (in *TCPMiddleware) DeepCopyInto(out *TCPMiddleware) {
|
||||||
*out = new(TCPInFlightConn)
|
*out = new(TCPInFlightConn)
|
||||||
**out = **in
|
**out = **in
|
||||||
}
|
}
|
||||||
if in.IPWhiteList != nil {
|
if in.IPAllowList != nil {
|
||||||
in, out := &in.IPWhiteList, &out.IPWhiteList
|
in, out := &in.IPAllowList, &out.IPAllowList
|
||||||
*out = new(TCPIPWhiteList)
|
*out = new(TCPIPAllowList)
|
||||||
(*in).DeepCopyInto(*out)
|
(*in).DeepCopyInto(*out)
|
||||||
}
|
}
|
||||||
return
|
return
|
||||||
|
|
|
@ -82,9 +82,9 @@ func TestDecodeConfiguration(t *testing.T) {
|
||||||
"traefik.http.middlewares.Middleware8.headers.stsincludesubdomains": "true",
|
"traefik.http.middlewares.Middleware8.headers.stsincludesubdomains": "true",
|
||||||
"traefik.http.middlewares.Middleware8.headers.stspreload": "true",
|
"traefik.http.middlewares.Middleware8.headers.stspreload": "true",
|
||||||
"traefik.http.middlewares.Middleware8.headers.stsseconds": "42",
|
"traefik.http.middlewares.Middleware8.headers.stsseconds": "42",
|
||||||
"traefik.http.middlewares.Middleware9.ipwhitelist.ipstrategy.depth": "42",
|
"traefik.http.middlewares.Middleware9.ipallowlist.ipstrategy.depth": "42",
|
||||||
"traefik.http.middlewares.Middleware9.ipwhitelist.ipstrategy.excludedips": "foobar, fiibar",
|
"traefik.http.middlewares.Middleware9.ipallowlist.ipstrategy.excludedips": "foobar, fiibar",
|
||||||
"traefik.http.middlewares.Middleware9.ipwhitelist.sourcerange": "foobar, fiibar",
|
"traefik.http.middlewares.Middleware9.ipallowlist.sourcerange": "foobar, fiibar",
|
||||||
"traefik.http.middlewares.Middleware10.inflightreq.amount": "42",
|
"traefik.http.middlewares.Middleware10.inflightreq.amount": "42",
|
||||||
"traefik.http.middlewares.Middleware10.inflightreq.sourcecriterion.ipstrategy.depth": "42",
|
"traefik.http.middlewares.Middleware10.inflightreq.sourcecriterion.ipstrategy.depth": "42",
|
||||||
"traefik.http.middlewares.Middleware10.inflightreq.sourcecriterion.ipstrategy.excludedips": "foobar, fiibar",
|
"traefik.http.middlewares.Middleware10.inflightreq.sourcecriterion.ipstrategy.excludedips": "foobar, fiibar",
|
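Review bot: Nothing in this test pins what happens to the old `ipwhitelist` label key, and the key being renamed configures an access control. Only the `ipallowlist` spellings are decoded here (Middleware9), and the `IPWhiteList` type is removed elsewhere in the commit, so a deployment still carrying `traefik.http.middlewares.<name>.ipwhitelist.sourcerange` depends on how the decoder treats a key with no matching field, which this hunk does not show. I would add a case asserting that the legacy key is rejected with an error rather than producing a middleware without a source range, and mention the rename in the migration notes. The body of `TestDecodeConfiguration` continues outside the hunk.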
||||||
|
@ -180,7 +180,7 @@ func TestDecodeConfiguration(t *testing.T) {
|
||||||
"traefik.http.services.Service1.loadbalancer.sticky": "false",
|
"traefik.http.services.Service1.loadbalancer.sticky": "false",
|
||||||
"traefik.http.services.Service1.loadbalancer.sticky.cookie.name": "fui",
|
"traefik.http.services.Service1.loadbalancer.sticky.cookie.name": "fui",
|
||||||
|
|
||||||
"traefik.tcp.middlewares.Middleware0.ipwhitelist.sourcerange": "foobar, fiibar",
|
"traefik.tcp.middlewares.Middleware0.ipallowlist.sourcerange": "foobar, fiibar",
|
||||||
"traefik.tcp.middlewares.Middleware2.inflightconn.amount": "42",
|
"traefik.tcp.middlewares.Middleware2.inflightconn.amount": "42",
|
||||||
"traefik.tcp.routers.Router0.rule": "foobar",
|
"traefik.tcp.routers.Router0.rule": "foobar",
|
||||||
"traefik.tcp.routers.Router0.priority": "42",
|
"traefik.tcp.routers.Router0.priority": "42",
|
||||||
|
@ -244,7 +244,7 @@ func TestDecodeConfiguration(t *testing.T) {
|
||||||
},
|
},
|
||||||
Middlewares: map[string]*dynamic.TCPMiddleware{
|
Middlewares: map[string]*dynamic.TCPMiddleware{
|
||||||
"Middleware0": {
|
"Middleware0": {
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"foobar", "fiibar"},
|
SourceRange: []string{"foobar", "fiibar"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -611,7 +611,7 @@ func TestDecodeConfiguration(t *testing.T) {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
"Middleware9": {
|
"Middleware9": {
|
||||||
IPWhiteList: &dynamic.IPWhiteList{
|
IPAllowList: &dynamic.IPAllowList{
|
||||||
SourceRange: []string{
|
SourceRange: []string{
|
||||||
"foobar",
|
"foobar",
|
||||||
"fiibar",
|
"fiibar",
|
||||||
|
@ -741,7 +741,7 @@ func TestEncodeConfiguration(t *testing.T) {
|
||||||
},
|
},
|
||||||
Middlewares: map[string]*dynamic.TCPMiddleware{
|
Middlewares: map[string]*dynamic.TCPMiddleware{
|
||||||
"Middleware0": {
|
"Middleware0": {
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"foobar", "fiibar"},
|
SourceRange: []string{"foobar", "fiibar"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -1113,7 +1113,7 @@ func TestEncodeConfiguration(t *testing.T) {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
"Middleware9": {
|
"Middleware9": {
|
||||||
IPWhiteList: &dynamic.IPWhiteList{
|
IPAllowList: &dynamic.IPAllowList{
|
||||||
SourceRange: []string{
|
SourceRange: []string{
|
||||||
"foobar",
|
"foobar",
|
||||||
"fiibar",
|
"fiibar",
|
||||||
|
@ -1265,9 +1265,9 @@ func TestEncodeConfiguration(t *testing.T) {
|
||||||
"traefik.HTTP.Middlewares.Middleware8.Headers.STSIncludeSubdomains": "true",
|
"traefik.HTTP.Middlewares.Middleware8.Headers.STSIncludeSubdomains": "true",
|
||||||
"traefik.HTTP.Middlewares.Middleware8.Headers.STSPreload": "true",
|
"traefik.HTTP.Middlewares.Middleware8.Headers.STSPreload": "true",
|
||||||
"traefik.HTTP.Middlewares.Middleware8.Headers.STSSeconds": "42",
|
"traefik.HTTP.Middlewares.Middleware8.Headers.STSSeconds": "42",
|
||||||
"traefik.HTTP.Middlewares.Middleware9.IPWhiteList.IPStrategy.Depth": "42",
|
"traefik.HTTP.Middlewares.Middleware9.IPAllowList.IPStrategy.Depth": "42",
|
||||||
"traefik.HTTP.Middlewares.Middleware9.IPWhiteList.IPStrategy.ExcludedIPs": "foobar, fiibar",
|
"traefik.HTTP.Middlewares.Middleware9.IPAllowList.IPStrategy.ExcludedIPs": "foobar, fiibar",
|
||||||
"traefik.HTTP.Middlewares.Middleware9.IPWhiteList.SourceRange": "foobar, fiibar",
|
"traefik.HTTP.Middlewares.Middleware9.IPAllowList.SourceRange": "foobar, fiibar",
|
||||||
"traefik.HTTP.Middlewares.Middleware10.InFlightReq.Amount": "42",
|
"traefik.HTTP.Middlewares.Middleware10.InFlightReq.Amount": "42",
|
||||||
"traefik.HTTP.Middlewares.Middleware10.InFlightReq.SourceCriterion.IPStrategy.Depth": "42",
|
"traefik.HTTP.Middlewares.Middleware10.InFlightReq.SourceCriterion.IPStrategy.Depth": "42",
|
||||||
"traefik.HTTP.Middlewares.Middleware10.InFlightReq.SourceCriterion.IPStrategy.ExcludedIPs": "foobar, fiibar",
|
"traefik.HTTP.Middlewares.Middleware10.InFlightReq.SourceCriterion.IPStrategy.ExcludedIPs": "foobar, fiibar",
|
||||||
|
@ -1360,7 +1360,7 @@ func TestEncodeConfiguration(t *testing.T) {
|
||||||
"traefik.HTTP.Services.Service1.LoadBalancer.server.Scheme": "foobar",
|
"traefik.HTTP.Services.Service1.LoadBalancer.server.Scheme": "foobar",
|
||||||
"traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Headers.name0": "foobar",
|
"traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Headers.name0": "foobar",
|
||||||
|
|
||||||
"traefik.TCP.Middlewares.Middleware0.IPWhiteList.SourceRange": "foobar, fiibar",
|
"traefik.TCP.Middlewares.Middleware0.IPAllowList.SourceRange": "foobar, fiibar",
|
||||||
"traefik.TCP.Middlewares.Middleware2.InFlightConn.Amount": "42",
|
"traefik.TCP.Middlewares.Middleware2.InFlightConn.Amount": "42",
|
||||||
"traefik.TCP.Routers.Router0.Rule": "foobar",
|
"traefik.TCP.Routers.Router0.Rule": "foobar",
|
||||||
"traefik.TCP.Routers.Router0.Priority": "42",
|
"traefik.TCP.Routers.Router0.Priority": "42",
|
||||||
|
|
|
@ -11,25 +11,25 @@ import (
|
||||||
func TestIsAuthorized(t *testing.T) {
|
func TestIsAuthorized(t *testing.T) {
|
||||||
testCases := []struct {
|
testCases := []struct {
|
||||||
desc string
|
desc string
|
||||||
whiteList []string
|
allowList []string
|
||||||
remoteAddr string
|
remoteAddr string
|
||||||
authorized bool
|
authorized bool
|
||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
desc: "remoteAddr not in range",
|
desc: "remoteAddr not in range",
|
||||||
whiteList: []string{"1.2.3.4/24"},
|
allowList: []string{"1.2.3.4/24"},
|
||||||
remoteAddr: "10.2.3.1:123",
|
remoteAddr: "10.2.3.1:123",
|
||||||
authorized: false,
|
authorized: false,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
desc: "remoteAddr in range",
|
desc: "remoteAddr in range",
|
||||||
whiteList: []string{"1.2.3.4/24"},
|
allowList: []string{"1.2.3.4/24"},
|
||||||
remoteAddr: "1.2.3.1:123",
|
remoteAddr: "1.2.3.1:123",
|
||||||
authorized: true,
|
authorized: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
desc: "octal ip in remoteAddr",
|
desc: "octal ip in remoteAddr",
|
||||||
whiteList: []string{"127.2.3.4/24"},
|
allowList: []string{"127.2.3.4/24"},
|
||||||
remoteAddr: "0127.2.3.1:123",
|
remoteAddr: "0127.2.3.1:123",
|
||||||
authorized: false,
|
authorized: false,
|
||||||
},
|
},
|
||||||
|
@ -40,7 +40,7 @@ func TestIsAuthorized(t *testing.T) {
|
||||||
t.Run(test.desc, func(t *testing.T) {
|
t.Run(test.desc, func(t *testing.T) {
|
||||||
t.Parallel()
|
t.Parallel()
|
||||||
|
|
||||||
ipChecker, err := NewChecker(test.whiteList)
|
ipChecker, err := NewChecker(test.allowList)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
err = ipChecker.IsAuthorized(test.remoteAddr)
|
err = ipChecker.IsAuthorized(test.remoteAddr)
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
package ipwhitelist
|
package ipallowlist
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
|
@ -15,29 +15,29 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
typeName = "IPWhiteLister"
|
typeName = "IPAllowLister"
|
||||||
)
|
)
|
||||||
|
|
||||||
// ipWhiteLister is a middleware that provides Checks of the Requesting IP against a set of Whitelists.
|
// ipAllowLister is a middleware that provides Checks of the Requesting IP against a set of Allowlists.
|
||||||
type ipWhiteLister struct {
|
type ipAllowLister struct {
|
||||||
next http.Handler
|
next http.Handler
|
||||||
whiteLister *ip.Checker
|
allowLister *ip.Checker
|
||||||
strategy ip.Strategy
|
strategy ip.Strategy
|
||||||
name string
|
name string
|
||||||
}
|
}
|
||||||
|
|
||||||
// New builds a new IPWhiteLister given a list of CIDR-Strings to whitelist.
|
// New builds a new IPAllowLister given a list of CIDR-Strings to allow.
|
||||||
func New(ctx context.Context, next http.Handler, config dynamic.IPWhiteList, name string) (http.Handler, error) {
|
func New(ctx context.Context, next http.Handler, config dynamic.IPAllowList, name string) (http.Handler, error) {
|
||||||
logger := log.FromContext(middlewares.GetLoggerCtx(ctx, name, typeName))
|
logger := log.FromContext(middlewares.GetLoggerCtx(ctx, name, typeName))
|
||||||
logger.Debug("Creating middleware")
|
logger.Debug("Creating middleware")
|
||||||
|
|
||||||
if len(config.SourceRange) == 0 {
|
if len(config.SourceRange) == 0 {
|
||||||
return nil, errors.New("sourceRange is empty, IPWhiteLister not created")
|
return nil, errors.New("sourceRange is empty, IPAllowLister not created")
|
||||||
}
|
}
|
||||||
|
|
||||||
checker, err := ip.NewChecker(config.SourceRange)
|
checker, err := ip.NewChecker(config.SourceRange)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("cannot parse CIDR whitelist %s: %w", config.SourceRange, err)
|
return nil, fmt.Errorf("cannot parse CIDRs %s: %w", config.SourceRange, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
strategy, err := config.IPStrategy.Get()
|
strategy, err := config.IPStrategy.Get()
|
||||||
|
@ -45,26 +45,26 @@ func New(ctx context.Context, next http.Handler, config dynamic.IPWhiteList, nam
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
logger.Debugf("Setting up IPWhiteLister with sourceRange: %s", config.SourceRange)
|
logger.Debugf("Setting up IPAllowLister with sourceRange: %s", config.SourceRange)
|
||||||
|
|
||||||
return &ipWhiteLister{
|
return &ipAllowLister{
|
||||||
strategy: strategy,
|
strategy: strategy,
|
||||||
whiteLister: checker,
|
allowLister: checker,
|
||||||
next: next,
|
next: next,
|
||||||
name: name,
|
name: name,
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (wl *ipWhiteLister) GetTracingInformation() (string, ext.SpanKindEnum) {
|
func (al *ipAllowLister) GetTracingInformation() (string, ext.SpanKindEnum) {
|
||||||
return wl.name, tracing.SpanKindNoneEnum
|
return al.name, tracing.SpanKindNoneEnum
|
||||||
}
|
}
|
||||||
|
|
||||||
func (wl *ipWhiteLister) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
|
func (al *ipAllowLister) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
|
||||||
ctx := middlewares.GetLoggerCtx(req.Context(), wl.name, typeName)
|
ctx := middlewares.GetLoggerCtx(req.Context(), al.name, typeName)
|
||||||
logger := log.FromContext(ctx)
|
logger := log.FromContext(ctx)
|
||||||
|
|
||||||
clientIP := wl.strategy.GetIP(req)
|
clientIP := al.strategy.GetIP(req)
|
||||||
err := wl.whiteLister.IsAuthorized(clientIP)
|
err := al.allowLister.IsAuthorized(clientIP)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
msg := fmt.Sprintf("Rejecting IP %s: %v", clientIP, err)
|
msg := fmt.Sprintf("Rejecting IP %s: %v", clientIP, err)
|
||||||
logger.Debug(msg)
|
logger.Debug(msg)
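Review bot: `ServeHTTP` and `GetTracingInformation` are rewritten here but still carry no doc comment, and for `ServeHTTP` the missing comment hides a security-relevant detail: the address checked is whatever `al.strategy.GetIP(req)` returns, which is not necessarily the TCP peer. I would add `// ServeHTTP checks the IP selected by the configured IPStrategy against the allow list and calls next only when it is authorized.` and one more sentence saying that when the strategy derives the address from a forwarded header (presumably what the `depth` and `excludedIPs` options do), the decision is only as trustworthy as the proxies in front of Traefik. For the other method, `// GetTracingInformation returns the middleware name and span kind used for tracing.` is enough. The body of `ServeHTTP` continues outside the hunk.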
|
||||||
|
@ -74,7 +74,7 @@ func (wl *ipWhiteLister) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
|
||||||
}
|
}
|
||||||
logger.Debugf("Accepting IP %s", clientIP)
|
logger.Debugf("Accepting IP %s", clientIP)
|
||||||
|
|
||||||
wl.next.ServeHTTP(rw, req)
|
al.next.ServeHTTP(rw, req)
|
||||||
}
|
}
|
||||||
|
|
||||||
func reject(ctx context.Context, rw http.ResponseWriter) {
|
func reject(ctx context.Context, rw http.ResponseWriter) {
|
|
@ -1,4 +1,4 @@
|
||||||
package ipwhitelist
|
package ipallowlist
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
|
@ -11,22 +11,22 @@ import (
|
||||||
"github.com/traefik/traefik/v2/pkg/config/dynamic"
|
"github.com/traefik/traefik/v2/pkg/config/dynamic"
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestNewIPWhiteLister(t *testing.T) {
|
func TestNewIPAllowLister(t *testing.T) {
|
||||||
testCases := []struct {
|
testCases := []struct {
|
||||||
desc string
|
desc string
|
||||||
whiteList dynamic.IPWhiteList
|
allowList dynamic.IPAllowList
|
||||||
expectedError bool
|
expectedError bool
|
||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
desc: "invalid IP",
|
desc: "invalid IP",
|
||||||
whiteList: dynamic.IPWhiteList{
|
allowList: dynamic.IPAllowList{
|
||||||
SourceRange: []string{"foo"},
|
SourceRange: []string{"foo"},
|
||||||
},
|
},
|
||||||
expectedError: true,
|
expectedError: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
desc: "valid IP",
|
desc: "valid IP",
|
||||||
whiteList: dynamic.IPWhiteList{
|
allowList: dynamic.IPAllowList{
|
||||||
SourceRange: []string{"10.10.10.10"},
|
SourceRange: []string{"10.10.10.10"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -38,28 +38,28 @@ func TestNewIPWhiteLister(t *testing.T) {
|
||||||
t.Parallel()
|
t.Parallel()
|
||||||
|
|
||||||
next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
|
next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
|
||||||
whiteLister, err := New(context.Background(), next, test.whiteList, "traefikTest")
|
allowLister, err := New(context.Background(), next, test.allowList, "traefikTest")
|
||||||
|
|
||||||
if test.expectedError {
|
if test.expectedError {
|
||||||
assert.Error(t, err)
|
assert.Error(t, err)
|
||||||
} else {
|
} else {
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
assert.NotNil(t, whiteLister)
|
assert.NotNil(t, allowLister)
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestIPWhiteLister_ServeHTTP(t *testing.T) {
|
func TestIPAllowLister_ServeHTTP(t *testing.T) {
|
||||||
testCases := []struct {
|
testCases := []struct {
|
||||||
desc string
|
desc string
|
||||||
whiteList dynamic.IPWhiteList
|
allowList dynamic.IPAllowList
|
||||||
remoteAddr string
|
remoteAddr string
|
||||||
expected int
|
expected int
|
||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
desc: "authorized with remote address",
|
desc: "authorized with remote address",
|
||||||
whiteList: dynamic.IPWhiteList{
|
allowList: dynamic.IPAllowList{
|
||||||
SourceRange: []string{"20.20.20.20"},
|
SourceRange: []string{"20.20.20.20"},
|
||||||
},
|
},
|
||||||
remoteAddr: "20.20.20.20:1234",
|
remoteAddr: "20.20.20.20:1234",
|
||||||
|
@ -67,7 +67,7 @@ func TestIPWhiteLister_ServeHTTP(t *testing.T) {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
desc: "non authorized with remote address",
|
desc: "non authorized with remote address",
|
||||||
whiteList: dynamic.IPWhiteList{
|
allowList: dynamic.IPAllowList{
|
||||||
SourceRange: []string{"20.20.20.20"},
|
SourceRange: []string{"20.20.20.20"},
|
||||||
},
|
},
|
||||||
remoteAddr: "20.20.20.21:1234",
|
remoteAddr: "20.20.20.21:1234",
|
||||||
|
@ -81,7 +81,7 @@ func TestIPWhiteLister_ServeHTTP(t *testing.T) {
|
||||||
t.Parallel()
|
t.Parallel()
|
||||||
|
|
||||||
next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
|
next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
|
||||||
whiteLister, err := New(context.Background(), next, test.whiteList, "traefikTest")
|
allowLister, err := New(context.Background(), next, test.allowList, "traefikTest")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
recorder := httptest.NewRecorder()
|
recorder := httptest.NewRecorder()
|
||||||
|
@ -92,7 +92,7 @@ func TestIPWhiteLister_ServeHTTP(t *testing.T) {
|
||||||
req.RemoteAddr = test.remoteAddr
|
req.RemoteAddr = test.remoteAddr
|
||||||
}
|
}
|
||||||
|
|
||||||
whiteLister.ServeHTTP(recorder, req)
|
allowLister.ServeHTTP(recorder, req)
|
||||||
|
|
||||||
assert.Equal(t, test.expected, recorder.Code)
|
assert.Equal(t, test.expected, recorder.Code)
|
||||||
})
|
})
|
|
@ -1,4 +1,4 @@
|
||||||
package tcpipwhitelist
|
package tcpipallowlist
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
|
@ -13,46 +13,46 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
typeName = "IPWhiteListerTCP"
|
typeName = "IPAllowListerTCP"
|
||||||
)
|
)
|
||||||
|
|
||||||
// ipWhiteLister is a middleware that provides Checks of the Requesting IP against a set of Whitelists.
|
// ipAllowLister is a middleware that provides Checks of the Requesting IP against a set of Allowlists.
|
||||||
type ipWhiteLister struct {
|
type ipAllowLister struct {
|
||||||
next tcp.Handler
|
next tcp.Handler
|
||||||
whiteLister *ip.Checker
|
allowLister *ip.Checker
|
||||||
name string
|
name string
|
||||||
}
|
}
|
||||||
|
|
||||||
// New builds a new TCP IPWhiteLister given a list of CIDR-Strings to whitelist.
|
// New builds a new TCP IPAllowLister given a list of CIDR-Strings to allow.
|
||||||
func New(ctx context.Context, next tcp.Handler, config dynamic.TCPIPWhiteList, name string) (tcp.Handler, error) {
|
func New(ctx context.Context, next tcp.Handler, config dynamic.TCPIPAllowList, name string) (tcp.Handler, error) {
|
||||||
logger := log.FromContext(middlewares.GetLoggerCtx(ctx, name, typeName))
|
logger := log.FromContext(middlewares.GetLoggerCtx(ctx, name, typeName))
|
||||||
logger.Debug("Creating middleware")
|
logger.Debug("Creating middleware")
|
||||||
|
|
||||||
if len(config.SourceRange) == 0 {
|
if len(config.SourceRange) == 0 {
|
||||||
return nil, errors.New("sourceRange is empty, IPWhiteLister not created")
|
return nil, errors.New("sourceRange is empty, IPAllowLister not created")
|
||||||
}
|
}
|
||||||
|
|
||||||
checker, err := ip.NewChecker(config.SourceRange)
|
checker, err := ip.NewChecker(config.SourceRange)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("cannot parse CIDR whitelist %s: %w", config.SourceRange, err)
|
return nil, fmt.Errorf("cannot parse CIDRs %s: %w", config.SourceRange, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
logger.Debugf("Setting up IPWhiteLister with sourceRange: %s", config.SourceRange)
|
logger.Debugf("Setting up IPAllowLister with sourceRange: %s", config.SourceRange)
|
||||||
|
|
||||||
return &ipWhiteLister{
|
return &ipAllowLister{
|
||||||
whiteLister: checker,
|
allowLister: checker,
|
||||||
next: next,
|
next: next,
|
||||||
name: name,
|
name: name,
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (wl *ipWhiteLister) ServeTCP(conn tcp.WriteCloser) {
|
func (al *ipAllowLister) ServeTCP(conn tcp.WriteCloser) {
|
||||||
ctx := middlewares.GetLoggerCtx(context.Background(), wl.name, typeName)
|
ctx := middlewares.GetLoggerCtx(context.Background(), al.name, typeName)
|
||||||
logger := log.FromContext(ctx)
|
logger := log.FromContext(ctx)
|
||||||
|
|
||||||
addr := conn.RemoteAddr().String()
|
addr := conn.RemoteAddr().String()
|
||||||
|
|
||||||
err := wl.whiteLister.IsAuthorized(addr)
|
err := al.allowLister.IsAuthorized(addr)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Errorf("Connection from %s rejected: %v", addr, err)
|
logger.Errorf("Connection from %s rejected: %v", addr, err)
|
||||||
conn.Close()
|
conn.Close()
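Review bot: The rejection path in `ServeTCP` logs with `logger.Errorf("Connection from %s rejected: %v", addr, err)`, while the HTTP allow-list middleware in this same commit logs its rejection with `logger.Debug(msg)`. A refused peer is expected traffic for an allow list, so at Error level any unlisted client can grow the error log at will, whereas at Debug the HTTP denials are invisible at default verbosity. Both middlewares should use one level for denials, for example `logger.Debugf("Connection from %s rejected: %v", addr, err)` here if denials are meant to be observed through access logs or metrics instead. These lines are only renamed by the commit, and the body of `ServeTCP` continues outside the hunk.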
|
||||||
|
@ -61,5 +61,5 @@ func (wl *ipWhiteLister) ServeTCP(conn tcp.WriteCloser) {
|
||||||
|
|
||||||
logger.Debugf("Connection from %s accepted", addr)
|
logger.Debugf("Connection from %s accepted", addr)
|
||||||
|
|
||||||
wl.next.ServeTCP(conn)
|
al.next.ServeTCP(conn)
|
||||||
}
|
}
|
|
@ -1,4 +1,4 @@
|
||||||
package tcpipwhitelist
|
package tcpipallowlist
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
|
@ -12,27 +12,27 @@ import (
|
||||||
"github.com/traefik/traefik/v2/pkg/tcp"
|
"github.com/traefik/traefik/v2/pkg/tcp"
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestNewIPWhiteLister(t *testing.T) {
|
func TestNewIPAllowLister(t *testing.T) {
|
||||||
testCases := []struct {
|
testCases := []struct {
|
||||||
desc string
|
desc string
|
||||||
whiteList dynamic.TCPIPWhiteList
|
allowList dynamic.TCPIPAllowList
|
||||||
expectedError bool
|
expectedError bool
|
||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
desc: "Empty config",
|
desc: "Empty config",
|
||||||
whiteList: dynamic.TCPIPWhiteList{},
|
allowList: dynamic.TCPIPAllowList{},
|
||||||
expectedError: true,
|
expectedError: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
desc: "invalid IP",
|
desc: "invalid IP",
|
||||||
whiteList: dynamic.TCPIPWhiteList{
|
allowList: dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"foo"},
|
SourceRange: []string{"foo"},
|
||||||
},
|
},
|
||||||
expectedError: true,
|
expectedError: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
desc: "valid IP",
|
desc: "valid IP",
|
||||||
whiteList: dynamic.TCPIPWhiteList{
|
allowList: dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"10.10.10.10"},
|
SourceRange: []string{"10.10.10.10"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -44,28 +44,28 @@ func TestNewIPWhiteLister(t *testing.T) {
|
||||||
t.Parallel()
|
t.Parallel()
|
||||||
|
|
||||||
next := tcp.HandlerFunc(func(conn tcp.WriteCloser) {})
|
next := tcp.HandlerFunc(func(conn tcp.WriteCloser) {})
|
||||||
whiteLister, err := New(context.Background(), next, test.whiteList, "traefikTest")
|
allowLister, err := New(context.Background(), next, test.allowList, "traefikTest")
|
||||||
|
|
||||||
if test.expectedError {
|
if test.expectedError {
|
||||||
assert.Error(t, err)
|
assert.Error(t, err)
|
||||||
} else {
|
} else {
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
assert.NotNil(t, whiteLister)
|
assert.NotNil(t, allowLister)
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestIPWhiteLister_ServeHTTP(t *testing.T) {
|
func TestIPAllowLister_ServeHTTP(t *testing.T) {
|
||||||
testCases := []struct {
|
testCases := []struct {
|
||||||
desc string
|
desc string
|
||||||
whiteList dynamic.TCPIPWhiteList
|
allowList dynamic.TCPIPAllowList
|
||||||
remoteAddr string
|
remoteAddr string
|
||||||
expected string
|
expected string
|
||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
desc: "authorized with remote address",
|
desc: "authorized with remote address",
|
||||||
whiteList: dynamic.TCPIPWhiteList{
|
allowList: dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"20.20.20.20"},
|
SourceRange: []string{"20.20.20.20"},
|
||||||
},
|
},
|
||||||
remoteAddr: "20.20.20.20:1234",
|
remoteAddr: "20.20.20.20:1234",
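Review bot: The renamed test in the TCP package is still called `TestIPAllowLister_ServeHTTP`, although its cases use `dynamic.TCPIPAllowList` and the later hunk shows it driving `allowLister.ServeTCP`. Since the line is being rewritten anyway, `func TestIPAllowLister_ServeTCP(t *testing.T) {` would make a failure of the TCP allow list identifiable from the test name alone. The test's case table and body continue outside the hunk.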
|
||||||
|
@ -73,7 +73,7 @@ func TestIPWhiteLister_ServeHTTP(t *testing.T) {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
desc: "non authorized with remote address",
|
desc: "non authorized with remote address",
|
||||||
whiteList: dynamic.TCPIPWhiteList{
|
allowList: dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"20.20.20.20"},
|
SourceRange: []string{"20.20.20.20"},
|
||||||
},
|
},
|
||||||
remoteAddr: "20.20.20.21:1234",
|
remoteAddr: "20.20.20.21:1234",
|
||||||
|
@ -94,13 +94,13 @@ func TestIPWhiteLister_ServeHTTP(t *testing.T) {
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
})
|
})
|
||||||
|
|
||||||
whiteLister, err := New(context.Background(), next, test.whiteList, "traefikTest")
|
allowLister, err := New(context.Background(), next, test.allowList, "traefikTest")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
server, client := net.Pipe()
|
server, client := net.Pipe()
|
||||||
|
|
||||||
go func() {
|
go func() {
|
||||||
whiteLister.ServeTCP(&contextWriteCloser{client, addr{test.remoteAddr}})
|
allowLister.ServeTCP(&contextWriteCloser{client, addr{test.remoteAddr}})
|
||||||
}()
|
}()
|
||||||
|
|
||||||
read, err := io.ReadAll(server)
|
read, err := io.ReadAll(server)
|
|
@ -2022,7 +2022,7 @@ func Test_buildConfiguration(t *testing.T) {
|
||||||
Name: "Test",
|
Name: "Test",
|
||||||
Labels: map[string]string{
|
Labels: map[string]string{
|
||||||
"traefik.tcp.routers.Test.rule": "HostSNI(`foo.bar`)",
|
"traefik.tcp.routers.Test.rule": "HostSNI(`foo.bar`)",
|
||||||
"traefik.tcp.middlewares.Middleware1.ipwhitelist.sourcerange": "foobar, fiibar",
|
"traefik.tcp.middlewares.Middleware1.ipallowlist.sourcerange": "foobar, fiibar",
|
||||||
"traefik.tcp.routers.Test.middlewares": "Middleware1",
|
"traefik.tcp.routers.Test.middlewares": "Middleware1",
|
||||||
},
|
},
|
||||||
Address: "127.0.0.1",
|
Address: "127.0.0.1",
|
||||||
|
@ -2041,7 +2041,7 @@ func Test_buildConfiguration(t *testing.T) {
|
||||||
},
|
},
|
||||||
Middlewares: map[string]*dynamic.TCPMiddleware{
|
Middlewares: map[string]*dynamic.TCPMiddleware{
|
||||||
"Middleware1": {
|
"Middleware1": {
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"foobar", "fiibar"},
|
SourceRange: []string{"foobar", "fiibar"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
|
@ -2611,7 +2611,7 @@ func Test_buildConfiguration(t *testing.T) {
|
||||||
Name: "Test",
|
Name: "Test",
|
||||||
Labels: map[string]string{
|
Labels: map[string]string{
|
||||||
"traefik.tcp.routers.Test.rule": "HostSNI(`foo.bar`)",
|
"traefik.tcp.routers.Test.rule": "HostSNI(`foo.bar`)",
|
||||||
"traefik.tcp.middlewares.Middleware1.ipwhitelist.sourcerange": "foobar, fiibar",
|
"traefik.tcp.middlewares.Middleware1.ipallowlist.sourcerange": "foobar, fiibar",
|
||||||
"traefik.tcp.routers.Test.middlewares": "Middleware1",
|
"traefik.tcp.routers.Test.middlewares": "Middleware1",
|
||||||
},
|
},
|
||||||
NetworkSettings: networkSettings{
|
NetworkSettings: networkSettings{
|
||||||
|
@ -2638,7 +2638,7 @@ func Test_buildConfiguration(t *testing.T) {
|
||||||
},
|
},
|
||||||
Middlewares: map[string]*dynamic.TCPMiddleware{
|
Middlewares: map[string]*dynamic.TCPMiddleware{
|
||||||
"Middleware1": {
|
"Middleware1": {
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"foobar", "fiibar"},
|
SourceRange: []string{"foobar", "fiibar"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
|
@ -2333,7 +2333,7 @@ func Test_buildConfiguration(t *testing.T) {
|
||||||
name("Test"),
|
name("Test"),
|
||||||
labels(map[string]string{
|
labels(map[string]string{
|
||||||
"traefik.tcp.routers.Test.rule": "HostSNI(`foo.bar`)",
|
"traefik.tcp.routers.Test.rule": "HostSNI(`foo.bar`)",
|
||||||
"traefik.tcp.middlewares.Middleware1.ipwhitelist.sourcerange": "foobar, fiibar",
|
"traefik.tcp.middlewares.Middleware1.ipallowlist.sourcerange": "foobar, fiibar",
|
||||||
"traefik.tcp.routers.Test.middlewares": "Middleware1",
|
"traefik.tcp.routers.Test.middlewares": "Middleware1",
|
||||||
}),
|
}),
|
||||||
iMachine(
|
iMachine(
|
||||||
|
@ -2356,7 +2356,7 @@ func Test_buildConfiguration(t *testing.T) {
|
||||||
},
|
},
|
||||||
Middlewares: map[string]*dynamic.TCPMiddleware{
|
Middlewares: map[string]*dynamic.TCPMiddleware{
|
||||||
"Middleware1": {
|
"Middleware1": {
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"foobar", "fiibar"},
|
SourceRange: []string{"foobar", "fiibar"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
|
@ -1,10 +1,10 @@
|
||||||
apiVersion: traefik.containo.us/v1alpha1
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
kind: MiddlewareTCP
|
kind: MiddlewareTCP
|
||||||
metadata:
|
metadata:
|
||||||
name: ipwhitelist
|
name: ipallowlist
|
||||||
namespace: default
|
namespace: default
|
||||||
spec:
|
spec:
|
||||||
ipWhiteList:
|
ipAllowList:
|
||||||
sourceRange:
|
sourceRange:
|
||||||
- 127.0.0.1/32
|
- 127.0.0.1/32
|
||||||
|
|
||||||
|
@ -12,10 +12,10 @@ spec:
|
||||||
apiVersion: traefik.containo.us/v1alpha1
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
kind: MiddlewareTCP
|
kind: MiddlewareTCP
|
||||||
metadata:
|
metadata:
|
||||||
name: ipwhitelist
|
name: ipallowlist
|
||||||
namespace: foo
|
namespace: foo
|
||||||
spec:
|
spec:
|
||||||
ipWhiteList:
|
ipAllowList:
|
||||||
sourceRange:
|
sourceRange:
|
||||||
- 127.0.0.1/32
|
- 127.0.0.1/32
|
||||||
---
|
---
|
||||||
|
@ -36,6 +36,6 @@ spec:
|
||||||
port: 8000
|
port: 8000
|
||||||
|
|
||||||
middlewares:
|
middlewares:
|
||||||
- name: ipwhitelist
|
- name: ipallowlist
|
||||||
- name: ipwhitelist
|
- name: ipallowlist
|
||||||
namespace: foo
|
namespace: foo
|
||||||
|
|
|
@ -1,10 +1,10 @@
|
||||||
apiVersion: traefik.containo.us/v1alpha1
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
kind: MiddlewareTCP
|
kind: MiddlewareTCP
|
||||||
metadata:
|
metadata:
|
||||||
name: ipwhitelist
|
name: ipallowlist
|
||||||
namespace: default
|
namespace: default
|
||||||
spec:
|
spec:
|
||||||
ipWhiteList:
|
ipAllowList:
|
||||||
sourceRange:
|
sourceRange:
|
||||||
- 127.0.0.1/32
|
- 127.0.0.1/32
|
||||||
|
|
||||||
|
@ -12,10 +12,10 @@ spec:
|
||||||
apiVersion: traefik.containo.us/v1alpha1
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
kind: MiddlewareTCP
|
kind: MiddlewareTCP
|
||||||
metadata:
|
metadata:
|
||||||
name: ipwhitelist
|
name: ipallowlist
|
||||||
namespace: foo
|
namespace: foo
|
||||||
spec:
|
spec:
|
||||||
ipWhiteList:
|
ipAllowList:
|
||||||
sourceRange:
|
sourceRange:
|
||||||
- 127.0.0.1/32
|
- 127.0.0.1/32
|
||||||
---
|
---
|
||||||
|
@ -36,9 +36,9 @@ spec:
|
||||||
port: 8000
|
port: 8000
|
||||||
|
|
||||||
middlewares:
|
middlewares:
|
||||||
- name: ipwhitelist
|
- name: ipallowlist
|
||||||
- name: ipwhitelist
|
- name: ipallowlist
|
||||||
namespace: foo
|
namespace: foo
|
||||||
- name: ipwhitelist@file
|
- name: ipallowlist@file
|
||||||
- name: ipwhitelist-foo@file
|
- name: ipallowlist-foo@file
|
||||||
namespace: foo
|
namespace: foo
|
||||||
|
|
|
@ -4,7 +4,7 @@ metadata:
|
||||||
name: multiple---hyphens
|
name: multiple---hyphens
|
||||||
namespace: default
|
namespace: default
|
||||||
spec:
|
spec:
|
||||||
ipWhiteList:
|
ipAllowList:
|
||||||
sourceRange:
|
sourceRange:
|
||||||
- 127.0.0.1/32
|
- 127.0.0.1/32
|
||||||
|
|
||||||
|
|
|
@ -1,10 +1,10 @@
|
||||||
apiVersion: traefik.containo.us/v1alpha1
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
kind: MiddlewareTCP
|
kind: MiddlewareTCP
|
||||||
metadata:
|
metadata:
|
||||||
name: ipwhitelist
|
name: ipallowlist
|
||||||
namespace: default
|
namespace: default
|
||||||
spec:
|
spec:
|
||||||
ipWhiteList:
|
ipAllowList:
|
||||||
sourceRange:
|
sourceRange:
|
||||||
- 127.0.0.1/32
|
- 127.0.0.1/32
|
||||||
|
|
||||||
|
@ -12,10 +12,10 @@ spec:
|
||||||
apiVersion: traefik.containo.us/v1alpha1
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
kind: MiddlewareTCP
|
kind: MiddlewareTCP
|
||||||
metadata:
|
metadata:
|
||||||
name: ipwhitelist
|
name: ipallowlist
|
||||||
namespace: cross-ns
|
namespace: cross-ns
|
||||||
spec:
|
spec:
|
||||||
ipWhiteList:
|
ipAllowList:
|
||||||
sourceRange:
|
sourceRange:
|
||||||
- 127.0.0.1/32
|
- 127.0.0.1/32
|
||||||
---
|
---
|
||||||
|
@ -36,7 +36,7 @@ spec:
|
||||||
port: 8000
|
port: 8000
|
||||||
|
|
||||||
middlewares:
|
middlewares:
|
||||||
- name: ipwhitelist
|
- name: ipallowlist
|
||||||
|
|
||||||
- match: HostSNI(`bar.com`)
|
- match: HostSNI(`bar.com`)
|
||||||
services:
|
services:
|
||||||
|
@ -44,5 +44,5 @@ spec:
|
||||||
port: 8000
|
port: 8000
|
||||||
|
|
||||||
middlewares:
|
middlewares:
|
||||||
- name: ipwhitelist
|
- name: ipallowlist
|
||||||
namespace: cross-ns
|
namespace: cross-ns
|
||||||
|
|
|
@ -263,7 +263,7 @@ func (p *Provider) loadConfigurationFromCRD(ctx context.Context, client Client)
|
||||||
ReplacePath: middleware.Spec.ReplacePath,
|
ReplacePath: middleware.Spec.ReplacePath,
|
||||||
ReplacePathRegex: middleware.Spec.ReplacePathRegex,
|
ReplacePathRegex: middleware.Spec.ReplacePathRegex,
|
||||||
Chain: createChainMiddleware(ctxMid, middleware.Namespace, middleware.Spec.Chain),
|
Chain: createChainMiddleware(ctxMid, middleware.Namespace, middleware.Spec.Chain),
|
||||||
IPWhiteList: middleware.Spec.IPWhiteList,
|
IPAllowList: middleware.Spec.IPAllowList,
|
||||||
Headers: middleware.Spec.Headers,
|
Headers: middleware.Spec.Headers,
|
||||||
Errors: errorPage,
|
Errors: errorPage,
|
||||||
RateLimit: rateLimit,
|
RateLimit: rateLimit,
|
||||||
|
@ -288,7 +288,7 @@ func (p *Provider) loadConfigurationFromCRD(ctx context.Context, client Client)
|
||||||
|
|
||||||
conf.TCP.Middlewares[id] = &dynamic.TCPMiddleware{
|
conf.TCP.Middlewares[id] = &dynamic.TCPMiddleware{
|
||||||
InFlightConn: middlewareTCP.Spec.InFlightConn,
|
InFlightConn: middlewareTCP.Spec.InFlightConn,
|
||||||
IPWhiteList: middlewareTCP.Spec.IPWhiteList,
|
IPAllowList: middlewareTCP.Spec.IPAllowList,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -119,18 +119,18 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
|
||||||
"default-test.route-fdd3e9338e47a45efefc": {
|
"default-test.route-fdd3e9338e47a45efefc": {
|
||||||
EntryPoints: []string{"foo"},
|
EntryPoints: []string{"foo"},
|
||||||
Service: "default-test.route-fdd3e9338e47a45efefc",
|
Service: "default-test.route-fdd3e9338e47a45efefc",
|
||||||
Middlewares: []string{"default-ipwhitelist", "foo-ipwhitelist"},
|
Middlewares: []string{"default-ipallowlist", "foo-ipallowlist"},
|
||||||
Rule: "HostSNI(`foo.com`)",
|
Rule: "HostSNI(`foo.com`)",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Middlewares: map[string]*dynamic.TCPMiddleware{
|
Middlewares: map[string]*dynamic.TCPMiddleware{
|
||||||
"default-ipwhitelist": {
|
"default-ipallowlist": {
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"127.0.0.1/32"},
|
SourceRange: []string{"127.0.0.1/32"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
"foo-ipwhitelist": {
|
"foo-ipallowlist": {
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"127.0.0.1/32"},
|
SourceRange: []string{"127.0.0.1/32"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -178,7 +178,7 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
|
||||||
},
|
},
|
||||||
Middlewares: map[string]*dynamic.TCPMiddleware{
|
Middlewares: map[string]*dynamic.TCPMiddleware{
|
||||||
"default-multiple-hyphens": {
|
"default-multiple-hyphens": {
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"127.0.0.1/32"},
|
SourceRange: []string{"127.0.0.1/32"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -220,18 +220,18 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
|
||||||
"default-test.route-fdd3e9338e47a45efefc": {
|
"default-test.route-fdd3e9338e47a45efefc": {
|
||||||
EntryPoints: []string{"foo"},
|
EntryPoints: []string{"foo"},
|
||||||
Service: "default-test.route-fdd3e9338e47a45efefc",
|
Service: "default-test.route-fdd3e9338e47a45efefc",
|
||||||
Middlewares: []string{"default-ipwhitelist", "foo-ipwhitelist", "ipwhitelist@file", "ipwhitelist-foo@file"},
|
Middlewares: []string{"default-ipallowlist", "foo-ipallowlist", "ipallowlist@file", "ipallowlist-foo@file"},
|
||||||
Rule: "HostSNI(`foo.com`)",
|
Rule: "HostSNI(`foo.com`)",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Middlewares: map[string]*dynamic.TCPMiddleware{
|
Middlewares: map[string]*dynamic.TCPMiddleware{
|
||||||
"default-ipwhitelist": {
|
"default-ipallowlist": {
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"127.0.0.1/32"},
|
SourceRange: []string{"127.0.0.1/32"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
"foo-ipwhitelist": {
|
"foo-ipallowlist": {
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"127.0.0.1/32"},
|
SourceRange: []string{"127.0.0.1/32"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -5459,18 +5459,18 @@ func TestCrossNamespace(t *testing.T) {
|
||||||
"default-test.route-fdd3e9338e47a45efefc": {
|
"default-test.route-fdd3e9338e47a45efefc": {
|
||||||
EntryPoints: []string{"foo"},
|
EntryPoints: []string{"foo"},
|
||||||
Service: "default-test.route-fdd3e9338e47a45efefc",
|
Service: "default-test.route-fdd3e9338e47a45efefc",
|
||||||
Middlewares: []string{"default-ipwhitelist"},
|
Middlewares: []string{"default-ipallowlist"},
|
||||||
Rule: "HostSNI(`foo.com`)",
|
Rule: "HostSNI(`foo.com`)",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Middlewares: map[string]*dynamic.TCPMiddleware{
|
Middlewares: map[string]*dynamic.TCPMiddleware{
|
||||||
"default-ipwhitelist": {
|
"default-ipallowlist": {
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"127.0.0.1/32"},
|
SourceRange: []string{"127.0.0.1/32"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
"cross-ns-ipwhitelist": {
|
"cross-ns-ipallowlist": {
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"127.0.0.1/32"},
|
SourceRange: []string{"127.0.0.1/32"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -5513,24 +5513,24 @@ func TestCrossNamespace(t *testing.T) {
|
||||||
"default-test.route-fdd3e9338e47a45efefc": {
|
"default-test.route-fdd3e9338e47a45efefc": {
|
||||||
EntryPoints: []string{"foo"},
|
EntryPoints: []string{"foo"},
|
||||||
Service: "default-test.route-fdd3e9338e47a45efefc",
|
Service: "default-test.route-fdd3e9338e47a45efefc",
|
||||||
Middlewares: []string{"default-ipwhitelist"},
|
Middlewares: []string{"default-ipallowlist"},
|
||||||
Rule: "HostSNI(`foo.com`)",
|
Rule: "HostSNI(`foo.com`)",
|
||||||
},
|
},
|
||||||
"default-test.route-f44ce589164e656d231c": {
|
"default-test.route-f44ce589164e656d231c": {
|
||||||
EntryPoints: []string{"foo"},
|
EntryPoints: []string{"foo"},
|
||||||
Service: "default-test.route-f44ce589164e656d231c",
|
Service: "default-test.route-f44ce589164e656d231c",
|
||||||
Middlewares: []string{"cross-ns-ipwhitelist"},
|
Middlewares: []string{"cross-ns-ipallowlist"},
|
||||||
Rule: "HostSNI(`bar.com`)",
|
Rule: "HostSNI(`bar.com`)",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Middlewares: map[string]*dynamic.TCPMiddleware{
|
Middlewares: map[string]*dynamic.TCPMiddleware{
|
||||||
"default-ipwhitelist": {
|
"default-ipallowlist": {
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"127.0.0.1/32"},
|
SourceRange: []string{"127.0.0.1/32"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
"cross-ns-ipwhitelist": {
|
"cross-ns-ipallowlist": {
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"127.0.0.1/32"},
|
SourceRange: []string{"127.0.0.1/32"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
|
@ -32,7 +32,7 @@ type MiddlewareSpec struct {
|
||||||
ReplacePath *dynamic.ReplacePath `json:"replacePath,omitempty"`
|
ReplacePath *dynamic.ReplacePath `json:"replacePath,omitempty"`
|
||||||
ReplacePathRegex *dynamic.ReplacePathRegex `json:"replacePathRegex,omitempty"`
|
ReplacePathRegex *dynamic.ReplacePathRegex `json:"replacePathRegex,omitempty"`
|
||||||
Chain *Chain `json:"chain,omitempty"`
|
Chain *Chain `json:"chain,omitempty"`
|
||||||
IPWhiteList *dynamic.IPWhiteList `json:"ipWhiteList,omitempty"`
|
IPAllowList *dynamic.IPAllowList `json:"ipAllowList,omitempty"`
|
||||||
Headers *dynamic.Headers `json:"headers,omitempty"`
|
Headers *dynamic.Headers `json:"headers,omitempty"`
|
||||||
Errors *ErrorPage `json:"errors,omitempty"`
|
Errors *ErrorPage `json:"errors,omitempty"`
|
||||||
RateLimit *RateLimit `json:"rateLimit,omitempty"`
|
RateLimit *RateLimit `json:"rateLimit,omitempty"`
|
||||||
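Review bot: The JSON tag on this field changes from `ipWhiteList` to `ipAllowList` and no deprecated alias is kept, so a Middleware manifest that still uses the old key no longer populates `Spec.IPAllowList`; the same applies to `MiddlewareTCPSpec` in the next file section. Whether such a resource is then rejected or loaded without its source-range restriction depends on CRD schema handling and on the middleware builder, neither of which is fully visible here. The failure mode should be confirmed to be a hard error rather than a route that silently loses its IP filter. If a transition period is wanted, keep a deprecated field carrying the old `ipWhiteList` tag, map it onto `IPAllowList` when the configuration is loaded, and log a warning when it is set. The struct begins and ends outside the hunk.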
|
|
|
@ -25,8 +25,8 @@ type MiddlewareTCP struct {
|
||||||
type MiddlewareTCPSpec struct {
|
type MiddlewareTCPSpec struct {
|
||||||
// InFlightConn defines the InFlightConn middleware configuration.
|
// InFlightConn defines the InFlightConn middleware configuration.
|
||||||
InFlightConn *dynamic.TCPInFlightConn `json:"inFlightConn,omitempty"`
|
InFlightConn *dynamic.TCPInFlightConn `json:"inFlightConn,omitempty"`
|
||||||
// IPWhiteList defines the IPWhiteList middleware configuration.
|
// IPAllowList defines the IPAllowList middleware configuration.
|
||||||
IPWhiteList *dynamic.TCPIPWhiteList `json:"ipWhiteList,omitempty"`
|
IPAllowList *dynamic.TCPIPAllowList `json:"ipAllowList,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||||
|
|
|
@ -689,9 +689,9 @@ func (in *MiddlewareSpec) DeepCopyInto(out *MiddlewareSpec) {
|
||||||
*out = new(Chain)
|
*out = new(Chain)
|
||||||
(*in).DeepCopyInto(*out)
|
(*in).DeepCopyInto(*out)
|
||||||
}
|
}
|
||||||
if in.IPWhiteList != nil {
|
if in.IPAllowList != nil {
|
||||||
in, out := &in.IPWhiteList, &out.IPWhiteList
|
in, out := &in.IPAllowList, &out.IPAllowList
|
||||||
*out = new(dynamic.IPWhiteList)
|
*out = new(dynamic.IPAllowList)
|
||||||
(*in).DeepCopyInto(*out)
|
(*in).DeepCopyInto(*out)
|
||||||
}
|
}
|
||||||
if in.Headers != nil {
|
if in.Headers != nil {
|
||||||
|
@ -857,9 +857,9 @@ func (in *MiddlewareTCPSpec) DeepCopyInto(out *MiddlewareTCPSpec) {
|
||||||
*out = new(dynamic.TCPInFlightConn)
|
*out = new(dynamic.TCPInFlightConn)
|
||||||
**out = **in
|
**out = **in
|
||||||
}
|
}
|
||||||
if in.IPWhiteList != nil {
|
if in.IPAllowList != nil {
|
||||||
in, out := &in.IPWhiteList, &out.IPWhiteList
|
in, out := &in.IPAllowList, &out.IPAllowList
|
||||||
*out = new(dynamic.TCPIPWhiteList)
|
*out = new(dynamic.TCPIPAllowList)
|
||||||
(*in).DeepCopyInto(*out)
|
(*in).DeepCopyInto(*out)
|
||||||
}
|
}
|
||||||
return
|
return
|
||||||
|
|
|
@ -140,11 +140,11 @@ func Test_buildConfiguration(t *testing.T) {
|
||||||
"traefik/http/middlewares/Middleware09/headers/customRequestHeaders/name0": "foobar",
|
"traefik/http/middlewares/Middleware09/headers/customRequestHeaders/name0": "foobar",
|
||||||
"traefik/http/middlewares/Middleware09/headers/customRequestHeaders/name1": "foobar",
|
"traefik/http/middlewares/Middleware09/headers/customRequestHeaders/name1": "foobar",
|
||||||
"traefik/http/middlewares/Middleware09/headers/browserXssFilter": "true",
|
"traefik/http/middlewares/Middleware09/headers/browserXssFilter": "true",
|
||||||
"traefik/http/middlewares/Middleware10/ipWhiteList/sourceRange/0": "foobar",
|
"traefik/http/middlewares/Middleware10/ipAllowList/sourceRange/0": "foobar",
|
||||||
"traefik/http/middlewares/Middleware10/ipWhiteList/sourceRange/1": "foobar",
|
"traefik/http/middlewares/Middleware10/ipAllowList/sourceRange/1": "foobar",
|
||||||
"traefik/http/middlewares/Middleware10/ipWhiteList/ipStrategy/excludedIPs/0": "foobar",
|
"traefik/http/middlewares/Middleware10/ipAllowList/ipStrategy/excludedIPs/0": "foobar",
|
||||||
"traefik/http/middlewares/Middleware10/ipWhiteList/ipStrategy/excludedIPs/1": "foobar",
|
"traefik/http/middlewares/Middleware10/ipAllowList/ipStrategy/excludedIPs/1": "foobar",
|
||||||
"traefik/http/middlewares/Middleware10/ipWhiteList/ipStrategy/depth": "42",
|
"traefik/http/middlewares/Middleware10/ipAllowList/ipStrategy/depth": "42",
|
||||||
"traefik/http/middlewares/Middleware11/inFlightReq/amount": "42",
|
"traefik/http/middlewares/Middleware11/inFlightReq/amount": "42",
|
||||||
"traefik/http/middlewares/Middleware11/inFlightReq/sourceCriterion/requestHost": "true",
|
"traefik/http/middlewares/Middleware11/inFlightReq/sourceCriterion/requestHost": "true",
|
||||||
"traefik/http/middlewares/Middleware11/inFlightReq/sourceCriterion/ipStrategy/depth": "42",
|
"traefik/http/middlewares/Middleware11/inFlightReq/sourceCriterion/ipStrategy/depth": "42",
|
||||||
|
@ -340,7 +340,7 @@ func Test_buildConfiguration(t *testing.T) {
|
||||||
},
|
},
|
||||||
Middlewares: map[string]*dynamic.Middleware{
|
Middlewares: map[string]*dynamic.Middleware{
|
||||||
"Middleware10": {
|
"Middleware10": {
|
||||||
IPWhiteList: &dynamic.IPWhiteList{
|
IPAllowList: &dynamic.IPAllowList{
|
||||||
SourceRange: []string{
|
SourceRange: []string{
|
||||||
"foobar",
|
"foobar",
|
||||||
"foobar",
|
"foobar",
|
||||||
|
|
|
@ -196,14 +196,14 @@ func TestBuildConfiguration(t *testing.T) {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
desc: "TCP with IP whitelist",
|
desc: "TCP with IP allowlist",
|
||||||
applications: withApplications(
|
applications: withApplications(
|
||||||
application(
|
application(
|
||||||
appID("/app"),
|
appID("/app"),
|
||||||
appPorts(80),
|
appPorts(80),
|
||||||
|
|
||||||
withLabel("traefik.tcp.routers.Test.rule", "HostSNI(`foo.bar`)"),
|
withLabel("traefik.tcp.routers.Test.rule", "HostSNI(`foo.bar`)"),
|
||||||
withLabel("traefik.tcp.middlewares.Middleware1.ipwhitelist.sourcerange", "foobar, fiibar"),
|
withLabel("traefik.tcp.middlewares.Middleware1.ipallowlist.sourcerange", "foobar, fiibar"),
|
||||||
withLabel("traefik.tcp.routers.Test.middlewares", "Middleware1"),
|
withLabel("traefik.tcp.routers.Test.middlewares", "Middleware1"),
|
||||||
withTasks(localhostTask(taskPorts(80))),
|
withTasks(localhostTask(taskPorts(80))),
|
||||||
)),
|
)),
|
||||||
|
@ -218,7 +218,7 @@ func TestBuildConfiguration(t *testing.T) {
|
||||||
},
|
},
|
||||||
Middlewares: map[string]*dynamic.TCPMiddleware{
|
Middlewares: map[string]*dynamic.TCPMiddleware{
|
||||||
"Middleware1": {
|
"Middleware1": {
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"foobar", "fiibar"},
|
SourceRange: []string{"foobar", "fiibar"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
|
@ -1621,7 +1621,7 @@ func Test_buildConfig(t *testing.T) {
|
||||||
Name: "Test",
|
Name: "Test",
|
||||||
Tags: []string{
|
Tags: []string{
|
||||||
"traefik.tcp.routers.Test.rule = HostSNI(`foo.bar`)",
|
"traefik.tcp.routers.Test.rule = HostSNI(`foo.bar`)",
|
||||||
"traefik.tcp.middlewares.Middleware1.ipwhitelist.sourcerange = foobar, fiibar",
|
"traefik.tcp.middlewares.Middleware1.ipallowlist.sourcerange = foobar, fiibar",
|
||||||
"traefik.tcp.routers.Test.middlewares = Middleware1",
|
"traefik.tcp.routers.Test.middlewares = Middleware1",
|
||||||
},
|
},
|
||||||
Address: "127.0.0.1",
|
Address: "127.0.0.1",
|
||||||
|
@ -1640,7 +1640,7 @@ func Test_buildConfig(t *testing.T) {
|
||||||
},
|
},
|
||||||
Middlewares: map[string]*dynamic.TCPMiddleware{
|
Middlewares: map[string]*dynamic.TCPMiddleware{
|
||||||
"Middleware1": {
|
"Middleware1": {
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"foobar", "fiibar"},
|
SourceRange: []string{"foobar", "fiibar"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
|
@ -508,7 +508,7 @@ func Test_buildConfiguration(t *testing.T) {
|
||||||
Name: "Test",
|
Name: "Test",
|
||||||
Labels: map[string]string{
|
Labels: map[string]string{
|
||||||
"traefik.tcp.routers.Test.rule": "HostSNI(`foo.bar`)",
|
"traefik.tcp.routers.Test.rule": "HostSNI(`foo.bar`)",
|
||||||
"traefik.tcp.middlewares.Middleware1.ipwhitelist.sourcerange": "foobar, fiibar",
|
"traefik.tcp.middlewares.Middleware1.ipallowlist.sourcerange": "foobar, fiibar",
|
||||||
"traefik.tcp.routers.Test.middlewares": "Middleware1",
|
"traefik.tcp.routers.Test.middlewares": "Middleware1",
|
||||||
},
|
},
|
||||||
Port: "80/tcp",
|
Port: "80/tcp",
|
||||||
|
@ -528,7 +528,7 @@ func Test_buildConfiguration(t *testing.T) {
|
||||||
},
|
},
|
||||||
Middlewares: map[string]*dynamic.TCPMiddleware{
|
Middlewares: map[string]*dynamic.TCPMiddleware{
|
||||||
"Middleware1": {
|
"Middleware1": {
|
||||||
IPWhiteList: &dynamic.TCPIPWhiteList{
|
IPAllowList: &dynamic.TCPIPAllowList{
|
||||||
SourceRange: []string{"foobar", "fiibar"},
|
SourceRange: []string{"foobar", "fiibar"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
|
@ -191,7 +191,7 @@ func init() {
|
||||||
Chain: &dynamic.Chain{
|
Chain: &dynamic.Chain{
|
||||||
Middlewares: []string{"foo"},
|
Middlewares: []string{"foo"},
|
||||||
},
|
},
|
||||||
IPWhiteList: &dynamic.IPWhiteList{
|
IPAllowList: &dynamic.IPAllowList{
|
||||||
SourceRange: []string{"foo"},
|
SourceRange: []string{"foo"},
|
||||||
IPStrategy: &dynamic.IPStrategy{
|
IPStrategy: &dynamic.IPStrategy{
|
||||||
Depth: 42,
|
Depth: 42,
|
||||||
|
|
|
@ -119,7 +119,7 @@
|
||||||
"foo"
|
"foo"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"ipWhiteList": {
|
"ipAllowList": {
|
||||||
"sourceRange": [
|
"sourceRange": [
|
||||||
"xxxx"
|
"xxxx"
|
||||||
],
|
],
|
||||||
|
|
|
@ -119,7 +119,7 @@
|
||||||
"foo"
|
"foo"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"ipWhiteList": {
|
"ipAllowList": {
|
||||||
"sourceRange": [
|
"sourceRange": [
|
||||||
"foo"
|
"foo"
|
||||||
],
|
],
|
||||||
|
|
|
@ -19,7 +19,7 @@ import (
|
||||||
"github.com/traefik/traefik/v2/pkg/middlewares/customerrors"
|
"github.com/traefik/traefik/v2/pkg/middlewares/customerrors"
|
||||||
"github.com/traefik/traefik/v2/pkg/middlewares/headers"
|
"github.com/traefik/traefik/v2/pkg/middlewares/headers"
|
||||||
"github.com/traefik/traefik/v2/pkg/middlewares/inflightreq"
|
"github.com/traefik/traefik/v2/pkg/middlewares/inflightreq"
|
||||||
"github.com/traefik/traefik/v2/pkg/middlewares/ipwhitelist"
|
"github.com/traefik/traefik/v2/pkg/middlewares/ipallowlist"
|
||||||
"github.com/traefik/traefik/v2/pkg/middlewares/passtlsclientcert"
|
"github.com/traefik/traefik/v2/pkg/middlewares/passtlsclientcert"
|
||||||
"github.com/traefik/traefik/v2/pkg/middlewares/ratelimiter"
|
"github.com/traefik/traefik/v2/pkg/middlewares/ratelimiter"
|
||||||
"github.com/traefik/traefik/v2/pkg/middlewares/redirect"
|
"github.com/traefik/traefik/v2/pkg/middlewares/redirect"
|
||||||
|
@ -229,13 +229,13 @@ func (b *Builder) buildConstructor(ctx context.Context, middlewareName string) (
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// IPWhiteList
|
// IPAllowList
|
||||||
if config.IPWhiteList != nil {
|
if config.IPAllowList != nil {
|
||||||
if middleware != nil {
|
if middleware != nil {
|
||||||
return nil, badConf
|
return nil, badConf
|
||||||
}
|
}
|
||||||
middleware = func(next http.Handler) (http.Handler, error) {
|
middleware = func(next http.Handler) (http.Handler, error) {
|
||||||
return ipwhitelist.New(ctx, next, *config.IPWhiteList, middlewareName)
|
return ipallowlist.New(ctx, next, *config.IPAllowList, middlewareName)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -7,7 +7,7 @@ import (
|
||||||
|
|
||||||
"github.com/traefik/traefik/v2/pkg/config/runtime"
|
"github.com/traefik/traefik/v2/pkg/config/runtime"
|
||||||
inflightconn "github.com/traefik/traefik/v2/pkg/middlewares/tcp/inflightconn"
|
inflightconn "github.com/traefik/traefik/v2/pkg/middlewares/tcp/inflightconn"
|
||||||
ipwhitelist "github.com/traefik/traefik/v2/pkg/middlewares/tcp/ipwhitelist"
|
ipallowlist "github.com/traefik/traefik/v2/pkg/middlewares/tcp/ipallowlist"
|
||||||
"github.com/traefik/traefik/v2/pkg/server/provider"
|
"github.com/traefik/traefik/v2/pkg/server/provider"
|
||||||
"github.com/traefik/traefik/v2/pkg/tcp"
|
"github.com/traefik/traefik/v2/pkg/tcp"
|
||||||
)
|
)
|
||||||
|
@ -94,10 +94,10 @@ func (b *Builder) buildConstructor(ctx context.Context, middlewareName string) (
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// IPWhiteList
|
// IPAllowList
|
||||||
if config.IPWhiteList != nil {
|
if config.IPAllowList != nil {
|
||||||
middleware = func(next tcp.Handler) (tcp.Handler, error) {
|
middleware = func(next tcp.Handler) (tcp.Handler, error) {
|
||||||
return ipwhitelist.New(ctx, next, *config.IPWhiteList, middlewareName)
|
return ipallowlist.New(ctx, next, *config.IPAllowList, middlewareName)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
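Review bot: The `config.IPAllowList` branch assigns `middleware` without first checking that it is still nil, unlike the HTTP builder in the previous file section, which returns `badConf` when a second middleware type is set. If an earlier branch of this function (outside the hunk) has already assigned `middleware`, a TCP middleware that declares two types would silently keep only the allow list and drop the other limit. Adding the same guard before the assignment, `if middleware != nil { return nil, badConf }`, would surface the misconfiguration; this assumes an equivalent error value is available in this package. buildConstructor starts and ends outside the hunk.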
|
|
|
@ -675,8 +675,8 @@
|
||||||
</div>
|
</div>
|
||||||
</q-card-section>
|
</q-card-section>
|
||||||
|
|
||||||
<!-- EXTRA FIELDS FROM MIDDLEWARES - [ipWhiteList] - sourceRange -->
|
<!-- EXTRA FIELDS FROM MIDDLEWARES - [ipAllowList] - sourceRange -->
|
||||||
<q-card-section v-if="middleware.ipWhiteList">
|
<q-card-section v-if="middleware.ipAllowList">
|
||||||
<div class="row items-start no-wrap">
|
<div class="row items-start no-wrap">
|
||||||
<div class="col">
|
<div class="col">
|
||||||
<div class="text-subtitle2">Source Range</div>
|
<div class="text-subtitle2">Source Range</div>
|
||||||
|
@ -689,8 +689,8 @@
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
</q-card-section>
|
</q-card-section>
|
||||||
<!-- EXTRA FIELDS FROM MIDDLEWARES - [ipWhiteList] - ipStrategy -->
|
<!-- EXTRA FIELDS FROM MIDDLEWARES - [ipAllowList] - ipStrategy -->
|
||||||
<q-card-section v-if="middleware.ipWhiteList">
|
<q-card-section v-if="middleware.ipAllowList">
|
||||||
<div class="row items-start">
|
<div class="row items-start">
|
||||||
<div class="col-12">
|
<div class="col-12">
|
||||||
<div class="text-subtitle2">IP Strategy</div>
|
<div class="text-subtitle2">IP Strategy</div>
|
||||||
|
@ -1076,8 +1076,8 @@
|
||||||
</q-card-section>
|
</q-card-section>
|
||||||
|
|
||||||
<q-card-section v-if="protocol === 'tcp'">
|
<q-card-section v-if="protocol === 'tcp'">
|
||||||
<!-- EXTRA FIELDS FROM MIDDLEWARES - [ipWhiteList] - sourceRange -->
|
<!-- EXTRA FIELDS FROM MIDDLEWARES - [ipAllowList] - sourceRange -->
|
||||||
<q-card-section v-if="middleware.ipWhiteList">
|
<q-card-section v-if="middleware.ipAllowList">
|
||||||
<div class="row items-start no-wrap">
|
<div class="row items-start no-wrap">
|
||||||
<div class="col">
|
<div class="col">
|
||||||
<div class="text-subtitle2">Source Range</div>
|
<div class="text-subtitle2">Source Range</div>
|
||||||
|
|