Renaming IPWhiteList to IPAllowList

Wambugu 2022-10-26 18:16:05 +03:00 committed by GitHub
parent e86f21ae7b
commit 1b9873cae9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
69 changed files with 523 additions and 506 deletions

Binary file not shown.

View file

@ -15,7 +15,7 @@ It makes reusing the same groups easier.
## Configuration Example
Below is an example of a Chain containing `WhiteList`, `BasicAuth`, and `RedirectScheme`.
Below is an example of a Chain containing `AllowList`, `BasicAuth`, and `RedirectScheme`.
```yaml tab="Docker"
labels:
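Review bot: The changed sentence above the Docker example calls the chain member `AllowList`, while the rest of this commit names the middleware `IPAllowList` (page titles, the `ipAllowList` key). Use the full name so the sentence matches what a reader will search for: "Below is an example of a Chain containing `IPAllowList`, `BasicAuth`, and `RedirectScheme`."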
@ -25,7 +25,7 @@ labels:
- "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
- "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
- "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
- "traefik.http.middlewares.known-ips.ipallowlist.sourceRange=192.168.1.7,127.0.0.1/32"
- "traefik.http.services.service1.loadbalancer.server.port=80"
```
@ -80,7 +80,7 @@ kind: Middleware
metadata:
name: known-ips
spec:
ipWhiteList:
ipAllowList:
sourceRange:
- 192.168.1.7
- 127.0.0.1/32
@ -93,7 +93,7 @@ spec:
- "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
- "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
- "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
- "traefik.http.middlewares.known-ips.ipallowlist.sourceRange=192.168.1.7,127.0.0.1/32"
- "traefik.http.services.service1.loadbalancer.server.port=80"
```
@ -105,7 +105,7 @@ spec:
"traefik.http.middlewares.secured.chain.middlewares": "https-only,known-ips,auth-users",
"traefik.http.middlewares.auth-users.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"traefik.http.middlewares.https-only.redirectscheme.scheme": "https",
"traefik.http.middlewares.known-ips.ipwhitelist.sourceRange": "192.168.1.7,127.0.0.1/32",
"traefik.http.middlewares.known-ips.ipallowlist.sourceRange": "192.168.1.7,127.0.0.1/32",
"traefik.http.services.service1.loadbalancer.server.port": "80"
}
```
@ -118,7 +118,7 @@ labels:
- "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
- "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
- "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
- "traefik.http.middlewares.known-ips.ipallowlist.sourceRange=192.168.1.7,127.0.0.1/32"
- "traefik.http.services.service1.loadbalancer.server.port=80"
```
@ -150,7 +150,7 @@ http:
scheme: https
known-ips:
ipWhiteList:
ipAllowList:
sourceRange:
- "192.168.1.7"
- "127.0.0.1/32"
@ -180,7 +180,7 @@ http:
[http.middlewares.https-only.redirectScheme]
scheme = "https"
[http.middlewares.known-ips.ipWhiteList]
[http.middlewares.known-ips.ipAllowList]
sourceRange = ["192.168.1.7", "127.0.0.1/32"]
[http.services]

View file

@ -1,32 +1,30 @@
---
title: "Traefik HTTP Middlewares IPWhiteList"
description: "Learn how to use IPWhiteList in HTTP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
title: "Traefik HTTP Middlewares IPAllowList"
description: "Learn how to use IPAllowList in HTTP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
---
# IPWhiteList
# IPAllowList
Limiting Clients to Specific IPs
{: .subtitle }
![IpWhiteList](../../assets/img/middleware/ipwhitelist.png)
IPWhitelist accepts / refuses requests based on the client IP.
IPAllowList accepts / refuses requests based on the client IP.
## Configuration Examples
```yaml tab="Docker"
# Accepts request from defined IP
labels:
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-ipwhitelist
name: test-ipallowlist
spec:
ipWhiteList:
ipAllowList:
sourceRange:
- 127.0.0.1/32
- 192.168.1.7
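Review bot: The image line `![IpWhiteList](../../assets/img/middleware/ipwhitelist.png)` near the top of this hunk has no renamed counterpart, and the hunk header goes from 32 lines to 30, so the diagram appears to be dropped from the page rather than renamed. If that is intended, say so in the commit message; otherwise add a renamed asset and reference it under the new `# IPAllowList` heading.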
@ -34,27 +32,27 @@ spec:
```yaml tab="Consul Catalog"
# Accepts request from defined IP
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32,192.168.1.7"
"traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange": "127.0.0.1/32,192.168.1.7"
}
```
```yaml tab="Rancher"
# Accepts request from defined IP
labels:
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
```
```yaml tab="File (YAML)"
# Accepts request from defined IP
http:
middlewares:
test-ipwhitelist:
ipWhiteList:
test-ipallowlist:
ipAllowList:
sourceRange:
- "127.0.0.1/32"
- "192.168.1.7"
@ -63,7 +61,7 @@ http:
```toml tab="File (TOML)"
# Accepts request from defined IP
[http.middlewares]
[http.middlewares.test-ipwhitelist.ipWhiteList]
[http.middlewares.test-ipallowlist.ipAllowList]
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
```
@ -86,7 +84,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
!!! example "Examples of Depth & X-Forwarded-For"
If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting is `"12.0.0.1"` (`depth=2`).
If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used is `"12.0.0.1"` (`depth=2`).
| `X-Forwarded-For` | `depth` | clientIP |
|-----------------------------------------|---------|--------------|
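Review bot: The reworded example sentence now ends with "but the IP used is `"12.0.0.1"` (`depth=2`)", which no longer says what the IP is used for. This is the address the accept/refuse decision is made on, so keep that explicit, for example "the IP used for the allowlisting is `"12.0.0.1"`", which also matches the "Allowlisting Based on `X-Forwarded-For`" comments in the hunks that follow.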
@ -95,20 +93,20 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5` | `""` |
```yaml tab="Docker"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
# Allowlisting Based on `X-Forwarded-For` with `depth=2`
labels:
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
```
```yaml tab="Kubernetes"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
# Allowlisting Based on `X-Forwarded-For` with `depth=2`
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-ipwhitelist
name: test-ipallowlist
spec:
ipWhiteList:
ipAllowList:
sourceRange:
- 127.0.0.1/32
- 192.168.1.7
@ -117,31 +115,31 @@ spec:
```
```yaml tab="Consul Catalog"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
# Allowlisting Based on `X-Forwarded-For` with `depth=2`
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32, 192.168.1.7",
"traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth": "2"
"traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange": "127.0.0.1/32, 192.168.1.7",
"traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth": "2"
}
```
```yaml tab="Rancher"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
# Allowlisting Based on `X-Forwarded-For` with `depth=2`
labels:
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
```
```yaml tab="File (YAML)"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
# Allowlisting Based on `X-Forwarded-For` with `depth=2`
http:
middlewares:
test-ipwhitelist:
ipWhiteList:
test-ipallowlist:
ipAllowList:
sourceRange:
- "127.0.0.1/32"
- "192.168.1.7"
@ -150,11 +148,11 @@ http:
```
```toml tab="File (TOML)"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
# Allowlisting Based on `X-Forwarded-For` with `depth=2`
[http.middlewares]
[http.middlewares.test-ipwhitelist.ipWhiteList]
[http.middlewares.test-ipallowlist.ipAllowList]
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
[http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
[http.middlewares.test-ipallowlist.ipAllowList.ipStrategy]
depth = 2
```
@ -177,7 +175,7 @@ http:
```yaml tab="Docker"
# Exclude from `X-Forwarded-For`
labels:
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
```
```yaml tab="Kubernetes"
@ -185,9 +183,9 @@ labels:
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-ipwhitelist
name: test-ipallowlist
spec:
ipWhiteList:
ipAllowList:
ipStrategy:
excludedIPs:
- 127.0.0.1/32
@ -196,27 +194,27 @@ spec:
```yaml tab="Consul Catalog"
# Exclude from `X-Forwarded-For`
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
"traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
}
```
```yaml tab="Rancher"
# Exclude from `X-Forwarded-For`
labels:
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
```
```yaml tab="File (YAML)"
# Exclude from `X-Forwarded-For`
http:
middlewares:
test-ipwhitelist:
ipWhiteList:
test-ipallowlist:
ipAllowList:
ipStrategy:
excludedIPs:
- "127.0.0.1/32"
@ -226,7 +224,7 @@ http:
```toml tab="File (TOML)"
# Exclude from `X-Forwarded-For`
[http.middlewares]
[http.middlewares.test-ipwhitelist.ipWhiteList]
[http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
[http.middlewares.test-ipallowlist.ipAllowList]
[http.middlewares.test-ipallowlist.ipAllowList.ipStrategy]
excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
```

View file

@ -142,7 +142,7 @@ http:
| [Errors](errorpages.md) | Defines custom error pages | Request Lifecycle |
| [ForwardAuth](forwardauth.md) | Delegates Authentication | Security, Authentication |
| [Headers](headers.md) | Adds / Updates headers | Security |
| [IPWhiteList](ipwhitelist.md) | Limits the allowed client IPs | Security, Request lifecycle |
| [IPAllowList](ipallowlist.md) | Limits the allowed client IPs | Security, Request lifecycle |
| [InFlightReq](inflightreq.md) | Limits the number of simultaneous connections | Security, Request lifecycle |
| [PassTLSClientCert](passtlsclientcert.md) | Adds Client Certificates in a Header | Security |
| [RateLimit](ratelimit.md) | Limits the call frequency | Security, Request lifecycle |

View file

@ -1,30 +1,30 @@
---
title: "Traefik TCP Middlewares IPWhiteList"
description: "Learn how to use IPWhiteList in TCP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
title: "Traefik TCP Middlewares IPAllowList"
description: "Learn how to use IPAllowList in TCP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
---
# IPWhiteList
# IPAllowList
Limiting Clients to Specific IPs
{: .subtitle }
IPWhitelist accepts / refuses connections based on the client IP.
IPAllowList accepts / refuses connections based on the client IP.
## Configuration Examples
```yaml tab="Docker"
# Accepts connections from defined IP
labels:
- "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: MiddlewareTCP
metadata:
name: test-ipwhitelist
name: test-ipallowlist
spec:
ipWhiteList:
ipAllowList:
sourceRange:
- 127.0.0.1/32
- 192.168.1.7
@ -32,25 +32,25 @@ spec:
```yaml tab="Consul Catalog"
# Accepts request from defined IP
- "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
```
```json tab="Marathon"
"labels": {
"traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32,192.168.1.7"
"traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange": "127.0.0.1/32,192.168.1.7"
}
```
```yaml tab="Rancher"
# Accepts request from defined IP
labels:
- "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
```
```toml tab="File (TOML)"
# Accepts request from defined IP
[tcp.middlewares]
[tcp.middlewares.test-ipwhitelist.ipWhiteList]
[tcp.middlewares.test-ipallowlist.ipAllowList]
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
```
@ -58,8 +58,8 @@ labels:
# Accepts request from defined IP
tcp:
middlewares:
test-ipwhitelist:
ipWhiteList:
test-ipallowlist:
ipAllowList:
sourceRange:
- "127.0.0.1/32"
- "192.168.1.7"

View file

@ -18,10 +18,10 @@ whoami:
# A container that exposes an API to show its IP address
image: traefik/whoami
labels:
# Create a middleware named `foo-ip-whitelist`
- "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
# Apply the middleware named `foo-ip-whitelist` to the router named `router1`
- "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@docker"
# Create a middleware named `foo-ip-allowlist`
- "traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
# Apply the middleware named `foo-ip-allowlist` to the router named `router1`
- "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@docker"
```
```yaml tab="Kubernetes IngressRoute"
@ -43,9 +43,9 @@ spec:
apiVersion: traefik.containo.us/v1alpha1
kind: MiddlewareTCP
metadata:
name: foo-ip-whitelist
name: foo-ip-allowlist
spec:
ipWhiteList:
ipAllowList:
sourcerange:
- 127.0.0.1/32
- 192.168.1.7
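Review bot: Under the renamed `ipAllowList:` key this example still spells the child field `sourcerange:` in lowercase, whereas every other Kubernetes example touched by this commit uses `sourceRange:`. Since the block is being edited anyway, fix the casing here so a copy-pasted `MiddlewareTCP` does not end up with an allowlist whose range field is not the one the CRD schema defines.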
@ -60,30 +60,30 @@ spec:
routes:
# more fields...
middlewares:
- name: foo-ip-whitelist
- name: foo-ip-allowlist
```
```yaml tab="Consul Catalog"
# Create a middleware named `foo-ip-whitelist`
- "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
# Apply the middleware named `foo-ip-whitelist` to the router named `router1`
- "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@consulcatalog"
# Create a middleware named `foo-ip-allowlist`
- "traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
# Apply the middleware named `foo-ip-allowlist` to the router named `router1`
- "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@consulcatalog"
```
```json tab="Marathon"
"labels": {
"traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7",
"traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@marathon"
"traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7",
"traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@marathon"
}
```
```yaml tab="Rancher"
# As a Rancher Label
labels:
# Create a middleware named `foo-ip-whitelist`
- "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
# Apply the middleware named `foo-ip-whitelist` to the router named `router1`
- "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@rancher"
# Create a middleware named `foo-ip-allowlist`
- "traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
# Apply the middleware named `foo-ip-allowlist` to the router named `router1`
- "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@rancher"
```
```toml tab="File (TOML)"
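Review bot: The Marathon block in this hunk is not valid JSON: each entry inside `"labels": { ... }` is a single string of the form `"...sourcerange=127.0.0.1/32, 192.168.1.7"` with no `:` separating key and value. The Marathon examples in the other files of this commit use `"key": "value"` pairs; while renaming these two lines, split them the same way, for example `"traefik.tcp.routers.router1.middlewares": "foo-ip-allowlist@marathon"`.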
@ -91,11 +91,11 @@ labels:
[tcp.routers]
[tcp.routers.router1]
service = "myService"
middlewares = ["foo-ip-whitelist"]
middlewares = ["foo-ip-allowlist"]
rule = "Host(`example.com`)"
[tcp.middlewares]
[tcp.middlewares.foo-ip-whitelist.ipWhiteList]
[tcp.middlewares.foo-ip-allowlist.ipAllowList]
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
[tcp.services]
@ -114,12 +114,12 @@ tcp:
router1:
service: myService
middlewares:
- "foo-ip-whitelist"
- "foo-ip-allowlist"
rule: "Host(`example.com`)"
middlewares:
foo-ip-whitelist:
ipWhiteList:
foo-ip-allowlist:
ipAllowList:
sourceRange:
- "127.0.0.1/32"
- "192.168.1.7"
@ -137,4 +137,4 @@ tcp:
| Middleware | Purpose | Area |
|-------------------------------------------|---------------------------------------------------|-----------------------------|
| [InFlightConn](inflightconn.md) | Limits the number of simultaneous connections. | Security, Request lifecycle |
| [IPWhiteList](ipwhitelist.md) | Limit the allowed client IPs. | Security, Request lifecycle |
| [IPAllowList](ipallowlist.md) | Limit the allowed client IPs. | Security, Request lifecycle |

View file

@ -0,0 +1,18 @@
---
title: "Traefik V3 Migration Documentation"
description: "Migrate from Traefik Proxy v2 to v3 and update all the necessary configurations to take advantage of all the improvements. Read the technical documentation."
---
# Migration Guide: From v2 to v3
How to Migrate from Traefik v2 to Traefik v3.
{: .subtitle }
The version 3 of Traefik introduces a number of breaking changes,
which require one to update their configuration when they migrate from v2 to v3.
The goal of this page is to recapitulate all of these changes, and in particular to give examples,
feature by feature, of how the configuration looked like in v2, and how it now looks like in v3.
## IPWhiteList
In v3, we renamed the `IPWhiteList` middleware to `IPAllowList` without changing anything to the configuration.
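Review bot: The last sentence says the rename happened "without changing anything to the configuration", but the rest of this commit changes the key itself (`ipWhiteList` to `ipAllowList`, and `ipwhitelist` to `ipallowlist` in labels), so every existing configuration has to be edited. Reword it to say that only the name changes and the options (`sourceRange`, `ipStrategy`) are unchanged, and add the v2/v3 before-and-after snippet that the introduction of this page promises. Minor: the section heading is still `## IPWhiteList`, and "how the configuration looked like" should read "what the configuration looked like".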

View file

@ -72,7 +72,7 @@ to allow defining:
- One or more security features through [middlewares](../middlewares/overview.md)
like authentication ([basicAuth](../middlewares/http/basicauth.md) , [digestAuth](../middlewares/http/digestauth.md),
[forwardAuth](../middlewares/http/forwardauth.md)) or [whitelisting](../middlewares/http/ipwhitelist.md).
[forwardAuth](../middlewares/http/forwardauth.md)) or [allowlisting](../middlewares/http/ipallowlist.md).
- A [router rule](#dashboard-router-rule) for accessing the dashboard,
through Traefik itself (sometimes referred as "Traefik-ception").

View file

@ -18,7 +18,7 @@ It supports providing configuration through a [single configuration file](#filen
!!! tip
The file provider can be a good solution for reusing common elements from other providers (e.g. declaring whitelist middlewares, basic authentication, ...)
The file provider can be a good solution for reusing common elements from other providers (e.g. declaring allowlist middlewares, basic authentication, ...)
## Configuration Examples

View file

@ -71,9 +71,9 @@
- "traefik.http.middlewares.middleware10.headers.stsincludesubdomains=true"
- "traefik.http.middlewares.middleware10.headers.stspreload=true"
- "traefik.http.middlewares.middleware10.headers.stsseconds=42"
- "traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.depth=42"
- "traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.excludedips=foobar, foobar"
- "traefik.http.middlewares.middleware11.ipwhitelist.sourcerange=foobar, foobar"
- "traefik.http.middlewares.middleware11.ipallowlist.ipstrategy.depth=42"
- "traefik.http.middlewares.middleware11.ipallowlist.ipstrategy.excludedips=foobar, foobar"
- "traefik.http.middlewares.middleware11.ipallowlist.sourcerange=foobar, foobar"
- "traefik.http.middlewares.middleware12.inflightreq.amount=42"
- "traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.depth=42"
- "traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.excludedips=foobar, foobar"
@ -166,7 +166,7 @@
- "traefik.http.services.service01.loadbalancer.sticky.cookie.secure=true"
- "traefik.http.services.service01.loadbalancer.server.port=foobar"
- "traefik.http.services.service01.loadbalancer.server.scheme=foobar"
- "traefik.tcp.middlewares.tcpmiddleware00.ipwhitelist.sourcerange=foobar, foobar"
- "traefik.tcp.middlewares.tcpmiddleware00.ipallowlist.sourcerange=foobar, foobar"
- "traefik.tcp.middlewares.tcpmiddleware01.inflightconn.amount=42"
- "traefik.tcp.routers.tcprouter0.entrypoints=foobar, foobar"
- "traefik.tcp.routers.tcprouter0.middlewares=foobar, foobar"

View file

@ -203,9 +203,9 @@
name0 = "foobar"
name1 = "foobar"
[http.middlewares.Middleware11]
[http.middlewares.Middleware11.ipWhiteList]
[http.middlewares.Middleware11.ipAllowList]
sourceRange = ["foobar", "foobar"]
[http.middlewares.Middleware11.ipWhiteList.ipStrategy]
[http.middlewares.Middleware11.ipAllowList.ipStrategy]
depth = 42
excludedIPs = ["foobar", "foobar"]
[http.middlewares.Middleware12]
@ -402,7 +402,7 @@
weight = 42
[tcp.middlewares]
[tcp.middlewares.TCPMiddleware00]
[tcp.middlewares.TCPMiddleware00.ipWhiteList]
[tcp.middlewares.TCPMiddleware00.ipAllowList]
sourceRange = ["foobar", "foobar"]
[tcp.middlewares.TCPMiddleware01]
[tcp.middlewares.TCPMiddleware01.inFlightConn]

View file

@ -230,7 +230,7 @@ http:
permissionsPolicy: foobar
isDevelopment: true
Middleware11:
ipWhiteList:
ipAllowList:
sourceRange:
- foobar
- foobar
@ -443,7 +443,7 @@ tcp:
weight: 42
middlewares:
TCPMiddleware00:
ipWhiteList:
ipAllowList:
sourceRange:
- foobar
- foobar

View file

@ -1149,7 +1149,7 @@ spec:
properties:
ipStrategy:
description: 'IPStrategy holds the IP strategy configuration
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/#ipstrategy'
properties:
depth:
description: Depth tells Traefik to use the X-Forwarded-For
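Review bot: The "More info" URL in this description keeps the `v2.9` path segment while switching the page name to `ipallowlist`. The migration guide added in this commit states that the rename happens in v3, so a v2.9 documentation URL with the new page name is unlikely to resolve. Update the version segment together with the page name, here and in the other CRD descriptions changed the same way.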
@ -1174,14 +1174,14 @@ spec:
type: boolean
type: object
type: object
ipWhiteList:
description: 'IPWhiteList holds the IP whitelist middleware configuration.
ipAllowList:
description: 'IPAllowList holds the IP allowlist middleware configuration.
This middleware accepts / refuses requests based on the client IP.
More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/'
More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/'
properties:
ipStrategy:
description: 'IPStrategy holds the IP strategy configuration used
by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/#ipstrategy'
properties:
depth:
description: Depth tells Traefik to use the X-Forwarded-For
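Review bot: In this hunk the `ipAllowList` property replaces `ipWhiteList` in the schema rather than being added beside it, so a `Middleware` resource still written with `ipWhiteList` no longer matches a known property. For an access-control middleware it matters whether such a resource is rejected or loaded without any IP restriction; please state which in the migration guide, or keep the old property as a deprecated alias for a release so existing restrictions cannot disappear unnoticed on upgrade.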
@ -1345,7 +1345,7 @@ spec:
properties:
ipStrategy:
description: 'IPStrategy holds the IP strategy configuration
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/#ipstrategy'
properties:
depth:
description: Depth tells Traefik to use the X-Forwarded-For
@ -1541,8 +1541,8 @@ spec:
format: int64
type: integer
type: object
ipWhiteList:
description: IPWhiteList defines the IPWhiteList middleware configuration.
ipAllowList:
description: IPAllowList defines the IPAllowList middleware configuration.
properties:
sourceRange:
description: SourceRange defines the allowed IPs (or ranges of

View file

@ -148,7 +148,7 @@ spec:
- name: whoamitcp
port: 8080
middlewares:
- name: ipwhitelist
- name: ipallowlist
tls:
secretName: foosecret
passthrough: false

View file

@ -84,11 +84,11 @@
| `traefik/http/middlewares/Middleware10/headers/stsIncludeSubdomains` | `true` |
| `traefik/http/middlewares/Middleware10/headers/stsPreload` | `true` |
| `traefik/http/middlewares/Middleware10/headers/stsSeconds` | `42` |
| `traefik/http/middlewares/Middleware11/ipWhiteList/ipStrategy/depth` | `42` |
| `traefik/http/middlewares/Middleware11/ipWhiteList/ipStrategy/excludedIPs/0` | `foobar` |
| `traefik/http/middlewares/Middleware11/ipWhiteList/ipStrategy/excludedIPs/1` | `foobar` |
| `traefik/http/middlewares/Middleware11/ipWhiteList/sourceRange/0` | `foobar` |
| `traefik/http/middlewares/Middleware11/ipWhiteList/sourceRange/1` | `foobar` |
| `traefik/http/middlewares/Middleware11/ipAllowList/ipStrategy/depth` | `42` |
| `traefik/http/middlewares/Middleware11/ipAllowList/ipStrategy/excludedIPs/0` | `foobar` |
| `traefik/http/middlewares/Middleware11/ipAllowList/ipStrategy/excludedIPs/1` | `foobar` |
| `traefik/http/middlewares/Middleware11/ipAllowList/sourceRange/0` | `foobar` |
| `traefik/http/middlewares/Middleware11/ipAllowList/sourceRange/1` | `foobar` |
| `traefik/http/middlewares/Middleware12/inFlightReq/amount` | `42` |
| `traefik/http/middlewares/Middleware12/inFlightReq/sourceCriterion/ipStrategy/depth` | `42` |
| `traefik/http/middlewares/Middleware12/inFlightReq/sourceCriterion/ipStrategy/excludedIPs/0` | `foobar` |
@ -247,8 +247,8 @@
| `traefik/http/services/Service04/failover/fallback` | `foobar` |
| `traefik/http/services/Service04/failover/healthCheck` | `` |
| `traefik/http/services/Service04/failover/service` | `foobar` |
| `traefik/tcp/middlewares/TCPMiddleware00/ipWhiteList/sourceRange/0` | `foobar` |
| `traefik/tcp/middlewares/TCPMiddleware00/ipWhiteList/sourceRange/1` | `foobar` |
| `traefik/tcp/middlewares/TCPMiddleware00/ipAllowList/sourceRange/0` | `foobar` |
| `traefik/tcp/middlewares/TCPMiddleware00/ipAllowList/sourceRange/1` | `foobar` |
| `traefik/tcp/middlewares/TCPMiddleware01/inFlightConn/amount` | `42` |
| `traefik/tcp/routers/TCPRouter0/entryPoints/0` | `foobar` |
| `traefik/tcp/routers/TCPRouter0/entryPoints/1` | `foobar` |

View file

@ -71,9 +71,9 @@
"traefik.http.middlewares.middleware10.headers.stsincludesubdomains": "true",
"traefik.http.middlewares.middleware10.headers.stspreload": "true",
"traefik.http.middlewares.middleware10.headers.stsseconds": "42",
"traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.depth": "42",
"traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.excludedips": "foobar, foobar",
"traefik.http.middlewares.middleware11.ipwhitelist.sourcerange": "foobar, foobar",
"traefik.http.middlewares.middleware11.ipallowlist.ipstrategy.depth": "42",
"traefik.http.middlewares.middleware11.ipallowlist.ipstrategy.excludedips": "foobar, foobar",
"traefik.http.middlewares.middleware11.ipallowlist.sourcerange": "foobar, foobar",
"traefik.http.middlewares.middleware12.inflightreq.amount": "42",
"traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.depth": "42",
"traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.excludedips": "foobar, foobar",
@ -166,7 +166,7 @@
"traefik.http.services.service01.loadbalancer.sticky.cookie.secure": "true",
"traefik.http.services.service01.loadbalancer.server.port": "foobar",
"traefik.http.services.service01.loadbalancer.server.scheme": "foobar",
"traefik.tcp.middlewares.tcpmiddleware00.ipwhitelist.sourcerange": "foobar, foobar",
"traefik.tcp.middlewares.tcpmiddleware00.ipallowlist.sourcerange": "foobar, foobar",
"traefik.tcp.middlewares.tcpmiddleware01.inflightconn.amount": "42",
"traefik.tcp.routers.tcprouter0.entrypoints": "foobar, foobar",
"traefik.tcp.routers.tcprouter0.middlewares": "foobar, foobar",

View file

@ -572,7 +572,7 @@ spec:
properties:
ipStrategy:
description: 'IPStrategy holds the IP strategy configuration
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/#ipstrategy'
properties:
depth:
description: Depth tells Traefik to use the X-Forwarded-For
@ -597,14 +597,14 @@ spec:
type: boolean
type: object
type: object
ipWhiteList:
description: 'IPWhiteList holds the IP whitelist middleware configuration.
ipAllowList:
description: 'IPAllowList holds the IP allowlist middleware configuration.
This middleware accepts / refuses requests based on the client IP.
More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/'
More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/'
properties:
ipStrategy:
description: 'IPStrategy holds the IP strategy configuration used
by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/#ipstrategy'
properties:
depth:
description: Depth tells Traefik to use the X-Forwarded-For
@ -768,7 +768,7 @@ spec:
properties:
ipStrategy:
description: 'IPStrategy holds the IP strategy configuration
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/#ipstrategy'
properties:
depth:
description: Depth tells Traefik to use the X-Forwarded-For

View file

@ -47,8 +47,8 @@ spec:
format: int64
type: integer
type: object
ipWhiteList:
description: IPWhiteList defines the IPWhiteList middleware configuration.
ipAllowList:
description: IPAllowList defines the IPAllowList middleware configuration.
properties:
sourceRange:
description: SourceRange defines the allowed IPs (or ranges of

View file

@ -1287,9 +1287,9 @@ Register the `MiddlewareTCP` [kind](../../reference/dynamic-configuration/kubern
apiVersion: traefik.containo.us/v1alpha1
kind: MiddlewareTCP
metadata:
name: ipwhitelist
name: ipallowlist
spec:
ipWhiteList:
ipAllowList:
sourceRange:
- 127.0.0.1/32
- 192.168.1.7
@ -1305,13 +1305,13 @@ Register the `MiddlewareTCP` [kind](../../reference/dynamic-configuration/kubern
entryPoints:
- web
routes:
- match: Host(`example.com`) && PathPrefix(`/whitelist`)
- match: Host(`example.com`) && PathPrefix(`/allowlist`)
kind: Rule
services:
- name: whoami
port: 80
middlewares:
- name: ipwhitelist
- name: ipallowlist
namespace: foo
```

View file

@ -986,7 +986,7 @@ The middlewares will take effect only if the rule matches, and before connecting
[tcp.routers.my-router]
rule = "HostSNI(`*`)"
# declared elsewhere
middlewares = ["ipwhitelist"]
middlewares = ["ipallowlist"]
service = "service-foo"
```
@ -998,7 +998,7 @@ The middlewares will take effect only if the rule matches, and before connecting
rule: "HostSNI(`*`)"
# declared elsewhere
middlewares:
- ipwhitelist
- ipallowlist
service: service-foo
```

View file

@ -126,7 +126,7 @@ nav:
- 'Errors': 'middlewares/http/errorpages.md'
- 'ForwardAuth': 'middlewares/http/forwardauth.md'
- 'Headers': 'middlewares/http/headers.md'
- 'IpWhitelist': 'middlewares/http/ipwhitelist.md'
- 'IpAllowList': 'middlewares/http/ipallowlist.md'
- 'InFlightReq': 'middlewares/http/inflightreq.md'
- 'PassTLSClientCert': 'middlewares/http/passtlsclientcert.md'
- 'RateLimit': 'middlewares/http/ratelimit.md'
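Review bot: the renamed nav label is spelled 'IpAllowList', while the Go type and the CRD descriptions in this same change use IPAllowList with the initialism in capitals. Since the label is being touched anyway, spell it 'IPAllowList' so that the sidebar and the reference text match; the TCP entry in the following hunk carries the same spelling.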
@ -140,7 +140,7 @@ nav:
- 'TCP':
- 'Overview': 'middlewares/tcp/overview.md'
- 'InFlightConn': 'middlewares/tcp/inflightconn.md'
- 'IpWhitelist': 'middlewares/tcp/ipwhitelist.md'
- 'IpAllowList': 'middlewares/tcp/ipallowlist.md'
- 'Traefik Hub': 'traefik-hub/index.md'
- 'Plugins & Plugin Catalog': 'plugins/index.md'
- 'Operations':
@ -177,6 +177,7 @@ nav:
- 'HTTP Challenge': 'user-guides/docker-compose/acme-http/index.md'
- 'DNS Challenge': 'user-guides/docker-compose/acme-dns/index.md'
- 'Migration':
- 'Traefik v2 to v3': 'migration/v2-to-v3.md'
- 'Traefik v2 minor migrations': 'migration/v2.md'
- 'Traefik v1 to v2': 'migration/v1-to-v2.md'
- 'Contributing':

View file

@ -435,7 +435,7 @@ func (s *AccessLogSuite) TestAccessLogBackendNotFound(c *check.C) {
checkNoOtherTraefikProblems(c)
}
func (s *AccessLogSuite) TestAccessLogFrontendWhitelist(c *check.C) {
func (s *AccessLogSuite) TestAccessLogFrontendAllowlist(c *check.C) {
ensureWorkingDirectoryIsClean()
expected := []accessLogValue{
@ -443,7 +443,7 @@ func (s *AccessLogSuite) TestAccessLogFrontendWhitelist(c *check.C) {
formatOnly: false,
code: "403",
user: "-",
routerName: "rt-frontendWhitelist",
routerName: "rt-frontendAllowlist",
serviceURL: "-",
},
}
@ -458,7 +458,7 @@ func (s *AccessLogSuite) TestAccessLogFrontendWhitelist(c *check.C) {
checkStatsForLogFile(c)
waitForTraefik(c, "frontendWhitelist")
waitForTraefik(c, "frontendAllowlist")
// Verify Traefik started OK
checkTraefikStarted(c)
@ -466,7 +466,7 @@ func (s *AccessLogSuite) TestAccessLogFrontendWhitelist(c *check.C) {
// Test rate limit
req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
c.Assert(err, checker.IsNil)
req.Host = "frontend.whitelist.docker.local"
req.Host = "frontend.allowlist.docker.local"
err = try.Request(req, 500*time.Millisecond, try.StatusCodeIs(http.StatusForbidden), try.HasBody())
c.Assert(err, checker.IsNil)
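Review bot: the context comment "// Test rate limit" sits above a request that asserts http.StatusForbidden from the allowlist router, so it describes the wrong middleware. The host and router names are being renamed in this function already; correct the comment in the same pass, for example to "// Test allowlist rejection".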

View file

@ -1149,7 +1149,7 @@ spec:
properties:
ipStrategy:
description: 'IPStrategy holds the IP strategy configuration
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/#ipstrategy'
properties:
depth:
description: Depth tells Traefik to use the X-Forwarded-For
@ -1174,14 +1174,14 @@ spec:
type: boolean
type: object
type: object
ipWhiteList:
description: 'IPWhiteList holds the IP whitelist middleware configuration.
ipAllowList:
description: 'IPAllowList holds the IP allowlist middleware configuration.
This middleware accepts / refuses requests based on the client IP.
More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/'
More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/'
properties:
ipStrategy:
description: 'IPStrategy holds the IP strategy configuration used
by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/#ipstrategy'
properties:
depth:
description: Depth tells Traefik to use the X-Forwarded-For
@ -1345,7 +1345,7 @@ spec:
properties:
ipStrategy:
description: 'IPStrategy holds the IP strategy configuration
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/#ipstrategy'
properties:
depth:
description: Depth tells Traefik to use the X-Forwarded-For
@ -1541,8 +1541,8 @@ spec:
format: int64
type: integer
type: object
ipWhiteList:
description: IPWhiteList defines the IPWhiteList middleware configuration.
ipAllowList:
description: IPAllowList defines the IPAllowList middleware configuration.
properties:
sourceRange:
description: SourceRange defines the allowed IPs (or ranges of

View file

@ -23,7 +23,7 @@
entryPoints = ["tcp"]
rule = "HostSNI(`whoami-a.test`)"
service = "whoami-a"
middlewares = ["blocking-ipwhitelist"]
middlewares = ["blocking-ipallowlist"]
[tcp.routers.to-whoami-a.tls]
passthrough = true
@ -31,7 +31,7 @@
entryPoints = ["tcp"]
rule = "HostSNI(`whoami-b.test`)"
service = "whoami-b"
middlewares = ["allowing-ipwhitelist"]
middlewares = ["allowing-ipallowlist"]
[tcp.routers.to-whoami-b.tls]
passthrough = true
@ -45,7 +45,7 @@
address = "{{ .WhoamiB }}"
[tcp.middlewares]
[tcp.middlewares.allowing-ipwhitelist.ipWhiteList]
[tcp.middlewares.allowing-ipallowlist.ipAllowList]
sourceRange = ["127.0.0.1/32"]
[tcp.middlewares.blocking-ipwhitelist.ipWhiteList]
[tcp.middlewares.blocking-ipallowlist.ipAllowList]
sourceRange = ["127.127.127.127/32"]

View file

@ -75,14 +75,14 @@ services:
traefik.http.middlewares.rate.ratelimit.burst: 2
traefik.http.services.service3.loadbalancer.server.port: 80
frontendWhitelist:
frontendAllowlist:
image: traefik/whoami
labels:
traefik.enable: true
traefik.http.routers.rt-frontendWhitelist.entryPoints: web
traefik.http.routers.rt-frontendWhitelist.rule: Host(`frontend.whitelist.docker.local`)
traefik.http.routers.rt-frontendWhitelist.middlewares: wl
traefik.http.middlewares.wl.ipwhitelist.sourcerange: 8.8.8.8/32
traefik.http.routers.rt-frontendAllowlist.entryPoints: web
traefik.http.routers.rt-frontendAllowlist.rule: Host(`frontend.allowlist.docker.local`)
traefik.http.routers.rt-frontendAllowlist.middlewares: wl
traefik.http.middlewares.wl.ipallowlist.sourcerange: 8.8.8.8/32
traefik.http.services.service3.loadbalancer.server.port: 80
networks:

View file

@ -0,0 +1,41 @@
version: "3.8"
services:
noOverrideAllowlist:
image: traefik/whoami
labels:
traefik.enable: true
traefik.http.routers.rt1.rule: Host(`no.override.allowlist.docker.local`)
traefik.http.routers.rt1.middlewares: wl1
traefik.http.middlewares.wl1.ipallowList.sourceRange: 8.8.8.8
overrideIPStrategyRemoteAddrAllowlist:
image: traefik/whoami
labels:
traefik.enable: true
traefik.http.routers.rt2.rule: Host(`override.remoteaddr.allowlist.docker.local`)
traefik.http.routers.rt2.middlewares: wl2
traefik.http.middlewares.wl2.ipallowlist.sourceRange: 8.8.8.8
traefik.http.middlewares.wl2.ipallowlist.ipStrategy: true
overrideIPStrategyDepthAllowlist:
image: traefik/whoami
labels:
traefik.enable: true
traefik.http.routers.rt3.rule: Host(`override.depth.allowlist.docker.local`)
traefik.http.routers.rt3.middlewares: wl3
traefik.http.middlewares.wl3.ipallowlist.sourceRange: 8.8.8.8
traefik.http.middlewares.wl3.ipallowlist.ipStrategy.depth: 3
overrideIPStrategyExcludedIPsAllowlist:
image: traefik/whoami
labels:
traefik.enable: true
traefik.http.routers.rt4.rule: Host(`override.excludedips.allowlist.docker.local`)
traefik.http.routers.rt4.middlewares: wl4
traefik.http.middlewares.wl4.ipallowlist.sourceRange: 8.8.8.8
traefik.http.middlewares.wl4.ipallowlist.ipStrategy.excludedIPs: 10.0.0.1,10.0.0.2
networks:
default:
name: traefik-test-network
external: true
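Review bot: the label key on the first service is written `ipallowList.sourceRange` (capital L), while the other three services use `ipallowlist`. This mixed casing was copied over from the deleted file, and the fixture only behaves the same for all four services if label keys are matched case-insensitively. Use a single spelling throughout the new file. The middleware names wl1 to wl4 also still abbreviate the old term; al1 to al4 would keep the fixture consistent with the rename.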

View file

@ -1,41 +0,0 @@
version: "3.8"
services:
noOverrideWhitelist:
image: traefik/whoami
labels:
traefik.enable: true
traefik.http.routers.rt1.rule: Host(`no.override.whitelist.docker.local`)
traefik.http.routers.rt1.middlewares: wl1
traefik.http.middlewares.wl1.ipwhiteList.sourceRange: 8.8.8.8
overrideIPStrategyRemoteAddrWhitelist:
image: traefik/whoami
labels:
traefik.enable: true
traefik.http.routers.rt2.rule: Host(`override.remoteaddr.whitelist.docker.local`)
traefik.http.routers.rt2.middlewares: wl2
traefik.http.middlewares.wl2.ipwhitelist.sourceRange: 8.8.8.8
traefik.http.middlewares.wl2.ipwhitelist.ipStrategy: true
overrideIPStrategyDepthWhitelist:
image: traefik/whoami
labels:
traefik.enable: true
traefik.http.routers.rt3.rule: Host(`override.depth.whitelist.docker.local`)
traefik.http.routers.rt3.middlewares: wl3
traefik.http.middlewares.wl3.ipwhitelist.sourceRange: 8.8.8.8
traefik.http.middlewares.wl3.ipwhitelist.ipStrategy.depth: 3
overrideIPStrategyExcludedIPsWhitelist:
image: traefik/whoami
labels:
traefik.enable: true
traefik.http.routers.rt4.rule: Host(`override.excludedips.whitelist.docker.local`)
traefik.http.routers.rt4.middlewares: wl4
traefik.http.middlewares.wl4.ipwhitelist.sourceRange: 8.8.8.8
traefik.http.middlewares.wl4.ipwhitelist.ipStrategy.excludedIPs: 10.0.0.1,10.0.0.2
networks:
default:
name: traefik-test-network
external: true

View file

@ -397,13 +397,13 @@ func (s *SimpleSuite) TestMultipleProviderSameBackendName(c *check.C) {
c.Assert(err, checker.IsNil)
}
func (s *SimpleSuite) TestIPStrategyWhitelist(c *check.C) {
s.createComposeProject(c, "whitelist")
func (s *SimpleSuite) TestIPStrategyAllowlist(c *check.C) {
s.createComposeProject(c, "allowlist")
s.composeUp(c)
defer s.composeDown(c)
cmd, output := s.traefikCmd(withConfigFile("fixtures/simple_whitelist.toml"))
cmd, output := s.traefikCmd(withConfigFile("fixtures/simple_allowlist.toml"))
defer output(c)
err := cmd.Start()
@ -413,7 +413,7 @@ func (s *SimpleSuite) TestIPStrategyWhitelist(c *check.C) {
err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 2*time.Second, try.BodyContains("override"))
c.Assert(err, checker.IsNil)
err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 2*time.Second, try.BodyContains("override.remoteaddr.whitelist.docker.local"))
err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 2*time.Second, try.BodyContains("override.remoteaddr.allowlist.docker.local"))
c.Assert(err, checker.IsNil)
testCases := []struct {
@ -425,31 +425,31 @@ func (s *SimpleSuite) TestIPStrategyWhitelist(c *check.C) {
{
desc: "override remote addr reject",
xForwardedFor: "8.8.8.8,8.8.8.8",
host: "override.remoteaddr.whitelist.docker.local",
host: "override.remoteaddr.allowlist.docker.local",
expectedStatusCode: 403,
},
{
desc: "override depth accept",
xForwardedFor: "8.8.8.8,10.0.0.1,127.0.0.1",
host: "override.depth.whitelist.docker.local",
host: "override.depth.allowlist.docker.local",
expectedStatusCode: 200,
},
{
desc: "override depth reject",
xForwardedFor: "10.0.0.1,8.8.8.8,127.0.0.1",
host: "override.depth.whitelist.docker.local",
host: "override.depth.allowlist.docker.local",
expectedStatusCode: 403,
},
{
desc: "override excludedIPs reject",
xForwardedFor: "10.0.0.3,10.0.0.1,10.0.0.2",
host: "override.excludedips.whitelist.docker.local",
host: "override.excludedips.allowlist.docker.local",
expectedStatusCode: 403,
},
{
desc: "override excludedIPs accept",
xForwardedFor: "8.8.8.8,10.0.0.1,10.0.0.2",
host: "override.excludedips.whitelist.docker.local",
host: "override.excludedips.allowlist.docker.local",
expectedStatusCode: 200,
},
}
@ -468,12 +468,12 @@ func (s *SimpleSuite) TestIPStrategyWhitelist(c *check.C) {
}
func (s *SimpleSuite) TestXForwardedHeaders(c *check.C) {
s.createComposeProject(c, "whitelist")
s.createComposeProject(c, "allowlist")
s.composeUp(c)
defer s.composeDown(c)
cmd, output := s.traefikCmd(withConfigFile("fixtures/simple_whitelist.toml"))
cmd, output := s.traefikCmd(withConfigFile("fixtures/simple_allowlist.toml"))
defer output(c)
err := cmd.Start()
@ -481,13 +481,13 @@ func (s *SimpleSuite) TestXForwardedHeaders(c *check.C) {
defer s.killCmd(cmd)
err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 2*time.Second,
try.BodyContains("override.remoteaddr.whitelist.docker.local"))
try.BodyContains("override.remoteaddr.allowlist.docker.local"))
c.Assert(err, checker.IsNil)
req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000", nil)
c.Assert(err, checker.IsNil)
req.Host = "override.depth.whitelist.docker.local"
req.Host = "override.depth.allowlist.docker.local"
req.Header.Set("X-Forwarded-For", "8.8.8.8,10.0.0.1,127.0.0.1")
err = try.Request(req, 1*time.Second,

View file

@ -241,8 +241,8 @@ func (s *TCPSuite) TestCatchAllNoTLSWithHTTPS(c *check.C) {
c.Assert(err, checker.IsNil)
}
func (s *TCPSuite) TestMiddlewareWhiteList(c *check.C) {
file := s.adaptFile(c, "fixtures/tcp/ip-whitelist.toml", struct {
func (s *TCPSuite) TestMiddlewareAllowList(c *check.C) {
file := s.adaptFile(c, "fixtures/tcp/ipallowlist.toml", struct {
WhoamiA string
WhoamiB string
}{
@ -261,7 +261,7 @@ func (s *TCPSuite) TestMiddlewareWhiteList(c *check.C) {
err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 5*time.Second, try.StatusCodeIs(http.StatusOK), try.BodyContains("HostSNI(`whoami-a.test`)"))
c.Assert(err, checker.IsNil)
// Traefik not passes through, ipWhitelist closes connection
// Traefik not passes through, ipAllowList closes connection
_, err = guessWhoTLSPassthrough("127.0.0.1:8093", "whoami-a.test")
c.Assert(err, checker.ErrorMatches, "EOF")
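Review bot: the rewritten comment keeps the ungrammatical "Traefik not passes through". As the line is being edited anyway, reword it to say what the assertion checks, for example "Traefik does not pass the connection through: ipAllowList closes it", which also explains the expected EOF on the next line.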

View file

@ -173,24 +173,24 @@ func TestHandler_Overview(t *testing.T) {
},
},
TCPMiddlewares: map[string]*runtime.TCPMiddlewareInfo{
"ipwhitelist1@myprovider": {
"ipallowlist1@myprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
Status: runtime.StatusEnabled,
},
"ipwhitelist2@myprovider": {
"ipallowlist2@myprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
},
"ipwhitelist3@myprovider": {
"ipallowlist3@myprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},

View file

@ -512,25 +512,25 @@ func TestHandler_TCP(t *testing.T) {
path: "/api/tcp/middlewares",
conf: runtime.Configuration{
TCPMiddlewares: map[string]*runtime.TCPMiddlewareInfo{
"ipwhitelist1@myprovider": {
"ipallowlist1@myprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
UsedBy: []string{"bar@myprovider", "test@myprovider"},
},
"ipwhitelist2@myprovider": {
"ipallowlist2@myprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.2/32"},
},
},
UsedBy: []string{"test@myprovider"},
},
"ipwhitelist1@anotherprovider": {
"ipallowlist1@anotherprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
@ -549,27 +549,27 @@ func TestHandler_TCP(t *testing.T) {
path: "/api/tcp/middlewares?status=enabled",
conf: runtime.Configuration{
TCPMiddlewares: map[string]*runtime.TCPMiddlewareInfo{
"ipwhitelist@myprovider": {
"ipallowlist@myprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
UsedBy: []string{"bar@myprovider", "test@myprovider"},
Status: runtime.StatusEnabled,
},
"ipwhitelist2@myprovider": {
"ipallowlist2@myprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.2/32"},
},
},
UsedBy: []string{"test@myprovider"},
Status: runtime.StatusDisabled,
},
"ipwhitelist@anotherprovider": {
"ipallowlist@anotherprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
@ -586,30 +586,30 @@ func TestHandler_TCP(t *testing.T) {
},
{
desc: "middlewares filtered by search",
path: "/api/tcp/middlewares?search=ipwhitelist",
path: "/api/tcp/middlewares?search=ipallowlist",
conf: runtime.Configuration{
TCPMiddlewares: map[string]*runtime.TCPMiddlewareInfo{
"bad@myprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
UsedBy: []string{"bar@myprovider", "test@myprovider"},
Status: runtime.StatusEnabled,
},
"ipwhitelist@myprovider": {
"ipallowlist@myprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
UsedBy: []string{"test@myprovider"},
Status: runtime.StatusDisabled,
},
"ipwhitelist@anotherprovider": {
"ipallowlist@anotherprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
@ -629,25 +629,25 @@ func TestHandler_TCP(t *testing.T) {
path: "/api/tcp/middlewares?page=2&per_page=1",
conf: runtime.Configuration{
TCPMiddlewares: map[string]*runtime.TCPMiddlewareInfo{
"ipwhitelist@myprovider": {
"ipallowlist@myprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
UsedBy: []string{"bar@myprovider", "test@myprovider"},
},
"ipwhitelist2@myprovider": {
"ipallowlist2@myprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.2/32"},
},
},
UsedBy: []string{"test@myprovider"},
},
"ipwhitelist@anotherprovider": {
"ipallowlist@anotherprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
@ -663,28 +663,28 @@ func TestHandler_TCP(t *testing.T) {
},
{
desc: "one middleware by id",
path: "/api/tcp/middlewares/ipwhitelist@myprovider",
path: "/api/tcp/middlewares/ipallowlist@myprovider",
conf: runtime.Configuration{
TCPMiddlewares: map[string]*runtime.TCPMiddlewareInfo{
"ipwhitelist@myprovider": {
"ipallowlist@myprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
UsedBy: []string{"bar@myprovider", "test@myprovider"},
},
"ipwhitelist2@myprovider": {
"ipallowlist2@myprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.2/32"},
},
},
UsedBy: []string{"test@myprovider"},
},
"ipwhitelist@anotherprovider": {
"ipallowlist@anotherprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
@ -694,7 +694,7 @@ func TestHandler_TCP(t *testing.T) {
},
expected: expected{
statusCode: http.StatusOK,
jsonFile: "testdata/tcpmiddleware-ipwhitelist.json",
jsonFile: "testdata/tcpmiddleware-ipallowlist.json",
},
},
{
@ -702,9 +702,9 @@ func TestHandler_TCP(t *testing.T) {
path: "/api/tcp/middlewares/foo@myprovider",
conf: runtime.Configuration{
TCPMiddlewares: map[string]*runtime.TCPMiddlewareInfo{
"ipwhitelist@myprovider": {
"ipallowlist@myprovider": {
TCPMiddleware: &dynamic.TCPMiddleware{
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},

View file

@ -1,11 +1,11 @@
{
"ipWhiteList": {
"ipAllowList": {
"sourceRange": ["127.0.0.1/32"]
},
"name": "ipwhitelist@myprovider",
"name": "ipallowlist@myprovider",
"provider": "myprovider",
"status": "enabled",
"type": "ipwhitelist",
"type": "ipallowlist",
"usedBy": [
"bar@myprovider",
"test@myprovider"

View file

@ -1,24 +1,24 @@
[
{
"ipWhiteList": {
"ipAllowList": {
"sourceRange": ["127.0.0.1/32"]
},
"name": "ipwhitelist@anotherprovider",
"name": "ipallowlist@anotherprovider",
"provider": "anotherprovider",
"status": "enabled",
"type": "ipwhitelist",
"type": "ipallowlist",
"usedBy": [
"bar@myprovider"
]
},
{
"ipWhiteList": {
"ipAllowList": {
"sourceRange": ["127.0.0.1/32"]
},
"name": "ipwhitelist@myprovider",
"name": "ipallowlist@myprovider",
"provider": "myprovider",
"status": "disabled",
"type": "ipwhitelist",
"type": "ipallowlist",
"usedBy": [
"test@myprovider"
]
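Review bot: the expected API payload now reports "type": "ipallowlist" and uses the "ipAllowList" object key, so this is a change in what /api/tcp/middlewares returns, not only in how the configuration is written. Anything that filters or searches on the old type string (dashboards, monitoring scripts, audits that list which routers sit behind an IP filter) will stop matching without an error. Please call out the API-visible rename in the migration notes alongside the configuration key.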

View file

@ -1,24 +1,24 @@
[
{
"ipWhiteList": {
"ipAllowList": {
"sourceRange": ["127.0.0.1/32"]
},
"name": "ipwhitelist@anotherprovider",
"name": "ipallowlist@anotherprovider",
"provider": "anotherprovider",
"status": "enabled",
"type": "ipwhitelist",
"type": "ipallowlist",
"usedBy": [
"bar@myprovider"
]
},
{
"ipWhiteList": {
"ipAllowList": {
"sourceRange": ["127.0.0.1/32"]
},
"name": "ipwhitelist@myprovider",
"name": "ipallowlist@myprovider",
"provider": "myprovider",
"status": "enabled",
"type": "ipwhitelist",
"type": "ipallowlist",
"usedBy": [
"bar@myprovider",
"test@myprovider"

View file

@ -1,12 +1,12 @@
[
{
"ipWhiteList": {
"ipAllowList": {
"sourceRange": ["127.0.0.1/32"]
},
"name": "ipwhitelist@anotherprovider",
"name": "ipallowlist@anotherprovider",
"provider": "anotherprovider",
"status": "enabled",
"type": "ipwhitelist",
"type": "ipallowlist",
"usedBy": [
"bar@myprovider"
]

View file

@ -1,37 +1,37 @@
[
{
"ipWhiteList": {
"ipAllowList": {
"sourceRange": ["127.0.0.1/32"]
},
"name": "ipwhitelist1@anotherprovider",
"name": "ipallowlist1@anotherprovider",
"provider": "anotherprovider",
"status": "enabled",
"type": "ipwhitelist",
"type": "ipallowlist",
"usedBy": [
"bar@myprovider"
]
},
{
"ipWhiteList": {
"ipAllowList": {
"sourceRange": ["127.0.0.1/32"]
},
"name": "ipwhitelist1@myprovider",
"name": "ipallowlist1@myprovider",
"provider": "myprovider",
"status": "enabled",
"type": "ipwhitelist",
"type": "ipallowlist",
"usedBy": [
"bar@myprovider",
"test@myprovider"
]
},
{
"ipWhiteList": {
"ipAllowList": {
"sourceRange": ["127.0.0.2/32"]
},
"name": "ipwhitelist2@myprovider",
"name": "ipallowlist2@myprovider",
"provider": "myprovider",
"status": "enabled",
"type": "ipwhitelist",
"type": "ipallowlist",
"usedBy": [
"test@myprovider"
]

View file

@ -358,11 +358,11 @@
[http.middlewares.Middleware5.chain]
middlewares = ["foobar", "foobar"]
[http.middlewares.Middleware6]
[http.middlewares.Middleware6.ipWhiteList]
[http.middlewares.Middleware6.ipAllowList]
sourceRange = ["foobar", "foobar"]
[http.middlewares.Middleware7]
[http.middlewares.Middleware7.ipWhiteList]
[http.middlewares.Middleware7.ipWhiteList.ipStrategy]
[http.middlewares.Middleware7.ipAllowList]
[http.middlewares.Middleware7.ipAllowList.ipStrategy]
depth = 42
excludedIPs = ["foobar", "foobar"]
[http.middlewares.Middleware8]

View file

@ -18,7 +18,7 @@ type Middleware struct {
ReplacePath *ReplacePath `json:"replacePath,omitempty" toml:"replacePath,omitempty" yaml:"replacePath,omitempty" export:"true"`
ReplacePathRegex *ReplacePathRegex `json:"replacePathRegex,omitempty" toml:"replacePathRegex,omitempty" yaml:"replacePathRegex,omitempty" export:"true"`
Chain *Chain `json:"chain,omitempty" toml:"chain,omitempty" yaml:"chain,omitempty" export:"true"`
IPWhiteList *IPWhiteList `json:"ipWhiteList,omitempty" toml:"ipWhiteList,omitempty" yaml:"ipWhiteList,omitempty" export:"true"`
IPAllowList *IPAllowList `json:"ipAllowList,omitempty" toml:"ipAllowList,omitempty" yaml:"ipAllowList,omitempty" export:"true"`
Headers *Headers `json:"headers,omitempty" toml:"headers,omitempty" yaml:"headers,omitempty" export:"true"`
Errors *ErrorPage `json:"errors,omitempty" toml:"errors,omitempty" yaml:"errors,omitempty" export:"true"`
RateLimit *RateLimit `json:"rateLimit,omitempty" toml:"rateLimit,omitempty" yaml:"rateLimit,omitempty" export:"true"`
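Review bot: on the IPAllowList field the json, toml and yaml tags are replaced outright, so an existing configuration that still sets `ipWhiteList` no longer decodes into any field of Middleware. For an access-control middleware the failure mode matters: please confirm that a leftover `ipWhiteList` key produces a hard configuration error and that the router is not served without the filter. If that is not guaranteed, keep the old key as a deprecated alias for one release, and in either case list the rename in migration/v2-to-v3.md.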
@ -346,7 +346,7 @@ func (h *Headers) HasSecureHeadersDefined() bool {
// +k8s:deepcopy-gen=true
// IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
// More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy
// More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/#ipstrategy
type IPStrategy struct {
// Depth tells Traefik to use the X-Forwarded-For header and take the IP located at the depth position (starting from the right).
Depth int `json:"depth,omitempty" toml:"depth,omitempty" yaml:"depth,omitempty" export:"true"`
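Review bot: the updated "More info" link changes the page slug to ipallowlist but keeps the v2.9 version segment. Unless a page with that slug is published under v2.9, the link is dead. The same string is copied into the CRD descriptions elsewhere in this commit, so fix it here at the source and regenerate: point it at the documentation version that actually ships the rename.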
@ -385,10 +385,10 @@ func (s *IPStrategy) Get() (ip.Strategy, error) {
// +k8s:deepcopy-gen=true
// IPWhiteList holds the IP whitelist middleware configuration.
// IPAllowList holds the IP allowlist middleware configuration.
// This middleware accepts / refuses requests based on the client IP.
// More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/
type IPWhiteList struct {
// More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipallowlist/
type IPAllowList struct {
// SourceRange defines the set of allowed IPs (or ranges of allowed IPs by using CIDR notation).
SourceRange []string `json:"sourceRange,omitempty" toml:"sourceRange,omitempty" yaml:"sourceRange,omitempty"`
IPStrategy *IPStrategy `json:"ipStrategy,omitempty" toml:"ipStrategy,omitempty" yaml:"ipStrategy,omitempty" label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"`

View file

@ -5,7 +5,7 @@ package dynamic
// TCPMiddleware holds the TCPMiddleware configuration.
type TCPMiddleware struct {
InFlightConn *TCPInFlightConn `json:"inFlightConn,omitempty" toml:"inFlightConn,omitempty" yaml:"inFlightConn,omitempty" export:"true"`
IPWhiteList *TCPIPWhiteList `json:"ipWhiteList,omitempty" toml:"ipWhiteList,omitempty" yaml:"ipWhiteList,omitempty" export:"true"`
IPAllowList *TCPIPAllowList `json:"ipAllowList,omitempty" toml:"ipAllowList,omitempty" yaml:"ipAllowList,omitempty" export:"true"`
}
// +k8s:deepcopy-gen=true
@ -22,9 +22,9 @@ type TCPInFlightConn struct {
// +k8s:deepcopy-gen=true
// TCPIPWhiteList holds the TCP IPWhiteList middleware configuration.
// TCPIPAllowList holds the TCP IPAllowList middleware configuration.
// This middleware accepts/refuses connections based on the client IP.
type TCPIPWhiteList struct {
type TCPIPAllowList struct {
// SourceRange defines the allowed IPs (or ranges of allowed IPs by using CIDR notation).
SourceRange []string `json:"sourceRange,omitempty" toml:"sourceRange,omitempty" yaml:"sourceRange,omitempty"`
}

View file

@ -532,6 +532,32 @@ func (in *HealthCheck) DeepCopy() *HealthCheck {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *IPAllowList) DeepCopyInto(out *IPAllowList) {
*out = *in
if in.SourceRange != nil {
in, out := &in.SourceRange, &out.SourceRange
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.IPStrategy != nil {
in, out := &in.IPStrategy, &out.IPStrategy
*out = new(IPStrategy)
(*in).DeepCopyInto(*out)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IPAllowList.
func (in *IPAllowList) DeepCopy() *IPAllowList {
if in == nil {
return nil
}
out := new(IPAllowList)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *IPStrategy) DeepCopyInto(out *IPStrategy) {
*out = *in
@ -553,32 +579,6 @@ func (in *IPStrategy) DeepCopy() *IPStrategy {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *IPWhiteList) DeepCopyInto(out *IPWhiteList) {
*out = *in
if in.SourceRange != nil {
in, out := &in.SourceRange, &out.SourceRange
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.IPStrategy != nil {
in, out := &in.IPStrategy, &out.IPStrategy
*out = new(IPStrategy)
(*in).DeepCopyInto(*out)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IPWhiteList.
func (in *IPWhiteList) DeepCopy() *IPWhiteList {
if in == nil {
return nil
}
out := new(IPWhiteList)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *InFlightReq) DeepCopyInto(out *InFlightReq) {
*out = *in
@ -654,9 +654,9 @@ func (in *Middleware) DeepCopyInto(out *Middleware) {
*out = new(Chain)
(*in).DeepCopyInto(*out)
}
if in.IPWhiteList != nil {
in, out := &in.IPWhiteList, &out.IPWhiteList
*out = new(IPWhiteList)
if in.IPAllowList != nil {
in, out := &in.IPAllowList, &out.IPAllowList
*out = new(IPAllowList)
(*in).DeepCopyInto(*out)
}
if in.Headers != nil {
@ -1382,7 +1382,7 @@ func (in *TCPConfiguration) DeepCopy() *TCPConfiguration {
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TCPIPWhiteList) DeepCopyInto(out *TCPIPWhiteList) {
func (in *TCPIPAllowList) DeepCopyInto(out *TCPIPAllowList) {
*out = *in
if in.SourceRange != nil {
in, out := &in.SourceRange, &out.SourceRange
@ -1392,12 +1392,12 @@ func (in *TCPIPWhiteList) DeepCopyInto(out *TCPIPWhiteList) {
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TCPIPWhiteList.
func (in *TCPIPWhiteList) DeepCopy() *TCPIPWhiteList {
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TCPIPAllowList.
func (in *TCPIPAllowList) DeepCopy() *TCPIPAllowList {
if in == nil {
return nil
}
out := new(TCPIPWhiteList)
out := new(TCPIPAllowList)
in.DeepCopyInto(out)
return out
}
@ -1426,9 +1426,9 @@ func (in *TCPMiddleware) DeepCopyInto(out *TCPMiddleware) {
*out = new(TCPInFlightConn)
**out = **in
}
if in.IPWhiteList != nil {
in, out := &in.IPWhiteList, &out.IPWhiteList
*out = new(TCPIPWhiteList)
if in.IPAllowList != nil {
in, out := &in.IPAllowList, &out.IPAllowList
*out = new(TCPIPAllowList)
(*in).DeepCopyInto(*out)
}
return

View file

@ -82,9 +82,9 @@ func TestDecodeConfiguration(t *testing.T) {
"traefik.http.middlewares.Middleware8.headers.stsincludesubdomains": "true",
"traefik.http.middlewares.Middleware8.headers.stspreload": "true",
"traefik.http.middlewares.Middleware8.headers.stsseconds": "42",
"traefik.http.middlewares.Middleware9.ipwhitelist.ipstrategy.depth": "42",
"traefik.http.middlewares.Middleware9.ipwhitelist.ipstrategy.excludedips": "foobar, fiibar",
"traefik.http.middlewares.Middleware9.ipwhitelist.sourcerange": "foobar, fiibar",
"traefik.http.middlewares.Middleware9.ipallowlist.ipstrategy.depth": "42",
"traefik.http.middlewares.Middleware9.ipallowlist.ipstrategy.excludedips": "foobar, fiibar",
"traefik.http.middlewares.Middleware9.ipallowlist.sourcerange": "foobar, fiibar",
"traefik.http.middlewares.Middleware10.inflightreq.amount": "42",
"traefik.http.middlewares.Middleware10.inflightreq.sourcecriterion.ipstrategy.depth": "42",
"traefik.http.middlewares.Middleware10.inflightreq.sourcecriterion.ipstrategy.excludedips": "foobar, fiibar",
@ -180,7 +180,7 @@ func TestDecodeConfiguration(t *testing.T) {
"traefik.http.services.Service1.loadbalancer.sticky": "false",
"traefik.http.services.Service1.loadbalancer.sticky.cookie.name": "fui",
"traefik.tcp.middlewares.Middleware0.ipwhitelist.sourcerange": "foobar, fiibar",
"traefik.tcp.middlewares.Middleware0.ipallowlist.sourcerange": "foobar, fiibar",
"traefik.tcp.middlewares.Middleware2.inflightconn.amount": "42",
"traefik.tcp.routers.Router0.rule": "foobar",
"traefik.tcp.routers.Router0.priority": "42",
@ -244,7 +244,7 @@ func TestDecodeConfiguration(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{
"Middleware0": {
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"foobar", "fiibar"},
},
},
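Review bot: TestDecodeConfiguration now feeds only the `ipallowlist` label and expects IPAllowList, so nothing in the test pins down what happens to a label that still uses the old `ipwhitelist` key. Add a case with the legacy key and assert the intended outcome (a decode error, if that is the design), so that a silently ignored IP filter cannot regress unnoticed.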
@ -611,7 +611,7 @@ func TestDecodeConfiguration(t *testing.T) {
},
},
"Middleware9": {
IPWhiteList: &dynamic.IPWhiteList{
IPAllowList: &dynamic.IPAllowList{
SourceRange: []string{
"foobar",
"fiibar",
@ -741,7 +741,7 @@ func TestEncodeConfiguration(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{
"Middleware0": {
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"foobar", "fiibar"},
},
},
@ -1113,7 +1113,7 @@ func TestEncodeConfiguration(t *testing.T) {
},
},
"Middleware9": {
IPWhiteList: &dynamic.IPWhiteList{
IPAllowList: &dynamic.IPAllowList{
SourceRange: []string{
"foobar",
"fiibar",
@ -1265,9 +1265,9 @@ func TestEncodeConfiguration(t *testing.T) {
"traefik.HTTP.Middlewares.Middleware8.Headers.STSIncludeSubdomains": "true",
"traefik.HTTP.Middlewares.Middleware8.Headers.STSPreload": "true",
"traefik.HTTP.Middlewares.Middleware8.Headers.STSSeconds": "42",
"traefik.HTTP.Middlewares.Middleware9.IPWhiteList.IPStrategy.Depth": "42",
"traefik.HTTP.Middlewares.Middleware9.IPWhiteList.IPStrategy.ExcludedIPs": "foobar, fiibar",
"traefik.HTTP.Middlewares.Middleware9.IPWhiteList.SourceRange": "foobar, fiibar",
"traefik.HTTP.Middlewares.Middleware9.IPAllowList.IPStrategy.Depth": "42",
"traefik.HTTP.Middlewares.Middleware9.IPAllowList.IPStrategy.ExcludedIPs": "foobar, fiibar",
"traefik.HTTP.Middlewares.Middleware9.IPAllowList.SourceRange": "foobar, fiibar",
"traefik.HTTP.Middlewares.Middleware10.InFlightReq.Amount": "42",
"traefik.HTTP.Middlewares.Middleware10.InFlightReq.SourceCriterion.IPStrategy.Depth": "42",
"traefik.HTTP.Middlewares.Middleware10.InFlightReq.SourceCriterion.IPStrategy.ExcludedIPs": "foobar, fiibar",
@ -1360,7 +1360,7 @@ func TestEncodeConfiguration(t *testing.T) {
"traefik.HTTP.Services.Service1.LoadBalancer.server.Scheme": "foobar",
"traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Headers.name0": "foobar",
"traefik.TCP.Middlewares.Middleware0.IPWhiteList.SourceRange": "foobar, fiibar",
"traefik.TCP.Middlewares.Middleware0.IPAllowList.SourceRange": "foobar, fiibar",
"traefik.TCP.Middlewares.Middleware2.InFlightConn.Amount": "42",
"traefik.TCP.Routers.Router0.Rule": "foobar",
"traefik.TCP.Routers.Router0.Priority": "42",

View file

@ -11,25 +11,25 @@ import (
func TestIsAuthorized(t *testing.T) {
testCases := []struct {
desc string
whiteList []string
allowList []string
remoteAddr string
authorized bool
}{
{
desc: "remoteAddr not in range",
whiteList: []string{"1.2.3.4/24"},
allowList: []string{"1.2.3.4/24"},
remoteAddr: "10.2.3.1:123",
authorized: false,
},
{
desc: "remoteAddr in range",
whiteList: []string{"1.2.3.4/24"},
allowList: []string{"1.2.3.4/24"},
remoteAddr: "1.2.3.1:123",
authorized: true,
},
{
desc: "octal ip in remoteAddr",
whiteList: []string{"127.2.3.4/24"},
allowList: []string{"127.2.3.4/24"},
remoteAddr: "0127.2.3.1:123",
authorized: false,
},
@ -40,7 +40,7 @@ func TestIsAuthorized(t *testing.T) {
t.Run(test.desc, func(t *testing.T) {
t.Parallel()
ipChecker, err := NewChecker(test.whiteList)
ipChecker, err := NewChecker(test.allowList)
require.NoError(t, err)
err = ipChecker.IsAuthorized(test.remoteAddr)

View file

@ -1,4 +1,4 @@
package ipwhitelist
package ipallowlist
import (
"context"
@ -15,29 +15,29 @@ import (
)
const (
typeName = "IPWhiteLister"
typeName = "IPAllowLister"
)
// ipWhiteLister is a middleware that provides Checks of the Requesting IP against a set of Whitelists.
type ipWhiteLister struct {
// ipAllowLister is a middleware that provides Checks of the Requesting IP against a set of Allowlists.
type ipAllowLister struct {
next http.Handler
whiteLister *ip.Checker
allowLister *ip.Checker
strategy ip.Strategy
name string
}
// New builds a new IPWhiteLister given a list of CIDR-Strings to whitelist.
func New(ctx context.Context, next http.Handler, config dynamic.IPWhiteList, name string) (http.Handler, error) {
// New builds a new IPAllowLister given a list of CIDR-Strings to allow.
func New(ctx context.Context, next http.Handler, config dynamic.IPAllowList, name string) (http.Handler, error) {
logger := log.FromContext(middlewares.GetLoggerCtx(ctx, name, typeName))
logger.Debug("Creating middleware")
if len(config.SourceRange) == 0 {
return nil, errors.New("sourceRange is empty, IPWhiteLister not created")
return nil, errors.New("sourceRange is empty, IPAllowLister not created")
}
checker, err := ip.NewChecker(config.SourceRange)
if err != nil {
return nil, fmt.Errorf("cannot parse CIDR whitelist %s: %w", config.SourceRange, err)
return nil, fmt.Errorf("cannot parse CIDRs %s: %w", config.SourceRange, err)
}
strategy, err := config.IPStrategy.Get()
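Review bot: in `New`, the reworded error `cannot parse CIDRs %s` no longer says which option was being parsed, while the check just above it reports `sourceRange is empty`; something like `cannot parse sourceRange CIDRs %s` would keep the two consistent. The `typeName` constant also changes to `IPAllowLister` and is passed to `GetLoggerCtx`, so anyone filtering logs on the old name needs a changelog line. While the doc comment is being rewritten, the stray capitals in `Checks of the Requesting IP` could go too.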
@ -45,26 +45,26 @@ func New(ctx context.Context, next http.Handler, config dynamic.IPWhiteList, nam
return nil, err
}
logger.Debugf("Setting up IPWhiteLister with sourceRange: %s", config.SourceRange)
logger.Debugf("Setting up IPAllowLister with sourceRange: %s", config.SourceRange)
return &ipWhiteLister{
return &ipAllowLister{
strategy: strategy,
whiteLister: checker,
allowLister: checker,
next: next,
name: name,
}, nil
}
func (wl *ipWhiteLister) GetTracingInformation() (string, ext.SpanKindEnum) {
return wl.name, tracing.SpanKindNoneEnum
func (al *ipAllowLister) GetTracingInformation() (string, ext.SpanKindEnum) {
return al.name, tracing.SpanKindNoneEnum
}
func (wl *ipWhiteLister) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
ctx := middlewares.GetLoggerCtx(req.Context(), wl.name, typeName)
func (al *ipAllowLister) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
ctx := middlewares.GetLoggerCtx(req.Context(), al.name, typeName)
logger := log.FromContext(ctx)
clientIP := wl.strategy.GetIP(req)
err := wl.whiteLister.IsAuthorized(clientIP)
clientIP := al.strategy.GetIP(req)
err := al.allowLister.IsAuthorized(clientIP)
if err != nil {
msg := fmt.Sprintf("Rejecting IP %s: %v", clientIP, err)
logger.Debug(msg)
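Review bot: in `ServeHTTP`, a rejected client is still only reported through `logger.Debug(msg)`, whereas the TCP middleware in this same commit reports a rejected connection with `logger.Errorf`. Since both call sites are being touched for the rename, it would be good to pick one level for denials so that operators get the same signal from the HTTP and the TCP allowlist.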
@ -74,7 +74,7 @@ func (wl *ipWhiteLister) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
}
logger.Debugf("Accepting IP %s", clientIP)
wl.next.ServeHTTP(rw, req)
al.next.ServeHTTP(rw, req)
}
func reject(ctx context.Context, rw http.ResponseWriter) {

View file

@ -1,4 +1,4 @@
package ipwhitelist
package ipallowlist
import (
"context"
@ -11,22 +11,22 @@ import (
"github.com/traefik/traefik/v2/pkg/config/dynamic"
)
func TestNewIPWhiteLister(t *testing.T) {
func TestNewIPAllowLister(t *testing.T) {
testCases := []struct {
desc string
whiteList dynamic.IPWhiteList
allowList dynamic.IPAllowList
expectedError bool
}{
{
desc: "invalid IP",
whiteList: dynamic.IPWhiteList{
allowList: dynamic.IPAllowList{
SourceRange: []string{"foo"},
},
expectedError: true,
},
{
desc: "valid IP",
whiteList: dynamic.IPWhiteList{
allowList: dynamic.IPAllowList{
SourceRange: []string{"10.10.10.10"},
},
},
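Review bot: the cases visible in this hunk are `invalid IP` and `valid IP` only, yet `New` returns `sourceRange is empty, IPAllowLister not created` for an empty `SourceRange`, and the TCP test in this commit has an `Empty config` case for that path. Please add the same case here, with `allowList: dynamic.IPAllowList{}` and `expectedError: true`, so the refusal to build an allowlist with no ranges stays covered on the HTTP side.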
@ -38,28 +38,28 @@ func TestNewIPWhiteLister(t *testing.T) {
t.Parallel()
next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
whiteLister, err := New(context.Background(), next, test.whiteList, "traefikTest")
allowLister, err := New(context.Background(), next, test.allowList, "traefikTest")
if test.expectedError {
assert.Error(t, err)
} else {
require.NoError(t, err)
assert.NotNil(t, whiteLister)
assert.NotNil(t, allowLister)
}
})
}
}
func TestIPWhiteLister_ServeHTTP(t *testing.T) {
func TestIPAllowLister_ServeHTTP(t *testing.T) {
testCases := []struct {
desc string
whiteList dynamic.IPWhiteList
allowList dynamic.IPAllowList
remoteAddr string
expected int
}{
{
desc: "authorized with remote address",
whiteList: dynamic.IPWhiteList{
allowList: dynamic.IPAllowList{
SourceRange: []string{"20.20.20.20"},
},
remoteAddr: "20.20.20.20:1234",
@ -67,7 +67,7 @@ func TestIPWhiteLister_ServeHTTP(t *testing.T) {
},
{
desc: "non authorized with remote address",
whiteList: dynamic.IPWhiteList{
allowList: dynamic.IPAllowList{
SourceRange: []string{"20.20.20.20"},
},
remoteAddr: "20.20.20.21:1234",
@ -81,7 +81,7 @@ func TestIPWhiteLister_ServeHTTP(t *testing.T) {
t.Parallel()
next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
whiteLister, err := New(context.Background(), next, test.whiteList, "traefikTest")
allowLister, err := New(context.Background(), next, test.allowList, "traefikTest")
require.NoError(t, err)
recorder := httptest.NewRecorder()
@ -92,7 +92,7 @@ func TestIPWhiteLister_ServeHTTP(t *testing.T) {
req.RemoteAddr = test.remoteAddr
}
whiteLister.ServeHTTP(recorder, req)
allowLister.ServeHTTP(recorder, req)
assert.Equal(t, test.expected, recorder.Code)
})

View file

@ -1,4 +1,4 @@
package tcpipwhitelist
package tcpipallowlist
import (
"context"
@ -13,46 +13,46 @@ import (
)
const (
typeName = "IPWhiteListerTCP"
typeName = "IPAllowListerTCP"
)
// ipWhiteLister is a middleware that provides Checks of the Requesting IP against a set of Whitelists.
type ipWhiteLister struct {
// ipAllowLister is a middleware that provides Checks of the Requesting IP against a set of Allowlists.
type ipAllowLister struct {
next tcp.Handler
whiteLister *ip.Checker
allowLister *ip.Checker
name string
}
// New builds a new TCP IPWhiteLister given a list of CIDR-Strings to whitelist.
func New(ctx context.Context, next tcp.Handler, config dynamic.TCPIPWhiteList, name string) (tcp.Handler, error) {
// New builds a new TCP IPAllowLister given a list of CIDR-Strings to allow.
func New(ctx context.Context, next tcp.Handler, config dynamic.TCPIPAllowList, name string) (tcp.Handler, error) {
logger := log.FromContext(middlewares.GetLoggerCtx(ctx, name, typeName))
logger.Debug("Creating middleware")
if len(config.SourceRange) == 0 {
return nil, errors.New("sourceRange is empty, IPWhiteLister not created")
return nil, errors.New("sourceRange is empty, IPAllowLister not created")
}
checker, err := ip.NewChecker(config.SourceRange)
if err != nil {
return nil, fmt.Errorf("cannot parse CIDR whitelist %s: %w", config.SourceRange, err)
return nil, fmt.Errorf("cannot parse CIDRs %s: %w", config.SourceRange, err)
}
logger.Debugf("Setting up IPWhiteLister with sourceRange: %s", config.SourceRange)
logger.Debugf("Setting up IPAllowLister with sourceRange: %s", config.SourceRange)
return &ipWhiteLister{
whiteLister: checker,
return &ipAllowLister{
allowLister: checker,
next: next,
name: name,
}, nil
}
func (wl *ipWhiteLister) ServeTCP(conn tcp.WriteCloser) {
ctx := middlewares.GetLoggerCtx(context.Background(), wl.name, typeName)
func (al *ipAllowLister) ServeTCP(conn tcp.WriteCloser) {
ctx := middlewares.GetLoggerCtx(context.Background(), al.name, typeName)
logger := log.FromContext(ctx)
addr := conn.RemoteAddr().String()
err := wl.whiteLister.IsAuthorized(addr)
err := al.allowLister.IsAuthorized(addr)
if err != nil {
logger.Errorf("Connection from %s rejected: %v", addr, err)
conn.Close()
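Review bot: in the TCP `New`, `typeName` becomes `IPAllowListerTCP` but the error still reads `sourceRange is empty, IPAllowLister not created`, the same text the HTTP middleware returns. Using the TCP name in the message (or reusing `typeName`) would let an operator tell which of the two failed to build. The struct comment also still speaks of the `Requesting IP`, which for this type is the address taken from `conn.RemoteAddr()`.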
@ -61,5 +61,5 @@ func (wl *ipWhiteLister) ServeTCP(conn tcp.WriteCloser) {
logger.Debugf("Connection from %s accepted", addr)
wl.next.ServeTCP(conn)
al.next.ServeTCP(conn)
}

View file

@ -1,4 +1,4 @@
package tcpipwhitelist
package tcpipallowlist
import (
"context"
@ -12,27 +12,27 @@ import (
"github.com/traefik/traefik/v2/pkg/tcp"
)
func TestNewIPWhiteLister(t *testing.T) {
func TestNewIPAllowLister(t *testing.T) {
testCases := []struct {
desc string
whiteList dynamic.TCPIPWhiteList
allowList dynamic.TCPIPAllowList
expectedError bool
}{
{
desc: "Empty config",
whiteList: dynamic.TCPIPWhiteList{},
allowList: dynamic.TCPIPAllowList{},
expectedError: true,
},
{
desc: "invalid IP",
whiteList: dynamic.TCPIPWhiteList{
allowList: dynamic.TCPIPAllowList{
SourceRange: []string{"foo"},
},
expectedError: true,
},
{
desc: "valid IP",
whiteList: dynamic.TCPIPWhiteList{
allowList: dynamic.TCPIPAllowList{
SourceRange: []string{"10.10.10.10"},
},
},
@ -44,28 +44,28 @@ func TestNewIPWhiteLister(t *testing.T) {
t.Parallel()
next := tcp.HandlerFunc(func(conn tcp.WriteCloser) {})
whiteLister, err := New(context.Background(), next, test.whiteList, "traefikTest")
allowLister, err := New(context.Background(), next, test.allowList, "traefikTest")
if test.expectedError {
assert.Error(t, err)
} else {
require.NoError(t, err)
assert.NotNil(t, whiteLister)
assert.NotNil(t, allowLister)
}
})
}
}
func TestIPWhiteLister_ServeHTTP(t *testing.T) {
func TestIPAllowLister_ServeHTTP(t *testing.T) {
testCases := []struct {
desc string
whiteList dynamic.TCPIPWhiteList
allowList dynamic.TCPIPAllowList
remoteAddr string
expected string
}{
{
desc: "authorized with remote address",
whiteList: dynamic.TCPIPWhiteList{
allowList: dynamic.TCPIPAllowList{
SourceRange: []string{"20.20.20.20"},
},
remoteAddr: "20.20.20.20:1234",
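Review bot: `TestIPAllowLister_ServeHTTP` sits in the `tcpipallowlist` package and, further down, calls `allowLister.ServeTCP(...)`, so the name does not match what it tests. The function is already being renamed in this hunk; `TestIPAllowLister_ServeTCP` would fit.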
@ -73,7 +73,7 @@ func TestIPWhiteLister_ServeHTTP(t *testing.T) {
},
{
desc: "non authorized with remote address",
whiteList: dynamic.TCPIPWhiteList{
allowList: dynamic.TCPIPAllowList{
SourceRange: []string{"20.20.20.20"},
},
remoteAddr: "20.20.20.21:1234",
@ -94,13 +94,13 @@ func TestIPWhiteLister_ServeHTTP(t *testing.T) {
require.NoError(t, err)
})
whiteLister, err := New(context.Background(), next, test.whiteList, "traefikTest")
allowLister, err := New(context.Background(), next, test.allowList, "traefikTest")
require.NoError(t, err)
server, client := net.Pipe()
go func() {
whiteLister.ServeTCP(&contextWriteCloser{client, addr{test.remoteAddr}})
allowLister.ServeTCP(&contextWriteCloser{client, addr{test.remoteAddr}})
}()
read, err := io.ReadAll(server)

View file

@ -2022,7 +2022,7 @@ func Test_buildConfiguration(t *testing.T) {
Name: "Test",
Labels: map[string]string{
"traefik.tcp.routers.Test.rule": "HostSNI(`foo.bar`)",
"traefik.tcp.middlewares.Middleware1.ipwhitelist.sourcerange": "foobar, fiibar",
"traefik.tcp.middlewares.Middleware1.ipallowlist.sourcerange": "foobar, fiibar",
"traefik.tcp.routers.Test.middlewares": "Middleware1",
},
Address: "127.0.0.1",
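Review bot: the fixture label in this hunk switches from `traefik.tcp.middlewares.Middleware1.ipwhitelist.sourcerange` to the `ipallowlist` key, and no case is left that feeds the old key. Labels are set on the workloads, which are deployed separately from the proxy, so please add a case that pins down what happens when a workload still carries the `ipwhitelist` label. For an access-control middleware an explicit configuration error is the safer outcome than the label being dropped, and the rename should be called out in the migration notes.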
@ -2041,7 +2041,7 @@ func Test_buildConfiguration(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{
"Middleware1": {
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"foobar", "fiibar"},
},
},

View file

@ -2611,7 +2611,7 @@ func Test_buildConfiguration(t *testing.T) {
Name: "Test",
Labels: map[string]string{
"traefik.tcp.routers.Test.rule": "HostSNI(`foo.bar`)",
"traefik.tcp.middlewares.Middleware1.ipwhitelist.sourcerange": "foobar, fiibar",
"traefik.tcp.middlewares.Middleware1.ipallowlist.sourcerange": "foobar, fiibar",
"traefik.tcp.routers.Test.middlewares": "Middleware1",
},
NetworkSettings: networkSettings{
@ -2638,7 +2638,7 @@ func Test_buildConfiguration(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{
"Middleware1": {
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"foobar", "fiibar"},
},
},

View file

@ -2333,7 +2333,7 @@ func Test_buildConfiguration(t *testing.T) {
name("Test"),
labels(map[string]string{
"traefik.tcp.routers.Test.rule": "HostSNI(`foo.bar`)",
"traefik.tcp.middlewares.Middleware1.ipwhitelist.sourcerange": "foobar, fiibar",
"traefik.tcp.middlewares.Middleware1.ipallowlist.sourcerange": "foobar, fiibar",
"traefik.tcp.routers.Test.middlewares": "Middleware1",
}),
iMachine(
@ -2356,7 +2356,7 @@ func Test_buildConfiguration(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{
"Middleware1": {
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"foobar", "fiibar"},
},
},

View file

@ -1,10 +1,10 @@
apiVersion: traefik.containo.us/v1alpha1
kind: MiddlewareTCP
metadata:
name: ipwhitelist
name: ipallowlist
namespace: default
spec:
ipWhiteList:
ipAllowList:
sourceRange:
- 127.0.0.1/32
@ -12,10 +12,10 @@ spec:
apiVersion: traefik.containo.us/v1alpha1
kind: MiddlewareTCP
metadata:
name: ipwhitelist
name: ipallowlist
namespace: foo
spec:
ipWhiteList:
ipAllowList:
sourceRange:
- 127.0.0.1/32
---
@ -36,6 +36,6 @@ spec:
port: 8000
middlewares:
- name: ipwhitelist
- name: ipwhitelist
- name: ipallowlist
- name: ipallowlist
namespace: foo

View file

@ -1,10 +1,10 @@
apiVersion: traefik.containo.us/v1alpha1
kind: MiddlewareTCP
metadata:
name: ipwhitelist
name: ipallowlist
namespace: default
spec:
ipWhiteList:
ipAllowList:
sourceRange:
- 127.0.0.1/32
@ -12,10 +12,10 @@ spec:
apiVersion: traefik.containo.us/v1alpha1
kind: MiddlewareTCP
metadata:
name: ipwhitelist
name: ipallowlist
namespace: foo
spec:
ipWhiteList:
ipAllowList:
sourceRange:
- 127.0.0.1/32
---
@ -36,9 +36,9 @@ spec:
port: 8000
middlewares:
- name: ipwhitelist
- name: ipwhitelist
- name: ipallowlist
- name: ipallowlist
namespace: foo
- name: ipwhitelist@file
- name: ipwhitelist-foo@file
- name: ipallowlist@file
- name: ipallowlist-foo@file
namespace: foo

View file

@ -4,7 +4,7 @@ metadata:
name: multiple---hyphens
namespace: default
spec:
ipWhiteList:
ipAllowList:
sourceRange:
- 127.0.0.1/32

View file

@ -1,10 +1,10 @@
apiVersion: traefik.containo.us/v1alpha1
kind: MiddlewareTCP
metadata:
name: ipwhitelist
name: ipallowlist
namespace: default
spec:
ipWhiteList:
ipAllowList:
sourceRange:
- 127.0.0.1/32
@ -12,10 +12,10 @@ spec:
apiVersion: traefik.containo.us/v1alpha1
kind: MiddlewareTCP
metadata:
name: ipwhitelist
name: ipallowlist
namespace: cross-ns
spec:
ipWhiteList:
ipAllowList:
sourceRange:
- 127.0.0.1/32
---
@ -36,7 +36,7 @@ spec:
port: 8000
middlewares:
- name: ipwhitelist
- name: ipallowlist
- match: HostSNI(`bar.com`)
services:
@ -44,5 +44,5 @@ spec:
port: 8000
middlewares:
- name: ipwhitelist
- name: ipallowlist
namespace: cross-ns

View file

@ -263,7 +263,7 @@ func (p *Provider) loadConfigurationFromCRD(ctx context.Context, client Client)
ReplacePath: middleware.Spec.ReplacePath,
ReplacePathRegex: middleware.Spec.ReplacePathRegex,
Chain: createChainMiddleware(ctxMid, middleware.Namespace, middleware.Spec.Chain),
IPWhiteList: middleware.Spec.IPWhiteList,
IPAllowList: middleware.Spec.IPAllowList,
Headers: middleware.Spec.Headers,
Errors: errorPage,
RateLimit: rateLimit,
@ -288,7 +288,7 @@ func (p *Provider) loadConfigurationFromCRD(ctx context.Context, client Client)
conf.TCP.Middlewares[id] = &dynamic.TCPMiddleware{
InFlightConn: middlewareTCP.Spec.InFlightConn,
IPWhiteList: middlewareTCP.Spec.IPWhiteList,
IPAllowList: middlewareTCP.Spec.IPAllowList,
}
}

View file

@ -119,18 +119,18 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
"default-test.route-fdd3e9338e47a45efefc": {
EntryPoints: []string{"foo"},
Service: "default-test.route-fdd3e9338e47a45efefc",
Middlewares: []string{"default-ipwhitelist", "foo-ipwhitelist"},
Middlewares: []string{"default-ipallowlist", "foo-ipallowlist"},
Rule: "HostSNI(`foo.com`)",
},
},
Middlewares: map[string]*dynamic.TCPMiddleware{
"default-ipwhitelist": {
IPWhiteList: &dynamic.TCPIPWhiteList{
"default-ipallowlist": {
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
"foo-ipwhitelist": {
IPWhiteList: &dynamic.TCPIPWhiteList{
"foo-ipallowlist": {
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
@ -178,7 +178,7 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{
"default-multiple-hyphens": {
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
@ -220,18 +220,18 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
"default-test.route-fdd3e9338e47a45efefc": {
EntryPoints: []string{"foo"},
Service: "default-test.route-fdd3e9338e47a45efefc",
Middlewares: []string{"default-ipwhitelist", "foo-ipwhitelist", "ipwhitelist@file", "ipwhitelist-foo@file"},
Middlewares: []string{"default-ipallowlist", "foo-ipallowlist", "ipallowlist@file", "ipallowlist-foo@file"},
Rule: "HostSNI(`foo.com`)",
},
},
Middlewares: map[string]*dynamic.TCPMiddleware{
"default-ipwhitelist": {
IPWhiteList: &dynamic.TCPIPWhiteList{
"default-ipallowlist": {
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
"foo-ipwhitelist": {
IPWhiteList: &dynamic.TCPIPWhiteList{
"foo-ipallowlist": {
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
@ -5459,18 +5459,18 @@ func TestCrossNamespace(t *testing.T) {
"default-test.route-fdd3e9338e47a45efefc": {
EntryPoints: []string{"foo"},
Service: "default-test.route-fdd3e9338e47a45efefc",
Middlewares: []string{"default-ipwhitelist"},
Middlewares: []string{"default-ipallowlist"},
Rule: "HostSNI(`foo.com`)",
},
},
Middlewares: map[string]*dynamic.TCPMiddleware{
"default-ipwhitelist": {
IPWhiteList: &dynamic.TCPIPWhiteList{
"default-ipallowlist": {
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
"cross-ns-ipwhitelist": {
IPWhiteList: &dynamic.TCPIPWhiteList{
"cross-ns-ipallowlist": {
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
@ -5513,24 +5513,24 @@ func TestCrossNamespace(t *testing.T) {
"default-test.route-fdd3e9338e47a45efefc": {
EntryPoints: []string{"foo"},
Service: "default-test.route-fdd3e9338e47a45efefc",
Middlewares: []string{"default-ipwhitelist"},
Middlewares: []string{"default-ipallowlist"},
Rule: "HostSNI(`foo.com`)",
},
"default-test.route-f44ce589164e656d231c": {
EntryPoints: []string{"foo"},
Service: "default-test.route-f44ce589164e656d231c",
Middlewares: []string{"cross-ns-ipwhitelist"},
Middlewares: []string{"cross-ns-ipallowlist"},
Rule: "HostSNI(`bar.com`)",
},
},
Middlewares: map[string]*dynamic.TCPMiddleware{
"default-ipwhitelist": {
IPWhiteList: &dynamic.TCPIPWhiteList{
"default-ipallowlist": {
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},
"cross-ns-ipwhitelist": {
IPWhiteList: &dynamic.TCPIPWhiteList{
"cross-ns-ipallowlist": {
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"127.0.0.1/32"},
},
},

View file

@ -32,7 +32,7 @@ type MiddlewareSpec struct {
ReplacePath *dynamic.ReplacePath `json:"replacePath,omitempty"`
ReplacePathRegex *dynamic.ReplacePathRegex `json:"replacePathRegex,omitempty"`
Chain *Chain `json:"chain,omitempty"`
IPWhiteList *dynamic.IPWhiteList `json:"ipWhiteList,omitempty"`
IPAllowList *dynamic.IPAllowList `json:"ipAllowList,omitempty"`
Headers *dynamic.Headers `json:"headers,omitempty"`
Errors *ErrorPage `json:"errors,omitempty"`
RateLimit *RateLimit `json:"rateLimit,omitempty"`
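Review bot: the struct tag on this field changes from `json:"ipWhiteList,omitempty"` to `json:"ipAllowList,omitempty"`, so a Middleware manifest that still sets `spec.ipWhiteList` no longer maps onto `IPAllowList`. For a field that restricts access by source address, that case should fail loudly rather than leave the pointer nil: either keep a deprecated `IPWhiteList` field for a release, or make sure the regenerated CRD schema rejects the old key, and document the change in the migration guide.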

View file

@ -25,8 +25,8 @@ type MiddlewareTCP struct {
type MiddlewareTCPSpec struct {
// InFlightConn defines the InFlightConn middleware configuration.
InFlightConn *dynamic.TCPInFlightConn `json:"inFlightConn,omitempty"`
// IPWhiteList defines the IPWhiteList middleware configuration.
IPWhiteList *dynamic.TCPIPWhiteList `json:"ipWhiteList,omitempty"`
// IPAllowList defines the IPAllowList middleware configuration.
IPAllowList *dynamic.TCPIPAllowList `json:"ipAllowList,omitempty"`
}
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

View file

@ -689,9 +689,9 @@ func (in *MiddlewareSpec) DeepCopyInto(out *MiddlewareSpec) {
*out = new(Chain)
(*in).DeepCopyInto(*out)
}
if in.IPWhiteList != nil {
in, out := &in.IPWhiteList, &out.IPWhiteList
*out = new(dynamic.IPWhiteList)
if in.IPAllowList != nil {
in, out := &in.IPAllowList, &out.IPAllowList
*out = new(dynamic.IPAllowList)
(*in).DeepCopyInto(*out)
}
if in.Headers != nil {
@ -857,9 +857,9 @@ func (in *MiddlewareTCPSpec) DeepCopyInto(out *MiddlewareTCPSpec) {
*out = new(dynamic.TCPInFlightConn)
**out = **in
}
if in.IPWhiteList != nil {
in, out := &in.IPWhiteList, &out.IPWhiteList
*out = new(dynamic.TCPIPWhiteList)
if in.IPAllowList != nil {
in, out := &in.IPAllowList, &out.IPAllowList
*out = new(dynamic.TCPIPAllowList)
(*in).DeepCopyInto(*out)
}
return

View file

@ -140,11 +140,11 @@ func Test_buildConfiguration(t *testing.T) {
"traefik/http/middlewares/Middleware09/headers/customRequestHeaders/name0": "foobar",
"traefik/http/middlewares/Middleware09/headers/customRequestHeaders/name1": "foobar",
"traefik/http/middlewares/Middleware09/headers/browserXssFilter": "true",
"traefik/http/middlewares/Middleware10/ipWhiteList/sourceRange/0": "foobar",
"traefik/http/middlewares/Middleware10/ipWhiteList/sourceRange/1": "foobar",
"traefik/http/middlewares/Middleware10/ipWhiteList/ipStrategy/excludedIPs/0": "foobar",
"traefik/http/middlewares/Middleware10/ipWhiteList/ipStrategy/excludedIPs/1": "foobar",
"traefik/http/middlewares/Middleware10/ipWhiteList/ipStrategy/depth": "42",
"traefik/http/middlewares/Middleware10/ipAllowList/sourceRange/0": "foobar",
"traefik/http/middlewares/Middleware10/ipAllowList/sourceRange/1": "foobar",
"traefik/http/middlewares/Middleware10/ipAllowList/ipStrategy/excludedIPs/0": "foobar",
"traefik/http/middlewares/Middleware10/ipAllowList/ipStrategy/excludedIPs/1": "foobar",
"traefik/http/middlewares/Middleware10/ipAllowList/ipStrategy/depth": "42",
"traefik/http/middlewares/Middleware11/inFlightReq/amount": "42",
"traefik/http/middlewares/Middleware11/inFlightReq/sourceCriterion/requestHost": "true",
"traefik/http/middlewares/Middleware11/inFlightReq/sourceCriterion/ipStrategy/depth": "42",
@ -340,7 +340,7 @@ func Test_buildConfiguration(t *testing.T) {
},
Middlewares: map[string]*dynamic.Middleware{
"Middleware10": {
IPWhiteList: &dynamic.IPWhiteList{
IPAllowList: &dynamic.IPAllowList{
SourceRange: []string{
"foobar",
"foobar",

View file

@ -196,14 +196,14 @@ func TestBuildConfiguration(t *testing.T) {
},
},
{
desc: "TCP with IP whitelist",
desc: "TCP with IP allowlist",
applications: withApplications(
application(
appID("/app"),
appPorts(80),
withLabel("traefik.tcp.routers.Test.rule", "HostSNI(`foo.bar`)"),
withLabel("traefik.tcp.middlewares.Middleware1.ipwhitelist.sourcerange", "foobar, fiibar"),
withLabel("traefik.tcp.middlewares.Middleware1.ipallowlist.sourcerange", "foobar, fiibar"),
withLabel("traefik.tcp.routers.Test.middlewares", "Middleware1"),
withTasks(localhostTask(taskPorts(80))),
)),
@ -218,7 +218,7 @@ func TestBuildConfiguration(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{
"Middleware1": {
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"foobar", "fiibar"},
},
},

View file

@ -1621,7 +1621,7 @@ func Test_buildConfig(t *testing.T) {
Name: "Test",
Tags: []string{
"traefik.tcp.routers.Test.rule = HostSNI(`foo.bar`)",
"traefik.tcp.middlewares.Middleware1.ipwhitelist.sourcerange = foobar, fiibar",
"traefik.tcp.middlewares.Middleware1.ipallowlist.sourcerange = foobar, fiibar",
"traefik.tcp.routers.Test.middlewares = Middleware1",
},
Address: "127.0.0.1",
@ -1640,7 +1640,7 @@ func Test_buildConfig(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{
"Middleware1": {
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"foobar", "fiibar"},
},
},

View file

@ -508,7 +508,7 @@ func Test_buildConfiguration(t *testing.T) {
Name: "Test",
Labels: map[string]string{
"traefik.tcp.routers.Test.rule": "HostSNI(`foo.bar`)",
"traefik.tcp.middlewares.Middleware1.ipwhitelist.sourcerange": "foobar, fiibar",
"traefik.tcp.middlewares.Middleware1.ipallowlist.sourcerange": "foobar, fiibar",
"traefik.tcp.routers.Test.middlewares": "Middleware1",
},
Port: "80/tcp",
@ -528,7 +528,7 @@ func Test_buildConfiguration(t *testing.T) {
},
Middlewares: map[string]*dynamic.TCPMiddleware{
"Middleware1": {
IPWhiteList: &dynamic.TCPIPWhiteList{
IPAllowList: &dynamic.TCPIPAllowList{
SourceRange: []string{"foobar", "fiibar"},
},
},

View file

@ -191,7 +191,7 @@ func init() {
Chain: &dynamic.Chain{
Middlewares: []string{"foo"},
},
IPWhiteList: &dynamic.IPWhiteList{
IPAllowList: &dynamic.IPAllowList{
SourceRange: []string{"foo"},
IPStrategy: &dynamic.IPStrategy{
Depth: 42,

View file

@ -119,7 +119,7 @@
"foo"
]
},
"ipWhiteList": {
"ipAllowList": {
"sourceRange": [
"xxxx"
],

View file

@ -119,7 +119,7 @@
"foo"
]
},
"ipWhiteList": {
"ipAllowList": {
"sourceRange": [
"foo"
],

View file

@ -19,7 +19,7 @@ import (
"github.com/traefik/traefik/v2/pkg/middlewares/customerrors"
"github.com/traefik/traefik/v2/pkg/middlewares/headers"
"github.com/traefik/traefik/v2/pkg/middlewares/inflightreq"
"github.com/traefik/traefik/v2/pkg/middlewares/ipwhitelist"
"github.com/traefik/traefik/v2/pkg/middlewares/ipallowlist"
"github.com/traefik/traefik/v2/pkg/middlewares/passtlsclientcert"
"github.com/traefik/traefik/v2/pkg/middlewares/ratelimiter"
"github.com/traefik/traefik/v2/pkg/middlewares/redirect"
@ -229,13 +229,13 @@ func (b *Builder) buildConstructor(ctx context.Context, middlewareName string) (
}
}
// IPWhiteList
if config.IPWhiteList != nil {
// IPAllowList
if config.IPAllowList != nil {
if middleware != nil {
return nil, badConf
}
middleware = func(next http.Handler) (http.Handler, error) {
return ipwhitelist.New(ctx, next, *config.IPWhiteList, middlewareName)
return ipallowlist.New(ctx, next, *config.IPAllowList, middlewareName)
}
}

View file

@ -7,7 +7,7 @@ import (
"github.com/traefik/traefik/v2/pkg/config/runtime"
inflightconn "github.com/traefik/traefik/v2/pkg/middlewares/tcp/inflightconn"
ipwhitelist "github.com/traefik/traefik/v2/pkg/middlewares/tcp/ipwhitelist"
ipallowlist "github.com/traefik/traefik/v2/pkg/middlewares/tcp/ipallowlist"
"github.com/traefik/traefik/v2/pkg/server/provider"
"github.com/traefik/traefik/v2/pkg/tcp"
)
@ -94,10 +94,10 @@ func (b *Builder) buildConstructor(ctx context.Context, middlewareName string) (
}
}
// IPWhiteList
if config.IPWhiteList != nil {
// IPAllowList
if config.IPAllowList != nil {
middleware = func(next tcp.Handler) (tcp.Handler, error) {
return ipwhitelist.New(ctx, next, *config.IPWhiteList, middlewareName)
return ipallowlist.New(ctx, next, *config.IPAllowList, middlewareName)
}
}
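Review bot: the `// IPAllowList` block in this TCP builder assigns `middleware` directly, while the HTTP builder's equivalent block in this commit first checks `if middleware != nil { return nil, badConf }`. If an earlier branch has already set `middleware`, this assignment replaces it without an error. That is not introduced by the rename, but the block is being rewritten anyway, and adding the same guard here would make a TCP middleware that sets more than one type fail instead of keeping only the last one.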

View file

@ -675,8 +675,8 @@
</div>
</q-card-section>
<!-- EXTRA FIELDS FROM MIDDLEWARES - [ipWhiteList] - sourceRange -->
<q-card-section v-if="middleware.ipWhiteList">
<!-- EXTRA FIELDS FROM MIDDLEWARES - [ipAllowList] - sourceRange -->
<q-card-section v-if="middleware.ipAllowList">
<div class="row items-start no-wrap">
<div class="col">
<div class="text-subtitle2">Source Range</div>
@ -689,8 +689,8 @@
</div>
</div>
</q-card-section>
<!-- EXTRA FIELDS FROM MIDDLEWARES - [ipWhiteList] - ipStrategy -->
<q-card-section v-if="middleware.ipWhiteList">
<!-- EXTRA FIELDS FROM MIDDLEWARES - [ipAllowList] - ipStrategy -->
<q-card-section v-if="middleware.ipAllowList">
<div class="row items-start">
<div class="col-12">
<div class="text-subtitle2">IP Strategy</div>
@ -1076,8 +1076,8 @@
</q-card-section>
<q-card-section v-if="protocol === 'tcp'">
<!-- EXTRA FIELDS FROM MIDDLEWARES - [ipWhiteList] - sourceRange -->
<q-card-section v-if="middleware.ipWhiteList">
<!-- EXTRA FIELDS FROM MIDDLEWARES - [ipAllowList] - sourceRange -->
<q-card-section v-if="middleware.ipAllowList">
<div class="row items-start no-wrap">
<div class="col">
<div class="text-subtitle2">Source Range</div>