docs: excludedIPs with IPWhiteList and IPAllowList middleware
This commit is contained in:
parent
945ff9b0f9
commit
d3516aec31
9 changed files with 100 additions and 31 deletions
|
@ -8,11 +8,11 @@ description: "Learn how to use IPAllowList in HTTP middleware for limiting clien
|
|||
Limiting Clients to Specific IPs
|
||||
{: .subtitle }
|
||||
|
||||
IPAllowList accepts / refuses requests based on the client IP.
|
||||
IPAllowList limits allowed requests based on the client IP.
|
||||
|
||||
## Configuration Examples
|
||||
|
||||
```yaml tab="Docker & Swarm"
|
||||
```yaml tab="Docker"
|
||||
# Accepts request from defined IP
|
||||
labels:
|
||||
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
|
||||
|
@ -35,6 +35,18 @@ spec:
|
|||
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
|
||||
```
|
||||
|
||||
```json tab="Marathon"
|
||||
"labels": {
|
||||
"traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange": "127.0.0.1/32,192.168.1.7"
|
||||
}
|
||||
```
|
||||
|
||||
```yaml tab="Rancher"
|
||||
# Accepts request from defined IP
|
||||
labels:
|
||||
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
|
||||
```
|
||||
|
||||
```yaml tab="File (YAML)"
|
||||
# Accepts request from defined IP
|
||||
http:
|
||||
|
@ -57,6 +69,8 @@ http:
|
|||
|
||||
### `sourceRange`
|
||||
|
||||
_Required_
|
||||
|
||||
The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs by using CIDR notation).
|
||||
|
||||
### `ipStrategy`
|
||||
|
@ -83,7 +97,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
|
|||
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3` | `"11.0.0.1"` |
|
||||
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5` | `""` |
|
||||
|
||||
```yaml tab="Docker & Swarm"
|
||||
```yaml tab="Docker"
|
||||
# Allowlisting Based on `X-Forwarded-For` with `depth=2`
|
||||
labels:
|
||||
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
|
||||
|
@ -111,6 +125,20 @@ spec:
|
|||
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
|
||||
```
|
||||
|
||||
```json tab="Marathon"
|
||||
"labels": {
|
||||
"traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange": "127.0.0.1/32, 192.168.1.7",
|
||||
"traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth": "2"
|
||||
}
|
||||
```
|
||||
|
||||
```yaml tab="Rancher"
|
||||
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
|
||||
labels:
|
||||
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
|
||||
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
|
||||
```
|
||||
|
||||
```yaml tab="File (YAML)"
|
||||
# Allowlisting Based on `X-Forwarded-For` with `depth=2`
|
||||
http:
|
||||
|
@ -149,9 +177,10 @@ http:
|
|||
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
|
||||
| `"10.0.0.1,11.0.0.1"` | `"10.0.0.1,11.0.0.1"` | `""` |
|
||||
|
||||
```yaml tab="Docker & Swarm"
|
||||
```yaml tab="Docker"
|
||||
# Exclude from `X-Forwarded-For`
|
||||
labels:
|
||||
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
|
||||
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
|
||||
```
|
||||
|
||||
|
@ -163,6 +192,9 @@ metadata:
|
|||
name: test-ipallowlist
|
||||
spec:
|
||||
ipAllowList:
|
||||
sourceRange:
|
||||
- 127.0.0.1/32
|
||||
- 192.168.1.0/24
|
||||
ipStrategy:
|
||||
excludedIPs:
|
||||
- 127.0.0.1/32
|
||||
|
@ -171,6 +203,21 @@ spec:
|
|||
|
||||
```yaml tab="Consul Catalog"
|
||||
# Exclude from `X-Forwarded-For`
|
||||
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
|
||||
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
|
||||
```
|
||||
|
||||
```json tab="Marathon"
|
||||
"labels": {
|
||||
"traefik.http.middlewares.test-ipallowlist.ipallowlist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
|
||||
"traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
|
||||
}
|
||||
```
|
||||
|
||||
```yaml tab="Rancher"
|
||||
# Exclude from `X-Forwarded-For`
|
||||
labels:
|
||||
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
|
||||
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
|
||||
```
|
||||
|
||||
|
@ -180,16 +227,20 @@ http:
|
|||
middlewares:
|
||||
test-ipallowlist:
|
||||
ipAllowList:
|
||||
sourceRange:
|
||||
- 127.0.0.1/32
|
||||
- 192.168.1.0/24
|
||||
ipStrategy:
|
||||
excludedIPs:
|
||||
- "127.0.0.1/32"
|
||||
- "192.168.1.7"
|
||||
- 127.0.0.1/32
|
||||
- 192.168.1.7
|
||||
```
|
||||
|
||||
```toml tab="File (TOML)"
|
||||
# Exclude from `X-Forwarded-For`
|
||||
[http.middlewares]
|
||||
[http.middlewares.test-ipallowlist.ipAllowList]
|
||||
sourceRange = ["127.0.0.1/32", "192.168.1.0/24"]
|
||||
[http.middlewares.test-ipallowlist.ipAllowList.ipStrategy]
|
||||
excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
|
||||
```
|
||||
|
|
|
@ -10,7 +10,7 @@ Limiting Clients to Specific IPs
|
|||
|
||||
![IPWhiteList](../../assets/img/middleware/ipwhitelist.png)
|
||||
|
||||
IPWhiteList accepts / refuses requests based on the client IP.
|
||||
IPWhiteList limits allowed requests based on the client IP.
|
||||
|
||||
!!! warning
|
||||
|
||||
|
@ -75,6 +75,8 @@ http:
|
|||
|
||||
### `sourceRange`
|
||||
|
||||
_Required_
|
||||
|
||||
The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs by using CIDR notation).
|
||||
|
||||
### `ipStrategy`
|
||||
|
@ -184,6 +186,7 @@ http:
|
|||
```yaml tab="Docker"
|
||||
# Exclude from `X-Forwarded-For`
|
||||
labels:
|
||||
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
|
||||
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
|
||||
```
|
||||
|
||||
|
@ -196,6 +199,9 @@ metadata:
|
|||
spec:
|
||||
ipWhiteList:
|
||||
ipStrategy:
|
||||
sourceRange:
|
||||
- 127.0.0.1/32
|
||||
- 192.168.1.0/24
|
||||
excludedIPs:
|
||||
- 127.0.0.1/32
|
||||
- 192.168.1.7
|
||||
|
@ -203,11 +209,13 @@ spec:
|
|||
|
||||
```yaml tab="Consul Catalog"
|
||||
# Exclude from `X-Forwarded-For`
|
||||
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
|
||||
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
|
||||
```
|
||||
|
||||
```json tab="Marathon"
|
||||
"labels": {
|
||||
"traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
|
||||
"traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
|
||||
}
|
||||
```
|
||||
|
@ -215,6 +223,7 @@ spec:
|
|||
```yaml tab="Rancher"
|
||||
# Exclude from `X-Forwarded-For`
|
||||
labels:
|
||||
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
|
||||
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
|
||||
```
|
||||
|
||||
|
@ -224,16 +233,20 @@ http:
|
|||
middlewares:
|
||||
test-ipwhitelist:
|
||||
ipWhiteList:
|
||||
sourceRange:
|
||||
- 127.0.0.1/32
|
||||
- 192.168.1.0/24
|
||||
ipStrategy:
|
||||
excludedIPs:
|
||||
- "127.0.0.1/32"
|
||||
- "192.168.1.7"
|
||||
- 127.0.0.1/32
|
||||
- 192.168.1.7
|
||||
```
|
||||
|
||||
```toml tab="File (TOML)"
|
||||
# Exclude from `X-Forwarded-For`
|
||||
[http.middlewares]
|
||||
[http.middlewares.test-ipwhitelist.ipWhiteList]
|
||||
sourceRange = ["127.0.0.1/32", "192.168.1.0/24"]
|
||||
[http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
|
||||
excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
|
||||
```
|
||||
|
|
|
@ -8,7 +8,7 @@ description: "Learn how to use IPAllowList in TCP middleware for limiting client
|
|||
Limiting Clients to Specific IPs
|
||||
{: .subtitle }
|
||||
|
||||
IPAllowList accepts / refuses connections based on the client IP.
|
||||
IPAllowList limits allowed requests based on the client IP.
|
||||
|
||||
## Configuration Examples
|
||||
|
||||
|
|
|
@ -1241,7 +1241,7 @@ spec:
|
|||
ipAllowList:
|
||||
description: |-
|
||||
IPAllowList holds the IP allowlist middleware configuration.
|
||||
This middleware accepts / refuses requests based on the client IP.
|
||||
This middleware limits allowed requests based on the client IP.
|
||||
More info: https://doc.traefik.io/traefik/v2.11/middlewares/http/ipallowlist/
|
||||
properties:
|
||||
ipStrategy:
|
||||
|
@ -1271,7 +1271,7 @@ spec:
|
|||
ipWhiteList:
|
||||
description: |-
|
||||
IPWhiteList holds the IP whitelist middleware configuration.
|
||||
This middleware accepts / refuses requests based on the client IP.
|
||||
This middleware limits allowed requests based on the client IP.
|
||||
More info: https://doc.traefik.io/traefik/v2.11/middlewares/http/ipwhitelist/
|
||||
Deprecated: please use IPAllowList instead.
|
||||
properties:
|
||||
|
@ -1294,7 +1294,7 @@ spec:
|
|||
type: object
|
||||
sourceRange:
|
||||
description: SourceRange defines the set of allowed IPs (or ranges
|
||||
of allowed IPs by using CIDR notation).
|
||||
of allowed IPs by using CIDR notation). Required.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
|
@ -3671,7 +3671,7 @@ spec:
|
|||
ipAllowList:
|
||||
description: |-
|
||||
IPAllowList holds the IP allowlist middleware configuration.
|
||||
This middleware accepts / refuses requests based on the client IP.
|
||||
This middleware limits allowed requests based on the client IP.
|
||||
More info: https://doc.traefik.io/traefik/v2.11/middlewares/http/ipallowlist/
|
||||
properties:
|
||||
ipStrategy:
|
||||
|
@ -3701,7 +3701,7 @@ spec:
|
|||
ipWhiteList:
|
||||
description: |-
|
||||
IPWhiteList holds the IP whitelist middleware configuration.
|
||||
This middleware accepts / refuses requests based on the client IP.
|
||||
This middleware limits allowed requests based on the client IP.
|
||||
More info: https://doc.traefik.io/traefik/v2.11/middlewares/http/ipwhitelist/
|
||||
Deprecated: please use IPAllowList instead.
|
||||
properties:
|
||||
|
@ -3724,7 +3724,7 @@ spec:
|
|||
type: object
|
||||
sourceRange:
|
||||
description: SourceRange defines the set of allowed IPs (or ranges
|
||||
of allowed IPs by using CIDR notation).
|
||||
of allowed IPs by using CIDR notation). Required.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
|
|
|
@ -626,7 +626,7 @@ spec:
|
|||
ipAllowList:
|
||||
description: |-
|
||||
IPAllowList holds the IP allowlist middleware configuration.
|
||||
This middleware accepts / refuses requests based on the client IP.
|
||||
This middleware limits allowed requests based on the client IP.
|
||||
More info: https://doc.traefik.io/traefik/v2.11/middlewares/http/ipallowlist/
|
||||
properties:
|
||||
ipStrategy:
|
||||
|
@ -656,7 +656,7 @@ spec:
|
|||
ipWhiteList:
|
||||
description: |-
|
||||
IPWhiteList holds the IP whitelist middleware configuration.
|
||||
This middleware accepts / refuses requests based on the client IP.
|
||||
This middleware limits allowed requests based on the client IP.
|
||||
More info: https://doc.traefik.io/traefik/v2.11/middlewares/http/ipwhitelist/
|
||||
Deprecated: please use IPAllowList instead.
|
||||
properties:
|
||||
|
@ -679,7 +679,7 @@ spec:
|
|||
type: object
|
||||
sourceRange:
|
||||
description: SourceRange defines the set of allowed IPs (or ranges
|
||||
of allowed IPs by using CIDR notation).
|
||||
of allowed IPs by using CIDR notation). Required.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
|
|
|
@ -626,7 +626,7 @@ spec:
|
|||
ipAllowList:
|
||||
description: |-
|
||||
IPAllowList holds the IP allowlist middleware configuration.
|
||||
This middleware accepts / refuses requests based on the client IP.
|
||||
This middleware limits allowed requests based on the client IP.
|
||||
More info: https://doc.traefik.io/traefik/v2.11/middlewares/http/ipallowlist/
|
||||
properties:
|
||||
ipStrategy:
|
||||
|
@ -656,7 +656,7 @@ spec:
|
|||
ipWhiteList:
|
||||
description: |-
|
||||
IPWhiteList holds the IP whitelist middleware configuration.
|
||||
This middleware accepts / refuses requests based on the client IP.
|
||||
This middleware limits allowed requests based on the client IP.
|
||||
More info: https://doc.traefik.io/traefik/v2.11/middlewares/http/ipwhitelist/
|
||||
Deprecated: please use IPAllowList instead.
|
||||
properties:
|
||||
|
@ -679,7 +679,7 @@ spec:
|
|||
type: object
|
||||
sourceRange:
|
||||
description: SourceRange defines the set of allowed IPs (or ranges
|
||||
of allowed IPs by using CIDR notation).
|
||||
of allowed IPs by using CIDR notation). Required.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
|
|
|
@ -1241,7 +1241,7 @@ spec:
|
|||
ipAllowList:
|
||||
description: |-
|
||||
IPAllowList holds the IP allowlist middleware configuration.
|
||||
This middleware accepts / refuses requests based on the client IP.
|
||||
This middleware limits allowed requests based on the client IP.
|
||||
More info: https://doc.traefik.io/traefik/v2.11/middlewares/http/ipallowlist/
|
||||
properties:
|
||||
ipStrategy:
|
||||
|
@ -1271,7 +1271,7 @@ spec:
|
|||
ipWhiteList:
|
||||
description: |-
|
||||
IPWhiteList holds the IP whitelist middleware configuration.
|
||||
This middleware accepts / refuses requests based on the client IP.
|
||||
This middleware limits allowed requests based on the client IP.
|
||||
More info: https://doc.traefik.io/traefik/v2.11/middlewares/http/ipwhitelist/
|
||||
Deprecated: please use IPAllowList instead.
|
||||
properties:
|
||||
|
@ -1294,7 +1294,7 @@ spec:
|
|||
type: object
|
||||
sourceRange:
|
||||
description: SourceRange defines the set of allowed IPs (or ranges
|
||||
of allowed IPs by using CIDR notation).
|
||||
of allowed IPs by using CIDR notation). Required.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
|
@ -3671,7 +3671,7 @@ spec:
|
|||
ipAllowList:
|
||||
description: |-
|
||||
IPAllowList holds the IP allowlist middleware configuration.
|
||||
This middleware accepts / refuses requests based on the client IP.
|
||||
This middleware limits allowed requests based on the client IP.
|
||||
More info: https://doc.traefik.io/traefik/v2.11/middlewares/http/ipallowlist/
|
||||
properties:
|
||||
ipStrategy:
|
||||
|
@ -3701,7 +3701,7 @@ spec:
|
|||
ipWhiteList:
|
||||
description: |-
|
||||
IPWhiteList holds the IP whitelist middleware configuration.
|
||||
This middleware accepts / refuses requests based on the client IP.
|
||||
This middleware limits allowed requests based on the client IP.
|
||||
More info: https://doc.traefik.io/traefik/v2.11/middlewares/http/ipwhitelist/
|
||||
Deprecated: please use IPAllowList instead.
|
||||
properties:
|
||||
|
@ -3724,7 +3724,7 @@ spec:
|
|||
type: object
|
||||
sourceRange:
|
||||
description: SourceRange defines the set of allowed IPs (or ranges
|
||||
of allowed IPs by using CIDR notation).
|
||||
of allowed IPs by using CIDR notation). Required.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
|
|
|
@ -387,11 +387,11 @@ func (s *IPStrategy) Get() (ip.Strategy, error) {
|
|||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// IPWhiteList holds the IP whitelist middleware configuration.
|
||||
// This middleware accepts / refuses requests based on the client IP.
|
||||
// This middleware limits allowed requests based on the client IP.
|
||||
// More info: https://doc.traefik.io/traefik/v2.11/middlewares/http/ipwhitelist/
|
||||
// Deprecated: please use IPAllowList instead.
|
||||
type IPWhiteList struct {
|
||||
// SourceRange defines the set of allowed IPs (or ranges of allowed IPs by using CIDR notation).
|
||||
// SourceRange defines the set of allowed IPs (or ranges of allowed IPs by using CIDR notation). Required.
|
||||
SourceRange []string `json:"sourceRange,omitempty" toml:"sourceRange,omitempty" yaml:"sourceRange,omitempty"`
|
||||
IPStrategy *IPStrategy `json:"ipStrategy,omitempty" toml:"ipStrategy,omitempty" yaml:"ipStrategy,omitempty" label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"`
|
||||
}
|
||||
|
@ -399,7 +399,7 @@ type IPWhiteList struct {
|
|||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// IPAllowList holds the IP allowlist middleware configuration.
|
||||
// This middleware accepts / refuses requests based on the client IP.
|
||||
// This middleware limits allowed requests based on the client IP.
|
||||
// More info: https://doc.traefik.io/traefik/v2.11/middlewares/http/ipallowlist/
|
||||
type IPAllowList struct {
|
||||
// SourceRange defines the set of allowed IPs (or ranges of allowed IPs by using CIDR notation).
|
||||
|
|
|
@ -24,6 +24,9 @@ type TCPInFlightConn struct {
|
|||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// TCPIPWhiteList holds the TCP IPWhiteList middleware configuration.
|
||||
// This middleware limits allowed requests based on the client IP.
|
||||
// More info: https://doc.traefik.io/traefik/v2.11/middlewares/tcp/ipwhitelist/
|
||||
// Deprecated: please use IPAllowList instead.
|
||||
type TCPIPWhiteList struct {
|
||||
// SourceRange defines the allowed IPs (or ranges of allowed IPs by using CIDR notation).
|
||||
SourceRange []string `json:"sourceRange,omitempty" toml:"sourceRange,omitempty" yaml:"sourceRange,omitempty"`
|
||||
|
@ -32,6 +35,8 @@ type TCPIPWhiteList struct {
|
|||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// TCPIPAllowList holds the TCP IPAllowList middleware configuration.
|
||||
// This middleware limits allowed requests based on the client IP.
|
||||
// More info: https://doc.traefik.io/traefik/v2.11/middlewares/tcp/ipallowlist/
|
||||
type TCPIPAllowList struct {
|
||||
// SourceRange defines the allowed IPs (or ranges of allowed IPs by using CIDR notation).
|
||||
SourceRange []string `json:"sourceRange,omitempty" toml:"sourceRange,omitempty" yaml:"sourceRange,omitempty"`
|
||||
|
|
Loading…
Reference in a new issue