docs: excludedIPs with IPWhiteList and IPAllowList middleware

This commit is contained in:
Michel Loiseleur 2024-04-04 11:32:05 +02:00 committed by GitHub
parent 945ff9b0f9
commit d3516aec31
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
9 changed files with 100 additions and 31 deletions

View file

@ -8,11 +8,11 @@ description: "Learn how to use IPAllowList in HTTP middleware for limiting clien
Limiting Clients to Specific IPs
{: .subtitle }
IPAllowList accepts / refuses requests based on the client IP.
IPAllowList limits allowed requests based on the client IP.
## Configuration Examples
```yaml tab="Docker & Swarm"
```yaml tab="Docker"
# Accepts request from defined IP
labels:
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
@ -35,6 +35,18 @@ spec:
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange": "127.0.0.1/32,192.168.1.7"
}
```
```yaml tab="Rancher"
# Accepts request from defined IP
labels:
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
```
```yaml tab="File (YAML)"
# Accepts request from defined IP
http:
@ -57,6 +69,8 @@ http:
### `sourceRange`
_Required_
The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs by using CIDR notation).
### `ipStrategy`
@ -83,7 +97,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3` | `"11.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5` | `""` |
```yaml tab="Docker & Swarm"
```yaml tab="Docker"
# Allowlisting Based on `X-Forwarded-For` with `depth=2`
labels:
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
@ -111,6 +125,20 @@ spec:
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange": "127.0.0.1/32, 192.168.1.7",
"traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth": "2"
}
```
```yaml tab="Rancher"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
labels:
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
```
```yaml tab="File (YAML)"
# Allowlisting Based on `X-Forwarded-For` with `depth=2`
http:
@ -149,9 +177,10 @@ http:
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
| `"10.0.0.1,11.0.0.1"` | `"10.0.0.1,11.0.0.1"` | `""` |
```yaml tab="Docker & Swarm"
```yaml tab="Docker"
# Exclude from `X-Forwarded-For`
labels:
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
```
@ -163,6 +192,9 @@ metadata:
name: test-ipallowlist
spec:
ipAllowList:
sourceRange:
- 127.0.0.1/32
- 192.168.1.0/24
ipStrategy:
excludedIPs:
- 127.0.0.1/32
@ -171,6 +203,21 @@ spec:
```yaml tab="Consul Catalog"
# Exclude from `X-Forwarded-For`
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-ipallowlist.ipallowlist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
"traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
}
```
```yaml tab="Rancher"
# Exclude from `X-Forwarded-For`
labels:
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
```
@ -180,16 +227,20 @@ http:
middlewares:
test-ipallowlist:
ipAllowList:
sourceRange:
- 127.0.0.1/32
- 192.168.1.0/24
ipStrategy:
excludedIPs:
- "127.0.0.1/32"
- "192.168.1.7"
- 127.0.0.1/32
- 192.168.1.7
```
```toml tab="File (TOML)"
# Exclude from `X-Forwarded-For`
[http.middlewares]
[http.middlewares.test-ipallowlist.ipAllowList]
sourceRange = ["127.0.0.1/32", "192.168.1.0/24"]
[http.middlewares.test-ipallowlist.ipAllowList.ipStrategy]
excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
```

View file

@ -10,7 +10,7 @@ Limiting Clients to Specific IPs
![IPWhiteList](../../assets/img/middleware/ipwhitelist.png)
IPWhiteList accepts / refuses requests based on the client IP.
IPWhiteList limits allowed requests based on the client IP.
!!! warning
@ -75,6 +75,8 @@ http:
### `sourceRange`
_Required_
The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs by using CIDR notation).
### `ipStrategy`
@ -184,6 +186,7 @@ http:
```yaml tab="Docker"
# Exclude from `X-Forwarded-For`
labels:
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
```
@ -196,6 +199,9 @@ metadata:
spec:
ipWhiteList:
ipStrategy:
sourceRange:
- 127.0.0.1/32
- 192.168.1.0/24
excludedIPs:
- 127.0.0.1/32
- 192.168.1.7
@ -203,11 +209,13 @@ spec:
```yaml tab="Consul Catalog"
# Exclude from `X-Forwarded-For`
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
"traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
}
```
@ -215,6 +223,7 @@ spec:
```yaml tab="Rancher"
# Exclude from `X-Forwarded-For`
labels:
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
```
@ -224,16 +233,20 @@ http:
middlewares:
test-ipwhitelist:
ipWhiteList:
sourceRange:
- 127.0.0.1/32
- 192.168.1.0/24
ipStrategy:
excludedIPs:
- "127.0.0.1/32"
- "192.168.1.7"
- 127.0.0.1/32
- 192.168.1.7
```
```toml tab="File (TOML)"
# Exclude from `X-Forwarded-For`
[http.middlewares]
[http.middlewares.test-ipwhitelist.ipWhiteList]
sourceRange = ["127.0.0.1/32", "192.168.1.0/24"]
[http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
```

View file

@ -8,7 +8,7 @@ description: "Learn how to use IPAllowList in TCP middleware for limiting client
Limiting Clients to Specific IPs
{: .subtitle }
IPAllowList accepts / refuses connections based on the client IP.
IPAllowList limits allowed requests based on the client IP.
## Configuration Examples

View file

@ -1241,7 +1241,7 @@ spec:
ipAllowList:
description: |-
IPAllowList holds the IP allowlist middleware configuration.
This middleware accepts / refuses requests based on the client IP.
This middleware limits allowed requests based on the client IP.
More info: https://doc.traefik.io/traefik/v2.11/middlewares/http/ipallowlist/
properties:
ipStrategy:
@ -1271,7 +1271,7 @@ spec:
ipWhiteList:
description: |-
IPWhiteList holds the IP whitelist middleware configuration.
This middleware accepts / refuses requests based on the client IP.
This middleware limits allowed requests based on the client IP.
More info: https://doc.traefik.io/traefik/v2.11/middlewares/http/ipwhitelist/
Deprecated: please use IPAllowList instead.
properties:
@ -1294,7 +1294,7 @@ spec:
type: object
sourceRange:
description: SourceRange defines the set of allowed IPs (or ranges
of allowed IPs by using CIDR notation).
of allowed IPs by using CIDR notation). Required.
items:
type: string
type: array
@ -3671,7 +3671,7 @@ spec:
ipAllowList:
description: |-
IPAllowList holds the IP allowlist middleware configuration.
This middleware accepts / refuses requests based on the client IP.
This middleware limits allowed requests based on the client IP.
More info: https://doc.traefik.io/traefik/v2.11/middlewares/http/ipallowlist/
properties:
ipStrategy:
@ -3701,7 +3701,7 @@ spec:
ipWhiteList:
description: |-
IPWhiteList holds the IP whitelist middleware configuration.
This middleware accepts / refuses requests based on the client IP.
This middleware limits allowed requests based on the client IP.
More info: https://doc.traefik.io/traefik/v2.11/middlewares/http/ipwhitelist/
Deprecated: please use IPAllowList instead.
properties:
@ -3724,7 +3724,7 @@ spec:
type: object
sourceRange:
description: SourceRange defines the set of allowed IPs (or ranges
of allowed IPs by using CIDR notation).
of allowed IPs by using CIDR notation). Required.
items:
type: string
type: array

View file

@ -626,7 +626,7 @@ spec:
ipAllowList:
description: |-
IPAllowList holds the IP allowlist middleware configuration.
This middleware accepts / refuses requests based on the client IP.
This middleware limits allowed requests based on the client IP.
More info: https://doc.traefik.io/traefik/v2.11/middlewares/http/ipallowlist/
properties:
ipStrategy:
@ -656,7 +656,7 @@ spec:
ipWhiteList:
description: |-
IPWhiteList holds the IP whitelist middleware configuration.
This middleware accepts / refuses requests based on the client IP.
This middleware limits allowed requests based on the client IP.
More info: https://doc.traefik.io/traefik/v2.11/middlewares/http/ipwhitelist/
Deprecated: please use IPAllowList instead.
properties:
@ -679,7 +679,7 @@ spec:
type: object
sourceRange:
description: SourceRange defines the set of allowed IPs (or ranges
of allowed IPs by using CIDR notation).
of allowed IPs by using CIDR notation). Required.
items:
type: string
type: array

View file

@ -626,7 +626,7 @@ spec:
ipAllowList:
description: |-
IPAllowList holds the IP allowlist middleware configuration.
This middleware accepts / refuses requests based on the client IP.
This middleware limits allowed requests based on the client IP.
More info: https://doc.traefik.io/traefik/v2.11/middlewares/http/ipallowlist/
properties:
ipStrategy:
@ -656,7 +656,7 @@ spec:
ipWhiteList:
description: |-
IPWhiteList holds the IP whitelist middleware configuration.
This middleware accepts / refuses requests based on the client IP.
This middleware limits allowed requests based on the client IP.
More info: https://doc.traefik.io/traefik/v2.11/middlewares/http/ipwhitelist/
Deprecated: please use IPAllowList instead.
properties:
@ -679,7 +679,7 @@ spec:
type: object
sourceRange:
description: SourceRange defines the set of allowed IPs (or ranges
of allowed IPs by using CIDR notation).
of allowed IPs by using CIDR notation). Required.
items:
type: string
type: array

View file

@ -1241,7 +1241,7 @@ spec:
ipAllowList:
description: |-
IPAllowList holds the IP allowlist middleware configuration.
This middleware accepts / refuses requests based on the client IP.
This middleware limits allowed requests based on the client IP.
More info: https://doc.traefik.io/traefik/v2.11/middlewares/http/ipallowlist/
properties:
ipStrategy:
@ -1271,7 +1271,7 @@ spec:
ipWhiteList:
description: |-
IPWhiteList holds the IP whitelist middleware configuration.
This middleware accepts / refuses requests based on the client IP.
This middleware limits allowed requests based on the client IP.
More info: https://doc.traefik.io/traefik/v2.11/middlewares/http/ipwhitelist/
Deprecated: please use IPAllowList instead.
properties:
@ -1294,7 +1294,7 @@ spec:
type: object
sourceRange:
description: SourceRange defines the set of allowed IPs (or ranges
of allowed IPs by using CIDR notation).
of allowed IPs by using CIDR notation). Required.
items:
type: string
type: array
@ -3671,7 +3671,7 @@ spec:
ipAllowList:
description: |-
IPAllowList holds the IP allowlist middleware configuration.
This middleware accepts / refuses requests based on the client IP.
This middleware limits allowed requests based on the client IP.
More info: https://doc.traefik.io/traefik/v2.11/middlewares/http/ipallowlist/
properties:
ipStrategy:
@ -3701,7 +3701,7 @@ spec:
ipWhiteList:
description: |-
IPWhiteList holds the IP whitelist middleware configuration.
This middleware accepts / refuses requests based on the client IP.
This middleware limits allowed requests based on the client IP.
More info: https://doc.traefik.io/traefik/v2.11/middlewares/http/ipwhitelist/
Deprecated: please use IPAllowList instead.
properties:
@ -3724,7 +3724,7 @@ spec:
type: object
sourceRange:
description: SourceRange defines the set of allowed IPs (or ranges
of allowed IPs by using CIDR notation).
of allowed IPs by using CIDR notation). Required.
items:
type: string
type: array

View file

@ -387,11 +387,11 @@ func (s *IPStrategy) Get() (ip.Strategy, error) {
// +k8s:deepcopy-gen=true
// IPWhiteList holds the IP whitelist middleware configuration.
// This middleware accepts / refuses requests based on the client IP.
// This middleware limits allowed requests based on the client IP.
// More info: https://doc.traefik.io/traefik/v2.11/middlewares/http/ipwhitelist/
// Deprecated: please use IPAllowList instead.
type IPWhiteList struct {
// SourceRange defines the set of allowed IPs (or ranges of allowed IPs by using CIDR notation).
// SourceRange defines the set of allowed IPs (or ranges of allowed IPs by using CIDR notation). Required.
SourceRange []string `json:"sourceRange,omitempty" toml:"sourceRange,omitempty" yaml:"sourceRange,omitempty"`
IPStrategy *IPStrategy `json:"ipStrategy,omitempty" toml:"ipStrategy,omitempty" yaml:"ipStrategy,omitempty" label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"`
}
@ -399,7 +399,7 @@ type IPWhiteList struct {
// +k8s:deepcopy-gen=true
// IPAllowList holds the IP allowlist middleware configuration.
// This middleware accepts / refuses requests based on the client IP.
// This middleware limits allowed requests based on the client IP.
// More info: https://doc.traefik.io/traefik/v2.11/middlewares/http/ipallowlist/
type IPAllowList struct {
// SourceRange defines the set of allowed IPs (or ranges of allowed IPs by using CIDR notation).

View file

@ -24,6 +24,9 @@ type TCPInFlightConn struct {
// +k8s:deepcopy-gen=true
// TCPIPWhiteList holds the TCP IPWhiteList middleware configuration.
// This middleware limits allowed requests based on the client IP.
// More info: https://doc.traefik.io/traefik/v2.11/middlewares/tcp/ipwhitelist/
// Deprecated: please use IPAllowList instead.
type TCPIPWhiteList struct {
// SourceRange defines the allowed IPs (or ranges of allowed IPs by using CIDR notation).
SourceRange []string `json:"sourceRange,omitempty" toml:"sourceRange,omitempty" yaml:"sourceRange,omitempty"`
@ -32,6 +35,8 @@ type TCPIPWhiteList struct {
// +k8s:deepcopy-gen=true
// TCPIPAllowList holds the TCP IPAllowList middleware configuration.
// This middleware limits allowed requests based on the client IP.
// More info: https://doc.traefik.io/traefik/v2.11/middlewares/tcp/ipallowlist/
type TCPIPAllowList struct {
// SourceRange defines the allowed IPs (or ranges of allowed IPs by using CIDR notation).
SourceRange []string `json:"sourceRange,omitempty" toml:"sourceRange,omitempty" yaml:"sourceRange,omitempty"`