
[Bug]: Unable to add Traefik ipallowlist to limit access to resource #2818

Closed
capperstrnd opened this issue Jul 12, 2024 · 5 comments · Fixed by #3708

Comments

@capperstrnd

Description

Hi! Just started using Coolify and ran into a stumbling block.

I've just set up a wireguard VPN on a docker compose (which is working flawlessly), and I want to use this as a gatekeeper for other resources. Which I hoped to be a one-liner in my docker composes that I want to keep private (and also my nodejs apps in the future but haven't gotten to those yet).

I'm essentially trying to append the following label

- "traefik.http.middlewares.testipblock.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.0/24, 10.8.0.0/24"

Which should block out any IP addresses that aren't within the network through the wireguard VPN, but the auto-compose rewrite doesn't seem to pick it up.

If I click "Show deployable compose" and scroll down to the last instance of middlewares it looks like this:

- traefik.http.routers.<unique route>.middlewares=gzip and has simply ignored the testipblock I added earlier...

My temporary solution is to just block it through the firewall, so I have to use the IP address + port of my private docker instance to get at them with the VPN. Which isn't as elegant as using my own subdomain+domain.

Minimal Reproduction (if possible, example repository)

Start up any docker compose and add the following label

- "traefik.http.middlewares.hello-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.0/24, 10.8.0.0/24"

Save it, and look at the "Deployable compose" version and verify if it exists in the last instance of "middleware" (search and find).

Exception or Error

No response

Version

v4.0.0-beta.310

@capperstrnd
Author

Tried it on v4.0.0-beta.312 as well and issue remains

@capperstrnd capperstrnd changed the title [Bug]: Unable to enforce Traefik ipallowlist [Bug]: Unable to add Traefik ipallowlist to limit access to resource Jul 12, 2024
@capperstrnd
Author

Managed to solve this from the DNS side of things with a WAF rule that only applies to my internal subdomains, which I think is the better way of doing it should one for whatever reason lose VPN access but still have access to the DNS service.

Marking this as solved since this shouldn't be managed on the resource/reverse proxy level but externally through firewall/DNS service

@greendesertsnow

I've been looking for an answer to this for a month now.
I need to apply ipAllowList to pocketbase's /api/admins/* route, and I can't/don't know how to use a firewall for subpaths.
The issue needs to be open. I'm frustrated.

@capperstrnd
Author

If you are using Cloudflare you can apply a WAF rule that could achieve this, where you check if the domain contains that part and if the user is coming from an allowed ip.

But there are niche cases where this might be required on the resource level I agree so I'll reopen this for you.

A niche I had in mind is being able to block outside access to just VPN users, but then on the ipblocklist being able to block to a per-user IP with a wireguard-assigned IP address.

@capperstrnd capperstrnd reopened this Jul 25, 2024
@greendesertsnow

The problem arises from the auto-magic docker label configuration. When you add a middleware to the compose file it associates it with the main route of your application no matter what.

The work around I found was to create a dynamic traefik file:

http:
  middlewares:
    pocketbase-auth:
      basicAuth:
        users:
          - 'test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/'
    pocketbase-ipfilter:
      # ipWhiteList is the Traefik v2 name of this middleware; Traefik v3 calls it ipAllowList
      ipWhiteList:
        sourceRange:
          # Go template expanded by the file provider from the HOMEIP environment variable
          - '{{env "HOMEIP"}}'
          - 222.211.122.112
  routers:
    pocketbase-admin:
      entryPoints:
        - https
      service: pocketbase-xxxxxxx
      # only the admin API path is routed through both middlewares
      rule: 'Host(`pocketbase-xxxxxxx.mydomain.com`) && PathPrefix(`/api/admins`)'
      middlewares:
        - pocketbase-auth
        - pocketbase-ipfilter
      tls:
        certresolver: letsencrypt
  services:
    pocketbase-xxxxxxx:
      loadBalancer:
        servers:
          - url: 'http://pocketbase-xxxxxxx:8080'

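The failure mode in this thread is that a Traefik middleware only takes effect when a router lists it in its `middlewares`; a label that merely defines `ipallowlist.sourcerange` gates nothing if the generated `traefik.http.routers.<name>.middlewares` entry ends up as `gzip` alone. The following script is an added example, not Coolify's or Traefik's code: it turns docker labels (the reporter's case) or a file-provider `http` section (the dynamic-file workaround above) into one dict, reports routers with no IP filter attached and IP filters no router references, and evaluates a `sourceRange` the way the middleware does. Router and middleware names (`myapp`, `testipblock`) and the IP ranges are constructed placeholders; both the v2 `ipWhiteList` and v3 `ipAllowList` spellings are recognised. One caveat the check cannot see: if a CDN or other proxy sits in front of Traefik, the address the middleware compares is that proxy's unless `ipStrategy` is configured, so an allowlist that passes this audit can still be wider than intended.

```python
"""Audit Traefik router/middleware wiring so an IP allowlist really gates a route.

Constructed example (not Coolify's or Traefik's own code). Middleware and option
names are normalised to lower case, mirroring Traefik's case-insensitive labels.
"""
import ipaddress
import re

LABEL_RE = re.compile(r"^traefik\.http\.(routers|middlewares)\.([^.]+)\.(.+?)=(.*)$")
IP_FILTER_TYPES = ("ipallowlist", "ipwhitelist")  # Traefik v3 and v2 names


def labels_to_dynamic(labels):
    """Translate docker labels into a dict shaped like Traefik's file-provider `http` section."""
    dyn = {"routers": {}, "middlewares": {}}
    for label in labels:
        m = LABEL_RE.match(label.strip().strip('"'))
        if not m:
            continue  # not an http router/middleware label (tcp, services, enable, ...)
        kind, name, key, value = m.groups()
        node = dyn[kind].setdefault(name.lower(), {})
        if kind == "routers" and key.lower() == "middlewares":
            node["middlewares"] = [v.strip() for v in value.split(",") if v.strip()]
        elif kind == "middlewares":
            mw_type, _, option = key.partition(".")  # e.g. "ipallowlist", "sourcerange"
            node.setdefault(mw_type.lower(), {})[option.lower()] = value
        else:
            node[key.lower()] = value
    return dyn


def parse_source_range(value):
    """Accept a list (file provider) or a comma-separated string (label); spaces are tolerated."""
    items = value if isinstance(value, list) else value.split(",")
    return [ipaddress.ip_network(v.strip(), strict=False) for v in items if v.strip()]


def is_allowed(client_ip, source_range):
    """The middleware's decision: is the client address inside any listed range?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in source_range)


def source_range_of(dyn, mw_name):
    """Return the parsed sourceRange of an IP filter middleware, whichever spelling it uses."""
    spec = {t.lower(): {k.lower(): v for k, v in o.items()} for t, o in dyn["middlewares"][mw_name].items()}
    for t in IP_FILTER_TYPES:
        if t in spec:
            return parse_source_range(spec[t]["sourcerange"])
    raise KeyError(f"{mw_name} is not an IP filter middleware")


def audit(dyn):
    """Findings: routers with no IP filter attached, and IP filters that no router references."""
    mws = {n.lower(): {t.lower() for t in spec} for n, spec in dyn.get("middlewares", {}).items()}
    ip_filters = {n for n, types in mws.items() if types & set(IP_FILTER_TYPES)}
    findings, used = [], set()
    for rname, router in dyn.get("routers", {}).items():
        # "name@provider" references are compared by bare name
        attached = [m.lower().split("@")[0] for m in router.get("middlewares", [])]
        used.update(attached)
        if not any(m in ip_filters for m in attached):
            findings.append(f"router {rname!r} has no IP filter middleware attached")
    for name in sorted(ip_filters - used):
        findings.append(f"middleware {name!r} is defined but no router uses it")
    return findings


# Constructed sample mirroring the reporter's "deployable compose": the allowlist is
# defined, but the router only lists gzip, so the route is not gated at all.
BROKEN_LABELS = [
    "traefik.http.middlewares.gzip.compress=true",
    "traefik.http.middlewares.testipblock.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.0/24, 10.8.0.0/24",
    "traefik.http.routers.myapp.rule=Host(`app.example.test`)",
    "traefik.http.routers.myapp.middlewares=gzip",
]
# The same labels with the middleware actually attached to the router.
FIXED_LABELS = BROKEN_LABELS[:-1] + ["traefik.http.routers.myapp.middlewares=gzip,testipblock"]

# The dynamic-file workaround from the thread, as the dict a YAML loader would return
# (placeholder addresses; v2 spelling ipWhiteList).
FILE_DYNAMIC = {
    "middlewares": {"pocketbase-ipfilter": {"ipWhiteList": {"sourceRange": ["198.51.100.4/32", "10.8.0.0/24"]}}},
    "routers": {"pocketbase-admin": {"rule": "Host(`pb.example.test`) && PathPrefix(`/api/admins`)",
                                     "middlewares": ["pocketbase-ipfilter"]}},
}

if __name__ == "__main__":
    for title, dyn in (("broken", labels_to_dynamic(BROKEN_LABELS)),
                       ("fixed", labels_to_dynamic(FIXED_LABELS)),
                       ("file", FILE_DYNAMIC)):
        print(title, audit(dyn) or ["ok: every router is gated"])
    rng = source_range_of(labels_to_dynamic(FIXED_LABELS), "testipblock")
    for ip in ("10.8.0.7", "203.0.113.9"):
        print(ip, "allowed" if is_allowed(ip, rng) else "denied")
```

Run it against the label list shown under "Show deployable compose" (one label per list entry, quotes and the leading `- ` are tolerated) before trusting that a private route is actually restricted; the "defined but no router uses it" finding is exactly the situation the reporter describes.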
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 3, 2024