IPWhiteList
Limiting Clients to Specific IPs
IPWhitelist accepts / refuses requests based on the client IP.
Configuration Examples
Docker
# Accepts request from defined IP
labels:
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
Kubernetes
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-ipwhitelist
spec:
ipWhiteList:
sourceRange:
- 127.0.0.1/32
- 192.168.1.7
Consul Catalog
# Accepts request from defined IP
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
Marathon
"labels": {
"traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32,192.168.1.7"
}
Rancher
# Accepts request from defined IP
labels:
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
File (TOML)
# Accepts request from defined IP
[http.middlewares]
[http.middlewares.test-ipwhitelist.ipWhiteList]
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
File (YAML)
# Accepts request from defined IP
http:
middlewares:
test-ipwhitelist:
ipWhiteList:
sourceRange:
- "127.0.0.1/32"
- "192.168.1.7"
Configuration Options
sourceRange
The sourceRange
option sets the allowed IPs (or ranges of allowed IPs by using CIDR notation).
ipStrategy
The ipStrategy
option defines two parameters that sets how Traefik will determine the client IP: depth
, and excludedIPs
.
ipStrategy.depth
The depth
option tells Traefik to use the X-Forwarded-For
header and take the IP located at the depth
position (starting from the right).
Examples of Depth & X-Forwarded-For
Docker
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
labels:
- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
Kubernetes
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: testIPwhitelist
spec:
ipWhiteList:
sourceRange:
- 127.0.0.1/32
- 192.168.1.7
ipStrategy:
depth: 2
Consul Catalog
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
Marathon
"labels": {
"traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32, 192.168.1.7",
"traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth": "2"
}
Rancher
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
labels:
- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
File (TOML)
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
[http.middlewares]
[http.middlewares.test-ipwhitelist.ipWhiteList]
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
[http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
depth = 2
File (YAML)
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
http:
middlewares:
test-ipwhitelist:
ipWhiteList:
sourceRange:
- "127.0.0.1/32"
- "192.168.1.7"
ipStrategy:
depth: 2
If depth
was equal to 2, and the request X-Forwarded-For
header was "10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"
then the “real” client IP would be "10.0.0.1"
(at depth 4) but the IP used for the whitelisting would be "12.0.0.1"
(depth=2
).
More examples
X-Forwarded-For | depth | clientIP |
---|---|---|
“10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1” | 1 | “13.0.0.1” |
“10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1” | 3 | “11.0.0.1” |
“10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1” | 5 | “” |
Info
- If
depth
is greater than the total number of IPs inX-Forwarded-For
, then the client IP will be empty. depth
is ignored if its value is lesser than or equal to 0.
ipStrategy.excludedIPs
Docker
# Exclude from `X-Forwarded-For`
labels:
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
Kubernetes
# Exclude from `X-Forwarded-For`
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-ipwhitelist
spec:
ipWhiteList:
ipStrategy:
excludedIPs:
- 127.0.0.1/32
- 192.168.1.7
Consul Catalog
# Exclude from `X-Forwarded-For`
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
Marathon
"labels": {
"traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
}
Rancher
# Exclude from `X-Forwarded-For`
labels:
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
File (TOML)
# Exclude from `X-Forwarded-For`
[http.middlewares]
[http.middlewares.test-ipwhitelist.ipWhiteList]
[http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
File (YAML)
# Exclude from `X-Forwarded-For`
http:
middlewares:
test-ipwhitelist:
ipWhiteList:
ipStrategy:
excludedIPs:
- "127.0.0.1/32"
- "192.168.1.7"
excludedIPs
tells Traefik to scan the X-Forwarded-For
header and pick the first IP not in the list.
If depth
is specified, excludedIPs
is ignored.
Examples of ExcludedIPs & X-Forwarded-For
X-Forwarded-For | excludedIPs | clientIP |
---|---|---|
“10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1” | “12.0.0.1,13.0.0.1” | “11.0.0.1” |
“10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1” | “15.0.0.1,13.0.0.1” | “12.0.0.1” |
“10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1” | “10.0.0.1,13.0.0.1” | “12.0.0.1” |
“10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1” | “15.0.0.1,16.0.0.1” | “13.0.0.1” |
“10.0.0.1,11.0.0.1” | “10.0.0.1,11.0.0.1” | “” |