IPAllowList

Limiting Clients to Specific IPs

IPAllowList limits allowed requests based on the client IP.

Configuration Examples

Docker

  1. # Accepts request from defined IP
  2. labels:
  3.   - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"

Kubernetes

  1. apiVersion: traefik.io/v1alpha1
  2. kind: Middleware
  3. metadata:
  4.   name: test-ipallowlist
  5. spec:
  6.   ipAllowList:
  7.     sourceRange:
  8.       - 127.0.0.1/32
  9.       - 192.168.1.7

Consul Catalog

  1. # Accepts request from defined IP
  2. - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"

File (YAML)

  1. # Accepts request from defined IP
  2. http:
  3.   middlewares:
  4.     test-ipallowlist:
  5.       ipAllowList:
  6.         sourceRange:
  7.           - "127.0.0.1/32"
  8.           - "192.168.1.7"

File (TOML)

  1. # Accepts request from defined IP
  2. [http.middlewares]
  3.   [http.middlewares.test-ipallowlist.ipAllowList]
  4.     sourceRange = ["127.0.0.1/32", "192.168.1.7"]

Configuration Options

sourceRange

Required

The sourceRange option sets the allowed IPs (or ranges of allowed IPs by using CIDR notation).

ipStrategy

The ipStrategy option defines two parameters that set how Traefik determines the client IP: depth, and excludedIPs.
If no strategy is set, the default behavior is to match sourceRange against the Remote address found in the request.

As a middleware, whitelisting happens before the actual proxying to the backend takes place. In addition, the previous network hop only gets appended to X-Forwarded-For during the last stages of proxying, i.e. after it has already passed through whitelisting. Therefore, during whitelisting, as the previous network hop is not yet present in X-Forwarded-For, it cannot be matched against sourceRange.

ipStrategy.depth

The depth option tells Traefik to use the X-Forwarded-For header and take the IP located at the depth position (starting from the right).

  • If depth is greater than the total number of IPs in X-Forwarded-For, then the client IP will be empty.
  • depth is ignored if its value is less than or equal to 0.

If ipStrategy.ipv6Subnet is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.
See ipStrategy.ipv6Subnet for more details.

Examples of Depth & X-Forwarded-For

If depth is set to 2, and the request X-Forwarded-For header is "10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1" then the “real” client IP is "10.0.0.1" (at depth 4) but the IP used is "12.0.0.1" (depth=2).

X-Forwarded-FordepthclientIP
“10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1”1“13.0.0.1”
“10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1”3“11.0.0.1”
“10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1”5“”

Docker

  1. # Allowlisting Based on `X-Forwarded-For` with `depth=2`
  2. labels:
  3.   - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
  4.   - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"

Kubernetes

  1. # Allowlisting Based on `X-Forwarded-For` with `depth=2`
  2. apiVersion: traefik.io/v1alpha1
  3. kind: Middleware
  4. metadata:
  5.   name: test-ipallowlist
  6. spec:
  7.   ipAllowList:
  8.     sourceRange:
  9.       - 127.0.0.1/32
  10.       - 192.168.1.7
  11.     ipStrategy:
  12.       depth: 2

Consul Catalog

  1. # Allowlisting Based on `X-Forwarded-For` with `depth=2`
  2. - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
  3. - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"

File (YAML)

  1. # Allowlisting Based on `X-Forwarded-For` with `depth=2`
  2. http:
  3.   middlewares:
  4.     test-ipallowlist:
  5.       ipAllowList:
  6.         sourceRange:
  7.           - "127.0.0.1/32"
  8.           - "192.168.1.7"
  9.         ipStrategy:
  10.           depth: 2

File (TOML)

  1. # Allowlisting Based on `X-Forwarded-For` with `depth=2`
  2. [http.middlewares]
  3.   [http.middlewares.test-ipallowlist.ipAllowList]
  4.     sourceRange = ["127.0.0.1/32", "192.168.1.7"]
  5.     [http.middlewares.test-ipallowlist.ipAllowList.ipStrategy]
  6.       depth = 2

ipStrategy.excludedIPs

excludedIPs configures Traefik to scan the X-Forwarded-For header and select the first IP not in the list.

If depth is specified, excludedIPs is ignored.

Example of ExcludedIPs & X-Forwarded-For

X-Forwarded-ForexcludedIPsclientIP
“10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1”“12.0.0.1,13.0.0.1”“11.0.0.1”
“10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1”“15.0.0.1,13.0.0.1”“12.0.0.1”
“10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1”“10.0.0.1,13.0.0.1”“12.0.0.1”
“10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1”“15.0.0.1,16.0.0.1”“13.0.0.1”
“10.0.0.1,11.0.0.1”“10.0.0.1,11.0.0.1”“”

Docker

  1. # Exclude from `X-Forwarded-For`
  2. labels:
  3.     - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
  4.     - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"

Kubernetes

  1. # Exclude from `X-Forwarded-For`
  2. apiVersion: traefik.io/v1alpha1
  3. kind: Middleware
  4. metadata:
  5.   name: test-ipallowlist
  6. spec:
  7.   ipAllowList:
  8.     sourceRange:
  9.       - 127.0.0.1/32
  10.       - 192.168.1.0/24
  11.     ipStrategy:
  12.       excludedIPs:
  13.         - 127.0.0.1/32
  14.         - 192.168.1.7

Consul Catalog

  1. # Exclude from `X-Forwarded-For`
  2. - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
  3. - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"

File (YAML)

  1. # Exclude from `X-Forwarded-For`
  2. http:
  3.   middlewares:
  4.     test-ipallowlist:
  5.       ipAllowList:
  6.         sourceRange:
  7.          - 127.0.0.1/32
  8.          - 192.168.1.0/24
  9.         ipStrategy:
  10.           excludedIPs:
  11.             - 127.0.0.1/32
  12.             - 192.168.1.7

File (TOML)

  1. # Exclude from `X-Forwarded-For`
  2. [http.middlewares]
  3.   [http.middlewares.test-ipallowlist.ipAllowList]
  4.     sourceRange = ["127.0.0.1/32", "192.168.1.0/24"]
  5.     [http.middlewares.test-ipallowlist.ipAllowList.ipStrategy]
  6.       excludedIPs = ["127.0.0.1/32", "192.168.1.7"]

ipStrategy.ipv6Subnet

This strategy applies to Depth and RemoteAddr strategy only. If ipv6Subnet is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.

This is useful for grouping IPv6 addresses into subnets to prevent bypassing this middleware by obtaining a new IPv6.

  • ipv6Subnet is ignored if its value is outside of 0-128 interval

Example of ipv6Subnet

If ipv6Subnet is provided, the IP is transformed in the following way.

IPipv6SubnetclientIP
“::abcd:1111:2222:3333”64“::0:0:0:0”
“::abcd:1111:2222:3333”80“::abcd:0:0:0:0”
“::abcd:1111:2222:3333”96“::abcd:1111:0:0:0”

Docker & Swarm

  1. labels:
  2.   - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcecriterion.ipstrategy.ipv6Subnet=64"

Kubernetes

  1. apiVersion: traefik.io/v1alpha1
  2. kind: Middleware
  3. metadata:
  4.   name: test-ipallowlist
  5. spec:
  6.   ipallowlist:
  7.     sourceCriterion:
  8.       ipStrategy:
  9.         ipv6Subnet: 64

Consul Catalog

  1. - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcecriterion.ipstrategy.ipv6Subnet=64"

File (YAML)

  1. http:
  2.   middlewares:
  3.     test-ipallowlist:
  4.       ipallowlist:
  5.         sourceCriterion:
  6.           ipStrategy:
  7.             ipv6Subnet: 64

File (TOML)

  1. [http.middlewares]
  2.   [http.middlewares.test-ipallowlist.ipallowlist]
  3.     [http.middlewares.test-ipallowlist.ipallowlist.sourceCriterion.ipStrategy]
  4.       ipv6Subnet = 64