Ipallowlist
Closed this issue · 3 comments
Hi! I'm using your Traefik setup and trying to allow on-LAN connections to some service. But I can't get it to work.
I should only use it as a middleware, but it wouldn't block anything.
Do you have a tip on where to look?
Hey @joulester,
there are a few things to look at:
- Have you ensured that the middleware is applied to your proxied service? Check your Traefik labels or the Traefik dashboard.
- Are you running Traefik behind another proxy like Cloudflare or a local firewall (OPNSense)? If so, make sure that you configure those proxies as trusted IPs in your entrypoints. Otherwise, Traefik will not forward the correct IPs for access checking at the middleware, as it ignores headers like `X-Forwarded-For`, `CF-Connecting-IP` and others.
You can always enable verbose debug logs in your Traefik. This can be done via the traefik.yaml config. It will print the IPs that are available at middleware level. Alternatively, spawn a whoami container by Traefik Labs. It will print all headers and the IP address seen.
I assume the middleware does not see the real IP address and only sees an internal LAN IP if another proxy is in front of Traefik like a firewall. Therefore, all requests seem to be coming from the same local LAN IP and are allowed.
Thanks for taking your time!
- I can see that the middleware gets applied to the services.
- I'm running pfSense with DNS resolver. I did set up a whoami server and I see my firewall's IP for external and local connections.
How can I get the correct IP?
I solved it. My firewall was configured wrong and outbound NAT was active to all.
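The failure mode resolved in this thread, as an added example that is not part of the thread and not Traefik's own code: a simplified Python model of trusted-proxy client IP resolution followed by a LAN allowlist check, showing why a firewall that rewrites source addresses makes every request pass. The function names and all addresses (LAN range, firewall IP, external client) are constructed for illustration.

```python
import ipaddress

LAN = ["192.168.1.0/24"]    # constructed allowlist range
FIREWALL = "192.168.1.1"    # constructed firewall LAN address
WAN_CLIENT = "203.0.113.7"  # constructed external client (documentation range)

def _in_any(ip, cidrs):
    return any(ip in ipaddress.ip_network(c) for c in cidrs)

def effective_client_ip(remote_addr, xff=None, trusted_proxies=()):
    """Address the allowlist evaluates in this simplified model.

    X-Forwarded-For is used only when the TCP peer is a trusted proxy;
    from any other peer the header is ignored.
    """
    peer = ipaddress.ip_address(remote_addr)
    if xff and _in_any(peer, trusted_proxies):
        # Walk the chain right to left; the first hop that is not a
        # trusted proxy is taken as the client.
        for hop in reversed(xff.split(",")):
            ip = ipaddress.ip_address(hop.strip())
            if not _in_any(ip, trusted_proxies):
                return ip
    return peer

def allowed(remote_addr, xff=None, trusted_proxies=(), source_range=LAN):
    client = effective_client_ip(remote_addr, xff, trusted_proxies)
    return _in_any(client, source_range)

def scenarios():
    """Return {scenario: allowed?} for the cases discussed in the thread."""
    return {
        "lan client, direct": allowed("192.168.1.50"),
        "wan client, source preserved": allowed(WAN_CLIENT),
        # Firewall applies NAT to all traffic: every request arrives with
        # the firewall's LAN IP as its source and passes the allowlist.
        "wan client, source NATed by firewall": allowed(FIREWALL),
        # Proxy in front is listed as trusted and forwards the client IP.
        "wan client via trusted proxy": allowed(FIREWALL, WAN_CLIENT, [FIREWALL + "/32"]),
        # Header sent by a peer that is not a trusted proxy is ignored.
        "header from untrusted peer": allowed(WAN_CLIENT, "192.168.1.50"),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:40} -> {'allowed' if ok else 'blocked'}")
```

The third scenario matches what the whoami container showed in the thread: the firewall's IP for both external and local connections, which an allowlist for the LAN range cannot tell apart.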