Docker - Traefik - IPWhitelist

Page content

Whitelist IP Range

docker-compose.yml

  whoami:
    image: containous/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, x.x.x.x/y"
      - "traefik.http.routers.whoami.middlewares=test-ipwhitelist@docker"
      - "traefik.http.routers.whoami.rule=Host(`whoami.your.domain.de`)"
      - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"
      - "traefik.http.routers.whoami.tls=true"

-> only “localhost” and SRC IP x.x.x.x/y can access this URL. Rest will be blocked. -> Disadvantage. Container needs to be restartet if the Source Range gets modified!

we can do this better :)

Move to File

you may want to put your “IP Ranges” to a dedicated File and import it where needed.

dynamic/middlewares.toml

mkdir dynamic

cat << 'EOF' > dynamic/middlewares.yml
http:
  # Use @file prefix for middlewares from fileprovider
  middlewares:
    my-ipwhitelist:
      ipwhitelist:
        sourcerange: "127.0.0.1, 192.168.0.0/16, 1.2.3.4/32"
EOF

docker-compose.yml

-> add Volume to traefik

  traefik:
    ...
    volumes:
      ...
      - "./dynamic:/etc/traefik/dynamic"

docker-compose.yml

-> add label to the Container

  whoami:
    ...
    labels:
      ...
      - "traefik.http.routers.whoami.middlewares=my-ipwhitelist@file"

Bring them up

docker compose up -d

Any Comments ?

sha256: 7ce8db334efa0b88f635dcb371a15ae295e5d83f26c793f738c4861ff7d30c9b