Home / server / Questions / 1168185
Accepted
mschau
Asked: 2024-11-26 21:18:09 +0800 CST

Traefik - filter part of URL

  • 772

I've got following scenario: One Docker Host with several CMS projects and a Traefik up and running. I'd like to filter out the backend URL from Public IP addresses, since it should only be accessible from private IP Ranges.

publicly available: https://www.project.com/xyz https://www.project.com/abc

restricted to internal IP's only: https://www.project.com/backend

Can I realize that with an IP whitelist and e.g. 2 Routers - 1 for public access and 1 for backend access?

I've tried something like:

  # Backend Router (Restricted Access)
  - "traefik.http.routers.project-backend.rule=Host(`${DOMAINNAME}`) && PathPrefix(`/backend`)"
  - "traefik.http.routers.project-backend.entrypoints=https"
  - "traefik.http.routers.project-backend.tls=true"
  - "traefik.http.routers.project-backend.middlewares=backend-ipwhitelist"
  - "traefik.http.routers.project-backend.priority=100"

But the filter didn't work - could still access backend.

Any suggestions?

docker

1 Answers

  1. Best Answer

    Without seeing the rest of your configuration it's hard to identify the problem. I attempted to re-create your situation with the following compose.yaml:

    services:

  traefik:
    image: traefik:latest
    container_name: traefik
    ports:
      - "8080:80"
      - "8443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    command:
    - --providers.docker
    - --providers.docker.exposedbydefault=false
    - --accesslog=true
    - --log.level=INFO

  project:
    image: traefik/whoami
    hostname: www.project.com
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.project.rule=Host(`www.project.com`)"

      # create a router for the /backend path
      - "traefik.http.routers.project-backend.rule=Host(`www.project.com`) && PathPrefix(`/backend`)"

      # create the allow list middleware
      - "traefik.http.middlewares.backend-ipallowlist.ipAllowList.sourceRange=192.168.1.0/24"

      # attach the backend-ipallowlist middleware to the router for /backend
      - "traefik.http.routers.project-backend.middlewares=backend-ipallowlist"

    This prohibits access to the /backend path as expected. A request to / from anywhere succeeds:

    $ curl -i -H Host:www.project.com http://localhost:8080/
HTTP/1.1 200 OK
Content-Length: 361
Content-Type: text/plain; charset=utf-8
Date: Tue, 26 Nov 2024 18:24:03 GMT

Hostname: www.project.com
.
.
.
X-Real-Ip: 172.18.0.1

    While a request to /backend is rejected:

    $ curl -i -H Host:www.project.com http://localhost:8080/backend/
HTTP/1.1 403 Forbidden
Date: Tue, 26 Nov 2024 18:23:00 GMT
Content-Length: 9

Foribidden

    If I make the same request from a system on the 192.168.1.0/24 network, it succeeds:

    $ curl -i -H Host:www.project.com http://192.168.100:8080/backend/
HTTP/1.1 200 OK
Content-Length: 375
Content-Type: text/plain; charset=utf-8
Date: Tue, 26 Nov 2024 18:40:59 GMT

Hostname: www.project.com
IP: 127.0.0.1
IP: ::1
IP: 172.18.0.2
.
.
.
X-Real-Ip: 192.168.1.20
    • 0