From 69e8e4518889905884eab7ab7d7f667aa17eb82a Mon Sep 17 00:00:00 2001
From: tchivert
Date: Wed, 1 Mar 2023 18:29:00 +0100
Subject: [PATCH] Add global ipwhitelist on traefik
---
 README.md | 1 +
 templates/compose/grafana.yml.j2 | 3 +++
 templates/compose/maildev.yml.j2 | 3 +++
 templates/compose/redisinsight.yml.j2 | 3 +++
 templates/compose/traefik.yml.j2 | 5 ++++-
 5 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 2b1b4a7..b71cab5 100644
--- a/README.md
+++ b/README.md
@@ -57,6 +57,7 @@ Example variables
 traefik_domain: 'mydomain.com'
 traefik_letsencrypt_email: 'cert@mydomain.com'
+ traefik_ipwhitelist: '42.42.42.42/32, 192.168.1.0/24, 127.0.0.1/32'
 maildev_domain: 'maildev.mydomain.com'
diff --git a/templates/compose/grafana.yml.j2 b/templates/compose/grafana.yml.j2
index 60054db..2852842 100644
--- a/templates/compose/grafana.yml.j2
+++ b/templates/compose/grafana.yml.j2
@@ -29,6 +29,9 @@ services:
 traefik.http.routers.grafana.tls: true
 traefik.http.routers.grafana.tls.certresolver: letsencrypt
 traefik.http.routers.grafana.entrypoints: websecure
+{% if traefik_ipwhitelist is defined %}
+ ¦ traefik.http.routers.grafana.middlewares: "clientips@docker"
+{% endif %}
 traefik.http.services.grafana.loadbalancer.server.port: 3000
 environment:
 GF_AUTH_ANONYMOUS_ENABLED: "{{ grafana_auth_anonymous_enabled|string|lower }}"
diff --git a/templates/compose/maildev.yml.j2 b/templates/compose/maildev.yml.j2
index d7abba9..24b5ef2 100644
--- a/templates/compose/maildev.yml.j2
+++ b/templates/compose/maildev.yml.j2
@@ -19,6 +19,9 @@ services:
 traefik.http.routers.maildev.tls: true
 traefik.http.routers.maildev.tls.certresolver: letsencrypt
 traefik.http.routers.maildev.entrypoints: websecure
+{% if traefik_ipwhitelist is defined %}
+ traefik.http.routers.maildev.middlewares: "clientips@docker"
+{% endif %}
 traefik.http.services.maildev.loadbalancer.server.port: 1080
 networks:
 - traefik
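Review bot: The added label line in the grafana hunk carries a stray `¦` character in front of `traefik.http.routers.grafana.middlewares`; if that character is really in the template rather than an artefact of how the patch was rendered, the rendered Compose file gets a label keyed `¦ traefik.http.routers.grafana.middlewares` instead of the intended key, so Traefik never attaches `clientips` to the grafana router and the route silently stays open to all source addresses. The same stray character appears on the corresponding added line in templates/compose/redisinsight.yml.j2, while the maildev hunk is clean. The line should read `traefik.http.routers.grafana.middlewares: "clientips@docker"` with only the indentation of the neighbouring labels. Because this label is the only thing enforcing the allow-list on this router, checking the exact key in the rendered output (for example via `docker compose config`) is worthwhile before relying on it.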
diff --git a/templates/compose/redisinsight.yml.j2 b/templates/compose/redisinsight.yml.j2
index dc3e6d2..917261a 100644
--- a/templates/compose/redisinsight.yml.j2
+++ b/templates/compose/redisinsight.yml.j2
@@ -23,6 +23,9 @@ services:
 traefik.http.routers.redisinsight.entrypoints: "websecure"
 traefik.http.routers.redisinsight.tls.certresolver: "letsencrypt"
 traefik.http.services.redisinsight.loadbalancer.server.port: "5000"
+{% if traefik_ipwhitelist is defined %}
+ ¦ traefik.http.routers.redisinsight.middlewares: "clientips@docker"
+{% endif %}
 {% if redisinsight_auth is defined %}
 ## AUTH
 traefik.http.routers.redisinsight-auth.rule: "Host(`{{ redisinsight_domain }}`)"
diff --git a/templates/compose/traefik.yml.j2 b/templates/compose/traefik.yml.j2
index 0f49890..4c58884 100644
--- a/templates/compose/traefik.yml.j2
+++ b/templates/compose/traefik.yml.j2
@@ -34,8 +34,11 @@ services:
 traefik.http.routers.traefik.tls.certresolver: letsencrypt
 traefik.http.routers.traefik.middlewares: auth
 traefik.http.routers.dashboard.rule: Host(`{{ traefik_domain }}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
+{% if traefik_ipwhitelist is defined %}
+ traefik.http.middlewares.clientips.ipwhitelist.sourcerange: {{ traefik_ipwhitelist }}
+{% endif %}
 traefik.http.middlewares.auth.basicauth.users: "ludal:$$apr1$$N3vklVTY$$zrq2kwkaVdynGlakyb4J7."
- traefik.http.middlewares.auth.basicauth.realm: {{ traefik_domain}} - restricted access
+ traefik.http.middlewares.auth.basicauth.realm: {{ traefik_domain }} - restricted access
 logging:
 driver: syslog
 options:
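Review bot: In the redisinsight hunk the `clientips@docker` middleware is attached only to the `redisinsight` router, while the context lines show a second router, `redisinsight-auth`, declared under `{% if redisinsight_auth is defined %}` for the same host; that router's definition continues past the hunk, but nothing visible here gives it the middleware, so when auth is enabled the host may be served by a router the allow-list does not cover. If that router is the one in use, add the same guarded label for it, `traefik.http.routers.redisinsight-auth.middlewares: "clientips@docker"`, or append `clientips@docker` to whatever middleware chain that router already declares. Traefik applies middlewares per router, so any router not explicitly updated keeps accepting every source address regardless of the new variable.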
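Review bot: The new `sourcerange` label in the traefik hunk renders `{{ traefik_ipwhitelist }}` as an unquoted plain scalar, so a value that is empty, starts with a YAML indicator, or contains ` #` changes the shape of the Compose document instead of reaching Traefik; quote it, `traefik.http.middlewares.clientips.ipwhitelist.sourcerange: "{{ traefik_ipwhitelist }}"`. The `is defined` guard also lets an empty `traefik_ipwhitelist: ''` through, which defines the middleware with an empty source range while grafana, maildev and redisinsight all reference it; tightening the guard to `{% if traefik_ipwhitelist is defined and traefik_ipwhitelist %}` in each of those templates avoids that. Despite the commit title the restriction is per router: the `traefik` router on the context line above keeps `middlewares: auth` and nothing in this hunk attaches `clientips` to the `dashboard` router, so the API and dashboard stay reachable from any address; either add `clientips` to those routers' middleware lists under the same guard, or attach the middleware at the `websecure` entrypoint in Traefik's static configuration so it genuinely applies to every router. Unrelated to this change, the basicauth `users` context line hard-codes a username and password hash in the template rather than taking them from a variable.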