
IPAllowList

IPAllowList accepts / refuses requests based on the client IP.


Configuration Options

sourceRange

| Field | Description |
|---|---|
| sourceRange | The sourceRange option sets the allowed IPs (or ranges of allowed IPs by using CIDR notation). |

```yaml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: test-ipallowlist
spec:
  ipAllowList:
    sourceRange:
      - 127.0.0.1/32
      - 192.168.1.7
```

ipStrategy

The ipStrategy option defines two parameters that set how Traefik determines the client IP: depth, and excludedIPs.
If no strategy is set, the default behavior is to match sourceRange against the Remote address found in the request.

Because this is a middleware, the allowlist check happens before the request is actually proxied to the backend. Traefik appends the previous network hop (the peer that connected to it) to X-Forwarded-For only during the last stages of proxying, that is after the request has already passed through the allowlist.
Therefore, during the allowlist check, that previous hop is not yet present in X-Forwarded-For and cannot be matched against sourceRange through an ipStrategy; it is only visible as the request's remote address, which is what the default (no strategy) behavior matches against.

ipStrategy.depth

| Field | Description |
|---|---|
| ipStrategy.depth | The depth option tells Traefik to use the X-Forwarded-For header and take the IP located at the depth position (starting from the right). |

note
  • If depth is greater than the total number of IPs in X-Forwarded-For, then the client IP will be empty.
  • depth is ignored if its value is less than or equal to 0.

Examples of Depth & X-Forwarded-For

If depth is set to 2, and the request X-Forwarded-For header is "10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1" then the "real" client IP is "10.0.0.1" (at depth 4) but the IP used is "12.0.0.1" (depth=2).

| X-Forwarded-For | depth | clientIP |
|---|---|---|
| "10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1" | 1 | "13.0.0.1" |
| "10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1" | 3 | "11.0.0.1" |
| "10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1" | 5 | "" |

Allowlisting Based on X-Forwarded-For with depth=2

```yaml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: test-ipallowlist
spec:
  ipAllowList:
    sourceRange:
      - 127.0.0.1/32
      - 192.168.1.7
    ipStrategy:
      depth: 2
```

ipStrategy.excludedIPs

| Field | Description |
|---|---|
| ipStrategy.excludedIPs | excludedIPs configures Traefik to scan the X-Forwarded-For header (starting from the right) and select the first IP that is not in the excluded list. |

note

If depth is specified, excludedIPs is ignored.

Example of ExcludedIPs & X-Forwarded-For

| X-Forwarded-For | excludedIPs | clientIP |
|---|---|---|
| "10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1" | "12.0.0.1,13.0.0.1" | "11.0.0.1" |
| "10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1" | "15.0.0.1,13.0.0.1" | "12.0.0.1" |
| "10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1" | "10.0.0.1,13.0.0.1" | "12.0.0.1" |
| "10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1" | "15.0.0.1,16.0.0.1" | "13.0.0.1" |
| "10.0.0.1,11.0.0.1" | "10.0.0.1,11.0.0.1" | "" |

Exclude from X-Forwarded-For

```yaml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: test-ipallowlist
spec:
  ipAllowList:
    ipStrategy:
      excludedIPs:
        - 127.0.0.1/32
        - 192.168.1.7
```
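As an added example (not Traefik's own code), the following Go program reproduces the client-IP selection rules from the depth and excludedIPs tables above together with the sourceRange match, so that a proposed configuration can be dry-run against a captured X-Forwarded-For value before it is deployed. The function names Ranges, Matches and ClientIP are assumptions of this example; it also accepts bare addresses and CIDR ranges in both sourceRange and excludedIPs, as the YAML examples do.

```go
package main

import (
	"net/netip"
	"strings"
)

// Ranges parses sourceRange/excludedIPs entries (bare IPs or CIDRs) into prefixes.
func Ranges(entries []string) []netip.Prefix {
	var out []netip.Prefix
	for _, e := range entries {
		if p, err := netip.ParsePrefix(e); err == nil {
			out = append(out, p)
		} else if a, err := netip.ParseAddr(e); err == nil {
			out = append(out, netip.PrefixFrom(a, a.BitLen())) // bare address: single-host prefix
		}
	}
	return out
}

// Matches reports whether ip is inside any prefix; "" or an unparsable IP never matches.
func Matches(ip string, ranges []netip.Prefix) bool {
	a, err := netip.ParseAddr(ip)
	for i := 0; err == nil && i < len(ranges); i++ {
		if ranges[i].Contains(a) {
			return true
		}
	}
	return false
}

// ClientIP applies the ipStrategy rules: depth wins when > 0, otherwise
// excludedIPs scans X-Forwarded-For from the right, otherwise remoteAddr is used.
func ClientIP(remoteAddr, xff string, depth int, excluded []netip.Prefix) string {
	hops := strings.Split(strings.ReplaceAll(xff, " ", ""), ",") // left to right
	switch {
	case depth > len(hops): // depth past the end of the header: empty client IP
		return ""
	case depth > 0:
		return hops[len(hops)-depth]
	case len(excluded) == 0:
		return remoteAddr
	}
	for i := len(hops) - 1; i >= 0; i-- {
		if !Matches(hops[i], excluded) {
			return hops[i]
		}
	}
	return "" // every hop is excluded
}
```

Feed ClientIP the header value you see in your own access logs (constructed values are fine for a test), then pass the result through Matches with the sourceRange entries to see whether the request would be accepted.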