IPAllowList
IPAllowList accepts / refuses requests based on the client IP.
Configuration Example
- Middleware IPAllowList
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-ipallowlist
spec:
ipAllowList:
sourceRange:
- 127.0.0.1/32
- 192.168.1.7
Configuration Options
Field | Description | Default | Required |
---|---|---|---|
sourceRange | List of allowed IPs (or ranges of allowed IPs by using CIDR notation). | Yes | |
ipStrategy.depth | Depth position of the IP to select in the X-Forwarded-For header (starting from the right).0 means no depth. If greater than the total number of IPs in X-Forwarded-For , then the client IP is emptyIf higher than 0, the excludedIPs options is not evaluated.More information about ipStrategy](#ipstrategy), and [ depth` below. | 0 | No |
ipStrategy.excludedIPs | Allows Traefik to scan the X-Forwarded-For header and select the first IP not in the list.If depth is specified, excludedIPs is ignored.More information about ipStrategy](#ipstrategy), and [ excludedIPs` below. | No |
ipStrategy
The ipStrategy
option defines two parameters that configures how Traefik determines the client IP: depth
, and excludedIPs
.
If no strategy is set, the default behavior is to match sourceRange
against the Remote address found in the request.
As a middleware, passlisting happens before the actual proxying to the backend takes place.
In addition, the previous network hop only gets appended to X-Forwarded-For
during the last stages of proxying, that is after it has already passed through passlisting.
Therefore, during passlisting, as the previous network hop is not yet present in X-Forwarded-For
, it cannot be matched against sourceRange
.
Example of Depth & X-Forwarded-For
If depth
is set to 2, and the request X-Forwarded-For
header is "10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"
then the "real" client IP is "10.0.0.1"
(at depth 4) but the IP used as the criterion is "12.0.0.1"
(depth=2
).
X-Forwarded-For | depth | clientIP |
---|---|---|
"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1" | 1 | "13.0.0.1" |
"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1" | 3 | "11.0.0.1" |
"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1" | 5 | "" |
Example of ExcludedIPs & X-Forwarded-For
X-Forwarded-For | excludedIPs | clientIP |
---|---|---|
"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1" | "12.0.0.1,13.0.0.1" | "11.0.0.1" |
"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1" | "15.0.0.1,13.0.0.1" | "12.0.0.1" |
"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1" | "10.0.0.1,13.0.0.1" | "12.0.0.1" |
"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1" | "15.0.0.1,16.0.0.1" | "13.0.0.1" |
"10.0.0.1,11.0.0.1" | "10.0.0.1,11.0.0.1" | "" |