Deprecate IPWhiteList middleware in favor of IPAllowList

Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
Landry Benguigui 2024-01-02 17:04:06 +01:00 committed by GitHub
parent 9662cdca64
commit 0e92b02474
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
36 changed files with 1268 additions and 50 deletions


@ -1151,7 +1151,7 @@ spec:
properties:
ipStrategy:
description: 'IPStrategy holds the IP strategy configuration
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ipwhitelist/#ipstrategy'
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ipallowlist/#ipstrategy'
properties:
depth:
description: Depth tells Traefik to use the X-Forwarded-For
@ -1176,14 +1176,43 @@ spec:
type: boolean
type: object
type: object
ipWhiteList:
description: 'IPWhiteList holds the IP whitelist middleware configuration.
ipAllowList:
description: 'IPAllowList holds the IP allowlist middleware configuration.
This middleware accepts / refuses requests based on the client IP.
More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ipwhitelist/'
More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ipallowlist/'
properties:
ipStrategy:
description: 'IPStrategy holds the IP strategy configuration used
by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ipwhitelist/#ipstrategy'
by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ipallowlist/#ipstrategy'
properties:
depth:
description: Depth tells Traefik to use the X-Forwarded-For
header and take the IP located at the depth position (starting
from the right).
type: integer
excludedIPs:
description: ExcludedIPs configures Traefik to scan the X-Forwarded-For
header and select the first IP not in the list.
items:
type: string
type: array
type: object
sourceRange:
description: SourceRange defines the set of allowed IPs (or ranges
of allowed IPs by using CIDR notation).
items:
type: string
type: array
type: object
ipWhiteList:
description: 'IPWhiteList holds the IP whitelist middleware configuration.
This middleware accepts / refuses requests based on the client IP.
More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ipwhitelist/
Deprecated: please use IPAllowList instead.'
properties:
ipStrategy:
description: 'IPStrategy holds the IP strategy configuration used
by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ipallowlist/#ipstrategy'
properties:
depth:
description: Depth tells Traefik to use the X-Forwarded-For
@ -1347,7 +1376,7 @@ spec:
properties:
ipStrategy:
description: 'IPStrategy holds the IP strategy configuration
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ipwhitelist/#ipstrategy'
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ipallowlist/#ipstrategy'
properties:
depth:
description: Depth tells Traefik to use the X-Forwarded-For
@ -1535,8 +1564,22 @@ spec:
format: int64
type: integer
type: object
ipAllowList:
description: 'IPAllowList defines the IPAllowList middleware configuration.
This middleware accepts/refuses connections based on the client
IP. More info: https://doc.traefik.io/traefik/v2.10/middlewares/tcp/ipallowlist/'
properties:
sourceRange:
description: SourceRange defines the allowed IPs (or ranges of
allowed IPs by using CIDR notation).
items:
type: string
type: array
type: object
ipWhiteList:
description: IPWhiteList defines the IPWhiteList middleware configuration.
description: 'IPWhiteList defines the IPWhiteList middleware configuration.
This middleware accepts/refuses connections based on the client
IP. Deprecated: please use IPAllowList instead. More info: https://doc.traefik.io/traefik/v2.10/middlewares/tcp/ipwhitelist/'
properties:
sourceRange:
description: SourceRange defines the allowed IPs (or ranges of
@ -3415,7 +3458,7 @@ spec:
properties:
ipStrategy:
description: 'IPStrategy holds the IP strategy configuration
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ipwhitelist/#ipstrategy'
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ipallowlist/#ipstrategy'
properties:
depth:
description: Depth tells Traefik to use the X-Forwarded-For
@ -3440,14 +3483,43 @@ spec:
type: boolean
type: object
type: object
ipWhiteList:
description: 'IPWhiteList holds the IP whitelist middleware configuration.
ipAllowList:
description: 'IPAllowList holds the IP allowlist middleware configuration.
This middleware accepts / refuses requests based on the client IP.
More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ipwhitelist/'
More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ipallowlist/'
properties:
ipStrategy:
description: 'IPStrategy holds the IP strategy configuration used
by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ipwhitelist/#ipstrategy'
by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ipallowlist/#ipstrategy'
properties:
depth:
description: Depth tells Traefik to use the X-Forwarded-For
header and take the IP located at the depth position (starting
from the right).
type: integer
excludedIPs:
description: ExcludedIPs configures Traefik to scan the X-Forwarded-For
header and select the first IP not in the list.
items:
type: string
type: array
type: object
sourceRange:
description: SourceRange defines the set of allowed IPs (or ranges
of allowed IPs by using CIDR notation).
items:
type: string
type: array
type: object
ipWhiteList:
description: 'IPWhiteList holds the IP whitelist middleware configuration.
This middleware accepts / refuses requests based on the client IP.
More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ipwhitelist/
Deprecated: please use IPAllowList instead.'
properties:
ipStrategy:
description: 'IPStrategy holds the IP strategy configuration used
by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ipallowlist/#ipstrategy'
properties:
depth:
description: Depth tells Traefik to use the X-Forwarded-For
@ -3611,7 +3683,7 @@ spec:
properties:
ipStrategy:
description: 'IPStrategy holds the IP strategy configuration
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ipwhitelist/#ipstrategy'
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ipallowlist/#ipstrategy'
properties:
depth:
description: Depth tells Traefik to use the X-Forwarded-For
@ -3799,8 +3871,22 @@ spec:
format: int64
type: integer
type: object
ipAllowList:
description: 'IPAllowList defines the IPAllowList middleware configuration.
This middleware accepts/refuses connections based on the client
IP. More info: https://doc.traefik.io/traefik/v2.10/middlewares/tcp/ipallowlist/'
properties:
sourceRange:
description: SourceRange defines the allowed IPs (or ranges of
allowed IPs by using CIDR notation).
items:
type: string
type: array
type: object
ipWhiteList:
description: IPWhiteList defines the IPWhiteList middleware configuration.
description: 'IPWhiteList defines the IPWhiteList middleware configuration.
This middleware accepts/refuses connections based on the client
IP. Deprecated: please use IPAllowList instead. More info: https://doc.traefik.io/traefik/v2.10/middlewares/tcp/ipwhitelist/'
properties:
sourceRange:
description: SourceRange defines the allowed IPs (or ranges of


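--- /dev/null
+++ b/integration/fixtures/simple_allowlist.toml
@@ -0,0 +1,18 @@
+[global]
+checkNewVersion = false
+sendAnonymousUsage = false
+[log]
+level = "DEBUG"
+[entryPoints]
+[entryPoints.web]
+address = ":8000"
+[entryPoints.web.ForwardedHeaders]
+insecure = true
+[api]
+insecure = true
+[providers]
+[providers.docker]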
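Review bot: `insecure = true` under `[entryPoints.web.ForwardedHeaders]` makes Traefik accept X-Forwarded-For from any peer, which the new allowlist test needs in order to spoof client IPs, but nothing in the fixture says that this is the only reason it is set. Fixtures get copied into real deployments; add `# test-only: trust X-Forwarded-For from any peer so the suite can inject client IPs — use trustedIPs in production` above that line, and a similar `# test-only` comment above the `insecure = true` under `[api]`, which exposes the dashboard and rawdata endpoint without authentication.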


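--- /dev/null
+++ b/integration/resources/compose/allowlist.yml
@@ -0,0 +1,41 @@
+version: "3.8"
+services:
+noOverrideAllowlist:
+image: traefik/whoami
+labels:
+traefik.enable: true
+traefik.http.routers.rt1.rule: Host(`no.override.allowlist.docker.local`)
+traefik.http.routers.rt1.middlewares: wl1
+traefik.http.middlewares.wl1.ipallowlist.sourceRange: 8.8.8.8
+overrideIPStrategyRemoteAddrAllowlist:
+image: traefik/whoami
+labels:
+traefik.enable: true
+traefik.http.routers.rt2.rule: Host(`override.remoteaddr.allowlist.docker.local`)
+traefik.http.routers.rt2.middlewares: wl2
+traefik.http.middlewares.wl2.ipallowlist.sourceRange: 8.8.8.8
+traefik.http.middlewares.wl2.ipallowlist.ipStrategy: true
+overrideIPStrategyDepthAllowlist:
+image: traefik/whoami
+labels:
+traefik.enable: true
+traefik.http.routers.rt3.rule: Host(`override.depth.allowlist.docker.local`)
+traefik.http.routers.rt3.middlewares: wl3
+traefik.http.middlewares.wl3.ipallowlist.sourceRange: 8.8.8.8
+traefik.http.middlewares.wl3.ipallowlist.ipStrategy.depth: 3
+overrideIPStrategyExcludedIPsAllowlist:
+image: traefik/whoami
+labels:
+traefik.enable: true
+traefik.http.routers.rt4.rule: Host(`override.excludedips.allowlist.docker.local`)
+traefik.http.routers.rt4.middlewares: wl4
+traefik.http.middlewares.wl4.ipallowlist.sourceRange: 8.8.8.8
+traefik.http.middlewares.wl4.ipallowlist.ipStrategy.excludedIPs: 10.0.0.1,10.0.0.2
+networks:
+default:
+name: traefik-test-network
+external: true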


@ -546,6 +546,76 @@ func (s *SimpleSuite) TestIPStrategyWhitelist(c *check.C) {
}
}
func (s *SimpleSuite) TestIPStrategyAllowlist(c *check.C) {
s.createComposeProject(c, "allowlist")
s.composeUp(c)
defer s.composeDown(c)
cmd, output := s.traefikCmd(withConfigFile("fixtures/simple_allowlist.toml"))
defer output(c)
err := cmd.Start()
c.Assert(err, checker.IsNil)
defer s.killCmd(cmd)
err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 2*time.Second, try.BodyContains("override"))
c.Assert(err, checker.IsNil)
err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 2*time.Second, try.BodyContains("override.remoteaddr.allowlist.docker.local"))
c.Assert(err, checker.IsNil)
testCases := []struct {
desc string
xForwardedFor string
host string
expectedStatusCode int
}{
{
desc: "override remote addr reject",
xForwardedFor: "8.8.8.8,8.8.8.8",
host: "override.remoteaddr.allowlist.docker.local",
expectedStatusCode: 403,
},
{
desc: "override depth accept",
xForwardedFor: "8.8.8.8,10.0.0.1,127.0.0.1",
host: "override.depth.allowlist.docker.local",
expectedStatusCode: 200,
},
{
desc: "override depth reject",
xForwardedFor: "10.0.0.1,8.8.8.8,127.0.0.1",
host: "override.depth.allowlist.docker.local",
expectedStatusCode: 403,
},
{
desc: "override excludedIPs reject",
xForwardedFor: "10.0.0.3,10.0.0.1,10.0.0.2",
host: "override.excludedips.allowlist.docker.local",
expectedStatusCode: 403,
},
{
desc: "override excludedIPs accept",
xForwardedFor: "8.8.8.8,10.0.0.1,10.0.0.2",
host: "override.excludedips.allowlist.docker.local",
expectedStatusCode: 200,
},
}
for _, test := range testCases {
req := httptest.NewRequest(http.MethodGet, "http://127.0.0.1:8000", nil)
req.Header.Set("X-Forwarded-For", test.xForwardedFor)
req.Host = test.host
req.RequestURI = ""
err = try.Request(req, 1*time.Second, try.StatusCodeIs(test.expectedStatusCode))
if err != nil {
c.Fatalf("Error while %s: %v", test.desc, err)
}
}
}
func (s *SimpleSuite) TestXForwardedHeaders(c *check.C) {
s.createComposeProject(c, "whitelist")
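Review bot: TestIPStrategyAllowlist never sends a request to `no.override.allowlist.docker.local` (router rt1 in the compose fixture), so the path where the middleware runs with no explicit ipStrategy — the one where a client-supplied X-Forwarded-For must be ignored in favour of the socket address — goes untested, even though the fixture was written for it. Presumably the default strategy ignores forwarded headers (the documented RemoteAddr behaviour), in which case a spoofed header must still be rejected; add `{desc: "no override reject", xForwardedFor: "8.8.8.8", host: "no.override.allowlist.docker.local", expectedStatusCode: 403},` to testCases. Since the loop asserts only the status code, a 403 from a router that never loaded would be indistinguishable from one produced by the middleware, so also extend the rawdata probe with `try.BodyContains("no.override.allowlist.docker.local")` before running the table. TestXForwardedHeaders, whose first lines close the hunk, continues outside it.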