Welcome to WuJiGu Developer Q&A Community for programmer and developer-Open, Learning and Share
docker compose - programmatically updating traefik IP whitelist

I have a docker stack that uses traefik:1.7.28 as an ssl-terminator and reverse proxy for a number of services. One of the services is intended for internal use, so I have an IP whitelist set on it to restrict access.

I would like to enable external access to IP addresses with current SSH connections. That is, when a valid SSH connection is created, I'd like to be able to add the source IP address to the whitelist, and when the session is terminated, remove it from the whitelist.

Is there a way to programmatically add to and remove from arbitrary/individual traefik parameters? Specifically, I want to be able to influence traefik.frontend.whiteList.sourceRange within the internal service.

I'm trying to tie together https://doc.traefik.io/traefik/v1.7/configuration/api/ and https://doc.traefik.io/traefik/v1.7/configuration/backends/rest/. An alternative might be to use dynamic configuration instead of an API.

version: '3.7'
services:
  traefik:
    image: traefik:1.7
    command: --api --docker --docker.exposedbydefault=false 
      --docker.domain=mydomain.com 
      --entryPoints="Name:https Address::443 TLS:/ssl/mydomain-ucc.chained.crt,/ssl/mydomain-cc.key" 
      --entryPoints="Name:http Address::80 Redirect.EntryPoint:https" 
      --accessLog.format="json" 
      --accessLog.filePath="/log/access.log" 
      --traefikLog.format="json" 
      --traefikLog.filePath="/log/traefik.log" 
      --rest.entryPoint=traefik
    ports:
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host
      - "8081:8080" # webui
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /srv/ssl:/ssl:ro
      - /srv/tklogs:/log
  internal:
    image: nginx:1.19
    depends_on:
      - traefik
    volumes:
      - /int/path:/usr/share/nginx/html:ro
    labels:
      - traefik.enable=true
      - traefik.frontend.entryPoints=https
      - traefik.frontend.passHostHeader=true
      - traefik.frontend.whiteList.sourceRange=127.0.0.1/16,172.16.0.0/12
      - traefik.frontend.whiteList.useXForwardedFor=true
      - traefik.frontend.rule=PathPrefixStrip:/int
      - traefik.frontend.headers.referrerPolicy=same-origin
      - traefik.frontend.headers.STSSeconds=315360000

System: ubuntu-16.04, openssh-7.2p2.

Notes:

  • If this is possible in traefik-v2 and not in v1.7, that may be the final impetus I need to make the migration.
  • It is possible for users to set up an ssh-tunnel and access the internal site that way. That's not what I'm trying to do this time, but I will revert to that if needed.
Question from: https://stackoverflow.com/questions/65831961/programmatically-updating-traefik-ip-whitelist
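The SSH-login-driven whitelist the question describes, as an added example that is not part of the original post and not Traefik's own code. It uses the v1.7 REST provider the question links to (`PUT /api/providers/rest`) rather than the docker provider, because each provider owns its own frontends and a PUT replaces the REST provider's configuration wholesale: the `internal` frontend therefore has to be defined through the REST provider (drop or disable the docker labels on the nginx service so there are not two frontends for `/int`), and every push carries the complete whitelist, static ranges included. The hook is driven by sshd's PAM session events through `pam_exec`, which exports `PAM_TYPE` and `PAM_RHOST` to the script. The PAM line, the state-file path, the loopback REST URL and the `http://internal:80` backend address are assumptions, not taken from the question.

```python
#!/usr/bin/env python3
"""Added example, not code from the question: a pam_exec hook for sshd that
counts live SSH sessions per client address and pushes the resulting
whitelist to Traefik 1.7's REST provider.

Assumed wiring, added to /etc/pam.d/sshd (runs as root under sshd):
    session optional pam_exec.so /usr/local/sbin/traefik-ssh-allow.py
pam_exec exports PAM_TYPE (open_session / close_session) and PAM_RHOST
(the client address when sshd runs with UseDNS no, Ubuntu's default).
"""
import fcntl
import ipaddress
import json
import os
import sys
import urllib.request

# Assumptions not present in the question: the state file, the REST provider
# URL (8081 is the host port the compose file publishes for the API) and the
# URL by which Traefik reaches the nginx container (compose service name).
STATE_FILE = "/var/lib/traefik-ssh-allow/sessions.json"
TRAEFIK_REST_URL = "http://127.0.0.1:8081/api/providers/rest"
INTERNAL_BACKEND_URL = "http://internal:80"
# Static ranges copied from the question's whiteList.sourceRange label.
BASE_RANGES = ["127.0.0.1/16", "172.16.0.0/12"]


def update_sessions(sessions, pam_type, rhost):
    """Return a new {address: live_session_count} map after one PAM event.

    A second login from the same address bumps the count, so the address is
    only dropped when its last session closes.  Anything that is not an IP
    literal (a hostname, an empty PAM_RHOST) is ignored rather than
    whitelisted, and unknown PAM_TYPE values leave the map untouched."""
    new = dict(sessions)
    try:
        key = str(ipaddress.ip_address(rhost))
    except ValueError:
        return new
    if pam_type == "open_session":
        new[key] = new.get(key, 0) + 1
    elif pam_type == "close_session":
        remaining = new.get(key, 0) - 1
        if remaining > 0:
            new[key] = remaining
        else:
            new.pop(key, None)
    return new


def source_ranges(sessions):
    """Static ranges plus one host prefix (/32 or /128) per live address."""
    dynamic = sorted(str(ipaddress.ip_network(ip)) for ip in sessions)
    return BASE_RANGES + dynamic


def rest_config(sessions):
    """Complete dynamic configuration for the REST provider: a PUT replaces
    the provider's whole configuration, so the `internal` frontend and backend
    are spelled out in full (the settings the question keeps in labels)."""
    return {
        "frontends": {
            "internal": {
                "entryPoints": ["https"],
                "backend": "internal",
                "passHostHeader": True,
                "routes": {"int": {"rule": "PathPrefixStrip:/int"}},
                "whiteList": {"sourceRange": source_ranges(sessions)},
                "headers": {"referrerPolicy": "same-origin",
                            "stsSeconds": 315360000},
            }
        },
        "backends": {
            "internal": {
                "servers": {"nginx": {"url": INTERNAL_BACKEND_URL, "weight": 1}}
            }
        },
    }


def push(config, url=TRAEFIK_REST_URL):
    """PUT the configuration to Traefik and return the HTTP status code."""
    req = urllib.request.Request(
        url, data=json.dumps(config).encode(), method="PUT",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def main():
    pam_type = os.environ.get("PAM_TYPE", "")
    rhost = os.environ.get("PAM_RHOST", "")
    os.makedirs(os.path.dirname(STATE_FILE), mode=0o700, exist_ok=True)
    # Exclusive lock: two logins or logouts racing would otherwise overwrite
    # each other's state and push a whitelist missing one of them.
    with open(STATE_FILE, "a+") as f:
        fcntl.flock(f, fcntl.LOCK_EX)
        f.seek(0)
        raw = f.read()
        sessions = update_sessions(json.loads(raw) if raw else {}, pam_type, rhost)
        f.seek(0)
        f.truncate()
        json.dump(sessions, f)
        f.flush()
        push(rest_config(sessions))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Three checks are worth making before relying on this. The compose file publishes the API on host port 8081 on every interface, and anyone who can reach the REST endpoint can replace the routing table, so publish it as `127.0.0.1:8081:8080` or put authentication on the `traefik` entrypoint. The REST provider holds its configuration in memory only, so after a Traefik restart the `internal` frontend does not exist until the next push; a boot-time unit that runs the script once (with no `PAM_TYPE`, which leaves the state untouched) covers that. The script also leaves `useXForwardedFor` unset on purpose: `PAM_RHOST` is the TCP peer sshd saw, and Traefik here terminates TLS on host-mode ports itself, so comparing the whitelist against the real source address keeps the two in step, whereas trusting `X-Forwarded-For` lets a client present a whitelisted address in that header unless the entrypoint's `forwardedHeaders.trustedIPs` restricts who may set it. With `session optional`, a failed push never blocks an SSH login; it only leaves the whitelist stale until the next event.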
