I have a docker stack that uses traefik:1.7.28 as an ssl-terminator and reverse proxy for a number of services. One of the services is intended for internal use, so I have an IP whitelist set on it to restrict access.
I would like to enable external access to IP addresses with current SSH connections. That is, when a valid SSH connection is created, I'd like to be able to add the source IP address to the whitelist, and when the session is terminated, remove it from the whitelist.
Is there a way to programmatically add to and remove from arbitrary/individual traefik parameters? Specifically, I want to be able to influence traefik.frontend.whiteList.sourceRange within the internal service.
I'm trying to tie together https://doc.traefik.io/traefik/v1.7/configuration/api/ and https://doc.traefik.io/traefik/v1.7/configuration/backends/rest/. An alternative might be to use dynamic configuration instead of an API.
```yaml
version: '3.7'
services:
  traefik:
    image: traefik:1.7
    command: >-
      --api --docker --docker.exposedbydefault=false
      --docker.domain=mydomain.com
      --entryPoints="Name:https Address::443 TLS:/ssl/mydomain-ucc.chained.crt,/ssl/mydomain-cc.key"
      --entryPoints="Name:http Address::80 Redirect.EntryPoint:https"
      --accessLog.format="json"
      --accessLog.filePath="/log/access.log"
      --traefikLog.format="json"
      --traefikLog.filePath="/log/traefik.log"
      --rest.entryPoint=traefik
    ports:
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host
      - "8081:8080" # webui
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /srv/ssl:/ssl:ro
      - /srv/tklogs:/log
  internal:
    image: nginx:1.19
    depends_on:
      - traefik
    volumes:
      - /int/path:/usr/share/nginx/html:ro
    labels:
      - traefik.enable=true
      - traefik.frontend.entryPoints=https
      - traefik.frontend.passHostHeader=true
      - traefik.frontend.whiteList.sourceRange=127.0.0.1/16,172.16.0.0/12
      - traefik.frontend.whiteList.useXForwardedFor=true
      - traefik.frontend.rule=PathPrefixStrip:/int
      - traefik.frontend.headers.referrerPolicy=same-origin
      - traefik.frontend.headers.STSSeconds=315360000
```
System: ubuntu-16.04, openssh-7.2p2.
Notes:
- If this is possible in traefik-v2 and not in v1.7, that may be the final impetus I need to make the migration.
- It is possible for users to set up a ssh-tunnel and access the internal site that way. That's not what I'm trying to do this time, but will revert to that if needed.
question from:
https://stackoverflow.com/questions/65831961/programmatically-updating-traefik-ip-whitelist
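One way to wire this up with the Traefik 1.7 REST provider the question links to, as an added example that is not part of the question, of Traefik, or of OpenSSH. It assumes (hypothetically, none of this is in the original post) that the internal frontend is moved off the Docker labels and defined through the REST provider instead, because a PUT to /api/providers/rest replaces only the REST provider's own configuration and cannot edit a frontend that the Docker provider created; that Traefik's API entrypoint is published on the host at 127.0.0.1:8081 as in the compose file; and that the script runs as a pam_exec session hook for sshd, which hands it PAM_TYPE (open_session / close_session) and PAM_RHOST. The state file path, REST URL, and script name are made up for the example.

```python
#!/usr/bin/env python3
"""Added example (not from the question, Traefik or OpenSSH): keep a per-IP count
of live SSH sessions and push the internal frontend's whitelist to Traefik 1.7
through its REST provider whenever that set changes.

Assumptions (hypothetical, not from the original post): the internal frontend is
owned by the REST provider instead of Docker labels, Traefik's API is reachable
at 127.0.0.1:8081, and pam_exec in /etc/pam.d/sshd runs this script with
PAM_TYPE and PAM_RHOST in the environment.
"""
import fcntl
import ipaddress
import json
import os
import sys
import urllib.request
from pathlib import Path

STATE_FILE = Path("/var/lib/traefik-ssh-whitelist/sessions.json")  # assumption
TRAEFIK_REST_URL = "http://127.0.0.1:8081/api/providers/rest"      # assumption
# Static ranges copied from the question's traefik.frontend.whiteList.sourceRange label.
STATIC_RANGES = ["127.0.0.1/16", "172.16.0.0/12"]


def to_cidr(rhost):
    """PAM_RHOST as a single-host CIDR, or None when it is not an IP literal
    (sshd passes a hostname when UseDNS is on; those are never whitelisted)."""
    try:
        ip = ipaddress.ip_address(rhost)
    except ValueError:
        return None
    return f"{ip}/{ip.max_prefixlen}"


def apply_session_event(counts, pam_type, rhost):
    """Return a new {cidr: open-session count} map after one PAM session event.
    Counting per address keeps a second login from the same IP reachable when
    the first one logs out."""
    new = dict(counts)
    cidr = to_cidr(rhost)
    if cidr is None:
        return new
    if pam_type == "open_session":
        new[cidr] = new.get(cidr, 0) + 1
    elif pam_type == "close_session" and cidr in new:
        if new[cidr] <= 1:
            del new[cidr]
        else:
            new[cidr] -= 1
    return new


def build_rest_config(counts):
    """The complete dynamic configuration for the REST provider: a PUT replaces
    everything that provider supplied before, so frontend and backend are sent
    every time, not just the changed whitelist."""
    ranges = STATIC_RANGES + sorted(counts)
    return {
        "frontends": {
            "internal": {
                "backend": "internal",
                "entryPoints": ["https"],
                "passHostHeader": True,
                "routes": {"int": {"rule": "PathPrefixStrip:/int"}},
                # useXForwardedFor stays False: Traefik is the TLS edge here, so a
                # client could otherwise set X-Forwarded-For itself to pass the check.
                "whiteList": {"sourceRange": ranges, "useXForwardedFor": False},
            }
        },
        # "internal" is the nginx service name on the compose network.
        "backends": {"internal": {"servers": {"nginx": {"url": "http://internal:80"}}}},
    }


def load_counts(path):
    try:
        return json.loads(path.read_text())
    except FileNotFoundError:
        return {}


def push_rest_config(config, url=TRAEFIK_REST_URL):
    req = urllib.request.Request(url, data=json.dumps(config).encode(), method="PUT",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def main(argv):
    pam_type = os.environ.get("PAM_TYPE", "")
    rhost = os.environ.get("PAM_RHOST", "")
    STATE_FILE.parent.mkdir(parents=True, exist_ok=True)
    with open(STATE_FILE.with_suffix(".lock"), "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)  # concurrent logins serialise here
        counts = load_counts(STATE_FILE)
        new_counts = apply_session_event(counts, pam_type, rhost)
        # "--sync" re-pushes the current state, e.g. after a Traefik restart: the
        # REST provider keeps what it was given in memory only.
        if new_counts != counts or "--sync" in argv:
            STATE_FILE.write_text(json.dumps(new_counts))
            push_rest_config(build_rest_config(new_counts))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Hooking it in would be a line such as `session optional pam_exec.so /usr/local/sbin/traefik-ssh-whitelist.py` in /etc/pam.d/sshd (path is an assumption), with the `internal` service's traefik.* labels removed so the Docker provider stops defining a competing frontend. Two things worth checking alongside: the API and REST endpoint on 8080 carry no authentication in 1.7, so the `8081:8080` publish should be bound to 127.0.0.1 rather than all interfaces, and sshd's ClientAliveInterval should be set so that a dropped connection still produces the close_session event that removes the address.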