OK, I think I got this.
I successfully added “ipAllowList” to several .yml files in /home/traefik1/.config/state/configs
Please do not do this on a production system!!!
As an example I will post here my
- mariadb1.yml to restrict access to phpMyAdmin

```yaml
http:
  middlewares:                     # <-- Add
    pma-ipallowlist:               # <-- Add
      ipAllowList:                 # <-- Add
        sourceRange:               # <-- Add
          - "127.0.0.1/32"         # <-- Add, I'm not sure if this is needed
          - "xxx.xxx.xxx.xxx"      # <-- Add, here you can add IPs to allow access
  services:
    mariadb1:
      loadBalancer:
        servers:
          - url: http://127.0.0.1:20014
  routers:
    mariadb1-http:
      rule: Path(`/phpmyadmin`) || PathPrefix(`/phpmyadmin/`)
      middlewares:                 # <-- Add
        - pma-ipallowlist          # <-- Add
      priority: '1'
      entryPoints: http,https
      service: mariadb1
    mariadb1-https:
      rule: Path(`/pma`) || PathPrefix(`/pma/`)
      middlewares:                 # <-- Add
        - pma-ipallowlist          # <-- Add
      priority: '1'
      entryPoints: http,https
      service: mariadb1
      tls: {}
```
I added everything marked with “<-- Add” to the existing config.
A restart of the container was not necessary.
- _api_server.yml to restrict access to cluster-admin

```yaml
http:
  middlewares:                     # <-- Add
    cluster-ipallowlist:           # <-- Add
      ipAllowList:                 # <-- Add
        sourceRange:               # <-- Add
          - "127.0.0.1/32"         # <-- Add, I'm not sure if this is needed
          - "xxx.xxx.xxx.xxx"      # <-- Add, here you can add IPs to allow access
    ApiServer-stripprefix:
      stripPrefix:
        forceSlash: 'false'
        prefixes:
          - /cluster-admin
    ApiServerMw2:
      redirectRegex:
        regex: ^.*/cluster-admin$
        replacement: /cluster-admin/
  routers:
    ApiServer-http:
      entrypoints:
        - http
      middlewares:
        - http2https-redirectscheme
      rule: Path(`/cluster-admin`) || PathPrefix(`/cluster-admin/`)
      service: ApiServer
      priority: '100000'
    ApiServer-https:
      entrypoints:
        - https
      middlewares:
        - cluster-ipallowlist      # <-- Add
        - ApiServerMw2
        - ApiServer-stripprefix
      priority: '100000'
      rule: Path(`/cluster-admin`) || PathPrefix(`/cluster-admin/`)
      service: ApiServer
      tls: {}
  services:
    ApiServer:
      loadBalancer:
        servers:
          - url: http://127.0.0.1:9311
```
I added everything marked with “<-- Add” to the existing config.
A restart of the container was not necessary.
As you can see, the “<-- Add” lines are in different places.
It looks like there is no “one size fits all” solution here, but I might be wrong.
The openldap1-amld.yml also has to be modified differently.
Directly after the last “middlewares:” add the following:
```yaml
    uadmin-ipallowlist:
      ipAllowList:
        sourceRange:
          - "127.0.0.1/32"
          - "xxx.xxx.xxx.xxx"
```
Then look for “middlewares:” in “openldap1-amld-http:” and “openldap1-amld-https:”.
Add “- uadmin-ipallowlist” as the first entry.
It seems that “ipAllowList” can be applied to all .yml files where you want to restrict access.
Can someone confirm that this is the right way to do it?
Another thing is that I don't believe this will survive updates, am I right?
Lastly, in my opinion, it would be nice to have something like this in the cluster-admin GUI.
Even when I run NS8 LAN-only, it should be possible to restrict access to certain web services; again, this is my opinion.
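To make the “is 127.0.0.1/32 needed?” question from the post concrete, here is an added simulation of how the Traefik `ipAllowList` middleware decides to accept or reject a request. It is illustration code written for this thread, not Traefik’s or NethServer’s implementation; it follows the semantics in the Traefik docs: without an `ipStrategy`, the middleware compares the TCP peer address (RemoteAddr) against `sourceRange` and ignores `X-Forwarded-For`; with `ipStrategy.depth: N` it takes the N-th address from the right of `X-Forwarded-For`; with `ipStrategy.excludedIPs` it takes the right-most `X-Forwarded-For` address not in that list. The addresses are constructed: `192.0.2.10` stands in for the `xxx.xxx.xxx.xxx` admin workstation, `192.0.2.99` is another LAN host, `198.51.100.1` is an assumed upstream proxy, and the request labels are hypothetical.

```python
import ipaddress

# Constructed stand-in for the post's sourceRange: loopback plus the admin
# workstation (192.0.2.10, RFC 5737 documentation range, replaces xxx.xxx.xxx.xxx).
SOURCE_RANGE = ["127.0.0.1/32", "192.0.2.10"]


def parse_source_range(source_range):
    """Turn sourceRange entries into ip_network objects; a bare IP becomes a /32 (or /128)."""
    return [ipaddress.ip_network(entry, strict=False) for entry in source_range]


def client_ip(remote_addr, xff="", depth=0, excluded_ips=()):
    """Pick the client IP the way Traefik's ipStrategy does (simulation, not Traefik code).

    - no ipStrategy: the TCP peer address; X-Forwarded-For is ignored entirely
    - depth=N:       the N-th address from the right of X-Forwarded-For, None if shorter
    - excludedIPs:   the right-most X-Forwarded-For address not in excluded_ips, else None
    Returns the address as a string, or None when the strategy yields nothing.
    """
    forwarded = [h.strip() for h in xff.split(",") if h.strip()]
    if depth > 0:
        return forwarded[-depth] if len(forwarded) >= depth else None
    if excluded_ips:
        excluded = parse_source_range(excluded_ips)
        for candidate in reversed(forwarded):
            try:
                if not any(ipaddress.ip_address(candidate) in net for net in excluded):
                    return candidate
            except ValueError:
                return None
        return None
    host, _, _ = remote_addr.rpartition(":")   # "ip:port" or "[v6]:port"
    return host.strip("[]")


def is_allowed(source_range, ip):
    """The middleware's accept decision: ip must fall inside some sourceRange entry."""
    if ip is None:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in parse_source_range(source_range))


# Constructed requests: (label, TCP peer "ip:port", X-Forwarded-For, ipStrategy kwargs)
REQUESTS = [
    ("admin workstation, direct",         "192.0.2.10:51234", "",           {}),
    ("other LAN host, direct",            "192.0.2.99:51235", "",           {}),
    ("other LAN host, spoofed XFF",       "192.0.2.99:51236", "192.0.2.10", {}),
    ("local process over loopback",       "127.0.0.1:51237",  "",           {}),
    ("admin via trusted proxy, depth=1",  "198.51.100.1:443", "192.0.2.10", {"depth": 1}),
    ("other LAN host via proxy, depth=1", "198.51.100.1:443", "192.0.2.99", {"depth": 1}),
    ("admin via proxy, excludedIPs",      "198.51.100.1:443",
     "192.0.2.10, 198.51.100.1", {"excluded_ips": ["198.51.100.0/24"]}),
]


def evaluate(requests=REQUESTS, source_range=SOURCE_RANGE):
    """Return {label: (client_ip, allowed)} for each constructed request."""
    out = {}
    for label, remote_addr, xff, strategy in requests:
        ip = client_ip(remote_addr, xff, **strategy)
        out[label] = (ip, is_allowed(source_range, ip))
    return out


if __name__ == "__main__":
    for label, (ip, ok) in evaluate().items():
        print(f"{('ALLOW' if ok else 'DENY'):5}  {label:36} client_ip={ip}")
    # Same requests with the loopback entry removed: only the local-process case changes.
    no_loopback = evaluate(source_range=["192.0.2.10"])
    print("loopback without 127.0.0.1/32:", no_loopback["local process over loopback"])
```

Two things the run makes visible. With the default strategy a spoofed `X-Forwarded-For` changes nothing, because only the peer address is checked; that also means the `127.0.0.1/32` entry only ever matches a connection that reaches Traefik from the node itself over loopback, and whether anything on an NS8 node does that is exactly the question left open in the post. Conversely, if another reverse proxy sits in front of Traefik, every request arrives with that proxy’s address as the peer, and the allowlist is useless until `ipStrategy.depth` or `excludedIPs` is configured for it.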