Updating HTTP Routes, cluster-admin, Allow access from (optional) Error

When I add an ip address range now I get:
Traceback (most recent call last):
File "/home/traefik1/.config/pypkg/get_route.py", line 119, in get_route
with urllib.request.urlopen(f'http://127.0.0.1/{api_path}/api/http/middlewares/{module}-ipallowlist@file') as res:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/urllib/request.py", line 216, in urlopen
return opener.open(url, data, timeout)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/urllib/request.py", line 525, in open
response = meth(req, response)
^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/urllib/request.py", line 634, in http_response
response = self.parent.error(
^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/urllib/request.py", line 563, in error
return self._call_chain(*args)
^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/urllib/request.py", line 496, in _call_chain
result = func(*args)
^^^^^^^^^^^
File "/usr/lib/python3.11/urllib/request.py", line 643, in http_error_default
raise HTTPError(req.full_url, code, msg, hdrs, fp)
urllib.error.HTTPError: HTTP Error 404: Not Found

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/home/traefik1/.config/actions/set-route/29waitsync", line 16, in <module>
while get_route(data).get('instance') != data['instance'] and retry <= 10:
^^^^^^^^^^^^^^^
File "/home/traefik1/.config/pypkg/get_route.py", line 122, in get_route
raise Exception(f'Error reaching traefik daemon (middlewares): {e.reason}')
Exception: Error reaching traefik daemon (middlewares): Not Found

Which, if I read correctly, means it can’t find the ipallowlist@file? And yet all my routes are working, and I have access to cluster-admin, but the new changes to the allow list are not being applied.

Any help would be greatly appreciated. Do I need to check Redis again, or start debugging the Python code? I.e. modify the module to display {api_path}{module} and see if the paths have allowed access for the required traefik1 user.

PS: Looking at the configuration files, it looks okay:
-rw-r--r-- 1 traefik1 traefik1 461 Apr 11 2025 _api.yml
-rw-r--r-- 1 traefik1 traefik1 202 May 30 2025 _default_cert.yml
-rw-r--r-- 1 traefik1 traefik1 120 Apr 11 2025 _http2https.yml
-rw-r--r-- 1 traefik1 traefik1 1265 Mar 18 08:19 cluster-admin.yml

I can’t reproduce. Which IP range did you want to add to the cluster-admin route?

This is my cluster-admin.yml to compare it to yours. I set the IP restriction to 192.168.3.0/24.

http:
  services:
    cluster-admin:
      loadBalancer:
        servers:
        - url: http://127.0.0.1:9311
  routers:
    cluster-admin-http:
      rule: Path(`/cluster-admin`) || PathPrefix(`/cluster-admin/`)
      priority: 100000
      service: cluster-admin
      middlewares:
      - http2https-redirectscheme
      entryPoints:
      - http
    cluster-admin-https:
      rule: Path(`/cluster-admin`) || PathPrefix(`/cluster-admin/`)
      priority: 100000
      service: cluster-admin
      middlewares:
      - cluster-admin-ipallowlist
      - cluster-admin-slashredirect
      - cluster-admin-stripprefix
      entryPoints:
      - https
      tls: {}
  middlewares:
    cluster-admin-ipallowlist:
      ipAllowList:
        sourceRange:
        - 192.168.3.0/24
        ipStrategy:
          depth: '{{ env "PROXIES_DEPTH" | default "0"}}'
    cluster-admin-slashredirect:
      redirectRegex:
        regex: ^.*/cluster-admin$
        replacement: /cluster-admin/
        permanent: true
    cluster-admin-stripprefix:
      stripPrefix:
        prefixes: /cluster-admin

You could check if you can reach the API.

The following command

runagent -m traefik1 grep API_PATH environment

should return the API_PATH like

API_PATH=7961b1c0-a7eb-4eb8-b191-a8d824c7af18

Replace the {api_path} with the above result and {module} with cluster-admin

http://127.0.0.1/{api_path}/api/http/middlewares/{module}-ipallowlist@file

and use curl like

curl http://127.0.0.1/7961b1c0-a7eb-4eb8-b191-a8d824c7af18/api/http/middlewares/cluster-admin-ipallowlist@file

I get the following result:

{"ipAllowList":{"sourceRange":["192.168.3.0/24"],"ipStrategy":{}},"status":"enabled","usedBy":["cluster-admin-https@file"],"name":"cluster-admin-ipallowlist@file","provider":"file","type":"ipallowlist"}
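An added example, not part of the thread and not NethServer's own code: the check from the reply above as a script that separates "middleware not loaded" (HTTP 404) from "Traefik unreachable" and compares the live `sourceRange` with the ranges the route is supposed to allow. The function names and the `10.0.8.0/24` range are assumptions made for illustration.

```python
import ipaddress
import json
import urllib.error
import urllib.request


def middleware_url(api_path, module):
    # Same URL that get_route.py requests in the traceback above.
    return (f"http://127.0.0.1/{api_path}/api/http/middlewares/"
            f"{module}-ipallowlist@file")


def fetch_live(api_path, module):
    """Return the middleware as a dict, or None if Traefik has not loaded it."""
    try:
        with urllib.request.urlopen(middleware_url(api_path, module), timeout=5) as res:
            return json.load(res)
    except urllib.error.HTTPError as e:
        if e.code == 404:  # API answered, but the middleware is not registered
            return None
        raise


def _nets(ranges):
    # Normalise so "10.0.0.1" and "10.0.0.1/32" compare equal.
    return {ipaddress.ip_network(r, strict=False) for r in ranges}


def allowlist_drift(live, expected_ranges):
    """Compare Traefik's live sourceRange with what the route should allow."""
    want = _nets(expected_ranges)
    if live is None:
        return {"loaded": False, "missing": sorted(map(str, want)), "stale": []}
    have = _nets(live["ipAllowList"]["sourceRange"])
    return {
        "loaded": True,
        "missing": sorted(str(n) for n in want - have),  # saved but not enforced
        "stale": sorted(str(n) for n in have - want),    # still enforced, no longer wanted
    }


# Constructed sample: the API response shown in the reply above.
SAMPLE = json.loads('{"ipAllowList":{"sourceRange":["192.168.3.0/24"],"ipStrategy":{}},'
                    '"status":"enabled","name":"cluster-admin-ipallowlist@file"}')

if __name__ == "__main__":
    # 10.0.8.0/24 is a made-up range standing in for a newly added one.
    print(allowlist_drift(SAMPLE, ["192.168.3.0/24", "10.0.8.0/24"]))
```

Entries under `stale` are the ones to look at first on an admin route: they are source ranges Traefik still lets through even though the saved configuration no longer lists them.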

Thanks for those commands, mrmarkuz.
They worked a treat, but the list I got back was very old.
root@mot:~# runagent -m traefik1 grep API_PATH environment
API_PATH=c32fa5ef-e976-4b60-85e5-43aac257bcbb
root@mot:~# curl http://127.0.0.1/c32fa5ef-e976-4b60-85e5-43aac257bcbb/api/http/middlewares/cluster-admin-ipallowlist@file
{"ipAllowList":{"sourceRange":["xxx.xx.xxx.xx","xxx.xx.xx.xxx","xxx.xx.xxx.xxx","192.168.160.0/24","192.168.150.0/24","10.61.157.0/24","xxx.xxx.xxx.xxx","10.245.197.0/24"],"ipStrategy":{}},"status":"enabled","usedBy":["cluster-admin-https@file"],"name":"cluster-admin-ipallowlist@file","provider":"file","type":"ipallowlist"}
(I’ve crossed out the public IP addresses, apart from the SSL tunnels, so you have an idea how I’ve set it up.)

So I’m not sure what is causing the error, apart from a permission error. Where is this file stored so I can check its permissions? Or is this self-generated? Which means my cluster-admin.yml, which looks correct, is not :slight_smile:

Thanks

And now it’s working… I wonder if crowdsec got in the way. I have no idea :rofl::rofl::rofl:
