Is a Traefik IP whitelist safe?

So I’m hosting a lot of Docker containers, a lot of which are behind a Traefik reverse proxy. Is it safe to use IPWhitelist middleware? I want to ensure that only the LAN can access the services while using HTTPS, because some services (like Radarr and Sonarr) have a password and I don’t want that information sent without encryption / SSL.

Could someone spoof their client IP address and bypass the Traefik IP whitelist?

johntash,

As an alternative, have you considered putting those services behind a vpn like tailscale/wire guard/head scale?

vzq,

It should be ok, but it sounds like you’re trying to solve the problem at the wrong layer.

If you want to filter by IP you should do it at the layer where IPs have meaning, which means doing it in the firewall rules.

Also blocking out at the http layer provides some defense in depth.

JVT038,

Thank you for your comment.

What do you mean with the http layer? I’m already automatically redirecting from HTTP to HTTPS.

x3i,

Meaning layer 7 in OSI model https://en.m.wikipedia.org/wiki/OSI_model

immortaly007,

Something to keep in mind here. I am also using an IP white-list, but only on some services Traefik hosts.

So for example bitwarden is behind an IP white-list, but subsonic is reachable from any IP.

I think in that case it’s not really possible (or doable) to write L2 firewall routes.

But if you want all traffic to port 80 on your server to be IP whitelisted, then a regular firewall would be good.

vzq,

I can see how this would be a useful property in a pinch, but personally it would make me rather uncomfortable.

First of all, IP white lists in general make less and less sense in a world of carrier grade NAT and mobile Internet. The position of a device or user on the network is fluid and not particularly meaningful. If you want to authenticate the user, authenticate the user.

Second, while an IP white list at the http level is fishy, an IP white list at the http level that is conditional on information in an http header (the Host: field) is a huge screaming red flag. I can think of a dozen ways for everything to go sideways.

Third, serving both internal and external traffic from the same httpd process/reverse proxy is a huge smell for your network architecture. The only hardware that gets to see both internal and external traffic should be your router, and it should have no business serving web applications.

I’m sure you have your reasons for doing things this way, as does OP, but I really urge you to take a good look and evaluate whether it’s worth it.

immortaly007,

I agree for serious/business applications. In my case, it’s a home server that I and some close friends and family access. But it is indeed exposed (basically, my router routes port 80 and 443 to the server within the NAT).

To discuss the header-based firewall: the host is used by Traefik to determine which docker container to route (reverse proxy) the traffic to. So I don’t see any obvious ways an attacker can really manipulate that to reach (in my case) the bitwarden instance. My main attack angle this protects if is there is some vulnerability in Bitwarden and bots are going around exploiting that. That way at least Traefik would already block them before they get to bitwarden.

But yes another service with a vulnerability could be exploited, then escape that docker container and you’re in the whole server.

  • All
  • Subscribed
  • Moderated
  • Favorites
  • random
  • uselessserver093
  • Food
  • aaaaaaacccccccce
  • [email protected]
  • test
  • CafeMeta
  • testmag
  • MUD
  • RhythmGameZone
  • RSS
  • dabs
  • Socialism
  • KbinCafe
  • TheResearchGuardian
  • Ask_kbincafe
  • oklahoma
  • feritale
  • SuperSentai
  • KamenRider
  • All magazines
    •