Closed capperstrnd closed 1 month ago
Tried it on v4.0.0-beta.312 as well and issue remains
Managed to solve this from the DNS side of things with a WAF rule that only applies to my internal subdomains, which I think is the better way of doing it should one for whatever reason lose VPN access but still have access to the DNS service.
Marking this as solved since this shouldn't be managed on the resource/reverse proxy level but externally through firewall/DNS service
I've been looking for an answer to this for a month now. I need to ipAllowList pocketbase's /api/admins/* route, and I can't/don't know how to use the firewall for subpaths. The issue needs to be open. I'm frustrated.
If you are using Cloudflare you can apply a WAF rule that could achieve this, where you check if the domain contains that part and if the user is coming from an allowed ip.
But there are niche cases where this might be required on the resource level I agree so I'll reopen this for you.
A niche I had in mind is being able to block outside access to just VPN users, but then on the ipblocklist being able to block a per-user IP with a WireGuard-assigned IP address.
The problem arises from the auto-magic docker label configuration. When you add a middleware to the compose file it associates it with the main route of your application no matter what.
The workaround I found was to create a dynamic traefik file:

```yaml
http:
  middlewares:
    pocketbase-auth:
      basicAuth:
        users:
          - 'test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/'
    pocketbase-ipfilter:
      ipWhiteList:
        sourceRange:
          - '{{env "HOMEIP"}}'
          - 222.211.122.112
  routers:
    pocketbase-admin:
      entryPoints:
        - https
      service: pocketbase-xxxxxxx
      rule: 'Host(`pocketbase-xxxxxxx.mydomain.com`) && PathPrefix(`/api/admins`)'
      middlewares:
        - pocketbase-auth
        - pocketbase-ipfilter
      tls:
        certresolver: letsencrypt
  services:
    pocketbase-xxxxxxx:
      loadBalancer:
        servers:
          - url: 'http://pocketbase-xxxxxxx:8080'
```
Description
Hi! Just started using Coolify and ran into a stumbling block.
I've just set up a wireguard VPN on a docker compose (which is working flawlessly), and I want to use this as a gatekeeper for other resources. Which I hoped to be a one-liner in my docker composes that I want to keep private (and also my nodejs apps in the future but haven't gotten to those yet).
I'm essentially trying to append the following label
- "traefik.http.middlewares.testipblock.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.0/24, 10.8.0.0/24"
Which should block out any IP addresses that aren't within the network through the WireGuard VPN, but the auto-compose rewrite doesn't seem to pick it up.
If I click "Show deployable compose" and scroll down to the last instance of middlewares it looks like this:
- traefik.http.routers.<unique route>.middlewares=gzip
and has simply ignored the testipblock I added earlier... My temporary solution is to just block it through the firewall, so I have to use the IP address + port of my private docker instance to get at them with the VPN. Which isn't as elegant as using my own subdomain + domain.
Minimal Reproduction (if possible, example repository)
Start up any docker compose and add the following label
- "traefik.http.middlewares.hello-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.0/24, 10.8.0.0/24"
Save it, and look at the "Deployable compose" version and verify if it exists in the last instance of "middleware" (search and find).
Exception or Error
No response
Version
v4.0.0-beta.310
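The reproduction step above boils down to one check: is the middleware you defined actually listed in some router's `middlewares` label of the deployable compose, and do its `sourcerange` entries parse as the networks you meant? The following Python script automates that check. It is an added example, not code from the Coolify project or from anyone in this thread; the label set it audits is constructed to mirror the symptom described in the issue (an `ipallowlist` middleware defined, but the only router label still reading `middlewares=gzip`), and the router name `http-0-example` is a placeholder for Coolify's generated `<unique route>` name. Label keys are compared case-insensitively, which matches how Traefik's docker provider treats them.

```python
"""Audit Traefik docker labels: find middlewares that are defined but never
attached to any router, and sanity-check an ipallowlist/ipwhitelist sourcerange.

Added example (not part of the issue or of Coolify); the sample labels below
are constructed to mirror the symptom described in the issue.
"""
import ipaddress
import re
from typing import Dict, List, Set

# traefik.http.middlewares.<name>.<type>.<option>
MW_DEF = re.compile(r"^traefik\.http\.middlewares\.([^.]+)\.(.+)$")
# traefik.http.routers.<name>.middlewares
ROUTER_MW = re.compile(r"^traefik\.http\.routers\.([^.]+)\.middlewares$")

# Constructed sample: what the "deployable compose" might contain after
# adding the middleware label from the issue. Router name is hypothetical.
SAMPLE_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.http-0-example.rule=Host(`app.example.com`)",
    "traefik.http.middlewares.testipblock.ipallowlist.sourcerange="
    "127.0.0.1/32, 192.168.1.0/24, 10.8.0.0/24",
    "traefik.http.routers.http-0-example.middlewares=gzip",
]


def parse_labels(labels: List[str]) -> Dict[str, str]:
    """Turn 'key=value' label strings into a dict; keys lowercased because
    Traefik matches label keys case-insensitively (assumption stated in the text)."""
    parsed: Dict[str, str] = {}
    for raw in labels:
        key, _, value = raw.partition("=")
        parsed[key.strip().lower()] = value.strip()
    return parsed


def defined_middlewares(labels: Dict[str, str]) -> Set[str]:
    """Names of every middleware that has at least one configuration label."""
    return {m.group(1) for key in labels if (m := MW_DEF.match(key))}


def attached_middlewares(labels: Dict[str, str]) -> Dict[str, List[str]]:
    """router name -> list of middleware names referenced by that router."""
    attached: Dict[str, List[str]] = {}
    for key, value in labels.items():
        m = ROUTER_MW.match(key)
        if m:
            attached[m.group(1)] = [x.strip() for x in value.split(",") if x.strip()]
    return attached


def unattached_middlewares(labels: Dict[str, str]) -> List[str]:
    """Middlewares that are defined but that no router actually uses.
    A middleware in this list has no effect on traffic at all."""
    used = {mw for mws in attached_middlewares(labels).values() for mw in mws}
    return sorted(defined_middlewares(labels) - used)


def source_ranges(labels: Dict[str, str], name: str) -> List[ipaddress._BaseNetwork]:
    """Parse the sourcerange of an ipallowlist (Traefik v3) or ipwhitelist (v2)
    middleware into network objects; raises ValueError on a malformed entry."""
    raw = (labels.get(f"traefik.http.middlewares.{name}.ipallowlist.sourcerange")
           or labels.get(f"traefik.http.middlewares.{name}.ipwhitelist.sourcerange")
           or "")
    return [ipaddress.ip_network(x.strip(), strict=False) for x in raw.split(",") if x.strip()]


def ip_allowed(client_ip: str, networks: List[ipaddress._BaseNetwork]) -> bool:
    """Would this (remote-address) client pass the allowlist?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    labels = parse_labels(SAMPLE_LABELS)
    for name in unattached_middlewares(labels):
        print(f"WARNING: middleware '{name}' is defined but attached to no router")
    nets = source_ranges(labels, "testipblock")
    for ip in ("10.8.0.5", "203.0.113.7"):
        print(ip, "allowed" if ip_allowed(ip, nets) else "denied")
```

Run it against the label list copied out of "Show deployable compose"; a warning for the middleware you just added is exactly the failure the issue reports. The `ip_allowed` check mirrors Traefik's default behaviour of testing the connection's remote address; if Traefik sits behind another proxy or a CDN, the allowlist only sees the upstream proxy's address unless an `ipStrategy` is configured on the middleware.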