Open kkimdev opened 6 years ago
I think that this feature is not necessary. You can allow only requests that come from your CDN in a very simple way:
In your traefik toml configuration file you can define a centralized ip-whitelist middleware like this:
```toml
[http.middlewares.cloudflare-ip-whitelist.ipWhiteList]
  sourceRange = ["173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20", "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/12", "172.64.0.0/13", "131.0.72.0/22"]
```
And then in the routers, you can apply the middleware in a simple way:
```toml
[http.routers.sample-app]
  rule = "Host(`app.sample.com`)"
  service = "mysampleservice"
  entrypoints = ["web"]
  middlewares = ["cloudflare-ip-whitelist"] #<-----
```
Or, if you are using docker provider, you can apply the middleware to the container using labels, continuing the example, adding this is sufficient:
```yaml
- "traefik.http.routers.sample-app.middlewares=cloudflare-ip-whitelist@file"
```
It is not a good idea to put this class of logic embedded/hardcoded in the source code of a reverse proxy.
Whilst I agree this might not be "traefik's problem" your proposed solution will need a lot of manual intervention. Checking when CDN IP whitelists update and then updating the middleware manually.
Unfortunately, this doesn't really sit anywhere. Traefik can't do it, Helm can't do it, Terraform with the Kubernetes and CloudFlare provider can though... but then we need to convert all the publicly available Helm charts to Terraform (another huge task). This is a ballache to solve....
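The manual-update concern above can be addressed outside Traefik: generate the `cloudflare-ip-whitelist` middleware from Cloudflare's published list and drop the result into the file provider's directory (the `--providers.file.directory` setting, which Traefik watches). The following is an added example, not Traefik's or Cloudflare's code. It embeds the CIDR list from the comment above so it runs offline, validates every entry before rendering, and includes a small checker that tells you whether a given peer address would pass the middleware. The URL `https://www.cloudflare.com/ips-v4` and the middleware name are assumptions taken from the thread; the Traefik-side detail it relies on is that `ipWhiteList` compares the TCP peer address unless an `ipStrategy` is configured.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/http"
	"os"
	"strings"
)

// cloudflareIPv4 is the CIDR list from the comment above, embedded so the
// program runs offline. Cloudflare changes it over time, so a deployment
// should refresh it with FetchRanges rather than trust a pasted copy.
var cloudflareIPv4 = []string{
	"173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
	"141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
	"197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/12",
	"172.64.0.0/13", "131.0.72.0/22",
}

// FetchRanges downloads a one-CIDR-per-line list (the format of
// https://www.cloudflare.com/ips-v4 and ips-v6, assumed here) and validates
// every entry, so a truncated or garbled download cannot reach the middleware.
func FetchRanges(url string) ([]string, error) {
	resp, err := http.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("GET %s: %s", url, resp.Status)
	}
	var cidrs []string
	sc := bufio.NewScanner(resp.Body)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		if _, _, err := net.ParseCIDR(line); err != nil {
			return nil, fmt.Errorf("bad CIDR %q: %w", line, err)
		}
		cidrs = append(cidrs, line)
	}
	return cidrs, sc.Err()
}

// BuildIPWhitelistTOML renders the Traefik v2 ipWhiteList middleware from the
// comment above as a file-provider (dynamic configuration) TOML document.
// It refuses an empty or invalid list so that a failed refresh can never
// silently overwrite a good rule.
func BuildIPWhitelistTOML(name string, cidrs []string) (string, error) {
	if len(cidrs) == 0 {
		return "", fmt.Errorf("refusing to write %s: empty source range", name)
	}
	quoted := make([]string, 0, len(cidrs))
	for _, c := range cidrs {
		if _, _, err := net.ParseCIDR(c); err != nil {
			return "", fmt.Errorf("refusing to write %s: bad CIDR %q: %w", name, c, err)
		}
		quoted = append(quoted, fmt.Sprintf("%q", c))
	}
	return fmt.Sprintf("[http.middlewares.%s.ipWhiteList]\n  sourceRange = [%s]\n",
		name, strings.Join(quoted, ", ")), nil
}

// IsFromCDN reports whether the peer address ip (what ipWhiteList checks when
// no ipStrategy is configured) lies inside one of the CIDRs.
func IsFromCDN(ip string, cidrs []string) (bool, error) {
	addr := net.ParseIP(ip)
	if addr == nil {
		return false, fmt.Errorf("invalid IP %q", ip)
	}
	for _, c := range cidrs {
		_, block, err := net.ParseCIDR(c)
		if err != nil {
			return false, err
		}
		if block.Contains(addr) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	cidrs := cloudflareIPv4
	if len(os.Args) > 1 { // e.g. go run . https://www.cloudflare.com/ips-v4
		fetched, err := FetchRanges(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		cidrs = fetched
	}
	toml, err := BuildIPWhitelistTOML("cloudflare-ip-whitelist", cidrs)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Print(toml) // redirect into the directory given to --providers.file.directory
}
```

Run it from cron or a sidecar and redirect the output to a `.toml` file in the file-provider directory; the validation step is what keeps a partial download from emptying the list. Note that the list only protects what sits behind the middleware: a router without it, or a service reachable on another port, is still open to anyone.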
I think a more elegant solution would be to authenticate inbound requests using a certificate provided by the upstream reverse proxy, as is the case with Cloudflare's "Authenticated Origin Pulls" - https://support.cloudflare.com/hc/en-us/articles/204899617-Authenticated-Origin-Pulls. I am trying to enable this validation using Traefik, but I haven't found any documentation. @diegoernestofarias do you know if this is possible in Traefik v2?
@fracture-point
It is possible via client authentication.
IIRC, this configuration can only be changed through a dynamic configuration file, so I put the origin CA at $project/traefik/cloudflare.pem, then created a file:
$project/traefik/dynamic/clientAuthentication.toml
```toml
[tls.options]
  [tls.options.default]
    [tls.options.default.clientAuth]
      caFiles = ["/etc/traefik/cloudflare.pem"]
      clientAuthType = "RequireAndVerifyClientCert"
```
Finally, modify the command & volume sections of the Traefik service in docker compose:
```yaml
services:
  traefik:
    command:
      - "--providers.file.directory=/etc/traefik/dynamic/"
    volumes:
      - "./traefik/:/etc/traefik/"
```
Hi @fracture-point - I think this is what i am trying to do, but I'm a bit stuck and hope you can add a little more detail.
Which origin CA did you use? The one for my site located here? https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/origin
Do I need to use the mTLS option on my CF dashboard? https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/client-certificates
Or some other file?
I've tried several different options and I end up with a 520 error for my site with "http: TLS handshake error from 172.70.254.28:58830: tls: failed to verify client certificate: x509: certificate signed by unknown authority"
in the traefik logs
Hopefully its easier than I'm making it in my mind :)
Hi, I guess you're referring to the config I posted?
Maybe I am wrong in calling it the Origin CA. It is from Authenticated Origin Pulls; the PEM file is from the section "Zone-Level — Cloudflare certificate".
Yes. I was referring to the post above mine. Doing this worked! Thank you so much. I also needed to enable Authenticated Origin Pulls as referenced on that page.
This basically makes it so that all traffic to my server must go through CF right? Essentially removing the need for ipwhitelisting.
Yes, it can verify that clients are Cloudflare servers (by TLS client authentication).
Often production servers are behind CDN, and it's useful to only allow traffic from CDN servers for security.
For example, CloudFlare and other CDNs provide their servers' IP ranges for such purpose:
It would be great to have a feature that updates whitelists from CloudFlare and other CDNs and only allows traffic from those sources.