Limit access to HTTP routes by client IP

[DavidePrincipi]

Sysadmin wants to limit access to certain NS8 services (exposed by module routes like the user portals, or by custom routes) to trusted networks/IPs, similarly to NS7 Apache configuration.

Same for cluster-admin, which has a special configuration.

Proposed solution

Add IPAllowList settings in the Traefik router configuration.

Alternative solutions

Custom configuration could be a way but it is currently not preserved by module updates.

Additional context

Traefik docs https://doc.traefik.io/traefik/master/middlewares/http/ipallowlist/#ipallowlist

See also

• Links to many discussions in the forum

[DavidePrincipi]

In testing:

• core 3.6.0-dev.1
• traefik 3.0.0-testing.2

Test case

Goal: restrict access for certain HTTP routes to some IPs or Networks. The restriction must persist after subsequent changes from the UI and after applications are re-configured or updated.

This new feature is not exposed in the UI, for the QA api-cli is needed.

1. Set the restriction and check if access is limited as wanted. For example, for cluster-admin route

   api-cli run module/traefik1/set-route --data '{"instance": "cluster-admin", "ip_allowlist": ["192.168.47.0/24"]}'
   

   You see the full list of existing routes under Settings > HTTP Routes page.

2. With NethVoice ensure that after saving the Settings page, restricted routes are still accessible from the configured IPs (e.g. CTI host). With Mail, ensure that after saving Settings > General page, rspamd route is still accessible as configured.

3. Pass invalid values, a validation error must be returned.

4. Set an empty list to obtain unlimited access again.

---

Useful actions to check the current settings:

api-cli run module/traefik1/list-routes | jq
api-cli run module/traefik1/get-route --data '{"instance":"cluster-admin"}' | jq