DenyIP is a middleware plugin for Traefik which accepts IP addresses or IP address ranges and blocks requests originating from those IPs.
In the example below fowardedHeaders.insecure
is enabled in order to allow the IP address to be available from proxied requests. In a production environment, you may want to consider using forwardedHeaders.trustedIPs
experimental:pilot:token: "xxxxx"plugins:denyip:modulename = "github.com/kevtainer/denyip"version = "v1.0.0"entryPoints:http:address: ":80"forwardedHeaders:insecure: true
To configure the DenyIP
plugin you should create a middleware in your dynamic configuration as explained here. The following example creates and uses the denyip
middleware plugin to deny all requests originating from Comcast. ipDenyList
will also accept non-CIDR ips, eg. 127.0.0.1
.
Note: Providing invalid ip addresses or ranges in
ipDenyList
will cause an error and the plugin will not load.
http:# Add the routerrouters:my-router:entryPoints:- httpmiddlewares:- denyipservice: service-foorule: Path(`/foo`)# Add the middlewaremiddlewares:denyip:plugin:ipDenyList:- 24.0.0.0/12- 24.16.0.0/13- 24.30.0.0/17- 24.34.0.0/16- 24.60.0.0/14- 24.91.0.0/16- 24.98.0.0/15- 24.118.0.0/16- 24.125.0.0/16- 24.126.0.0/15- 24.128.0.0/16- 24.129.0.0/17- 24.130.0.0/15- 24.147.0.0/16- 24.218.0.0/16- 24.245.0.0/18- 50.128.0.0/10- 65.34.128.0/17- 65.96.0.0/16- 66.30.0.0/15- 66.41.0.0/16- 66.56.0.0/18- 66.176.0.0/15- 66.229.0.0/16- 67.160.0.0/12- 67.176.0.0/15- 67.180.0.0/14- 67.184.0.0/13- 68.32.0.0/11- 68.80.0.0/14- 68.84.0.0/16- 69.136.0.0/15- 69.138.0.0/16- 69.139.0.0/17- 69.140.0.0/14- 69.180.0.0/15- 69.242.0.0/15- 69.244.0.0/14- 69.248.0.0/14- 69.253.0.0/16- 69.254.0.0/15- 71.56.0.0/13- 71.192.0.0/12- 71.224.0.0/12- 73.0.0.0/8- 75.64.0.0/13- 75.72.0.0/15- 75.74.0.0/16- 75.75.0.0/17- 75.75.128.0/18- 76.16.0.0/12- 76.97.0.0/16- 76.98.0.0/15- 76.100.0.0/14- 76.104.0.0/13- 76.112.0.0/12- 98.192.0.0/13- 98.200.0.0/14- 98.204.0.0/16- 98.206.0.0/15- 98.208.0.0/12- 98.224.0.0/12- 98.240.0.0/16- 98.242.0.0/15- 98.244.0.0/14- 98.248.0.0/13- 107.2.0.0/15- 107.4.0.0/15- 174.48.0.0/12# Add the serviceservices:service-foo:loadBalancer:servers:- url: http://localhost:5000/passHostHeader: false