IPRules is a Traefik middleware plugin that filters incoming requests by allowing or denying access based on specified IP addresses, ranges, or subnets.
Add plugin
# helm-values.yamlexperimental:plugins:iprules:moduleName: "github.com/sproutmaster/TraefikIPRules"version: "v1.0.3"
Configure Middleware
# middleware.yamlapiVersion: traefik.io/v1alpha1kind: Middlewaremetadata:name: ip-filterspec:plugin:iprules:allow:- "192.168.1.1" # Single IP- "10.0.0.0/8" # CIDR range- "172.16.1.1-172.16.1.255" # IP rangedeny:- "192.168.1.100-192.168.1.200" # Block this IP range- "10.0.1.0/24" # Block this subnetprecedence: "deny" # deny firstcustomMessage: "Access denied" # Custom deny message (default: "Access denied"). Set to "" for empty body.customMessageStatusCode: 403 # Custom HTTP status code 100-599 (default: 403)customMessageContentType: "text/plain" # Custom Content-Type header (default: text/plain)
Reference it in ingressRoute
# ingress-route.yamlapiVersion: traefik.io/v1alpha1kind: IngressRoutemetadata:name: my-ingspec:entryPoints:- webroutes:- match: Host(`svc.example.com`)kind: Ruleservices:- name: my-svcport: 80middlewares:- name: ip-filter
labels:- "traefik.http.middlewares.iprules.plugin.traefik-ip-rules.allow=192.168.1.1"- "traefik.http.middlewares.iprules.plugin.traefik-ip-rules.allow=10.0.0.0/8"- "traefik.http.middlewares.iprules.plugin.traefik-ip-rules.allow=172.16.1.1-172.16.1.255"- "traefik.http.middlewares.iprules.plugin.traefik-ip-rules.deny=192.168.1.100-192.168.1.200"- "traefik.http.middlewares.iprules.plugin.traefik-ip-rules.precedence=deny"- "traefik.http.middlewares.iprules.plugin.traefik-ip-rules.customMessage=Access denied"- "traefik.http.middlewares.iprules.plugin.traefik-ip-rules.customMessageStatusCode=403"- "traefik.http.middlewares.iprules.plugin.traefik-ip-rules.customMessageContentType=application/json"