|
| 1 | +# Allow IP Request Plugin |
| 2 | + |
| 3 | +This is a **Traefik middleware plugin** that implements a dynamic IP whitelisting mechanism. It protects your services by blocking all requests by default while allowing users to self-whitelist their IP address by visiting a specific "knock" URL. |
| 4 | + |
| 5 | +## Features |
| 6 | + |
| 7 | +- **Block by Default**: Denies access to all unauthorized requests with a `403 Forbidden` status. |
| 8 | +- **Dynamic "Knock" Whitelisting**: Users can grant themselves temporary access by visiting a specific URL (default: `/knock-knock`). |
| 9 | +- **Static Trusted Subnets**: Define a list of CIDR ranges (e.g., local networks, VPNs) that always have access. |
| 10 | +- **Admin Dashboard**: Trusted subnets can access a dashboard (at `/view-allow-ips`) to monitor active whitelisted IPs and their expiration times. |
| 11 | +- **Configurable Duration**: Control how long a dynamic whitelist entry remains valid. |
| 12 | + |
| 13 | +## Configuration |
| 14 | + |
| 15 | +To use this plugin, you must configure it in your Traefik dynamic configuration. |
| 16 | + |
| 17 | +### Configuration Options |
| 18 | + |
| 19 | +| Option | Type | Default | Description | |
| 20 | +|:--- |:--- |:--- |:--- | |
| 21 | +| `knockUrl` | `string` | `"/knock-knock"` | The specific URL path users must visit to whitelist their IP. | |
| 22 | +| `whitelistDuration` | `string` | `"24h"` | How long the IP remains whitelisted (e.g., "1h", "30m"). | |
| 23 | +| `allowedSubnets` | `[]string` | `["192.168.0.0/16", ...]` | List of CIDR ranges that bypass the knock check and can view the admin page. | |
| 24 | + |
| 25 | +### Example Middleware Configuration |
| 26 | + |
| 27 | +```yaml |
| 28 | +http: |
| 29 | + middlewares: |
| 30 | + my-ip-allowlist: |
| 31 | + plugin: |
| 32 | + allowiprequest: |
| 33 | + knockUrl: "/knock-knock" |
| 34 | + whitelistDuration: "24h" |
| 35 | + allowedSubnets: |
| 36 | + - "127.0.0.1/32" |
| 37 | + - "192.168.1.0/24" |
| 38 | +``` |
| 39 | +
|
| 40 | +## How It Works |
| 41 | +
|
| 42 | +1. **Initial Access**: When an unknown user tries to access your service, they receive a `403 Forbidden` error. |
| 43 | +2. **Whitelisting**: The user visits the configured `knockUrl` (e.g., `https://your-service.com/secret-knock`). |
| 44 | +3. **Confirmation**: The plugin displays an "Access Granted" page and records the user's IP. |
| 45 | +4. **Access**: The user can now access the service normally until the `whitelistDuration` expires. |
| 46 | +5. **Monitoring**: Administrators connecting from an IP in `allowedSubnets` can visit `/view-allow-ips` to see the table of currently allowed IPs. |
0 commit comments