I have the following setup:
- AWS VPC with multiple subnets
- Docker Swarm single node on EC2 instance
- AWS Load Balancer that routes HTTP/HTTPS traffic to various servers (including the EC2 instance)
- OpenVPN Docker Container (bridge network, binds the port to host), running on the EC2 Instance
- Traefik v1.7 in Docker Swarm with multiple frontends running on the EC2 instance
What I am trying to achieve:
Require access through the VPN to a subset of Traefik Frontends.
I have other services on AWS (e.g. RDS) whose SecurityGroup is configured to only allow access from inside the Subnets (of the VPC) which works fine. I cannot access them when I am disconnected from the VPN and vice versa.
However, when trying to add a whitelist in Traefik with a source range restriction I always get a 403 error, whether I am inside the VPN or not.
I use the following configuration for my entrypoint:
Name:http
Address::80
ProxyProtocol.TrustedIPs:172.31.16.0/20,172.31.20.0/20
ForwardedHeaders.TrustedIPs:172.31.16.0/20,172.31.20.0/20
WhiteList.UseXForwardedFor:true
On my target container I added the following restriction:
traefik.frontend.whiteList.sourceRange=172.31.16.0/20,172.31.20.0/20
The Traefik logs show me the following:
VPN Request -> (Public open to the internet) IP of the EC2 instance
Non VPN Request -> IP of my machine/internet provider
When I change the source range to the IP of the EC2 server instance, everything works as expected; however, I would prefer a solution that allows me to use the subnet range (in case new servers are added).
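The 403 in both cases follows from which address the whitelist is actually evaluated against. The following is an added model of a forwarded-header-aware source-range check (it is not Traefik's own code or the poster's configuration, and the 172.31.20.33 load-balancer address, the 203.0.113.10 "EC2 public IP" and the 198.51.100.7 "ISP IP" are constructed placeholders); it shows why the subnet ranges never match the VPN or non-VPN client, and why X-Forwarded-For must be read from the trusted end.

```python
import ipaddress
from typing import Iterable, Optional

# Values from the question (VPC subnets used both as trusted proxies and as whitelist).
SUBNETS = ["172.31.16.0/20", "172.31.20.0/20"]
TRUSTED_PROXIES = SUBNETS
# Constructed placeholders for the scenario, not real addresses from the page.
LB_ADDR = "172.31.20.33"        # assumed private IP of the AWS load balancer hop
EC2_PUBLIC_IP = "203.0.113.10"  # assumed public IP the VPN traffic is NATed to
ISP_IP = "198.51.100.7"         # assumed address of the poster's non-VPN client


def in_ranges(ip: str, ranges: Iterable[str]) -> bool:
    """True if ip falls inside any of the given CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def effective_client_ip(remote_addr: str, xff: Optional[str],
                        trusted_proxies: Iterable[str]) -> str:
    """Address the whitelist should be judged on.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy,
    and hops are read right-to-left, skipping trusted proxies: the left-most
    entries are written by the client and can be forged, the right-most ones
    were appended by proxies we control.
    """
    if xff is None or not in_ranges(remote_addr, trusted_proxies):
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not in_ranges(hop, trusted_proxies):
            return hop
    return remote_addr  # every hop was one of our proxies


def whitelist_decision(remote_addr: str, xff: Optional[str],
                       trusted_proxies: Iterable[str],
                       source_range: Iterable[str]) -> int:
    """HTTP status the source-range check yields: 200 allowed, 403 denied."""
    client = effective_client_ip(remote_addr, xff, trusted_proxies)
    return 200 if in_ranges(client, source_range) else 403


if __name__ == "__main__":
    # Both the VPN client (seen as the EC2 public IP) and the ISP client are
    # outside the VPC subnets, so both are denied, matching the observed 403s.
    print(whitelist_decision(LB_ADDR, EC2_PUBLIC_IP, TRUSTED_PROXIES, SUBNETS))  # 403
    print(whitelist_decision(LB_ADDR, ISP_IP, TRUSTED_PROXIES, SUBNETS))         # 403
```

Adding the EC2 public IP (here `EC2_PUBLIC_IP + "/32"`) to the source range admits the VPN client while still rejecting the ISP client, which is the behaviour the question describes; a client-supplied leading X-Forwarded-For entry inside the subnet does not bypass the check because the right-most untrusted hop wins.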