Configuring Custom Middleware Rules for Specific IP Addresses: Bypass or Apply Unique Middleware Sets

This setup demonstrates how to configure Traefik routers to apply different sets of middlewares based on the client’s IP address. In this case, all IPs except 192.168.50.16 will go through Authentik for authentication. The specific IP 192.168.50.16 bypasses Authentik but still applies nut-auth and CrowdSec bouncer for security.

http:
  routers:
    peanut:
      entryPoints:
        - "https"
      rule: "Host(`nut.local.macslodge.com`) && !ClientIP(`192.168.50.16`)"  # All IPs except 192.168.50.16 go through Authentik
      middlewares:
        - middlewares-authentik@file
        - nut-auth@file
        - crowdsec-bouncer@file
      tls: {}
      service: peanut

    peanut-local:
      entryPoints:
        - "https"
      rule: "Host(`nut.local.macslodge.com`) && ClientIP(`192.168.50.16`)"  # Only Homepage bypasses Authentik
      middlewares:
        - nut-auth@file
        - crowdsec-bouncer@file
      tls: {}
      service: peanut

Explanation of Each Section

Routers

  1. Router peanut

    • Entry Point: https — The router listens on HTTPS.
    • Rule: Matches the hostname nut.local.macslodge.com but excludes connections from IP 192.168.50.16.
    • Middlewares:
      • middlewares-authentik@file: Authentik is required for authentication.
      • nut-auth@file: Applied to all requests for additional authentication.
      • crowdsec-bouncer@file: Adds CrowdSec's security checks, blocking requests from IPs that CrowdSec has flagged.
    • TLS: Enabled for secure HTTPS connections.
    • Service: Forwards requests to the backend service named peanut.
  2. Router peanut-local

    • Entry Point: https — This router also listens on HTTPS.
    • Rule: Matches the hostname nut.local.macslodge.com only for requests originating from IP 192.168.50.16.
    • Middlewares:
      • nut-auth@file: Applies custom authentication.
      • crowdsec-bouncer@file: Adds CrowdSec’s security layer.
      • Note: This router does not apply the middlewares-authentik@file middleware, allowing IP 192.168.50.16 to bypass the Authentik middleware.
    • TLS: Enabled for secure HTTPS connections.
    • Service: Forwards requests to the same backend service, peanut.

Use Cases

This configuration can be useful in scenarios where:

  • Specific users (based on IP) need direct access to a service without going through the usual authentication flow.
  • Different levels of security and access controls are required based on the origin IP.

Notes

  • As written, each ClientIP rule matches a single address; covering ranges or several addresses needs either additional routers or a range configuration (for example CIDR notation) in the rule.
  • Ensure that every middleware referenced with @file is defined in the external middlewares files.

Troubleshooting

  1. Middleware Application: Confirm that each middleware referenced with @file is defined correctly in Traefik's dynamic configuration file.
  2. IP Rules: Ensure the ClientIP rule lists exactly the IPs that should bypass certain middlewares, and that the two routers neither overlap nor leave a client with no matching router.
  3. TLS Configuration: Double-check the TLS settings if errors arise when accessing the service over HTTPS.
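The following script is an added example, not part of the original page and not Traefik code. It models the subset of Traefik's rule syntax used above (Host, ClientIP with IP or CIDR arguments, &&, ||, ! and parentheses) so you can check, offline, which router and middleware chain a given host and client address would hit, and run the check from troubleshooting step 2: that every sample client matches exactly one router. Tie-breaking mirrors Traefik's default priority (longest rule wins). The two routers are embedded as Python dictionaries rather than parsed from the YAML, and the simulator takes the client address as an input; Traefik itself uses the source address of the connection it accepted, so any proxy or load balancer in front of Traefik changes which address the rule sees.

```python
import ipaddress
import re

# Constructed stand-in for the two routers on this page (not parsed from the YAML).
ROUTERS = {
    "peanut": {
        "rule": "Host(`nut.local.macslodge.com`) && !ClientIP(`192.168.50.16`)",
        "middlewares": ["middlewares-authentik@file", "nut-auth@file", "crowdsec-bouncer@file"],
    },
    "peanut-local": {
        "rule": "Host(`nut.local.macslodge.com`) && ClientIP(`192.168.50.16`)",
        "middlewares": ["nut-auth@file", "crowdsec-bouncer@file"],
    },
}

# Tokens: operators, parentheses, commas, backtick-quoted values and matcher names.
TOKEN_RE = re.compile(r"\s*(&&|\|\||!|\(|\)|,|`[^`]*`|[A-Za-z]+)")


def tokenize(rule):
    rule = rule.strip()
    tokens, pos = [], 0
    while pos < len(rule):
        m = TOKEN_RE.match(rule, pos)
        if not m:
            raise ValueError(f"bad rule syntax at {rule[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class RuleParser:
    """Recursive-descent parser for a subset of Traefik's router rule grammar."""

    def __init__(self, rule):
        self.tokens = tokenize(rule)
        self.i = 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"trailing tokens: {self.tokens[self.i:]}")
        return node

    def expr(self):  # expr := term ('||' term)*
        node = self.term()
        while self.peek() == "||":
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):  # term := factor ('&&' factor)*
        node = self.factor()
        while self.peek() == "&&":
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):  # factor := '!' factor | '(' expr ')' | Name(`v`, ...)
        tok = self.peek()
        if tok == "!":
            self.take()
            return ("not", self.factor())
        if tok == "(":
            self.take()
            node = self.expr()
            self.take(")")
            return node
        name = self.take()
        self.take("(")
        args = [self.take().strip("`")]
        while self.peek() == ",":
            self.take()
            args.append(self.take().strip("`"))
        self.take(")")
        return (name, args)


def evaluate(node, host, client_ip):
    """Evaluate a parsed rule against a request's Host and client address."""
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], host, client_ip) and evaluate(node[2], host, client_ip)
    if kind == "or":
        return evaluate(node[1], host, client_ip) or evaluate(node[2], host, client_ip)
    if kind == "not":
        return not evaluate(node[1], host, client_ip)
    if kind == "Host":
        return host.lower() in [h.lower() for h in node[1]]
    if kind == "ClientIP":  # each argument is a single address or a CIDR range
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in node[1])
    raise ValueError(f"unsupported matcher {kind!r}")


def select_router(routers, host, client_ip):
    """Return (router name, middleware chain) for the request, or None if nothing matches.
    Ties are broken like Traefik's default priority: the longer rule wins."""
    matches = [(len(cfg["rule"]), name) for name, cfg in routers.items()
               if evaluate(RuleParser(cfg["rule"]).parse(), host, client_ip)]
    if not matches:
        return None
    _, name = max(matches)
    return name, routers[name]["middlewares"]


def check_partition(routers, host, sample_ips):
    """Troubleshooting step 2: report sample clients matching zero or several routers."""
    problems = {}
    for ip in sample_ips:
        hits = [n for n, c in routers.items() if evaluate(RuleParser(c["rule"]).parse(), host, ip)]
        if len(hits) != 1:
            problems[ip] = hits
    return problems


if __name__ == "__main__":
    for ip in ("192.168.50.16", "192.168.50.17", "10.0.0.5"):  # constructed sample clients
        print(ip, "->", select_router(ROUTERS, "nut.local.macslodge.com", ip))
    print("partition problems:", check_partition(ROUTERS, "nut.local.macslodge.com",
                                                  ["192.168.50.16", "192.168.50.17"]))
```

Running it shows 192.168.50.16 landing on peanut-local with only nut-auth and the CrowdSec bouncer, every other address landing on peanut with Authentik in front, and an empty problem list because the two rules are exact complements for that host. If you later widen the bypass to a CIDR range, rerun check_partition with addresses just inside and just outside the range to confirm the routers still split traffic cleanly.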

This setup enables fine-grained control over middleware application, enhancing security and flexibility based on the client’s IP.