Is a Traefik IP whitelist safe? - eviltoast

So I’m hosting a lot of Docker containers, a lot of which are behind a Traefik reverse proxy. Is it safe to use IPWhitelist middleware? I want to ensure that only the LAN can access the services while using HTTPS, because some services (like Radarr and Sonarr) have a password and I don’t want that information sent without encryption / SSL.

Could someone spoof their client IP address and bypass the Traefik IP whitelist?

  • immortaly007@feddit.nl
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I agree for serious/business applications. In my case, it’s a home server that I and some close friends and family access. But it is indeed exposed (basically, my router routes port 80 and 443 to the server within the NAT).

    To discuss the header-based firewall: the host is used by Traefik to determine which docker container to route (reverse proxy) the traffic to. So I don’t see any obvious ways an attacker can really manipulate that to reach (in my case) the bitwarden instance. My main attack angle this protects if is there is some vulnerability in Bitwarden and bots are going around exploiting that. That way at least Traefik would already block them before they get to bitwarden.

    But yes another service with a vulnerability could be exploited, then escape that docker container and you’re in the whole server.