Allow whitlist ips on internal services - closes #8

sergioisidoro · Jun 2, 2022 · a82bc5b · a82bc5b
1 parent 68b2a10
commit a82bc5b
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 1 deletion.
diff --git a/ansible/clusters/cluster_template/group_vars/all.yml b/ansible/clusters/cluster_template/group_vars/all.yml
@@ -69,4 +69,10 @@ letsencrypt_email: admin@{{ domains.main }}
 deploly_portainer: true
 
 ## SECURITY
-disable_password_ssh: true
+disable_password_ssh: true
+
+## INTERNAL SERVICE IP WHITELIST
+## Allow only certain IP ranges to connect to internal services, such as
+## traefik dashboard and portainer web interface.
+
+# internal_services_ip_whitelist: "100.64.0.0/10, 127.0.0.1/32"
diff --git a/ansible/stacks/portainer/portainer.yml.j2 b/ansible/stacks/portainer/portainer.yml.j2
@@ -35,6 +35,10 @@ services:
         - traefik.http.services.portainer.loadbalancer.server.port=9000
         - traefik.http.routers.portainer.rule=Host(`portainer.{{ domains.main }}`)
         - traefik.http.routers.portainer.entrypoints=http,https
+{% if internal_services_ip_whitelist is defined %}
+        - traefik.http.middlewares.portainer-allowed-ips.ipwhitelist.sourcerange={{ internal_services_ip_whitelist }}
+        - traefik.http.routers.traefik-api.middlewares=portainer-allowed-ips
+{% endif %%}
       placement:
         constraints: [node.role == manager]
       update_config:

diff --git a/ansible/stacks/traefik/traefik.yml.j2 b/ansible/stacks/traefik/traefik.yml.j2
@@ -50,6 +50,10 @@ services:
         - traefik.http.routers.traefik-api.rule=Host(`traefik.{{ domains.main }}`)
         - traefik.http.routers.traefik-api.entrypoints=http,https
         - traefik.http.routers.traefik-api.service=api@internal
+{% if internal_services_ip_whitelist is defined %}
+        - traefik.http.middlewares.traefik-allowed-ips.ipwhitelist.sourcerange={{ internal_services_ip_whitelist }}
+        - traefik.http.routers.traefik-api.middlewares=traefik-allowed-ips
+{% endif %%}
       restart_policy:
         condition: any
         delay: 2s

diff --git a/readme.md b/readme.md
@@ -10,6 +10,7 @@ This is heavily inspired and a lot of things replicated from [TADS Boilerplate p
 
 ## Important notes
 - `public-network` is the network all services need to be if you want them public so Traefik can find them.
+- It is strongly advised to put Portainer behind a VPN or internal network. To block access from the internet, you can add `internal_services_ip_whitelist` to the variables, allowing only certain IPs. If you're using Tailscale you could do `internal_services_ip_whitelist="100.64.0.0/10"` such that only devices and nodes in that network can communicate with the web interfaces.
 - Remember to put annotations on the `deploy` section so that Traefik can find your services across all nodes.
 
 # 🚀 Quickstart