Allow whitlist ips on internal services - closes #8

sergioisidoro · Jan 26, 2024 · cde0538 · cde0538
1 parent de94f89
commit cde0538
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 3 deletions.
diff --git a/ansible/clusters/cluster_template/group_vars/all.yml b/ansible/clusters/cluster_template/group_vars/all.yml
@@ -85,4 +85,10 @@ deploly_portainer: true
 # portainer_agent_image: "portainer/agent"
 
 ## SECURITY
-disable_password_ssh: true
+disable_password_ssh: true
+
+## INTERNAL SERVICE IP WHITELIST
+## Allow only certain IP ranges to connect to internal services, such as
+## traefik dashboard and portainer web interface.
+
+# internal_services_ip_whitelist: "100.64.0.0/10, 127.0.0.1/32"
diff --git a/ansible/stacks/portainer/portainer.yml.j2 b/ansible/stacks/portainer/portainer.yml.j2
@@ -35,6 +35,10 @@ services:
         - traefik.http.services.portainer.loadbalancer.server.port=9000
         - traefik.http.routers.portainer.rule=Host(`portainer.{{ domains.main }}`)
         - traefik.http.routers.portainer.entrypoints=http,https
+{% if internal_services_ip_whitelist is defined %}
+        - traefik.http.middlewares.portainer-allowed-ips.ipwhitelist.sourcerange={{ internal_services_ip_whitelist }}
+        - traefik.http.routers.portainer.middlewares=portainer-allowed-ips
+{% endif %%}
       placement:
         constraints: [node.role == manager]
       update_config:

diff --git a/ansible/stacks/traefik/traefik.yml.j2 b/ansible/stacks/traefik/traefik.yml.j2
@@ -43,15 +43,23 @@ services:
       labels:
         # It is here to ensure labels are not empty
         - dummy=hello
+{% set middlewares = [] %}
 {% if traefik_api_enabled %}
         - traefik.enable=true
         - traefik.http.services.traefik-api.loadbalancer.server.port=8080
         - traefik.http.routers.traefik-api.rule=Host(`traefik.{{ domains.main }}`)
         - traefik.http.routers.traefik-api.entrypoints=http,https
         - traefik.http.routers.traefik-api.service=api@internal
 {% if traefik_web_password is defined and traefik_web_username is defined %}
-        - "traefik.http.middlewares.traefik-api-auth.basicauth.users={{traefik_web_username}}:{{  traefik_web_password }}"
-        - traefik.http.routers.traefik-api.middlewares=traefik-api-auth
+        - "traefik.http.middlewares.traefik-api-auth.basicauth.users={{traefik_web_username}}:{{  traefik_web_password }}" {% set middlewares = middlewares + ['traefik-api-auth'] %}
+{% endif %}
+{% if internal_services_ip_whitelist is defined %}
+        - traefik.http.middlewares.traefik-allowed-ips.ipwhitelist.sourcerange={{ internal_services_ip_whitelist }} {% set middlewares = middlewares + ['traefik-allowed-ips'] %}
+{% endif %%}
+{% if middlewares %}
+{% for middleware in traefik_middlewares %}
+        - traefik.http.middlewares.traefik-api.middlewares={% for middleware in traefik_middlewares %}{{ middleware }},{% endfor %}
+{% endfor %}
 {% endif %}
 {% endif %}
       restart_policy:

diff --git a/readme.md b/readme.md
@@ -20,6 +20,7 @@ This is heavily inspired and a lot of things replicated from [TADS Boilerplate p
 
 ## Important notes
 - `public-network` is the network all services need to be if you want them public so Traefik can find them.
+- It is strongly advised to put Portainer behind a VPN or internal network. To block access from the internet, you can add `internal_services_ip_whitelist` to the variables, allowing only certain IPs. If you're using Tailscale you could do `internal_services_ip_whitelist="100.64.0.0/10"` such that only devices and nodes in that network can communicate with the web interfaces.
 - Remember to put annotations on the `deploy` section so that Traefik can find your services across all nodes.
 - By default all non necessary incoming ports are CLOSED in the firewall. SSH is limited. If you want to open other ports
   - set `default_ufw_default_inbound_rule: 'allow'` on your cluster variables to accept traffic from any port - SCARY