HTTP Middlewares on Traefik

Reddeppa S
Jan 7, 2023

Introduction to Traefik:

Traefik is a web server that gives administrators more features to configure in its open-source version. In other web servers like Nginx, rate limiting and IP whitelisting features are available only in the Enterprise version, whereas Traefik includes them in the open-source version. Traefik is easy to install and configure.

Traefik supports multiple cluster technologies, including Kubernetes, Mesos, Docker, Docker Swarm, AWS, Marathon, and so on. In this article, we will look into the Kubernetes implementation of Middlewares from Traefik.

HTTP Middlewares:

Middleware is a feature that lets administrators tweak requests before they are sent to the application servers. There are several middlewares available in Traefik: some modify the request and the headers, some are in charge of redirections, some add authentication, and so on.

In this article, we will discuss stripPrefix and IP whitelisting.

StripPrefix:

Remove the specified prefixes from the URL path.

The StripPrefix middleware strips the matching path prefix and stores it in an X-Forwarded-Prefix header. Below is a sample implementation of stripPrefix in a Kubernetes IngressRoute.

# As a Kubernetes Traefik IngressRoute
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
  scope: Namespaced

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: stripprefix
spec:
  stripPrefix:
    prefixes:
      - /stripit

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroute
spec:
# more fields...
  routes:
    # more fields...
    middlewares:
      - name: stripprefix

StripPrefix is useful when you want to expose your service under a specific prefix while your backend listens on the root path (/).

IPWhiteList:

IPWhiteList is useful if you want to allow access to your service only from known client IP addresses. If the client IP is not whitelisted, the user will get an HTTP Status 403: Forbidden response from Traefik.

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-ipwhitelist
spec:
  ipWhiteList:
    sourceRange:
      - 127.0.0.1/32
      - 192.168.1.7

In reality, your backend services will sit behind a load balancer, and the request will carry a list of IP addresses in the X-Forwarded-For header that includes the load balancer and the actual client IP address.

With the ipStrategy option, you can configure the middleware to determine the actual client IP by providing the depth.

Below is an example of how depth determines the client's IP:

Example of Depth & X-Forwarded-For

X-Forwarded-For                          depth  clientIP
"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"    1      "13.0.0.1"
"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"    3      "11.0.0.1"
"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"    5      ""

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-ipwhitelist
spec:
  ipWhiteList:
    sourceRange:
      - 127.0.0.1/32
      - 192.168.1.7
    ipStrategy:
      depth: 2

Also, make sure you update the settings in your cloud load balancer to pass the X-Forwarded-For header to the Traefik pods.
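
The depth lookup from the table above combined with the sourceRange check, as an added Go example that is not from the original article or from Traefik's code base; the function names and the constructed header in main are assumptions. It also shows why depth should equal the number of proxies you control: entries further to the left arrive with the request itself rather than being appended by your own infrastructure.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// clientIPAtDepth picks the depth-th X-Forwarded-For entry counted from the
// right, matching the table above. It returns "" when depth exceeds the
// number of entries; this example also returns "" for a non-positive depth.
func clientIPAtDepth(xff string, depth int) string {
	parts := strings.Split(xff, ",")
	if depth < 1 || depth > len(parts) {
		return ""
	}
	return strings.TrimSpace(parts[len(parts)-depth])
}

// inSourceRange reports whether ip matches any sourceRange entry. Entries may
// be CIDR blocks (127.0.0.1/32) or bare addresses (192.168.1.7).
func inSourceRange(ip string, sourceRange []string) bool {
	addr := net.ParseIP(ip)
	if addr == nil {
		return false // an empty or malformed client IP is never allowed
	}
	for _, entry := range sourceRange {
		if _, block, err := net.ParseCIDR(entry); err == nil {
			if block.Contains(addr) {
				return true
			}
		} else if single := net.ParseIP(entry); single != nil && single.Equal(addr) {
			return true
		}
	}
	return false
}

func main() {
	sourceRange := []string{"127.0.0.1/32", "192.168.1.7"} // from the middleware above
	// Constructed header: two proxies appended the two rightmost entries;
	// the leftmost entry was already present in the incoming request.
	xff := "192.168.1.7, 203.0.113.9, 10.0.0.5"
	for _, depth := range []int{2, 3, 5} {
		ip := clientIPAtDepth(xff, depth)
		fmt.Printf("depth=%d clientIP=%q allowed=%v\n", depth, ip, inSourceRange(ip, sourceRange))
	}
}
```

With two proxies in front of Traefik, depth 2 selects the address the first proxy observed; depth 3 selects a value that came with the request, so it should not be used for an allow decision.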
