runtipi
[REQUEST] Configure Traefik whitelist so all apps can be accessed via FQDN
Is your feature request related to a problem? Please describe.
No.

Describe the solution you'd like
Access all apps via FQDN (appname.domainname.tld) no matter if they are Internet enabled (Expose app) or not.

Describe alternatives you've considered
None. I dislike remembering what IP and port is assigned to an app, and link dashboards (Heimdall, Homarr, etc.) only slow me down.

Additional context
s/a

How to accomplish this
This can be accomplished via Traefik's IPWhiteList feature. Tipi would need to define arrays for LAN (i.e. 192.168.1.x/24 - auto configure, along with any other possible subnets or VPN networks - user defined) and WAN (0.0.0.0/0). Then all app traefik.enable statements get set to true and some additional traefik labels are added to use either LAN or WAN as the whitelist. The Tipi app install "Expose app" choice would toggle between the LAN and WAN whitelist, so that Expose app false would default to LAN and Expose app true would default to WAN.
TRAEFIK LABELS EXAMPLE:

Tipi's Portainer docker-compose labels:

```yaml
labels:
  traefik.enable: ${APP_EXPOSED}
  traefik.http.routers.portainer.rule: Host(`${APP_DOMAIN}`)
  traefik.http.routers.portainer.entrypoints: websecure
  traefik.http.routers.portainer.service: portainer
  traefik.http.routers.portainer.tls.certresolver: myresolver
  traefik.http.services.portainer.loadbalancer.server.port: 9000
```
My (modified) Ansible-NAS Portainer Ansible script labels (not hard to translate, so I won't):

```yaml
labels:
  traefik.enable: "{{ portainer_available_externally | string }}"
  traefik.http.routers.portainer.rule: "Host(`{{ portainer_hostname }}.{{ ansible_nas_domain }}`)"
  traefik.http.routers.portainer.tls.certresolver: "letsencrypt"
  traefik.http.routers.portainer.tls.domains[0].main: "{{ ansible_nas_domain }}"
  traefik.http.routers.portainer.tls.domains[0].sans: "*.{{ ansible_nas_domain }}"
  traefik.http.routers.frontend.middlewares: "{{ portainer_hostname }}"
  traefik.http.routers.portainer.middlewares: "{{ portainer_hostname }}@docker"
  traefik.http.middlewares.portainer.ipwhitelist.sourcerange: "{{ portainer_traefik_whitelist }}"
  traefik.http.services.portainer.loadbalancer.server.port: "9000"
```
For clarity on the Ansible stuff, my variables:

```yaml
portainer_available_externally: true
portainer_hostname: "portainer"
portainer_traefik_whitelist: "{{ lan }}"
lan_whitelist: 192.168.69.0/24
iotlan: 192.168.9.0/24
unifivpn: 192.168.69.22.0/24
unifiwg: 192.168.99.0/24
wireguard: 172.17.0.27/16
lan: "{{ lan_whitelist }}, {{ iotlan }}, {{ wireguard }}, {{ unifiwg }}"
wan: "0.0.0.0/0"
ansible_nas_domain: redacted
```
The end result will be that all apps will be accessible from the LAN by their appname.domainname.tld. When not enabled for WAN access, Traefik will simply give an error saying "Forbidden" when accessed from the WAN.

PRIVACY DISCLAIMER: That Forbidden message from non-Internet-enabled apps is a tell that you are running that app (or something using that FQDN); otherwise a 404 will be thrown. If this is a concern, then you can obfuscate the app name by adding a prefix or postfix onto it to make it less easily discoverable.

IMPLEMENTATION WARNING: I just noticed that Tipi's Traefik is using the HTTP-01 challenge. When I was using this previously, everything from the WAN still came through. Everything from the WAN showed as being from my router's LAN IP, so it was in the whitelist. I couldn't figure out how to check and filter the HTTP header x-forwarded-host (?), so I changed my LAN whitelist to "192.168.69.2/31, 192.168.69.4/30, 192.168.69.8/29, 192.168.69.16/28, 192.168.69.32/27" to exclude the .1 address. You guys are smarter than me and I'm sure you can figure out reading the forwarding headers to make it cleaner. :-) Upon switching to the DNS-01 challenge I don't have the issue and can use a simple CIDR subnet block.

PRE-REQ: Have a local DNS server (hybrid) to resolve the domain name locally.

SCARY? Hell yeah. I'm sure you've got an app or two that requires no authentication, such as a file management app, that you are extremely paranoid of some random stranger on the Internet getting into. Instead of the time needed running to McDonald's or Starbucks for some free WiFi to remotely test... just use Opera's free VPN feature.
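An added model (not runtipi's code and not the poster's) of the whitelist decision described above, using Python's ipaddress module: it checks client IPs against the hand-split LAN list, shows why NATed WAN traffic passes when the router's LAN address sits inside the whitelisted /24, and builds the "/24 minus the router" list programmatically (the hand-written list above only covers .2 through .63). Traefik's own option for the forwarded-header problem is the middleware's ipStrategy.depth setting, which the depth parameter below imitates; all addresses and header values are constructed samples.

```python
"""Model of Traefik ipWhiteList behaviour for the LAN/WAN scheme."""
import ipaddress
from typing import List


def parse_ranges(sourcerange: str) -> List[ipaddress.IPv4Network]:
    """Parse a Traefik sourcerange string ("a/24, b/16") into networks."""
    return [ipaddress.ip_network(r.strip(), strict=False)
            for r in sourcerange.split(",") if r.strip()]


def is_allowed(client_ip: str, sourcerange: str) -> bool:
    """True when client_ip falls inside any CIDR of the whitelist.
    An empty client IP (no usable address) is always denied."""
    if not client_ip:
        return False
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in parse_ranges(sourcerange))


def client_ip_with_depth(remote_addr: str, x_forwarded_for: str,
                         depth: int) -> str:
    """Imitate Traefik's ipStrategy: depth 0 uses the TCP peer address,
    depth n uses the n-th entry from the right of X-Forwarded-For.
    Asking for more hops than the header carries yields no IP (denied)."""
    if depth <= 0 or not x_forwarded_for:
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",")]
    if depth > len(hops):
        return ""
    return hops[-depth]


def lan_without_router(lan: str, router_ip: str) -> str:
    """Whitelist covering `lan` minus the router address, i.e. the
    complete version of the hand-written /31,/30,/29,... list."""
    nets = ipaddress.ip_network(lan).address_exclude(
        ipaddress.ip_network(router_ip))
    return ", ".join(str(n) for n in sorted(nets))
```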
Thanks for sharing this detailed issue. This has been prioritized thanks to multiple requests for this feature.
Can you add a way to use certs from Cloudflare etc. if exposing an app, please? I pay for a domain from them and would like to benefit from what they offer. Thanks.
@RobotsAreCrazy I can add a way to upload custom certs, yes. Can you describe exactly what you want to achieve? What is the format of your certificate?
It's a cert.pem and key.pem from Cloudflare. Also, how do I even expose apps or the dashboard? It's quite a bit different coming from CasaOS, as I just used nginx and added the certs with that.
@meienberger that's not going to work. It's not up to Traefik whether foo.example.local points to the machine; it's a DNS problem.