Merge pull request #20 from beatz174-bit/codex/update-traefik-configuration-for-trusted-proxies

Restrict Traefik forwarded headers to trusted IPs, enable Authelia trustForwardHeader, and add traefik network subnet
2026-04-13 10:16:25 +10:00
parent cfbefed2e3 8448f2bb94
commit 47a5908430
3 changed files with 20 additions and 3 deletions
@@ -122,6 +122,8 @@ services:
      - traefik.http.routers.authelia.tls.certresolver=myresolver
      - io.portainer.accesscontrol.public
      - traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lan.ddnsgeek.com/
+      # Keep trustForwardHeader enabled so Authelia evaluates the real client IP from
+      # X-Forwarded-* headers that Traefik now accepts only from trustedIPs.
      - traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups
      - traefik.http.middlewares.authelia.forwardauth.maxResponseBodySize=2097152
@@ -24,7 +24,16 @@ entryPoints:
  web:
    address: ":80"
    forwardedHeaders:
-      insecure: true
+      # Trust forwarding headers only from upstream proxies/LBs under our control.
+      # Network assumptions for this stack:
+      # - 127.0.0.1/32: local host-side reverse-proxy hops
+      # - 192.168.2.0/24: LAN edge proxies
+      # - 172.21.0.0/16: pinned Docker subnet for the traefik bridge network
+      insecure: false
+      trustedIPs:
+        - "127.0.0.1/32"
+        - "192.168.2.0/24"
+        - "172.21.0.0/16"
    http:
      redirections:
        entryPoint:
@@ -34,7 +43,11 @@ entryPoints:
  websecure:
    address: ":443"
    forwardedHeaders:
-      insecure: true
+      insecure: false
+      trustedIPs:
+        - "127.0.0.1/32"
+        - "192.168.2.0/24"
+        - "172.21.0.0/16"
    http:
      middlewares:
        - default-chain@file