From 8448f2bb94d9ee8236ebca9086eb3df62d7fef2e Mon Sep 17 00:00:00 2001
From: beatz174-bit
Date: Mon, 13 Apr 2026 10:16:06 +1000
Subject: [PATCH] Narrow trusted proxy CIDRs and pin Traefik subnet
---
 core/docker-compose.yml | 2 ++
 core/traefik/traefik.yml | 17 +++++++++++++++--
 default-network.yml | 4 +++-
 3 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/core/docker-compose.yml b/core/docker-compose.yml
index 63eaa40..e807fb1 100644
--- a/core/docker-compose.yml
+++ b/core/docker-compose.yml
@@ -113,6 +113,8 @@ services: - traefik.http.routers.authelia.tls.certresolver=myresolver - io.portainer.accesscontrol.public - traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lan.ddnsgeek.com/ + # Keep trustForwardHeader enabled so Authelia evaluates the real client IP from + # X-Forwarded-* headers that Traefik now accepts only from trustedIPs. - traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true - traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups - traefik.http.middlewares.authelia.forwardauth.maxResponseBodySize=2097152
diff --git a/core/traefik/traefik.yml b/core/traefik/traefik.yml
index d333401..8dd1987 100644
--- a/core/traefik/traefik.yml
+++ b/core/traefik/traefik.yml
@@ -23,7 +23,16 @@ entryPoints: web: address: ":80" forwardedHeaders: - insecure: true + # Trust forwarding headers only from upstream proxies/LBs under our control. + # Network assumptions for this stack: + # - 127.0.0.1/32: local host-side reverse-proxy hops + # - 192.168.2.0/24: LAN edge proxies + # - 172.21.0.0/16: pinned Docker subnet for the traefik bridge network + insecure: false + trustedIPs: + - "127.0.0.1/32" + - "192.168.2.0/24" + - "172.21.0.0/16" http: redirections: entryPoint: 
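Review bot: The new comment on the trustForwardHeader label overstates what the Traefik side does: as far as I know Traefik does not reject X-Forwarded-* headers from peers outside trustedIPs, it overwrites them with the connecting peer's address, so Authelia still receives a header, just a trustworthy one. The comment also does not say where the trust list lives, which is what a maintainer tightening it later needs to find. I would word it `# Keep trustForwardHeader enabled: Traefik (core/traefik/traefik.yml, forwardedHeaders.trustedIPs) rewrites X-Forwarded-* from untrusted peers, so the client IP Authelia evaluates comes from a trusted hop.` The authelia service's labels list continues outside the hunk.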
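Review bot: The trustedIPs list on the web entrypoint is wider than the proxies its own comment describes: `192.168.2.0/24` lets every LAN host, not just the edge proxies, set X-Forwarded-For, and `172.21.0.0/16` covers every container on the traefik bridge network, including the backends Traefik proxies to, so a compromised container that can reach :80 or :443 could forge the client IP that Authelia's forwardauth then trusts. Unless the edge proxies are genuinely spread across the /24, list them as /32 entries. The Docker entry is only needed if published ports arrive via docker-proxy, in which case the source is the bridge gateway (typically the first address of the pinned subnet), so `- "172.21.0.1/32"` in place of `- "172.21.0.0/16"` keeps that path working without trusting the whole subnet; if connections arrive with their real source address the entry can be dropped altogether. The entryPoints mapping continues beyond the hunk, including the redirect target of web.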
@@ -33,7 +42,11 @@ entryPoints: websecure: address: ":443" forwardedHeaders: - insecure: true + insecure: false + trustedIPs: - "127.0.0.1/32" - "192.168.2.0/24" - "172.21.0.0/16" http: middlewares: - default-chain@file
diff --git a/default-network.yml b/default-network.yml
index 31e199d..8dacf6c 100644
--- a/default-network.yml
+++ b/default-network.yml
@@ -1,5 +1,7 @@ networks: traefik: driver: bridge + ipam: + config: + - subnet: 172.21.0.0/16 monitor: -
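Review bot: The websecure entrypoint repeats the web entrypoint's trust list verbatim but without the rationale comment, so a later edit to one list can diverge from the other and leave the :80 redirect hop and the :443 hop with different ideas of the client IP. Add a pointer above `trustedIPs:` such as `# Same trust list as entryPoints.web; keep both in sync (rationale is documented there).` Whatever narrowing is applied to the web list (per-host /32s rather than the LAN /24 and the Docker /16) has to be mirrored here, since this is the entrypoint the forwardauth-protected routers actually serve. The entryPoints mapping starts before this hunk and the websecure middleware chain continues after it.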