Narrow trusted proxy CIDRs and pin Traefik subnet

2026-04-13 10:16:06 +10:00
parent 417973b1cb
commit 8448f2bb94
3 changed files with 20 additions and 3 deletions
@@ -113,6 +113,8 @@ services:
      - traefik.http.routers.authelia.tls.certresolver=myresolver
      - io.portainer.accesscontrol.public
      - traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lan.ddnsgeek.com/
+      # Keep trustForwardHeader enabled so Authelia evaluates the real client IP from
+      # X-Forwarded-* headers that Traefik now accepts only from trustedIPs.
      - traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups
      - traefik.http.middlewares.authelia.forwardauth.maxResponseBodySize=2097152