Set local only access for Prometheus and Traefik

2020-09-11 23:16:02 -04:00 · 2020-09-11 23:16:02 -04:00 · 274d8736cb
commit 274d8736cb
parent 8a9dea2ec8
3 changed files with 6 additions and 1 deletions
--- a/roles/prometheus/defaults/main.yml
+++ b/roles/prometheus/defaults/main.yml
@ -2,3 +2,4 @@ prom_name: prometheus
 grafana_name: grafana
 prom_root: "/opt/{{ prom_name }}"
 grafana_root: "/opt/{{ prom_name }}/grafana"
+traefik_localonly: "192.168.1.0/24"
--- a/roles/prometheus/tasks/main.yml
+++ b/roles/prometheus/tasks/main.yml
@ -44,6 +44,9 @@
    labels:
      traefik.http.routers.prometheus.rule: "Host(`{{ prom_domain }}`)"
      traefik.http.routers.prometheus.entrypoints: websecure
+      traefik.http.routers.prometheus.middlewares: "securehttps@file,localonly"
+      traefik.http.routers.prometheus.tls.certresolver: letsencrypt
+      traefik.http.middlewares.localonly.ipwhitelist.sourcerange: "{{ traefik_localonly }}"
      traefik.docker.network: traefik
      traefik.enable: "true"

--- a/roles/traefik/tasks/main.yml
+++ b/roles/traefik/tasks/main.yml
@ -35,8 +35,9 @@
    labels:
      traefik.http.routers.traefik.rule: "Host(`{{ traefik_domain }}`)"
      traefik.http.middlewares.auth.basicauth.users: "{{ traefik_auth }}"
+      traefik.http.middlewares.localonly.ipwhitelist.sourcerange: "{{ traefik_localonly }}"
      traefik.http.routers.traefik.tls.certresolver: letsencrypt
-      traefik.http.routers.traefik.middlewares: "securehttps@file,auth@docker"
+      traefik.http.routers.traefik.middlewares: "securehttps@file,auth@docker,localonly"
      traefik.http.routers.traefik.service: "api@internal"
      traefik.http.routers.traefik.entrypoints: websecure
      traefik.http.routers.traefik.tls: "true"