This push request is about handling Traefik ipallowlist to synapse-ad… (

#4063) * This push request is about handling Traefik ipallowlist to synapse-admin application. It's my first push request. If I forgot something please let me know. :-) * Changed position of variable and naming for better expandebility of traefik options * Remove useless `noqa var-naming` comment and too many blank lines at the end of the file --------- Co-authored-by: AkDk7 <[email protected]> Co-authored-by: Slavi Pantaleev <[email protected]>
spantaleev · Feb 14, 2025 · 15f7f41 · 15f7f41
1 parent ed673bf
commit 15f7f41
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/roles/custom/matrix-synapse-admin/defaults/main.yml b/roles/custom/matrix-synapse-admin/defaults/main.yml
@@ -49,6 +49,11 @@ matrix_synapse_admin_container_labels_traefik_priority: 0
 matrix_synapse_admin_container_labels_traefik_entrypoints: web-secure
 matrix_synapse_admin_container_labels_traefik_tls: "{{ matrix_synapse_admin_container_labels_traefik_entrypoints != 'web' }}"
 matrix_synapse_admin_container_labels_traefik_tls_certResolver: default  # noqa var-naming
+# This setting is to define a list ip addresses to allow access to synapse-admin.
+# Each IP address should be in CIDR format, e.g. xxx.xxx.xxx.xxx/xx.
+# For more information, see: https://doc.traefik.io/traefik/middlewares/http/ipallowlist/
+# If the list is empty, all IP addresses are allowed.
+matrix_synapse_admin_container_labels_traefik_ipallowlist_sourcerange: []
 
 # Controls which additional headers to attach to all HTTP responses.
 # To add your own headers, use `matrix_synapse_admin_container_labels_traefik_additional_response_headers_custom`

diff --git a/roles/custom/matrix-synapse-admin/templates/labels.j2 b/roles/custom/matrix-synapse-admin/templates/labels.j2
@@ -9,6 +9,11 @@ traefik.http.services.matrix-synapse-admin.loadbalancer.server.port=80
 
 {% set middlewares = [] %}
 
+{% if matrix_synapse_admin_container_labels_traefik_ipallowlist_sourcerange | length > 0 %}
+traefik.http.middlewares.matrix-synapse-admin-ipallowlist.ipallowlist.sourcerange={{ matrix_synapse_admin_container_labels_traefik_ipallowlist_sourcerange | join(',') }}
+{% set middlewares = middlewares + ['matrix-synapse-admin-ipallowlist'] %}
+{% endif %}
+
 {% if matrix_synapse_admin_container_labels_traefik_path_prefix != '/' %}
 traefik.http.middlewares.matrix-synapse-admin-slashless-redirect.redirectregex.regex=({{ matrix_synapse_admin_container_labels_traefik_path_prefix | quote }})$
 traefik.http.middlewares.matrix-synapse-admin-slashless-redirect.redirectregex.replacement=${1}/