Fix Cloudflare Trusted IP settings

2025-04-21 18:59:59 +08:00 · 2025-04-21 18:59:59 +08:00 · 44a8560f5a
commit 44a8560f5a
parent 0826bb4502
3 changed files with 6 additions and 29 deletions
--- a/README.md
+++ b/README.md
@ -90,5 +90,7 @@ PS: Because I access my traefik dashboard through my local network. I commented

 2. ChangeLog: 

+- 2025.4.21 Add the defaulthost rule for container name for lazy writing. But commented out for precision.  
+- 2025.4.21 Fix the trused IP settings to let the traefik-plugin-cloudflare tackle it. 
 - 2025.4.18 Add Souin HTTP Cache Middleware (in feature branch, not merge into main)
 - 2025.4.18 Temp disable the compression middleware. It has MIME type bugs. 
--- a/traefik.yml
+++ b/traefik.yml
@ -18,31 +18,7 @@ entryPoints:
  web:
   address: "10.0.0.225:80"
   forwardedHeaders:
-      trustedIPs: &trustedIps
-        # Start of Cloudlare's public IP list
-        - 103.21.244.0/22
-        - 103.22.200.0/22
-        - 103.31.4.0/22
-        - 104.16.0.0/13
-        - 104.24.0.0/14
-        - 108.162.192.0/18
-        - 131.0.72.0/22
-        - 141.101.64.0/18
-        - 162.158.0.0/15
-        - 172.64.0.0/13
-        - 173.245.48.0/20
-        - 188.114.96.0/20
-        - 190.93.240.0/20
-        - 197.234.240.0/22
-        - 198.41.128.0/17
-        - 2400:cb00::/32
-        - 2606:4700::/32
-        - 2803:f800::/32
-        - 2405:b500::/32
-        - 2405:8100::/32
-        - 2a06:98c0::/29
-        - 2c0f:f248::/32
-        # End of Cloudlare's public IP list
+      insecure: true #traefik-plugin-cloudflare already handle the real-ip from cloudflare to X-Forwarded-For
   http:
      redirections:                           # HTTPS redirection (80 to 443)
        entryPoint:
@ -51,8 +27,7 @@ entryPoints:
  websecure:
    address: "10.0.0.225:443"
    forwardedHeaders:
-      # Reuse the list of Cloudflare's public IPs from above
-      trustedIPs: *trustedIps
+      insecure: true
    http3: {}
  internal_web:
    address: "192.168.50.4:80"
@ -76,7 +51,7 @@ global:
 providers:
  docker:
    exposedByDefault: false
-#    network: traefik_default  # Ensure this matches the Docker network
+    # defaultRule: "Host(`{{ .ContainerName }}.gbanyan.net`)"
  file:
    filename: "/dynamic.yml"  # Enable dynamic configuration file
 certificatesResolvers: