
Traefik Integration

This section explains how to integrate ConfigServer Firewall and Traefik so that you can reach the CSF WebUI via your domain name while blocking direct access to it via the server's public IP address and port.


Open /etc/csf/csf.conf and change UI_IP. This setting specifies the IP address the CSF WebUI binds to. By default the value is empty, which binds the WebUI to every IP address on your server.

Find:

UI_IP = ""


Change the value to your Docker bridge address (the host's IP on the Docker network, 172.17.0.1 by default). You MUST use the IPv4-mapped IPv6 form shown below, ::ffff:IPv4, because CSF binds the WebUI as an IPv6 socket:

UI_IP = "::ffff:172.17.0.1"


The above change ensures that your CSF WebUI is no longer reachable via your public IP address. We're going to expose it via your domain name instead, and add Traefik middleware so that you must authenticate before you can reach the WebUI.


Next, we add CSF to Traefik so that it's accessible via csf.domain.com. Open your Traefik dynamic configuration file (dynamic.yml) and add the following routers:

http:
  routers:
    csf-http:
      service: "csf"
      rule: "Host(`csf.domain.com`)"
      entryPoints:
        - "http"
      middlewares:
        - https-redirect@file

    csf-https:
      service: "csf"
      rule: "Host(`csf.domain.com`)"
      entryPoints:
        - "https"
      middlewares:
        - authentik@file
        - whitelist@file
        - geoblock@file
      tls:
        certResolver: cloudflare
        domains:
          - main: "domain.com"
            sans:
              - "*.domain.com"


The three middlewares referenced by the csf-https router are defined under http -> middlewares in the same file. The authentik middleware forwards each request to Authentik for authentication before Traefik passes it on to CSF:

http:
  middlewares:
    authentik:
      forwardAuth:
        address: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version

    geoblock:
      plugin:
        GeoBlock:
          allowLocalRequests: "true"
          allowUnknownCountries: "false"
          blackListMode: "false"
          api: https://get.geojs.io/v1/ip/country/{ip}
          ipGeolocationHttpHeaderField: "Cf-Ipcountry"
          xForwardedFor: "X-Forwarded-For"
          apiTimeoutMs: "150"
          cacheSize: "15"
          addCountryHeader: "true"
          forceMonthlyUpdate: "true"
          logAllowedRequests: "true"
          logApiRequests: "true"
          logLocalRequests: "true"
          silentStartUp: "false"
          unknownCountryApiResponse: nil
          countries:
            - US

    whitelist:
      ipAllowList:
        sourceRange:
          - "127.0.0.0/8"
        ipStrategy:
          excludedIPs:
            # Cloudflare IP List
            # These will be ignored and the next IP in line will be checked
            - 173.245.48.0/20
            - 103.21.244.0/22
            - 103.22.200.0/22
            - 103.31.4.0/22
            - 141.101.64.0/18
            - 108.162.192.0/18
            - 190.93.240.0/20
            - 188.114.96.0/20
            - 197.234.240.0/22
            - 198.41.128.0/17
            - 162.158.0.0/15
            - 104.16.0.0/13
            - 104.24.0.0/14
            - 172.64.0.0/13
            - 131.0.72.0/22
            - 2400:cb00::/32
            - 2606:4700::/32
            - 2803:f800::/32
            - 2405:b500::/32
            - 2405:8100::/32
            - 2a06:98c0::/29
            - 2c0f:f248::/32


At the bottom of the same file, add a new loadBalancer entry under http -> services. Change the IP and port if yours differ:

http:
  routers:
    [CODE FROM ABOVE]
  services:
    csf:
      loadBalancer:
        servers:
          - url: "https://172.17.0.1:8546/"


With the example above, we are also going to add a few middlewares: authentik (forward authentication), whitelist (IP allow list) and geoblock (country filtering).


By applying these middlewares, we can restrict which IP addresses can access your CSF WebUI, and add Authentik's authentication so that you must authenticate before getting into the CSF WebUI. These are all optional, and you can apply whatever middlewares you deem fit.


You must configure the above middlewares if you have not already added them to Traefik. This guide does not go into how to add middleware to Traefik; that information can be found at:


Once you have applied these changes in Traefik, restart your Traefik Docker container. The command for that depends on how you set up the container. If you used docker-compose.yml, cd into the directory containing the docker-compose.yml file and execute:

docker compose down && docker compose up -d
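Two quick checks for the result of this procedure, written here as an added example (not part of CSF or Traefik): one confirms that UI_IP in csf.conf is an IPv4-mapped IPv6 address, the other confirms from `ss -ltn` output that the WebUI port is listening only on that address and not on a wildcard. The port 8546 and the bridge address ::ffff:172.17.0.1 are the values used on this page; adjust them via the environment variables if yours differ.

```shell
#!/bin/sh
# Post-change sanity checks for the CSF WebUI bind described on this page.
# Added example, not part of CSF or Traefik. The port (8546) and bridge
# address (::ffff:172.17.0.1) are the values used above; override via env.
CSF_UI_PORT="${CSF_UI_PORT:-8546}"
CSF_UI_BIND="${CSF_UI_BIND:-::ffff:172.17.0.1}"

# check_ui_ip <csf.conf contents>
# 0 if UI_IP is an IPv4-mapped IPv6 address (::ffff:a.b.c.d), else 1.
check_ui_ip() {
  val=$(printf '%s\n' "$1" | sed -n 's/^UI_IP *= *"\([^"]*\)".*/\1/p' | tail -n 1)
  case "$val" in
    ::ffff:[0-9]*.[0-9]*.[0-9]*.[0-9]*) return 0 ;;
    *) echo "UI_IP is \"$val\"; expected ::ffff:<docker-bridge-ipv4>" >&2
       return 1 ;;
  esac
}

# check_listener <output of: ss -ltn>
# 0 if every socket listening on CSF_UI_PORT is bound to CSF_UI_BIND,
# 1 if any is bound to a wildcard or other address, 2 if none listens.
check_listener() {
  found=0; bad=0
  while read -r _ _ _ local_addr _; do
    case "$local_addr" in
      *:"$CSF_UI_PORT") ;;                 # "host:port" for our port
      *) continue ;;
    esac
    found=1
    host="${local_addr%:*}"                # drop ":port"
    host="${host#\[}"; host="${host%\]}"   # drop IPv6 brackets ss adds
    if [ "$host" != "$CSF_UI_BIND" ]; then
      echo "port $CSF_UI_PORT is listening on '$host', not $CSF_UI_BIND" >&2
      bad=1
    fi
  done <<EOF
$1
EOF
  [ "$found" -eq 1 ] || return 2
  [ "$bad" -eq 0 ]
}

# Run against the live host when invoked with --live (needs iproute2's ss).
if [ "${1:-}" = "--live" ]; then
  check_ui_ip "$(cat /etc/csf/csf.conf)" && check_listener "$(ss -ltn)" \
    && echo "CSF WebUI is bound only to [$CSF_UI_BIND]:$CSF_UI_PORT"
fi
```

Run it with `--live` on the CSF host after restarting lfd/CSF; a wildcard listener such as `*:8546` or `[::]:8546` means the UI_IP change has not taken effect.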




Next Steps

Instructions for adding Authentik middleware to ConfigServer via Traefik