added new traefik rules

2026-01-18 00:33:49 +01:00
parent 52be4a0e5a
commit b9660c986d
2 changed files with 32 additions and 1 deletions
--- a/infrastructure/apps/traefik-edge/config/dynamic/05-internal-ipwhitelist.yaml
+++ b/infrastructure/apps/traefik-edge/config/dynamic/05-internal-ipwhitelist.yaml
@@ -0,0 +1,30 @@
+http:
+  middlewares:
+    internal-ipwhitelist:
+      ipWhiteList:
+        sourceRange:
+          - "10.100.0.0/16"  # Internes Netzwerk (VLAN 30, 40, 90, etc.)
+          - "10.200.0.0/24"  # VPN-Netzwerk
+          # Nur VPN-Clients dürfen auf *.apps.internal.* zugreifen
+
+  routers:
+    # Separate Route für interne Apps mit TLS Termination (nicht Passthrough)
+    # Damit können wir IP-Whitelist anwenden
+    internal-apps:
+      rule: "HostRegexp(`^.+\\.apps\\.internal\\.k3s\\.stabify\\.de$`)"
+      entryPoints:
+        - websecure
+      service: k3s-cluster-internal
+      middlewares:
+        - internal-ipwhitelist
+      tls:
+        certResolver: le
+        domains:
+          - main: "*.apps.internal.k3s.stabify.de"
+
+  services:
+    k3s-cluster-internal:
+      loadBalancer:
+        servers:
+          - url: "https://10.100.40.6:443"
+        passHostHeader: true
--- a/infrastructure/apps/traefik-edge/config/dynamic/10-k3s.yaml
+++ b/infrastructure/apps/traefik-edge/config/dynamic/10-k3s.yaml
@@ -1,7 +1,8 @@
 tcp:
  routers:
+    # Öffentliche k3s Domains (NICHT *.apps.internal.*)
    k3s-passthrough:
-      rule: "HostSNIRegexp(`^.+\\.k3s\\.stabify\\.de$`)"
+      rule: "HostSNIRegexp(`^[^.]+\\.(apps|sys)\\.k3s\\.stabify\\.de$`) && !HostSNIRegexp(`^.+\\.apps\\.internal\\.k3s\\.stabify\\.de$`)"
      entryPoints:
        - websecure
      service: k3s-cluster