Deploy App and Dokploy Admin on specific Net/IP

Hi, I can't find anywhere the solution to my 2 issues:

1. How to start App2 so that it is only available on the VPN network and App1 so that it is available both on the VPN network and on the Public IP
2. How and where to properly configure Dokploy Admin to be accessible not from the Public IP address but only from the VPN site
2 Replies
Catur (7mo ago)
Question #1

To restrict IP access, you can add additional configuration to the Traefik file. Find the Traefik configuration file for the App2 container: you can find it in /dashboard/traefik, in 📁 dynamic, find the App2 container name. You can also find the Traefik configuration file in the app menu: select the advanced menu and find the configuration at the bottom.

Step 1

Add configuration at least as below:

http:
  ...
  middlewares:
    ip-allow: # 👈🏻 you can give it a name as you wish
      ipAllowList:
        sourceRange:
          - "100.52.0.xxx" # you can add as many IP whitelists as you like
  ...

Step 2

Then in routes please add the middleware we just created, only in the routes with entryPoints = websecure. Here is an example, adjust it to your configuration:

  ...
  routers:
    your-container-router:
      rule: Host(`your.domain.name`)
      service: your-container-service
      middlewares:
        - redirect-to-https
      entryPoints:
        - web
    your-container-router-websecure:
      rule: Host(`your.domain.name`)
      service: your-container-service
      middlewares:
        - ip-allow # 👈🏻 add middleware with the name of the middleware
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
  ...

Done. Now if App2 is accessed from anything other than the whitelisted IPs, it will be forbidden. For App1, I think there is no need for additional configuration for IP whitelist because it can be accessed with any IP.

Question #2

To make Dokploy accessible only from your VPN, you can use the same steps in question number 1 above, and implement them in the Traefik configuration file on Dokploy. The configuration file for Dokploy can be found in /dashboard/traefik, in 📁 dynamic, select the dokploy.yml file.

---------------

For more tips:

Tip 1: Because the middleware is used in two different configuration files, to be more efficient, you can add the middleware to the middleware.yml file in /dashboard/traefik in 📁 dynamic, then add it to the routers as per the steps above.

Tip 2: In addition to adding to the configuration file, if you have a compose file for your application, you can also add it to your application's compose file, by adding the following label to the compose file:

# Accepts request from defined IP
labels:
  - "traefik.http.middlewares.ip-allow.ipallowlist.sourcerange=100.52.0.xxx, 100.52.0.yyy"

Below for reference: https://doc.traefik.io/traefik/routing/routers/#middlewares
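
An added example, not part of the replies in this thread and not Dokploy's or Traefik's own code: a small audit of the setup described above that lists every websecure router with no ipAllowList middleware attached (so it can be compared against what is meant to be public, such as App1), rejects sourceRange entries that are not valid IPs or CIDRs, and checks whether a given client IP would match. The config is a constructed sample shown as the dict a YAML parser would return; the router names, hostnames and the 100.64.0.0/10 range are assumptions.

```python
import ipaddress

# Constructed sample: a Traefik dynamic config as it looks after YAML parsing.
# Router/host names are hypothetical; 100.64.0.0/10 stands in for a VPN range.
CONFIG = {"http": {
    "middlewares": {
        "ip-allow": {"ipAllowList": {"sourceRange": ["100.64.0.0/10", "100.52.0.xxx"]}},
        "redirect-to-https": {"redirectScheme": {"scheme": "https"}},
    },
    "routers": {
        "app1-websecure": {"rule": "Host(`app1.example.test`)", "entryPoints": ["websecure"]},
        "app2-web": {"rule": "Host(`app2.example.test`)", "entryPoints": ["web"],
                     "middlewares": ["redirect-to-https"]},
        "app2-websecure": {"rule": "Host(`app2.example.test`)", "entryPoints": ["websecure"],
                           "middlewares": ["ip-allow"]},
    },
}}

def allowed_networks(config):
    """Map each ipAllowList middleware name to (valid networks, rejected entries)."""
    result = {}
    for name, body in config["http"].get("middlewares", {}).items():
        if "ipAllowList" not in body:
            continue
        nets, bad = [], []
        for entry in body["ipAllowList"].get("sourceRange", []):
            try:
                nets.append(ipaddress.ip_network(entry.strip(), strict=False))
            except ValueError:
                bad.append(entry)  # e.g. a placeholder left in the file
        result[name] = (nets, bad)
    return result

def unrestricted_routers(config, entry_point="websecure"):
    """Routers on entry_point that have no ipAllowList middleware attached."""
    lists = allowed_networks(config)
    return sorted(
        name for name, router in config["http"].get("routers", {}).items()
        if entry_point in router.get("entryPoints", [])
        and not any(m in lists for m in router.get("middlewares", []))
    )

def is_allowed(config, middleware, client_ip):
    """Would client_ip match one of the middleware's valid sourceRange networks?"""
    nets, _ = allowed_networks(config)[middleware]
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in nets)
```
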
𝔇𝔬𝔫𝔞𝔩𝔡
Thank you very much for the very precise and detailed description of how to do it. I have set it up and it seems to work. I just need to find out how I can now call the endpoints that I have built using App2 via HTTP requests within the VPN site. Because until now, before I had the service limited to a specific network, I used to use the generated link from traefik.me, but now this traefik.me domain doesn't work. How else can I fix this? I need to be able to call App2 endpoints within the VPN site. I need advice on how to make HTTP requests if my service is available only within a specific subnet.