Traefik Blocklist Tutorial

Use Traefik's IPAllowList middleware with a CSV/TXT deny list to block proxy and VPN IP addresses at the reverse proxy layer in Docker or Kubernetes environments.

Supported formats: TXT (one IP/CIDR per line), YAML list

Steps

  1. Download the blocklist

    Fetch the TXT blocklist from your AntiProxies dashboard. You'll convert this to a YAML list for Traefik's dynamic configuration.

  2. Generate dynamic config

    Write a script that converts the TXT list into a Traefik dynamic configuration YAML file defining an IPAllowList middleware in deny mode.

  3. Point Traefik to the config file

    Configure Traefik's file provider to watch the directory containing your dynamic config so changes are picked up automatically.

  4. Attach middleware to routers

    Add the blocklist middleware to your Traefik router using labels (Docker) or IngressRoute annotations (Kubernetes).

Dynamic config – IPDenyList middleware

Generated Traefik dynamic config defining a deny-list middleware.

/etc/traefik/dynamic/antiproxies.yml
http:
  middlewares:
    antiproxies-block:
      ipAllowList:
        # Empty allow-list = allow all; we invert with a deny approach.
        # Traefik 3.x supports ipDenyList natively:
        ipDenyList:
          sourceRange:
            - "1.2.3.4/32"
            - "5.6.7.0/24"
            - "10.0.0.1/32"
            - "192.168.100.0/22"
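
One way to write the conversion script from step 2, as an added example (not code from AntiProxies or the Traefik project). The function names and the sample input are constructed for illustration, and the key layout in KEY_PATH is copied from the sample file above, so check it against the middleware reference for your Traefik version.

```python
import ipaddress
import os
import tempfile

# Key layout copied from the page's sample file; check it against your Traefik version.
KEY_PATH = ("http", "middlewares", "antiproxies-block",
            "ipAllowList", "ipDenyList", "sourceRange")

def parse_blocklist(text):
    """Return (collapsed networks, rejected lines) from one-IP/CIDR-per-line text."""
    nets, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not entry:
            continue
        try:
            # strict=False normalises host bits, e.g. 10.0.0.1/24 -> 10.0.0.0/24
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append((lineno, entry))   # never pass unparsed text into the config
    # collapse_addresses dedupes and merges, but needs one IP version per call
    merged = []
    for version in (4, 6):
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return merged, rejected

def render_config(networks):
    """Build the YAML text. An empty list is refused so that a truncated
    download cannot replace a working blocklist."""
    if not networks:
        raise ValueError("refusing to write an empty blocklist")
    lines = [f"{'  ' * depth}{key}:" for depth, key in enumerate(KEY_PATH)]
    indent = "  " * len(KEY_PATH)
    lines += [f'{indent}- "{net}"' for net in networks]
    return "\n".join(lines) + "\n"

def write_atomically(path, content):
    """Write a temp file in the same directory, then rename it over the target,
    so a reader of the target path never sees a half-written file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", suffix=".tmp")
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(tmp, 0o644)   # mkstemp creates 0600; the proxy may run as another user
    os.replace(tmp, path)

if __name__ == "__main__":
    SAMPLE = "1.2.3.4\n5.6.7.0/24\n# note\n5.6.7.128/25\nnot-an-ip\n10.0.0.1/32\n"  # constructed
    nets, bad = parse_blocklist(SAMPLE)
    print(render_config(nets), end="")
    print("rejected:", bad)
```

In a scheduled job, call write_atomically with the path of the dynamic config file and alert when the rejected list is non-empty.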

traefik.yml – enable file provider

Enable the file provider so Traefik watches the dynamic config directory.

/etc/traefik/traefik.yml
providers:
  file:
    directory: /etc/traefik/dynamic
    watch: true   # Hot-reload on file change

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

Docker Compose – attach middleware

Apply the antiproxies-block middleware to a service via labels.

docker-compose.yml
services:
  app:
    image: my-app:latest
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.app.rule=Host(`example.com`)"
      - "traefik.http.routers.app.middlewares=antiproxies-block@file"

Frequently asked questions

Does Traefik need a restart to pick up the new YAML file?
No. The file provider with watch: true detects changes and reloads dynamic configuration automatically, with zero downtime.
What is the difference between ipAllowList and ipDenyList?
ipAllowList specifies IPs that are allowed (everyone else is blocked). ipDenyList (Traefik 3.x) specifies IPs that are blocked. For a blocklist, use ipDenyList. On Traefik 2.x you can invert an allowList using the NotIp plugin.
How do I get the real client IP in Docker / Kubernetes?
Configure the forwardedHeaders section in Traefik to trust your ingress/LB IP, and have that ingress/LB set X-Real-IP or X-Forwarded-For, so the middleware sees the real client address.
