Skip to content

New: Microsoft Sentinel TAXII integration is in technical preview.Read the integration guide

ELLIO Traefik Middleware Plugin

The ELLIO Traefik Middleware Plugin adds IP-based access control to services behind Traefik. It fetches your External Dynamic List (EDL) from the ELLIO platform and blocks or allows requests at the proxy, protecting your services against malicious scanners and mass exploitation attempts.

What a blocked request looks like

What the plugin gives you:

  • Blocks malicious IPs automatically - the EDL updates without manual intervention
  • One place for IP policy - manage rules for all your services from the ELLIO platform
  • Blocklist or allowlist mode - block known bad IPs, or allow only trusted IPs
  • Keeps working during outages - falls back to the cached list if the platform is unreachable

GitHub repository: ELLIO-Traefik-Middleware-Plugin

  • Traefik v3.0 or later
  • Bootstrap token from your EDL configured for “Traefik Middleware”

Add the ELLIO plugin to your Traefik static configuration:

traefik.yml
experimental:
plugins:
ellio:
moduleName: github.com/ELLIO-Technology/ELLIO-Traefik-Middleware-Plugin
version: v1.0.2

Create a middleware instance in your dynamic configuration:

dynamic-config.yml
http:
middlewares:
ellio-edl:
plugin:
ellio:
bootstrapToken: "YOUR_ELLIO_BOOTSTRAP_TOKEN"
logLevel: "info"
ipStrategy: "direct"

Apply the middleware to your services:

http:
routers:
my-service:
rule: Host(`api.example.com`)
middlewares:
- ellio-edl
service: my-backend

Choose the setup guide that matches your infrastructure:

Parameter Type Required Default Description
bootstrapToken string Yes - EDL bootstrap token from the ELLIO platform
logLevel string No "info" Logging verbosity: trace, debug, info, warn, error
machineId string No random UUID Machine identifier. Override it when multiple Traefik instances share the same EDL.
ipStrategy string No "direct" IP extraction strategy
trustedHeader string No - Custom header name (for the “custom” strategy)
trustedProxies []string No - Trusted proxy IP ranges
  • direct - use the direct connection IP address (default)
  • xff - extract from the X-Forwarded-For header (reverse proxies)
  • real-ip - extract from the X-Real-IP header
  • custom - extract from a custom header specified in trustedHeader

Using the bootstrap token, the plugin fetches your EDL configuration and adjusts the access control mode:

  • Blocklist mode: All IPs in the EDL are blocked and receive 403 errors; other IPs are allowed.
  • Allowlist mode: Only IPs in the EDL are allowed; all other IPs are blocked. Be careful when protecting services that require additional IPs like local IP ranges (for example, if protecting a Pangolin installation, you also need to allow site IP ranges).

EDL configuration (blocklist/allowlist mode) is refreshed approximately every 5 minutes. The EDL IP lists themselves are downloaded based on your EDL update frequency settings in the platform (from every 5 minutes to every 24 hours).

Blocked events are sent to the ELLIO platform for monitoring. If you have access to CTI, you can look up blocked IPs and search by User Agent and ASN.

For blocklist mode (most common):

  1. Add a test IP to your IP ruleset in the ELLIO platform
  2. Wait for EDL regeneration (based on your update frequency)
  3. Test from the blocked IP - should receive 403 Forbidden
  4. Test from other IPs - should access normally

For allowlist mode:

  1. Add your current IP to the allowlist in the ELLIO platform
  2. Wait for EDL regeneration
  3. Test from the allowed IP - should work normally
  4. Test from a non-allowed IP - should be blocked

When the plugin is working, blocked requests appear in the ELLIO platform:

Blocked requests in the ELLIO platform dashboard