This script retrieves Google's public IP ranges to build an ipAllowList middleware for Traefik in YAML or TOML format
#!/bin/bash
#
# Script Name: traefik_google_ip_whitelist.sh
# Description: This script retrieves Google's public IP ranges, adds any unverified forwarding IPs,
# and generates a Traefik middleware configuration in either YAML or TOML format.
# The generated configuration allows whitelisting Google's IP addresses in Traefik,
# ensuring secure access to services by restricting traffic to Google's trusted IPs.
#
# Output:
# - traefik_google_ip_whitelist.yaml or traefik_google_ip_whitelist.toml
#
# Author: Mathías Tabó
# Date: 2024-10-02
#
##############
### Config ###
##############
# Traefik configuration format: "yaml" or "toml"
TRAEFIK_MIDDLEWARE_FORMAT=yaml
# Traefik dynamic configuration folder; a relative path resolves against the
# current working directory, not the script's own location
TRAEFIK_MIDDLEWARE_FOLDER=../config/dynamic_config
# Traefik middleware filename without extension (the extension is derived from the format above)
TRAEFIK_MIDDLEWARE_FILENAME=traefik_google_ip_whitelist
##################
### End Config ###
##################
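# Temporary files holding the fetched ranges: raw first, then sorted.
# mktemp gives unpredictable names; the EXIT trap removes both files on every
# exit path (including early failures), so nothing is left behind in $TMPDIR.
unordered_ips=$(mktemp) || { echo "[ERROR] mktemp failed" >&2; exit 1; }
sorted_ips=$(mktemp) || { echo "[ERROR] mktemp failed" >&2; exit 1; }
trap 'rm -f -- "$unordered_ips" "$sorted_ips"' EXIT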
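#######################################
# Resolve Google's SPF record and append every ip4:/ip6: token found in the
# records it includes to $unordered_ips, one per line.
# Only one level of "include:" is followed; deeper nesting is not expanded.
# Globals:  unordered_ips (appended to)
# Outputs:  progress messages on stdout, errors on stderr
# Returns:  1 if the top-level SPF record yields no include: targets, else 0
#######################################
function fetch_google_ips() {
  local spf_record domain
  echo "[INFO] Fetching Google IP ranges..."
  # NOTE: the resolver (8.8.8.8) is hardcoded and the answers are plain DNS
  # with no DNSSEC validation here, so the allowlist is only as trustworthy
  # as the resolver path used when this script runs.
  spf_record=$(dig @8.8.8.8 +short TXT _spf.google.com | grep -oP '(?<=include:)[^ ]+')
  if [[ -z "$spf_record" ]]; then
    echo "[ERROR] No include: targets found in the SPF record for _spf.google.com" >&2
    return 1
  fi
  while IFS= read -r domain; do
    [[ -n "$domain" ]] || continue
    echo "[INFO] Fetching IPs from $domain..."
    # Keep only well-formed ip4:/ip6: tokens; anything else in the TXT answer is dropped.
    dig @8.8.8.8 +short TXT "$domain" | grep -Eo 'ip[46]:[0-9a-fA-F\.:/]*' >> "$unordered_ips"
  done <<< "$spf_record"
}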
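#######################################
# Append the hand-maintained list of "unverified forwarding" ranges, which are
# not taken from the SPF chain. Nothing in this script can verify them, so
# review this list whenever the allowlist is regenerated.
# Globals:  unordered_ips (appended to)
# Outputs:  progress message on stdout
#######################################
function add_unverified_forwarding_ips() {
  echo "[INFO] Adding unverified forwarding IP ranges..."
  # Quoted delimiter: the body is written literally, nothing is expanded.
  cat <<'EOF' >> "$unordered_ips"
ip4:108.177.16.0/24
ip4:108.177.17.0/24
ip4:142.250.220.0/24
ip4:142.250.221.0/24
ip6:2600:1901:101::0/126
ip6:2600:1901:101::4/126
ip6:2600:1901:101::8/126
ip6:2600:1901:101::c/126
ip6:2600:1901:101::10/126
ip6:2600:1901:101::14/126
EOF
}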
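#######################################
# Split $unordered_ips into IPv4 and IPv6 ranges, strip the ip4:/ip6: prefix
# and sort each family by its fields, writing IPv4 first then IPv6 to $sorted_ips.
# Globals:  unordered_ips (read), sorted_ips (overwritten)
# Outputs:  progress message on stdout
#######################################
function sort_ips() {
  echo "[INFO] Sorting IP addresses..."
  {
    # IPv4: numeric sort on each dotted octet (the /prefix rides along in field 4).
    grep '^ip4:' "$unordered_ips" | cut -d':' -f2 | sort -n -t '.' -k1,1 -k2,2 -k3,3 -k4,4
    # IPv6: field-wise textual sort on the colon-separated groups. This is
    # lexical rather than numeric-hex and '::' yields empty fields, so the
    # result is deterministic but not a true address order.
    grep '^ip6:' "$unordered_ips" | sed 's/^ip6://' | sort -t':' -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -k7,7 -k8,8
  } > "$sorted_ips"
}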
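#######################################
# Render the ranges in $sorted_ips as a Traefik ipAllowList middleware file.
# Arguments: $1 - output format, "yaml" or "toml"; defaults to
#                 $TRAEFIK_MIDDLEWARE_FORMAT when omitted
# Globals:   TRAEFIK_MIDDLEWARE_FOLDER, TRAEFIK_MIDDLEWARE_FILENAME,
#            TRAEFIK_MIDDLEWARE_FORMAT, sorted_ips (read)
#            TRAEFIK_MIDDLEWARE_FILE (written: the output path)
# Outputs:   progress message on stdout, errors on stderr
# Returns:   0 on success; 1 on an unsupported format, an empty range list
#            (which would otherwise produce a broken allowlist), or a write failure
#######################################
function apply_to_traefik() {
  local fmt=${1:-$TRAEFIK_MIDDLEWARE_FORMAT}
  local ranges
  echo "[INFO] Creating Traefik $fmt configuration..."
  TRAEFIK_MIDDLEWARE_FILE=${TRAEFIK_MIDDLEWARE_FOLDER%/}/$TRAEFIK_MIDDLEWARE_FILENAME.$fmt
  case "$fmt" in
    yaml|toml) ;;
    *)
      echo "[ERROR] Unsupported Traefik configuration format: $fmt" >&2
      return 1
      ;;
  esac
  # Keep only lines that look like an address. IPv6 ranges may begin with a
  # hex letter, so the filter is hex-wide rather than [0-9] only.
  ranges=$(grep -E '^[0-9a-fA-F]' "$sorted_ips")
  if [[ -z "$ranges" ]]; then
    echo "[ERROR] No IP ranges to write; refusing to create an empty allowlist" >&2
    return 1
  fi
  if ! _render_allowlist "$fmt" "$ranges" > "$TRAEFIK_MIDDLEWARE_FILE"; then
    echo "[ERROR] Could not write $TRAEFIK_MIDDLEWARE_FILE" >&2
    return 1
  fi
}

#######################################
# Print the middleware document to stdout.
# Arguments: $1 - "yaml" or "toml" (already validated by the caller)
#            $2 - newline-separated list of ranges
#######################################
function _render_allowlist() {
  local fmt=$1 ranges=$2
  case "$fmt" in
    yaml)
      cat <<EOF
http:
  middlewares:
    google-ip-allowlist:
      ipAllowList:
        sourceRange:
$(sed 's/^/          - /' <<< "$ranges")
EOF
      ;;
    toml)
      # Quote every range, comma-terminate each line, then drop the final comma.
      cat <<EOF
[http.middlewares.google-ip-allowlist.ipAllowList]
  sourceRange = [
$(sed 's/^/    "/; s/$/",/; $s/,$//' <<< "$ranges")
  ]
EOF
      ;;
  esac
}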
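#######################################
# Remove the temporary files. Idempotent: a second call is a no-op (rm -f).
# Globals:  unordered_ips, sorted_ips (read)
#######################################
function cleanup() {
  rm -f -- "$unordered_ips" "$sorted_ips"
}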
# Main execution: fetch, merge the static list, sort, render, then tidy up.
main() {
  fetch_google_ips
  add_unverified_forwarding_ips
  sort_ips
  apply_to_traefik "$TRAEFIK_MIDDLEWARE_FORMAT"
  cleanup
  echo "[INFO] Done."
}
main "$@"