The current behaviour of this module seems to be that if any X-Forwarded-For member contains an IP in a banned country, then block the request.
This means that if I'm e.g. trying to block customers in country A, but my CDN has nodes in country A, then I might accidentally block customers that are meant to have access.
Or vice versa: if I allowlist customers in country A, but a person in country B (that is meant to be blocked) manages to go via a CDN node in country A, then they aren't blocked as desired.
Another thing is to detect CDNs at all. I'm using Cloudflare and the plugin does not seem to realize that because I see a lot of access from banned countries coming through. I'm running Matomo for analysis and Matomo uses Cloudflare's "CF-Connecting-IP" to get the original visitor's IP.
For the traefik built-in ip allow list plugin, they have a field "strategy" that picks e.g. which element in an X-Forwarded-For to look at. The same mechanism/api is used for rate limiting: https://doc.traefik.io/traefik/middlewares/http/ratelimit/#sourcecriterionipstrategy
We should use that same mechanism: https://github.com/traefik/traefik/blob/7fc56454ea9a2baa004db509a5a644bc199297c6/pkg/middlewares/ipallowlist/ip_allowlist.go#L76
https://github.com/traefik/traefik/blob/master/pkg/ip/strategy.go#L22
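A sketch of the hop selection described above, as an added Go example modelled on the linked Traefik strategy (depth from the right, or skipping trusted CDN/proxy ranges); it is not code from the plugin, and the `Strategy` type, `Blocked` function and the in-memory country lookup are assumptions.

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// Strategy mirrors the shape of Traefik's ipStrategy (added example, not the plugin's
// code): Depth selects the n-th hop from the right of X-Forwarded-For; ExcludedIPs lists
// trusted CDN/proxy CIDRs that are skipped when walking the header right to left.
type Strategy struct {
	Depth       int
	ExcludedIPs []string
}

// inTrusted reports whether ip falls inside one of the configured CIDRs.
func inTrusted(ip net.IP, cidrs []string) bool {
	for _, c := range cidrs {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP returns the single hop a geo lookup should be applied to, or "" when the
// header does not carry enough trustworthy information.
func (s Strategy) ClientIP(h http.Header) string {
	// Split on commas and spaces so "a, b,c" yields {"a","b","c"}.
	xff := strings.FieldsFunc(h.Get("X-Forwarded-For"), func(r rune) bool { return r == ',' || r == ' ' })
	if s.Depth > 0 {
		if len(xff) < s.Depth {
			return ""
		}
		return xff[len(xff)-s.Depth]
	}
	for i := len(xff) - 1; i >= 0; i-- { // nearest proxy first
		if ip := net.ParseIP(xff[i]); ip != nil && !inTrusted(ip, s.ExcludedIPs) {
			return xff[i]
		}
	}
	return ""
}

// Blocked applies the country ban to the selected hop only. lookup is a constructed
// stand-in for a GeoIP database; an undeterminable client is treated as blocked.
func Blocked(s Strategy, h http.Header, banned map[string]bool, lookup map[string]string) bool {
	ip := s.ClientIP(h)
	return ip == "" || banned[lookup[ip]]
}
```

With `ExcludedIPs` set to the CDN's ranges, a client in a banned country reaching the origin through a CDN node in an allowed country is still blocked, while the CDN node itself never triggers the ban.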