DevFW-CICD/ingress-nginx-helm
12
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Refactoring whitelist source IP verification

Browse source
This commit is contained in:
Manuel de Brito Fontes 2017-05-20 19:32:03 -04:00
parent c5e30973e5
commit 07cdee5ca8
1 changed files with 22 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
View file

@ -231,6 +231,24 @@ http {
}
{{ end }}
{{/* build the maps that will be use to validate the Whitelist */}}
{{ range $index, $server := .Servers }}
{{ range $location := $server.Locations }}
{{ $path := buildLocation $location }}
{{ if isLocationAllowed $location }}
{{ if gt (len $location.Whitelist.CIDR) 0 }}
geo $the_real_ip $deny_{{ $server.Hostname }}_{{ $path }} {
default 1;
{{ range $ip := $location.Whitelist.CIDR }}
{{ $ip }} 0;{{ end }}
}
{{ end }}
{{ end }}
{{ end }}
{{ end }}
{{/* build all the required rate limit zones. Each annotation requires a dedicated zone */}}
{{/* 1MB -> 16 thousand 64-byte states or about 8 thousand 128-byte states */}}
{{ range $zone := (buildRateLimitZones .Servers) }}
@ -312,9 +330,9 @@ http {
{{ if isLocationAllowed $location }}
{{ if gt (len $location.Whitelist.CIDR) 0 }}
{{ range $ip := $location.Whitelist.CIDR }}
allow {{ $ip }};{{ end }}
deny all;
if ($deny_{{ $server.Hostname }}_{{ $path }}) {
return 403;
}
{{ end }}
port_in_redirect {{ if $location.UsePortInRedirects }}on{{ else }}off{{ end }};
@ -362,7 +380,7 @@ http {
{{ end }}
# Pass Real IP
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Real-IP $the_real_ip;
# Allow websocket connections
proxy_set_header Upgrade $http_upgrade;