DevFW-CICD/ingress-nginx-helm
14
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

do not create empty access_by_lua_block

Browse source
This commit is contained in:
Elvin Efendi 2019-04-13 16:11:46 -04:00
parent ac043771ff
commit 2f3cf1a6c0
1 changed files with 6 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
rootfs/etc/nginx/template/nginx.tmpl
View file

@ -990,8 +990,12 @@ stream {
plugins.run() plugins.run()
} }
{{ if shouldConfigureLuaRestyWAF $all.Cfg.DisableLuaRestyWAF $location.LuaRestyWAF.Mode }}
# be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
# will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
# that means currently `satisfy any` and lua-resty-waf together will potentiall render any
# other authentication method such as basic auth or external auth useless - all requests will be allowed.
access_by_lua_block { access_by_lua_block {
{{ if shouldConfigureLuaRestyWAF $all.Cfg.DisableLuaRestyWAF $location.LuaRestyWAF.Mode }}
local lua_resty_waf = require("resty.waf") local lua_resty_waf = require("resty.waf")
local waf = lua_resty_waf:new() local waf = lua_resty_waf:new()
@ -1032,10 +1036,8 @@ stream {
{{ end }} {{ end }}
waf:exec() waf:exec()
{{ end }}
plugins.run()
} }
{{ end }}
header_filter_by_lua_block { header_filter_by_lua_block {
{{ if shouldConfigureLuaRestyWAF $all.Cfg.DisableLuaRestyWAF $location.LuaRestyWAF.Mode }} {{ if shouldConfigureLuaRestyWAF $all.Cfg.DisableLuaRestyWAF $location.LuaRestyWAF.Mode }}