Deny User Agent in Kubernetes Nginx Ingress Controller

9/12/2017

I'm being hit with a vulnerability probe which uses User-Agent: Mozilla/5.0 Jorgee and I want to drop/reject any requests from that user agent.

I've been digging around the k8s examples but I can't seem to find a solution.

Is there any way I can deny requests based on User-Agent with gcr.io/google_containers/nginx-ingress-controller:0.8.3?

-- Rohith Varanasi
kubernetes
nginx

2 Answers

9/13/2017

As best I can tell from the nginx go-template, that is not something the current implementation of their ingress controller offers. I believe that in their mental model, one would wish to do that kind of suppression in a per-Service manner, since doing it in the Ingress controller could very easily apply that rule to the whole cluster, leading to surprising outcomes for other published Services. I took a look at the haproxy controller's go-template and it seems to be true there, also.

At this point, I think you have two options:

  1. Use a custom nginx go-template file, which might not be "bad" but one will need to exercise caution when doing upgrades, since your controller will no longer come with a known-correct nginx.tmpl
  2. Try a more advanced haproxy ingress controller, which allows you to specify arbitrary haproxy snippets right in your Ingress resource, which is the best approach I have seen thus far, modulo their backendRule array seems not to be standard
-- mdaniel
Source: StackOverflow

9/13/2017

You can add custom nginx configuration snippets to Ingresses with annotations, at least for the "normal" nginx controller; I'm not sure if that works with the GCE controller too. See e.g. here: https://github.com/kubernetes/ingress/blob/master/examples/customization/configuration-snippets/nginx/ingress.yaml#L8

-- slintes
Source: StackOverflow
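
The annotation approach from the second answer, applied to the Jorgee User-Agent in the question; this is an added example, not part of the original answers or the linked repository. It assumes a controller version that honours the `configuration-snippet` annotation (the prefix is `ingress.kubernetes.io/` for the kubernetes/ingress controller and `nginx.ingress.kubernetes.io/` in later ingress-nginx releases). The Ingress name, host and Service are hypothetical.

```yaml
# Added example: reject requests whose User-Agent contains "Jorgee".
# The rule is scoped to this one Ingress, so other published Services
# in the cluster are not affected.
apiVersion: extensions/v1beta1     # Ingress API group in 2017; networking.k8s.io/v1 on current clusters
kind: Ingress
metadata:
  name: example-app                # hypothetical name
  annotations:
    # The snippet is copied into the nginx location blocks generated for this Ingress.
    ingress.kubernetes.io/configuration-snippet: |
      # ~* is a case-insensitive regex match on the User-Agent header.
      if ($http_user_agent ~* "Jorgee") {
        # 403 rejects with a response; "return 444;" instead closes the
        # connection without sending anything (nginx-specific code).
        return 403;
      }
spec:
  rules:
  - host: app.example.com          # hypothetical host
    http:
      paths:
      - path: /
        backend:
          serviceName: example-app # hypothetical Service
          servicePort: 80
```

Later ingress-nginx releases gate snippet annotations behind the `allow-snippet-annotations` ConfigMap setting, so check that it is enabled before relying on this. Blocked probes then appear in the controller's access log with status 403, which confirms the rule is matching.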