Customizing vhost config with nginx/traefik ingress controllers

9/30/2018

I have a service that serves several /locations. I would like to make a single location /how/very/special reachable by any IP while keeping every other /location accessible only to a list of trusted IPs (which is trivial to do when you can

What is the best-practice way to achieve this via traefik or ingress controllers? Is a sidecar nginx the only way to add this logic?

-- strzelecki.maciek
kubernetes
kubernetes-ingress
nginx-ingress
traefik

1 Answer

10/1/2018

You can achieve that by using the Nginx ingress controller in Kubernetes, as stated in the documentation: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md#user-content-whitelist-source-range

You can specify allowed client IP source ranges through the nginx.ingress.kubernetes.io/whitelist-source-range annotation. The value is a comma separated list of CIDRs, e.g. 10.0.0.0/24,172.10.0.1.

To configure this setting globally for all Ingress rules, the whitelist-source-range value may be set in the NGINX ConfigMap.

Note: Adding an annotation to an Ingress rule overrides any global restriction.

So by default you should put your trusted IP CIDRs in the Nginx ConfigMap and override that rule only for /how/very/special by setting the CIDR to 0.0.0.0/0.

-- Jakub Bujny
Source: StackOverflow
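
The setup the answer describes, written out as manifests. This is an added example, not part of the original answer or the ingress-nginx documentation; the ConfigMap name and namespace, the host, the service name and port, the ingress class and the trusted CIDRs are all assumptions or constructed values.

```yaml
# Global default: only the trusted ranges may reach Ingresses served by this controller.
# Name and namespace are assumptions; use the ConfigMap your controller is started with.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller   # assumed name
  namespace: ingress-nginx         # assumed namespace
data:
  whitelist-source-range: "10.0.0.0/24,192.0.2.0/24"   # constructed trusted CIDRs
---
# Every other location: no annotation, so the global restriction applies.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-service-restricted      # hypothetical name
spec:
  ingressClassName: nginx          # assumed class
  rules:
  - host: app.example.com          # hypothetical host
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-service       # hypothetical service
            port:
              number: 80
---
# The one public path lives in its own Ingress so the override touches nothing else.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-service-public          # hypothetical name
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: "0.0.0.0/0"
spec:
  ingressClassName: nginx
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /how/very/special    # Prefix also opens sub-paths; use Exact for this path only
        pathType: Prefix
        backend:
          service:
            name: my-service
            port:
              number: 80
```

The restriction is evaluated against the client address the controller sees, so behind a load balancer confirm the real source IP is preserved before relying on it. 0.0.0.0/0 covers IPv4 only; if the controller is reachable over IPv6, the public path also needs ::/0.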