I'm working with a large monolithic application with some private routes. These private routes are currently managed by an plain classic nginx server.
I need to migrate this to Kubernetes, and I must deny all external access to these routes. I'm using GKE, and AFAIK, privatize routes can be done inside the nginx-ingress controller.
I'm trying with server-snippet, but it doesn't seems to work. Here's the current code:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
nginx.org/websocket-services: service-ws
nginx.org/server-snippet: |
location /private {
allow 10.100.0.0/16; #Pods IPs
allow 10.200.0.0/16; #Pods IPs
deny all;
}
generation: 3The result is that /private routes always return 200 instead of 401/403. I've also tried to create a redirection instead of allow/deny, and also get 200 instead of 301 redirections.
Do you have some ideas or tips to make this work?
Following many links, the trick was the prefix is not up-to-date in most documentation:
Here's a working sample:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/server-snippet: |-
location /management_api {
allow 1.2.3.4/16; # Pod address range
allow 1.3.4.5/16; # Pod address range
deny all;
proxy_http_version 1.1;
proxy_redirect off;
proxy_intercept_errors on;
proxy_set_header Connection "";
proxy_set_header X-CF-Visitor $http_cf_visitor;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://10.11.12.13;
}
Enjoy!