ingress-nginx: Whitelist not working

Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.): yes

What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.): whitelist


Is this a BUG REPORT or FEATURE REQUEST? (choose one):

NGINX Ingress controller version: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.10.2

Kubernetes version (use kubectl version):

Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.1", GitCommit:"3a1c9449a956b6026f075fa3134ff92f7d55f812", GitTreeState:"clean", BuildDate:"2018-01-04T11:52:23Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"8+", GitVersion:"v1.8.3-rancher3", GitCommit:"772c4c54e1f4ae7fc6f63a8e1ecd9fe616268e16", GitTreeState:"clean", BuildDate:"2017-11-27T19:51:43Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}

Environment:

  • Cloud provider or hardware configuration:

We are running Rancher v1.6.12 locally with 3 virtual machine nodes.

  • OS (e.g. from /etc/os-release):

Here is the configuration of the nodes:

NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
  • Kernel (e.g. uname -a): 3.10.0-693.5.2.el7.x86_64
  • Install tools:
  • Others:

What happened: I added a whitelist on our Ingress resource using the following YAML file:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: testing
  namespace: testing
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: "1.1.1.1/8"
spec:
  rules:
  - host: testing.com
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx
          servicePort: 80

I tried curl on the page and I was still able to access it.

some.ip.here - - [16/Feb/2018:01:37:45 +0000] "GET / HTTP/1.1" 200 58 "-" "curl/7.53.1" "my.ip.is.here"

What you expected to happen: I should not be able to access it since I’m on a different IP.

How to reproduce it (as minimally and precisely as possible): curl http://test.com

Anything else we need to know:

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 2
  • Comments: 26 (6 by maintainers)

Most upvoted comments

@fripoli Unless you are starting the controller with the flag --annotations-prefix=ingress.kubernetes.io, please change the whitelist annotation to: nginx.ingress.kubernetes.io/whitelist-source-range

@grebois: what IP do you see in ingress logs (public or private)? If private, this is probably the IP of the LB node. If you installed it with helm, try to upgrade ingress with helm upgrade --name stable/nginx-ingress --set controller.service.externalTrafficPolicy=Local

I’m using quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.14.0

I’m always getting a 403 when I add nginx.ingress.kubernetes.io/whitelist-source-range: “x.x.x.x” where x.x.x.x is the IP I get from https://whatismyipaddress.com.

I’d confirm this; in my case it was my mistake. I didn’t add the nginx prefix.

@aledbf Looks like if --ssl-passthrough is enabled, the nginx controller uses proxy protocol for HTTPS. use-proxy-protocol must be enabled for nginx to unwrap the IP for use in the whitelist. When proxy protocol is enabled, it is enabled for 80 and 443. With --ssl-passthrough enabled, the whitelist does not work unless use-proxy-protocol: "true" is set. The problem for us is that our load balancer does not support proxy protocol, so port 80 requests fail with curl: (52) Empty reply from server. @mvineza, can you confirm if --ssl-passthrough is enabled?

Access log: 127.0.0.1 - [127.0.0.1] - - [16/Feb/2018:00:16:32 +0000] "GET / HTTP/1.1" 403 169 "-" "curl/7.58.0" 91 0.000

FYI… if --ssl-passthrough is enabled, the nginx controller handles sending HTTPS traffic to nginx over 442, whereas HTTP traffic is handled by nginx directly.
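A small audit script, added here as an example and not taken from the issue or from the ingress-nginx project, that walks access-log lines in the two formats quoted in this thread, checks the logged client address against the annotation's CIDR list, and flags lines where nginx only ever saw a loopback or private address (the "IP of the LB node" and missing-proxy-protocol cases the comments describe). The log lines and the 1.2.3.4 / 10.42.0.5 addresses are constructed; the whitelist value 1.1.1.1/8 is the one from the report.

```python
"""Audit ingress-nginx access-log lines against a whitelist-source-range value."""
import ipaddress
import re

# Constructed sample lines in the two log formats quoted in this issue. The loopback
# and 10.x lines model what nginx sees when the real client address is lost upstream.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Feb/2018:01:37:45 +0000] "GET / HTTP/1.1" 200 58 "-" "curl/7.53.1" "203.0.113.7"
127.0.0.1 - [127.0.0.1] - - [16/Feb/2018:00:16:32 +0000] "GET / HTTP/1.1" 403 169 "-" "curl/7.58.0" 91 0.000
1.2.3.4 - - [16/Feb/2018:01:40:02 +0000] "GET / HTTP/1.1" 200 58 "-" "curl/7.53.1" "1.2.3.4"
10.42.0.5 - - [16/Feb/2018:01:41:10 +0000] "GET / HTTP/1.1" 403 169 "-" "curl/7.53.1" "1.2.3.4"
"""

# Addresses that can only be a node, a pod, or the controller itself, never an
# Internet client: loopback (ssl-passthrough proxy without proxy protocol) or
# RFC1918 / link-local (load balancer or kube-proxy SNAT, externalTrafficPolicy=Cluster).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
LEADING_IP = re.compile(r"^(\S+)")
STATUS = re.compile(r'" (\d{3}) ')


def parse_whitelist(annotation):
    """Parse the comma-separated CIDR list from the annotation. nginx masks host
    bits (1.1.1.1/8 is treated as 1.0.0.0/8), so strict=False mirrors that."""
    return [ipaddress.ip_network(c.strip(), strict=False) for c in annotation.split(",")]


def classify(line, whitelist):
    """Return (client_ip, status, verdict) for one access-log line."""
    ip = ipaddress.ip_address(LEADING_IP.match(line).group(1))
    status = int(STATUS.search(line).group(1))
    if any(ip in net for net in INTERNAL):
        verdict = "client-ip-not-preserved"      # nginx never saw the real client
    elif any(ip in net for net in whitelist):
        verdict = "allowed" if status != 403 else "unexpected-403"
    else:
        verdict = "blocked" if status == 403 else "whitelist-not-enforced"
    return str(ip), status, verdict


def audit(log_text, annotation):
    """Classify every non-empty line of an access log against the whitelist."""
    nets = parse_whitelist(annotation)
    return [classify(l, nets) for l in log_text.splitlines() if l.strip()]


if __name__ == "__main__":
    for row in audit(SAMPLE_LOG, "1.1.1.1/8"):
        print(*row)
```

A "whitelist-not-enforced" verdict on a public address points at the annotation not being applied (wrong prefix, as in this thread), while "client-ip-not-preserved" means the fix is on the traffic path (externalTrafficPolicy=Local or proxy protocol), not in the annotation.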