Managing a whitelist for _/nginx_status

Signed-off-by: Sylvain Rabot <s.rabot@lectra.com>

internal/ingress/controller/config/config.go

@@ -246,6 +246,10 @@ type Configuration struct {
 	// http://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_bucket_size
 	MapHashBucketSize int `json:"map-hash-bucket-size,omitempty"`
 
+	// NginxStatusWhitelist has the list of cidr that are allowed to access
+	// the /nginx_status endpoint of the "_" server
+	NginxStatusWhitelist string `json:"nginxStatusWhitelist,omitempty"`
+
 	// If UseProxyProtocol is enabled ProxyRealIPCIDR defines the default the IP/network address
 	// of your external load balancer
 	ProxyRealIPCIDR []string `json:"proxy-real-ip-cidr,omitempty"`
@@ -521,6 +525,7 @@ func NewDefault() Configuration {
 		LogFormatUpstream:          logFormatUpstream,
 		MaxWorkerConnections:       16384,
 		MapHashBucketSize:          64,
+		NginxStatusWhitelist:       "127.0.0.1",
 		ProxyRealIPCIDR:            defIPCIDR,
 		ServerNameHashMaxSize:      1024,
 		ProxyHeadersHashMaxSize:    512,
@@ -612,6 +617,7 @@ type TemplateConfig struct {
 	CustomErrors            bool
 	Cfg                     Configuration
 	IsIPV6Enabled           bool
+	NginxStatusWhitelist    string
 	IsSSLPassthroughEnabled bool
 	RedirectServers         map[string]string
 	ListenPorts             *ListenPorts

internal/ingress/controller/nginx.go

@@ -615,6 +615,7 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) error {
 		CustomErrors:            len(cfg.CustomHTTPErrors) > 0,
 		Cfg:                     cfg,
 		IsIPV6Enabled:           n.isIPV6Enabled && !cfg.DisableIpv6,
+		NginxStatusWhitelist:    cfg.NginxStatusWhitelist,
 		RedirectServers:         redirectServers,
 		IsSSLPassthroughEnabled: n.cfg.EnableSSLPassthrough,
 		ListenPorts:             n.cfg.ListenPorts,

internal/ingress/controller/template/configmap.go

@@ -134,6 +134,12 @@ func ReadConfig(src map[string]string) config.Configuration {
 		}
 	}
 
+	nginxStatusWhitelist := "127.0.0.1"
+	if val, ok := conf[nginxStatusWhitelist]; ok {
+		delete(conf, nginxStatusWhitelist)
+		nginxStatusWhitelist = val
+	}
+
 	to := config.NewDefault()
 	to.CustomHTTPErrors = filterErrors(errors)
 	to.SkipAccessLogURLs = skipUrls
@@ -145,6 +151,7 @@ func ReadConfig(src map[string]string) config.Configuration {
 	to.HTTPRedirectCode = redirectCode
 	to.ProxyStreamResponses = streamResponses
 	to.DisableIpv6DNS = !ing_net.IsIPv6Enabled()
+	to.NginxStatusWhitelist = nginxStatusWhitelist
 
 	config := &mapstructure.DecoderConfig{
 		Metadata:         nil,

rootfs/etc/nginx/template/nginx.tmpl

@@ -98,7 +98,7 @@ http {
     {{ if $cfg.EnableOpentracing }}
     opentracing on;
     {{ end }}
-    
+
     {{ buildOpentracing $cfg }}
 
     include /etc/nginx/mime.types;
@@ -916,7 +916,7 @@ stream {
         # this is required to avoid error if nginx is being monitored
         # with an external software (like sysdig)
         location /nginx_status {
-            allow 127.0.0.1;
+            allow {{ $all.NginxStatusWhitelist }};
             {{ if $all.IsIPV6Enabled }}allow ::1;{{ end }}
             deny all;
 

test/data/config.json

@@ -26,6 +26,7 @@
 		"keepAlive": 75,
 		"mapHashBucketSize": 64,
 		"maxWorkerConnections": 16384,
+		"nginxStatusWhitelist": "127.0.0.1",
 		"proxyRealIpCidr": "0.0.0.0/0",
 		"retryNonIdempotent": false,
 		"serverNameHashBucketSize": 64,
@@ -113,7 +114,7 @@
 				"pemSha": ""
 			},
 			"vtsDefaultFilterKey": "$uri $server_name"
-			
+
 		}, {
 			"path": "/",
 			"isDefBackend": true,