Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Configure access to NGINX and NGINX Plus status #355

Closed
pleshakov opened this issue Sep 4, 2018 · 3 comments
Closed

Configure access to NGINX and NGINX Plus status #355

pleshakov opened this issue Sep 4, 2018 · 3 comments
Labels
enhancement Pull requests for new features/feature enhancements proposal An issue that proposes a feature request

Comments

@pleshakov
Copy link
Contributor

Is your feature request related to a problem? Please describe.

Currently, when NGINX/NGINX Plus status is exposed, connections only from 127.0.0.1 are allowed. In case when NGINX Ingress Controller is deployed with hostNetwork: true, this prevents connections to the status from any external hosts.

Describe the solution you'd like

Make the access list configurable, so that the user can specify which CIDRs are allowed to connect to the status.

Describe alternatives you've considered

An alternative is using custom template. In this case the user can add any allow/deny NGINX directives they want to the virtual server with the status. However, custom templates are not as convenient as command-line arguments.

Note: For any additional security (ex. TLS termination, client certificate validation, basic auth), template customization will still be required.
@pleshakov pleshakov added the enhancement Pull requests for new features/feature enhancements label Sep 4, 2018
@pleshakov
Copy link
Contributor Author

Suggested Implementation

To specify whitelisted IPs and CIDRs, we can have an additional command-line argument nginx-status-allow-cidrs, which takes a comma-separated list of allowed CIDRs. In the generated NGINX config, we can configure the allow and deny directives according with the supplied CIDRs.

Example: -nginx-status-allow-cidrs="10.1.1.0/16,192.168.1.1"

That leads to the following generated configuration for NGINX:

server {
        listen 8080;
 
        allow 10.1.1.0/16;
        allow 192.168.1.1;
        deny all;
 
        location /stub_status {
            stub_status;
        }
    }

and NGINX Plus:

server {
        listen 8080;
 
        root /usr/share/nginx/html;
 
        access_log off;
 
        location  = /dashboard.html {
        }
 
        allow 10.1.1.0/16;
        allow 192.168.1.1;
        deny all;
 
        location /api {
            api write=off;
        }
    }

Defaults: 127.0.0.1

Error Handling: Before generating NGINX config, we must validate that the specified CIDRs are valid. If the user passes invalid CIDRs, the Ingress Controller must report that and exit with an error. For the validation functions, we should have unit tests.

Out of scope: IPv6 CIDRs

Manifests Updates:
Updating installation manifests is not required as the default (127.0.0.1) is the same default that we have now.

Documentation Update:
We need to update https://github.com/nginxinc/kubernetes-ingress/blob/master/docs/cli-arguments.md

@pleshakov pleshakov mentioned this issue Sep 4, 2018
Merged
6 tasks
@pleshakov pleshakov added proposal An issue that proposes a feature request configuration labels Sep 5, 2018
@r4j4h r4j4h mentioned this issue Oct 2, 2018
Merged
6 tasks
@r4j4h
Copy link
Contributor

r4j4h commented Oct 11, 2018
edited
Loading

@pleshakov I think we can close this issue now 👍 :)

@pleshakov
Copy link
Contributor Author

@r4j4h you're right. thx :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement Pull requests for new features/feature enhancements proposal An issue that proposes a feature request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@r4j4h @pleshakov