Skip to content

Commit

Permalink
Merge pull request #740 from aledbf/fix-allow-deny
Browse files Browse the repository at this point in the history
Refactoring whitelist source IP verification
  • Loading branch information
aledbf authored May 21, 2017
2 parents c5e3097 + 07cdee5 commit b6d11ca
Showing 1 changed file with 22 additions and 4 deletions.
26 changes: 22 additions & 4 deletions controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -231,6 +231,24 @@ http {
}
{{ end }}

{{/* build the maps that will be use to validate the Whitelist */}}
{{ range $index, $server := .Servers }}
{{ range $location := $server.Locations }}
{{ $path := buildLocation $location }}

{{ if isLocationAllowed $location }}
{{ if gt (len $location.Whitelist.CIDR) 0 }}
geo $the_real_ip $deny_{{ $server.Hostname }}_{{ $path }} {
default 1;

{{ range $ip := $location.Whitelist.CIDR }}
{{ $ip }} 0;{{ end }}
}
{{ end }}
{{ end }}
{{ end }}
{{ end }}

{{/* build all the required rate limit zones. Each annotation requires a dedicated zone */}}
{{/* 1MB -> 16 thousand 64-byte states or about 8 thousand 128-byte states */}}
{{ range $zone := (buildRateLimitZones .Servers) }}
Expand Down Expand Up @@ -312,9 +330,9 @@ http {

{{ if isLocationAllowed $location }}
{{ if gt (len $location.Whitelist.CIDR) 0 }}
{{ range $ip := $location.Whitelist.CIDR }}
allow {{ $ip }};{{ end }}
deny all;
if ($deny_{{ $server.Hostname }}_{{ $path }}) {
return 403;
}
{{ end }}

port_in_redirect {{ if $location.UsePortInRedirects }}on{{ else }}off{{ end }};
Expand Down Expand Up @@ -362,7 +380,7 @@ http {
{{ end }}

# Pass Real IP
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Real-IP $the_real_ip;

# Allow websocket connections
proxy_set_header Upgrade $http_upgrade;
Expand Down

0 comments on commit b6d11ca

Please sign in to comment.