Configure access to NGINX and NGINX Plus status #355
Comments
pleshakov
added
the
enhancement
|
Suggested Implementation To specify whitelisted IPs and CIDRs, we can have an additional command-line argument Example: That leads to the following generated configuration for NGINX: server {
listen 8080;
allow 10.1.1.0/16;
allow 192.168.1.1;
deny all;
location /stub_status {
stub_status;
}
}and NGINX Plus: server {
listen 8080;
root /usr/share/nginx/html;
access_log off;
location = /dashboard.html {
}
allow 10.1.1.0/16;
allow 192.168.1.1;
deny all;
location /api {
api write=off;
}
}Defaults: Error Handling: Before generating NGINX config, we must validate that the specified CIDRs are valid. If the user passes invalid CIDRs, the Ingress Controller must report that and exit with an error. For the validation functions, we should have unit tests. Out of scope: IPv6 CIDRs Manifests Updates: Documentation Update: |
|
@pleshakov I think we can close this issue now 👍 :) |
|
@r4j4h you're right. thx :) |
Is your feature request related to a problem? Please describe.
Currently, when NGINX/NGINX Plus status is exposed, connections only from
127.0.0.1are allowed. In case when NGINX Ingress Controller is deployed withhostNetwork: true, this prevents connections to the status from any external hosts.Describe the solution you'd like
Make the access list configurable, so that the user can specify which CIDRs are allowed to connect to the status.
Describe alternatives you've considered
An alternative is using custom template. In this case the user can add any allow/deny NGINX directives they want to the virtual server with the status. However, custom templates are not as convenient as command-line arguments.
Note: For any additional security (ex. TLS termination, client certificate validation, basic auth), template customization will still be required.
The text was updated successfully, but these errors were encountered: