From 2a71a2437ce8e87efef7bacf00cfeb309cba90f4 Mon Sep 17 00:00:00 2001 From: ZJfans <1062004994@qq.com> Date: Sun, 25 Aug 2024 01:25:31 +0800 Subject: [PATCH 1/2] fix: limit_except returns 503 instead of the correct 403 (#11742) --- rootfs/etc/nginx/lua/balancer.lua | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/rootfs/etc/nginx/lua/balancer.lua b/rootfs/etc/nginx/lua/balancer.lua index 00104c89d7..11032c2efd 100644 --- a/rootfs/etc/nginx/lua/balancer.lua +++ b/rootfs/etc/nginx/lua/balancer.lua @@ -277,6 +277,11 @@ local function get_balancer() local backend_name = ngx.var.proxy_upstream_name + if backend_name == '-' then + ngx.status = ngx.HTTP_FORBIDDEN + return ngx.exit(ngx.status) + end + local balancer = balancers[backend_name] if not balancer then return nil From 35657b302db1ca56e8b13084129e968c2630fa1b Mon Sep 17 00:00:00 2001 From: ZJfans <1062004994@qq.com> Date: Wed, 28 Aug 2024 20:52:49 +0800 Subject: [PATCH 2/2] Add tests for limit_except --- test/e2e/annotations/limitexcept.go | 83 +++++++++++++++++++++++++++++ 1 file changed, 83 insertions(+) create mode 100644 test/e2e/annotations/limitexcept.go diff --git a/test/e2e/annotations/limitexcept.go b/test/e2e/annotations/limitexcept.go new file mode 100644 index 0000000000..47ca30404a --- /dev/null +++ b/test/e2e/annotations/limitexcept.go @@ -0,0 +1,83 @@ +/* +Copyright 2024 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package annotations + +import ( + "net/http" + "strings" + + "github.com/onsi/ginkgo/v2" + + "k8s.io/ingress-nginx/test/e2e/framework" +) + +var _ = framework.DescribeAnnotation("limit-except", func() { + f := framework.NewDefaultFramework("limitexcept") + + ginkgo.BeforeEach(func() { + f.NewEchoDeployment() + }) + + ginkgo.It("should return 403 when the request is not allowed", func() { + host := "foo.com" + + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/server-snippet": ` + location = / { + return 403; + }`, + "nginx.ingress.kubernetes.io/configuration-snippet": ` + limit_except GET { + deny all; + }`, + } + + ing := framework.NewSingleIngress(host, "/foo", host, f.Namespace, framework.EchoService, 80, annotations) + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, `location = / { return 403; }`) && + strings.Contains(server, `limit_except GET { deny all; }`) + }) + + ginkgo.By("sending request to foo.com") + f.HTTPTestClient(). + POST("/"). + WithHeader("Host", host). + Expect(). + Status(http.StatusForbidden) + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + Expect(). + Status(http.StatusForbidden) + + f.HTTPTestClient(). + POST("/foo"). + WithHeader("Host", host). + Expect(). + Status(http.StatusForbidden) + + f.HTTPTestClient(). + GET("/foo"). + WithHeader("Host", host). + Expect(). + Status(http.StatusOK) + }) +})