Restrict policies to non-duplicate routes
Problem: Some NGINX directives are not applied or enforced when configured in an internal location. This occurs when redirecting or rewriting a request from an external location to an internal location. Solution: Only accept a policy if the Route it targets is the only Route that matches the hostname, port, and path combination. If other Routes overlap, the policy will be rejected. This allows us to apply policy configuration to the external location instead of the internal locations. We would limit the policies we accept rather than limiting which Routes we accept. This is possible because, with the policy restriction, a policy cannot be applied to a Route that shares an external location with another Route. However, for the otel module, we still require some internal location directives to be specified, so the policy generator has been refactored to account for this. Finally, revert named locations back to internal locations. As part of this process, we've learned that named locations do not behave as expected. Co-authored-by: Kate Osborn <[email protected]>
1 parent
c96fa3f
commit 273d0ab
Showing
52 changed files
with
1,146 additions
and
570 deletions.
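--- a/internal/mode/static/nginx/config/policies/clientsettings/generator.go
+++ b/internal/mode/static/nginx/config/policies/clientsettings/generator.go
@@ -0,0 +1,80 @@
+package clientsettings
+
+import (
+	"fmt"
+	"text/template"
+
+	ngfAPI "github.com/nginxinc/nginx-gateway-fabric/apis/v1alpha1"
+	"github.com/nginxinc/nginx-gateway-fabric/internal/framework/helpers"
+	"github.com/nginxinc/nginx-gateway-fabric/internal/mode/static/nginx/config/http"
+	"github.com/nginxinc/nginx-gateway-fabric/internal/mode/static/nginx/config/policies"
+)
+
+var tmpl = template.Must(template.New("client settings policy").Parse(clientSettingsTemplate))
+
+const clientSettingsTemplate = `
+{{- if .Body }}
+{{- if .Body.MaxSize }}
+client_max_body_size {{ .Body.MaxSize }};
+{{- end }}
+{{- if .Body.Timeout }}
+client_body_timeout {{ .Body.Timeout }};
+{{- end }}
+{{- end }}
+{{- if .KeepAlive }}
+{{- if .KeepAlive.Requests }}
+keepalive_requests {{ .KeepAlive.Requests }};
+{{- end }}
+{{- if .KeepAlive.Time }}
+keepalive_time {{ .KeepAlive.Time }};
+{{- end }}
+{{- if .KeepAlive.Timeout }}
+{{- if and .KeepAlive.Timeout.Server .KeepAlive.Timeout.Header }}
+keepalive_timeout {{ .KeepAlive.Timeout.Server }} {{ .KeepAlive.Timeout.Header }};
+{{- else if .KeepAlive.Timeout.Server }}
+keepalive_timeout {{ .KeepAlive.Timeout.Server }};
+{{- end }}
+{{- end }}
+{{- end }}
+`
+
+// Generator generates nginx configuration based on a clientsettings policy.
+type Generator struct{}
+
+// NewGenerator returns a new instance of Generator.
+func NewGenerator() *Generator {
+	return &Generator{}
+}
+
+// GenerateForServer generates policy configuration for the server block.
+func (g Generator) GenerateForServer(pols []policies.Policy, _ http.Server) policies.GenerateResultFiles {
+	return generate(pols)
+}
+
+// GenerateForServer generates policy configuration for a normal location block.
+func (g Generator) GenerateForLocation(pols []policies.Policy, _ http.Location) policies.GenerateResultFiles {
+	return generate(pols)
+}
+
+// GenerateForServer generates policy configuration for a normal location block.
+func (g Generator) GenerateForInternalLocation(pols []policies.Policy) policies.GenerateResultFiles {
+	return generate(pols)
+}
+
+func generate(pols []policies.Policy) policies.GenerateResultFiles {
+	files := make(policies.GenerateResultFiles, 0, len(pols))
+
+	for _, pol := range pols {
+		csp, ok := pol.(*ngfAPI.ClientSettingsPolicy)
+		if !ok {
+			continue
+		}
+
+		files = append(files, policies.File{
+			Name:    fmt.Sprintf("ClientSettingsPolicy_%s_%s.conf", csp.Namespace, csp.Name),
+			Content: helpers.MustExecuteTemplate(tmpl, csp.Spec),
+		})
+	}
+
+	return files
+}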