
nginx.ingress.kubernetes.io/server-snippet applies config but not doing anything #4736

Closed
RedOrion opened this issue Sep 5, 2023 · 3 comments

RedOrion commented Sep 5, 2023

Environmental Info:
RKE2 Version:

rke2 version v1.25.12+rke2r1 (a0aa49e)
go version go1.20.6 X:boringcrypto

Node(s) CPU architecture, OS, and Version:

Linux knodes1.dev 3.10.0-1160.95.1.el7.x86_64 #1 SMP Mon Jul 24 13:59:37 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Cluster Configuration:

2 servers, 1 agent

Describe the bug:

When restricting specific pages using the ingress controller, pages still load, no signs of issues in logs.

Steps To Reproduce:

Default rke2 install, using the standard ingress controller with metallb as the load balancer in layer 2 mode

  • Configure ingress controller as follows:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-dev-ingress
  namespace: test.dev
  annotations:
    nginx.ingress.kubernetes.io/server-snippet: |
      location /ipaddr {
        deny all;
      }
spec:
  tls:
    - hosts:
        - test.dev
      secretName: test-dev
  rules:
    - host: test.dev
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: test.dev
                port:
                  number: 443
          - path: /ipaddr
            pathType: Prefix
            backend:
              service:
                name: test.dev
                port:
                  number: 443

Expected behavior:

Page with a deny all and no allows should never be allowed to load. Adding an allow 192.168.0.0/24 and then attempting access from that subnet allows (good), other subnets still work as well (incorrect).

Actual behavior:
deny all should deny all

brandond (Member) commented Sep 5, 2023

For security reasons (CVE-2021-25742), snippet annotations must be enabled in the chart values.

https://github.com/rancher/rke2-charts/blob/main/charts/rke2-ingress-nginx/rke2-ingress-nginx/4.6.100/values.yaml#L66-L70

@brandond brandond closed this as completed Sep 5, 2023
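The chart value brandond links to is set on rke2 by overriding the packaged chart's values rather than editing the ConfigMap by hand. The manifest below is an added example, not from this issue or the rke2 project; it assumes the documented rke2 mechanism of dropping a HelmChartConfig into /var/lib/rancher/rke2/server/manifests/ on a server node, and that the chart setting controller.allowSnippetAnnotations is what populates the allow-snippet-annotations key in the controller ConfigMap.

```yaml
# Added example (not the reporter's or the project's own file). Assumes the
# rke2 HelmChartConfig override mechanism; the release name rke2-ingress-nginx
# in kube-system is what rke2 ships.
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      # The rke2 chart ships this disabled. Snippet annotations let anyone who
      # can create an Ingress inject raw nginx directives into the shared
      # controller process, which is the exposure behind CVE-2021-25742.
      # Enable it only where Ingress creation is limited to trusted users,
      # and prefer the built-in annotations where they cover the need.
      allowSnippetAnnotations: true
```

After the chart reconciles, the rendered controller ConfigMap should carry the `allow-snippet-annotations: "true"` key the reporter quotes; if it does not, the HelmChartConfig name did not match the packaged release and the override was ignored.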
RedOrion (Author) commented Sep 5, 2023

Confirmed. That is added in the config as allow-snippet-annotations: "true"

The config portion is in /etc/nginx/nginx.conf when viewing the file in the controller; it's just not acting on it. The only reason I'm investigating this route is that I couldn't get the client IP to pass through to the web server.

brandond (Member) commented Sep 5, 2023

Just a guess, but are you actually hitting /ipaddr or are you being redirected to /ipaddr/ ?

Regardless, I don't think this repo is the correct place for questions about ingress-nginx.
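The restriction the reporter wants does not need a snippet at all. The manifest below is an added example, not from this issue or from ingress-nginx; it is a hypothetical second Ingress for the same host that puts the `/ipaddr` path under the built-in `nginx.ingress.kubernetes.io/whitelist-source-range` annotation, so allow-snippet-annotations can stay disabled. It assumes ingress-nginx's usual behaviour of merging paths for one host across Ingress objects, with an annotation applying only to the locations the annotated object defines; the `/ipaddr` path would be removed from the original `test-dev-ingress` so the two objects do not both claim it. Namespace, service and secret names are copied from the reporter's manifest.

```yaml
# Added example (not the reporter's manifest). Hypothetical companion Ingress
# that carries only the restricted path; the catch-all "/" path stays in the
# reporter's original test-dev-ingress object.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-dev-ingress-ipaddr
  namespace: test.dev
  annotations:
    # Clients outside this range receive a 403 from nginx itself, before any
    # proxying to the backend. Range taken from the reporter's allow test.
    nginx.ingress.kubernetes.io/whitelist-source-range: "192.168.0.0/24"
spec:
  tls:
    - hosts:
        - test.dev
      secretName: test-dev
  rules:
    - host: test.dev
      http:
        paths:
          - path: /ipaddr
            pathType: Prefix
            backend:
              service:
                name: test.dev
                port:
                  number: 443
```

Two checks are worth running against either approach. First, request both `/ipaddr` and `/ipaddr/` from outside the allowed range, since brandond's question about a trailing-slash redirect applies equally here, and confirm each returns 403 rather than the page. Second, the range is evaluated against the source address nginx actually sees: when the LoadBalancer Service SNATs traffic to a node address (the default `externalTrafficPolicy: Cluster`), every client appears to come from inside the cluster, which is the same client-IP problem the reporter mentions and would make an allow list for a client subnet meaningless until the real client address reaches the controller.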
