
Deny User Agent in Kubernetes Nginx Ingress Controller

I'm being hit with a vulnerability probe which uses User-Agent: Mozilla/5.0 Jorgee and I want to drop/reject any requests from that user agent.

I've been digging around the k8s examples but I can't seem to find a solution.

Is there any way I can deny requests based on User-Agent with gcr.io/google_containers/nginx-ingress-controller:0.8.3?

As best I can tell from the nginx go-template, that is not something the current implementation of their ingress controller offers. I believe that in their mental model, one would wish to do that kind of suppression in a per-Service manner, since doing it in the Ingress controller could very easily apply that rule to the whole cluster, leading to surprising outcomes for other published Services. I took a look at the haproxy controller's go-template and it seems to be true there, also.

At this point, I think you have two options:

  1. Use a custom nginx go-template file, which might not be "bad" but one will need to exercise caution when doing upgrades, since your controller will no longer come with a known-correct nginx.tmpl
  2. Try a more advanced haproxy ingress controller, which allows you to specify arbitrary haproxy snippets right in your Ingress resource, which is the best approach I have seen thus far, modulo their backendRule array seems not to be standard

You can add custom nginx configuration snippets to Ingresses with annotations, at least for the "normal" nginx controller; not sure if that works with the GCE controller too. See e.g. here: https://github.com/kubernetes/ingress/blob/master/examples/customization/configuration-snippets/nginx/ingress.yaml#L8
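
The annotation approach from the answer above, applied to the User-Agent in the question. This is an added example, not part of the original answers or the linked file; the resource name, host, backend Service and ingress class are hypothetical, and it assumes a controller version that supports the `configuration-snippet` annotation.

```yaml
# Added example: reject requests whose User-Agent contains "Jorgee"
# for one Ingress only, leaving other Services in the cluster untouched.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-app                 # hypothetical
  annotations:
    # Current ingress-nginx annotation prefix. Controllers from the older
    # kubernetes/ingress repository used the prefix "ingress.kubernetes.io/".
    # Recent ingress-nginx releases only honour snippet annotations when the
    # controller ConfigMap sets allow-snippet-annotations: "true".
    nginx.ingress.kubernetes.io/configuration-snippet: |
      # The snippet is placed inside each generated nginx location block.
      # ~* is a case-insensitive regex match on the User-Agent header.
      if ($http_user_agent ~* "Jorgee") {
        return 403;                 # use 444 to close the connection with no response
      }
spec:
  ingressClassName: nginx           # assumption: class name of the nginx controller
  rules:
    - host: app.example.com         # hypothetical
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: example-app   # hypothetical backend Service
                port:
                  number: 80
```

After applying it, a request sent with `curl -A "Mozilla/5.0 Jorgee"` to the host should return 403 while a default curl request still reaches the Service. The User-Agent header is chosen by the client, so this filters the scanner's traffic out of the backend and its logs but is not an access control.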
