whitelist did not work #866

Closed
fragtom opened this issue Feb 13, 2018 · 5 comments

@fragtom

commented Feb 13, 2018

Added whitelist to voyager.appscode.com, which resulted in haproxy.cfg not being valid.

kind: Ingress
metadata:
  annotations:
    ingress.appscode.com/replicas: "1"
    ingress.appscode.com/type: LoadBalancer
    ingress.kubernetes.io/whitelist-source-range: my.ip/32

With describe cm voyager-ingress-voyager, the following rule seems OK to me, but not to haproxy:

frontend http-0_0_0_0-80
  bind *:80 
  mode http
  # Add whitelisted ips
  acl network_allowed src my.ip/32
  block if restricted_page !network_allowed

error message

daemon.err: Feb 13 13:56:46 reloader: I0213 14:02:39.929513      43 mount_configmap.go:143] Processing change to ConfigMap ingress-voyager/voyager-ingress-voyager
daemon.err: Feb 13 13:56:46 reloader: I0213 14:02:39.929765      43 util.go:24] Mount Performed: 1
daemon.err: Feb 13 13:56:46 reloader: I0213 14:02:39.929786      43 util.go:40] calling boot file to execute
daemon.err: Feb 13 13:56:46 reloader: I0213 14:02:39.934735      43 util.go:43] Output:
daemon.err: Feb 13 13:56:46 reloader:  [ALERT] 043/140239 (1490) : parsing [/etc/haproxy/haproxy.cfg:34] : error detected while parsing an 'http-request block' condition : no such ACL : 'restricted_page'.
daemon.err: Feb 13 13:56:46 reloader: [ALERT] 043/140239 (1490) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
daemon.err: Feb 13 13:56:46 reloader: I0213 14:02:39.934765      43 util.go:45] failed to run cmd

Any help appreciated.
Container for voyager-operator:

    spec:
      containers:
      - args:
        - run
        - --v=3
        - --cloud-provider=aws
        - --ingress-class=
        image: appscode/voyager:5.0.0-rc.11
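
The `no such ACL : 'restricted_page'` alert above comes from a condition that names an ACL the generated frontend never declares, so the reload fails and the whitelist rule never loads. As an added example (not part of this thread, and not Voyager's or HAProxy's code), the simplified Python check below flags such references in a config before it is reloaded; the backend name `app-backend`, the reduced predefined-ACL list and the per-section, declare-before-use scoping are assumptions of this sketch.

```python
# Keywords that open a new section; ACL names are tracked per section here.
SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}
# Subset of HAProxy's predefined ACLs, which need no "acl" line (reduced list).
PREDEFINED = {"TRUE", "FALSE", "LOCALHOST", "HTTP", "HTTP_1.0", "HTTP_1.1",
              "METH_GET", "METH_POST", "METH_HEAD", "METH_OPTIONS"}

def undefined_acls(config_text):
    """Return (line_no, section, acl_name) for conditions naming an undeclared ACL."""
    findings, section, defined = [], None, set()
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()  # naive comment stripping
        if not tokens:
            continue
        if tokens[0] in SECTIONS:
            section, defined = " ".join(tokens[:2]), set()
            continue
        if tokens[0] == "acl" and len(tokens) > 1:
            defined.add(tokens[1])
            continue
        # The condition is everything after the first "if" or "unless".
        idx = next((i for i, t in enumerate(tokens) if t in ("if", "unless")), None)
        if idx is None:
            continue
        depth = 0  # > 0 while inside an anonymous "{ ... }" ACL
        for tok in tokens[idx + 1:]:
            if tok in ("{", "!{", "}"):
                depth += -1 if tok == "}" else 1
            elif depth == 0 and tok not in ("||", "or", "!"):
                name = tok.lstrip("!")
                if name and name not in defined | PREDEFINED:
                    findings.append((line_no, section, name))
    return findings

# Constructed from the frontend quoted in the issue (comment line omitted).
BROKEN = """\
frontend http-0_0_0_0-80
  bind *:80
  mode http
  acl network_allowed src my.ip/32
  block if restricted_page !network_allowed
"""
# Constructed backend (hypothetical name) holding the backendRule lines from the reply below.
WORKAROUND = """\
backend app-backend
  acl network_allowed src 22.22.22.22 33.33.33.33
  block if !network_allowed
"""

if __name__ == "__main__":
    print(undefined_acls(BROKEN))
```

HAProxy's own `haproxy -c -f <file>` check remains authoritative; this sketch only covers named ACL references in `if`/`unless` conditions.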
@KresoDenis

commented Feb 13, 2018

you can set IP whitelist on backendRule

  - host: app.com
    http:
      port: 443     
      paths:
      - path: /app
        backend:
          serviceName: app.appnamespace
          servicePort: 80
          backendRule:
          - acl network_allowed src 22.22.22.22 33.33.33.33
          - block if !network_allowed

You don't have to generate everything through voyager. Just put your own HAPROXY config stuff on backend.

@KresoDenis

commented Feb 13, 2018

I updated the yml with correct structure. In case you saw my unedited first post.

@fragtom

Author

commented Feb 14, 2018

The haproxy config is not written with acl network rule.. :/

@tamalsaha

Member

commented Feb 14, 2018

@fragtom, can you please try with 6.0.0-rc.0? Also, all annotations are now prefixed with ingress.appscode.com, so it should be:

ingress.appscode.com/whitelist-source-range: my.ip/32

fragtom closed this Feb 27, 2018

@fragtom

Author

commented Feb 27, 2018

thx, works
