Refactoring whitelist source IP verification

kubernetes · May 20, 2017 · 07cdee5 · 07cdee5
1 parent c5e3097
commit 07cdee5
Showing 1 changed file with 22 additions and 4 deletions.
diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@@ -231,6 +231,24 @@ http {
     }
     {{ end }}
 
+    {{/* build the maps that will be use to validate the Whitelist */}}
+    {{ range $index, $server := .Servers }}
+    {{ range $location := $server.Locations }}
+    {{ $path := buildLocation $location }}
+
+    {{ if isLocationAllowed $location }}
+    {{ if gt (len $location.Whitelist.CIDR) 0 }}
+    geo $the_real_ip $deny_{{ $server.Hostname }}_{{ $path }} {
+        default 1;
+
+        {{ range $ip := $location.Whitelist.CIDR }}
+        {{ $ip }} 0;{{ end }}
+    }
+    {{ end }}
+    {{ end }}
+    {{ end }}
+    {{ end }}
+
     {{/* build all the required rate limit zones. Each annotation requires a dedicated zone */}}
     {{/* 1MB -> 16 thousand 64-byte states or about 8 thousand 128-byte states */}}
     {{ range $zone := (buildRateLimitZones .Servers) }}
@@ -312,9 +330,9 @@ http {
 
             {{ if isLocationAllowed $location }}
             {{ if gt (len $location.Whitelist.CIDR) 0 }}
-            {{ range $ip := $location.Whitelist.CIDR }}
-            allow {{ $ip }};{{ end }}
-            deny all;
+            if ($deny_{{ $server.Hostname }}_{{ $path }}) {
+                return 403;
+            }
             {{ end }}
 
             port_in_redirect {{ if $location.UsePortInRedirects }}on{{ else }}off{{ end }};
@@ -362,7 +380,7 @@ http {
             {{ end }}
 
             # Pass Real IP
-            proxy_set_header X-Real-IP              $remote_addr;
+            proxy_set_header X-Real-IP              $the_real_ip;
 
             # Allow websocket connections
             proxy_set_header                        Upgrade           $http_upgrade;