nginx.ingress.kubernetes.io/auth-url Can't use IP whitelisting because the auth-service receives an internal IP #2938

Closed
martonsz opened this issue Aug 14, 2018 · 5 comments · Fixed by #2977
Labels
kind/bug Categorizes issue or PR as related to a bug.

@martonsz

FEATURE REQUEST

NGINX Ingress controller version: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.17.1

Kubernetes version (use kubectl version):

Client Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.4", GitCommit:"5ca598b4ba5abb89bb773071ce452e33fb66339d", GitTreeState:"clean", BuildDate:"2018-06-06T08:13:03Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}

Server Version: version.Info{Major:"1", Minor:"10+", GitVersion:"v1.10.5-gke.4", GitCommit:"6265b9797fc8680c8395abeab12c1e3bad14069a", GitTreeState:"clean", BuildDate:"2018-08-04T03:47:40Z", GoVersion:"go1.9.3b4", Compiler:"gc", Platform:"linux/amd64"}

Environment:

  • Cloud provider or hardware configuration: Google kubernetes engine
  • OS (e.g. from /etc/os-release): Container-Optimized OS - 10452.101.0
  • Kernel (e.g. uname -a): Linux gke-k8s-gnp-070a1811-63kp 4.14.22+ #1 SMP Wed May 30 13:49:27 PDT 2018 x86_64 Intel(R) Xeon(R) CPU @ 2.50GHz GenuineIntel GNU/Linux
  • Install tools: Helm chart for nginx ingress v 0.25.0
  • Others:

What:
I tried to create an IP whitelist in my basic authentication service, which is a small Python Flask app. But I noticed that the service receives an internal IP address when I visit a URL I want to protect with basic auth.
I tried to use the header X-Forwarded-For in my authentication service, but it also contained an internal IP.

This is how I annotate my ingress objects.

nginx.ingress.kubernetes.io/auth-url: "https://basicauth.mydomain.com/"
@aledbf
Member

aledbf commented Aug 14, 2018

@martonsz please make sure you are using --set controller.publishService.enabled=true in the installation of the chart

@aledbf aledbf closed this as completed Aug 14, 2018
@martonsz
Author

@aledbf I added the variable but it did not help. I am still getting local IPs

The --publish-service argument is now there for the container when I reinstall the chart.

$ kubectl get deployment ingress-nginx-ingress-controller -o yaml
...
        app: nginx-ingress
        component: controller
        release: ingress
    spec:
      containers:
      - args:
        - /nginx-ingress-controller
        - --default-backend-service=default/ingress-nginx-ingress-default-backend
        - --publish-service=default/ingress-nginx-ingress-controller
        - --election-id=ingress-controller-leader
        - --ingress-class=nginx
...

Here are some logs from my basic auth service showing the request headers.

This one is when visiting the address https://admin.mydomain.com/links which is annotated with nginx.ingress.kubernetes.io/auth-url: "https://basicauth.mydomain.com/". Here I receive a local IP 10.12.0.1 which is not one of my pods.

X-Request-Id: f4ecdae649b7fd875313ca902323c08e
X-Real-Ip: 10.12.0.1
X-Forwarded-For: 10.12.0.1
X-Forwarded-Host: basicauth.mydomain.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Original-Uri: /
X-Scheme: https
X-Original-Url: https://admin.mydomain.com/links
X-Original-Method: GET
X-Sent-From: nginx-ingress-controller
X-Auth-Request-Redirect: /links
Cache-Control: max-age=0
Authorization: Basic YWRtaW46YWRtaW4=
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Wind....

When I visit the basic auth service directly using its address https://basicauth.mydomain.com I get my public IP.

Host: basicauth.mydomain.com
Connection: close
X-Request-Id: 3997649e47666019710010629177fdca
X-Real-Ip: 212.32.136.42
X-Forwarded-For: 212.32.136.42
X-Forwarded-Host: basicauth.mydomain.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Original-Uri: /
X-Scheme: https
Cache-Control: max-age=0
Authorization: Basic YWRtaW46YWRtaW4=
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Wi...

@aledbf
Member

aledbf commented Aug 17, 2018

@martonsz
Author

@aledbf Yes. I am using externalTrafficPolicy: Local. That is why I get my public IP when visiting the basicauth.mydomain.com directly (as shown in the second log example).

@aledbf
Member

aledbf commented Aug 20, 2018

@martonsz this is a bug. We should send the client IP address in the header X-Forwarded-For

@aledbf aledbf reopened this Aug 20, 2018
@aledbf aledbf added the kind/bug Categorizes issue or PR as related to a bug. label Aug 20, 2018
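
The failure mode discussed in this thread, as an added example (not code from the issue or from ingress-nginx): a client-IP allowlist check that an auth service could apply to X-Forwarded-For, failing closed when the chain holds only internal addresses, as in the auth-url subrequest log above. The trusted-proxy range, the peer address and the allowlist are assumptions; the X-Forwarded-For values are the ones in the two logs.

```python
import ipaddress

# Assumptions (not from the issue): cluster-internal range, controller pod
# address seen as the TCP peer, and the allowlist itself.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWLIST = [ipaddress.ip_network("212.32.136.42/32")]
PEER = "10.12.0.5"

# X-Forwarded-For values as they appear in the two logs in this thread.
SUBREQUEST = {"X-Forwarded-For": "10.12.0.1"}    # via auth-url
DIRECT = {"X-Forwarded-For": "212.32.136.42"}    # direct visit


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def client_ip(headers, peer_addr):
    """Return the rightmost X-Forwarded-For hop that is not a trusted proxy.

    Returns None when no external hop can be established, which is the
    situation of the auth subrequest described in this issue.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not _in_any(peer, TRUSTED_PROXIES):
        # Peer is not our proxy: forwarded headers are client-controlled.
        return peer
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed chain: fail closed
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr
    return None


def is_allowed(headers, peer_addr):
    # In a Flask handler: is_allowed(request.headers, request.remote_addr)
    addr = client_ip(headers, peer_addr)
    return addr is not None and _in_any(addr, ALLOWLIST)
```

With the subrequest headers the check denies because no external hop is present, so an allowlist enforced in the auth service cannot pass until the controller forwards the client address.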