kubernetes · aledbf · Aug 22, 2017 · Aug 22, 2017
diff --git a/controllers/nginx/pkg/template/template.go b/controllers/nginx/pkg/template/template.go
@@ -342,10 +342,8 @@ var (
 
 func buildWhitelistVariable(s string) string {
 	if _, ok := whitelistVarMap[s]; !ok {
-		str := base64.URLEncoding.EncodeToString([]byte(s))
-		whitelistVarMap[s] = strings.Replace(str, "=", "", -1)
+		whitelistVarMap[s] = buildRandomUUID()
 	}
-
 	return whitelistVarMap[s]
 }
 
@@ -362,11 +360,11 @@ func buildRateLimitZones(input interface{}) []string {
 
 	for _, server := range servers {
 		for _, loc := range server.Locations {
-
-			whitelistVar := buildWhitelistVariable(loc.RateLimit.Name)
+			lrn := fmt.Sprintf("%v_%v", server.Hostname, loc.RateLimit.Name)
+			whitelistVar := buildWhitelistVariable(lrn)
 
 			if loc.RateLimit.Connections.Limit > 0 {
-				zone := fmt.Sprintf("limit_conn_zone $%s_limit zone=%v:%vm;",
+				zone := fmt.Sprintf("limit_conn_zone $limit_%s zone=%v:%vm;",
 					whitelistVar,
 					loc.RateLimit.Connections.Name,
 					loc.RateLimit.Connections.SharedSize)
@@ -376,7 +374,7 @@ func buildRateLimitZones(input interface{}) []string {
 			}
 
 			if loc.RateLimit.RPM.Limit > 0 {
-				zone := fmt.Sprintf("limit_req_zone $%s_limit zone=%v:%vm rate=%vr/m;",
+				zone := fmt.Sprintf("limit_req_zone $limit_%s zone=%v:%vm rate=%vr/m;",
 					whitelistVar,
 					loc.RateLimit.RPM.Name,
 					loc.RateLimit.RPM.SharedSize,
@@ -387,7 +385,7 @@ func buildRateLimitZones(input interface{}) []string {
 			}
 
 			if loc.RateLimit.RPS.Limit > 0 {
-				zone := fmt.Sprintf("limit_req_zone $%s_limit zone=%v:%vm rate=%vr/s;",
+				zone := fmt.Sprintf("limit_req_zone $limit_%s zone=%v:%vm rate=%vr/s;",
 					whitelistVar,
 					loc.RateLimit.RPS.Name,
 					loc.RateLimit.RPS.SharedSize,
@@ -468,7 +466,7 @@ func buildDenyVariable(a interface{}) string {
 	l := a.(string)
 
 	if _, ok := denyPathSlugMap[l]; !ok {
-		denyPathSlugMap[l] = uuid.New()
+		denyPathSlugMap[l] = buildRandomUUID()
 	}
 
 	return fmt.Sprintf("$deny_%v", denyPathSlugMap[l])
@@ -541,3 +539,9 @@ func buildAuthSignURL(input interface{}) string {
 
 	return fmt.Sprintf("%v&rd=$request_uri", s)
 }
+
+// buildRandomUUID return a random string to be used in the template
+func buildRandomUUID() string {
+	s := uuid.New()
+	return strings.Replace(s, "-", "", -1)
+}
diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@@ -280,6 +280,8 @@ http {
 
     {{ if isLocationAllowed $location }}
     {{ if gt (len $location.Whitelist.CIDR) 0 }}
+
+    # Deny for {{ print $server.Hostname  $path }}
     geo $the_real_ip {{ buildDenyVariable (print $server.Hostname "_"  $path) }} {
         default 1;
 
@@ -288,14 +290,18 @@ http {
     }
     {{ end }}
     {{ end }}
+
     {{ if ne $location.RateLimit.Name "" }}
-    geo ${{ buildWhitelistVariable $location.RateLimit.Name }}_whitelist {
+    # Ratelimit {{ $location.RateLimit.Name }}
+    {{ $rln := (print $server.Hostname "_" $location.RateLimit.Name) }}
+    geo $whitelist_{{ buildWhitelistVariable $rln }} {
         default 0;
         {{ range $ip := $location.RateLimit.Whitelist }}
         {{ $ip }} 1;{{ end }}
     }
 
-    map ${{ buildWhitelistVariable $location.RateLimit.Name }}_whitelist ${{ buildWhitelistVariable $location.RateLimit.Name }}_limit {
+    # Ratelimit {{ $location.RateLimit.Name }}
+    map $whitelist_{{ buildWhitelistVariable $rln }} $limit_{{ buildWhitelistVariable $rln }} {
         0 {{ $cfg.LimitConnZoneVariable }};
         1 "";
     }