Add CLI option -nginx-status-allow-cidrs to allow easily restricting access to sensitive endpoints via CLI argument. #387
Some notes of areas I wasn't sure about:
@r4j4h thanks for the PR! We're reviewing it and will get back to you soon.
Please see my suggestions.
Additionally, could you format the Go code using the gofmt tool? There are formatting issues.
/nginx-health - I covered it initially but am not sure if we wanted to include it or just cover the status endpoints with this change
The status health endpoint is different from NGINX status. That's why it should not be configured via the nginx-status-allow-cidrs flag. I wonder what is the use case for protecting it?
@pleshakov Would you prefer these changes added on in subsequent commits or rebased again?
@pleshakov Great feedback, I think I made all the requested changes. The diff definitely looks cleaner! Let me know if you see more.
@pleshakov I did not include it in this MR, but
@r4j4h thanks for making changes. Please see a few additional suggestions.
|
||
allow 127.0.0.1; | ||
{{ range $value := .NginxStatusAllowCIDRs }}{{ if ne $value "" }} | ||
allow {{$value}};{{ end }} | ||
deny all; |
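Review bot: `allow {{$value}};` writes each entry of `.NginxStatusAllowCIDRs` into the nginx config as-is, and nothing in this hunk checks that the entry is an IP address or a CIDR block. Validate every entry when the flag is parsed (for example with Go's `net.ParseCIDR` and `net.ParseIP`) and refuse to start on a bad one, so a typo cannot produce a broken or unintended directive. Dropping empty entries at parse time would also make the `{{ if ne $value "" }}` guard in the template unnecessary.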
Sorry, haven't caught it during the first review. Could you move the deny all just below the range loop.
{{range ... }}
{{end}}
deny all;
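An added example (not code from this PR or from the project) of the layout asked for in the comment above, with the entries validated before they reach the template. The comma-separated flag format and the helper names `parseAllowCIDRs` and `renderStatusACL` are assumptions; only the field name `NginxStatusAllowCIDRs` comes from the diff.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"strings"
	"text/template"
)

// statusTmpl: loopback first, one allow per entry, a single "deny all;" after the loop.
const statusTmpl = `allow 127.0.0.1;
{{ range $value := .NginxStatusAllowCIDRs }}allow {{ $value }};
{{ end }}deny all;
`

// parseAllowCIDRs (hypothetical helper) splits an assumed comma-separated flag
// value and accepts only entries that parse as an IP address or a CIDR block.
func parseAllowCIDRs(flagValue string) ([]string, error) {
	var out []string
	for _, raw := range strings.Split(flagValue, ",") {
		entry := strings.TrimSpace(raw)
		if entry == "" {
			continue // drop empty entries here, not in the template
		}
		if _, _, err := net.ParseCIDR(entry); err != nil && net.ParseIP(entry) == nil {
			return nil, fmt.Errorf("invalid IP or CIDR %q", entry)
		}
		out = append(out, entry)
	}
	return out, nil
}

// renderStatusACL (hypothetical helper) renders the allow/deny block for validated entries.
func renderStatusACL(cidrs []string) (string, error) {
	t := template.Must(template.New("acl").Parse(statusTmpl))
	var sb strings.Builder
	err := t.Execute(&sb, struct{ NginxStatusAllowCIDRs []string }{cidrs})
	return sb.String(), err
}

func main() {
	cidrs, err := parseAllowCIDRs("10.0.0.0/8, 192.168.1.10,") // constructed sample
	if err != nil {
		log.Fatal(err)
	}
	acl, _ := renderStatusACL(cidrs)
	fmt.Print(acl)
}
```

With no entries at all the rendered block is just the loopback `allow` followed by `deny all;`, so the endpoint stays closed to everything else by default.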
@@ -96,10 +96,10 @@ http { | |||
|
|||
location = /dashboard.html { | |||
} | |||
|
|||
allow 127.0.0.1; | |||
{{ range $value := .NginxStatusAllowCIDRs }}{{ if ne $value "" }} |
Could you indent {{ range ... so that it has the indentation as the allow in the next line?
Looks great!
@r4j4h thanks for the changes again. I have updated the suggestions left yesterday (removed a few). Sorry if that confused you.
@pleshakov Thanks for letting me know, luckily I did not have time to start on the fixes until now so I am glad that I did not make any of the changes you removed :) Should have these changes made shortly.
@pleshakov Ok, please take a look and let me know if there is anything else :)
@r4j4h Thanks! Could you possibly squash your commits into a single one? Once it is done, we will merge it.
…g access to sensitive endpoints via CLI argument.
@pleshakov No problem, done!
@r4j4h thanks! The feature will be immediately available in the edge version and will go in our 1.4.0 release.
Add CLI option -nginx-status-allow-cidrs to allow easily restricting access to sensitive endpoints via CLI argument.
Proposed changes
This implements #355
Checklist
Before creating a PR, run through this checklist and mark each as complete.