basic auth / ip filter only for path that contain special character in Ingress NGINX

General Tech Bugs & Fixes 2 years ago

0 2 0 0 0 tuteeHUB earn credit +10 pts

5 Star Rating 1 Rating

Posted on 16 Aug 2022, this text provides information on Bugs & Fixes related to General Tech. Please note that while accuracy is prioritized, the data presented might not be entirely correct or up-to-date. This information is offered for general knowledge and informational purposes only, and should not be considered as a substitute for professional advice.

Take Quiz To Earn Credits!

Turn Your Knowledge into Earnings.

tuteehub_quiz

Answers (2)

Post Answer
profilepic.png
manpreet Tuteehub forum best answer Best Answer 2 years ago

 

I want my Ingress (NGINX) to filter by source IP address and show a basic auth before proxying to a service. While this is straightforward, the complicated part is, that I want it to do this only, if the URL contains a special character in the path.

Lets say I want to secure all paths that start with a "+" before proxying them to the correct service. On the other hand I still want that paths that do not start with a "+" will be routed (without basic auth) to the same service. It should also not change the URL that the service will see.

Examples would be:

/serviceA/what/ever -> http://192.168.0.2/what/ever
/serviceA/what/+ever -> BASIC_AUTH -> http://192.168.0.2/what/+ever
/serviceB/what/ever -> http://192.168.0.3/what/ever
/serviceB/+what/ever -> BASIC_AUTH -> http://192.168.0.3/+what/ever

Is it possible to achieve this either in Ingress or at least in a NGINX config? The regex for the URL path is also quite simple in NGINX but is it possible without duplicating all path entries and also without adding a second proxy nginx in front?

The ideal solution would be in Ingress yml config but I'm more familar with NGINX, so here is an example what I want to achieve in NGINX-Syntax:

Location ~ /+ { auth_basic ...; auth_basic_user_file ...; < route it somehow to the similar location as it would have no +, but don't cut out the + > } Location /serviceA { proxy_pass ...; } ... more Locations ...

Or in Ingress something similar with path-entries.

 
profilepic.png
manpreet 2 years ago

First of all, your:

location ~ /+ {
    auth_basic ...;
    auth_basic_user_file ...;
    < route it somehow to the similar location as it would have no +, but don't cut out the + >
}

Would only match servicex/+something , not the servicex/something/+nice

The regex you are searching is something like:

location ~ ^/(.*)\+(.*) for the "+" to be anywhere

location ~ ^(.*)\/\+(.*) for the "+" to be only after a "/"

For the part:

< route it somehow to the similar location as it would have no +, but don't cut out the + >

Like this you'll send the uri exactly like it came:

proxy_pass http://192.168.0.2$request_uri; 

And like this you'd take out the "+"

proxy_pass http://192.168.0.2$1/$2; 

Where $1 is the (.*) before the /+ and $2 is everything after, and we add the lacking / in the middle.


0 views   0 shares

No matter what stage you're at in your education or career, TuteeHub will help you reach the next level that you're aiming for. Simply,Choose a subject/topic and get started in self-paced practice sessions to improve your knowledge and scores.