basic auth / ip filter only for path that contain special character in Ingress NGINX

manpreet Best Answer 3 years ago

I want my Ingress (NGINX) to filter by source IP address and show a basic auth before proxying to a service. While this is straightforward, the complicated part is, that I want it to do this only, if the URL contains a special character in the path.

Lets say I want to secure all paths that start with a "+" before proxying them to the correct service. On the other hand I still want that paths that do not start with a "+" will be routed (without basic auth) to the same service. It should also not change the URL that the service will see.

Examples would be:

/serviceA/what/ever -> http://192.168.0.2/what/ever
/serviceA/what/+ever -> BASIC_AUTH -> http://192.168.0.2/what/+ever
/serviceB/what/ever -> http://192.168.0.3/what/ever
/serviceB/+what/ever -> BASIC_AUTH -> http://192.168.0.3/+what/ever

Is it possible to achieve this either in Ingress or at least in a NGINX config? The regex for the URL path is also quite simple in NGINX but is it possible without duplicating all path entries and also without adding a second proxy nginx in front?

The ideal solution would be in Ingress yml config but I'm more familar with NGINX, so here is an example what I want to achieve in NGINX-Syntax:

Location ~ /+ { auth_basic ...; auth_basic_user_file ...; < route it somehow to the similar location as it would have no +, but don't cut out the + > } Location /serviceA { proxy_pass ...; } ... more Locations ...

Or in Ingress something similar with path-entries.

manpreet 3 years ago

First of all, your:

location ~ /+ {
    auth_basic ...;
    auth_basic_user_file ...;
    < route it somehow to the similar location as it would have no +, but don't cut out the + >
}

Would only match servicex/+something , not the servicex/something/+nice

The regex you are searching is something like:

location ~ ^/(.*)\+(.*) for the "+" to be anywhere

location ~ ^(.*)\/\+(.*) for the "+" to be only after a "/"

For the part:

< route it somehow to the similar location as it would have no +, but don't cut out the + >

Like this you'll send the uri exactly like it came:

proxy_pass http://192.168.0.2$request_uri; 

And like this you'd take out the "+"

proxy_pass http://192.168.0.2$1/$2; 

Where $1 is the (.*) before the /+ and $2 is everything after, and we add the lacking / in the middle.