Bypass vouch for IP range with k8s ingress #508

Closed
flipsed opened this issue Nov 30, 2022 · 2 comments
flipsed commented Nov 30, 2022

Describe the problem
I have vouch configured on a k8s ingress and I would like to add a bypass rule based on an IP range. This is a similar question to #378 but specific to k8s ingress. I'm using okta as an IdP.

Expected behavior
When using the annotations below I would expect the following behaviour from the k8s ingress: if a request comes from one of the whitelisted IPs, it would bypass authentication due to the satisfy any constraint. If it is not in the whitelist, I would expect a redirection to vouch. Unfortunately, with this config, the internal whitelisted IPs are also getting redirected to vouch.

    nginx.ingress.kubernetes.io/auth-response-headers: X-Vouch-User
    nginx.ingress.kubernetes.io/auth-signin: https://vouch.example.com/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err
    nginx.ingress.kubernetes.io/auth-snippet: |
      auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
      auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
      auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
    nginx.ingress.kubernetes.io/auth-url: https://example.com/validate
    nginx.ingress.kubernetes.io/configuration-snippet: |
      satisfy any;
      allow <internal IP CIDR>;
      allow <internal IP CIDR>;
      allow <internal IP CIDR>;
      deny all;

Desktop (please complete the following information):

  • OS: macOS monterey
  • Browser firefox
  • Version [e.g. 22]

Additional context
I've also tested using these annotations for the IP range bypass but the behaviour is the same:

    nginx.ingress.kubernetes.io/satisfy: "any"
    nginx.ingress.kubernetes.io/whitelist-source-range: <internal IP CIDR>, <internal IP CIDR>
bnfinet (Member) commented Nov 30, 2022

@flipsed I'm not currently a k8s user so I may not be the best resource to help here.

Could you please add a bit more context? The README describes the preferred method of submitting an issue, please do those. But also I'm curious about where your k8s is hosted and anything else about that operating environment.

This is an interesting discussion which may be relevant...
kubernetes/ingress-nginx#7354

flipsed (Author) commented Dec 1, 2022

This turned out to be a networking issue rather than a vouch-proxy or k8s ingress annotation problem. I had disabled proxying in cloudflare and I was making a request directly to the ELB that was in front of my ingress but the nginx logs were still showing the origin as being one of cloudflare's IPs.

For anyone facing the same issue, my solution was to re-enable cloudflare proxying and use the nginx real-ip module http://nginx.org/en/docs/http/ngx_http_realip_module.html

@flipsed flipsed closed this as completed Dec 1, 2022
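As an added example (not from this issue or the vouch-proxy project), this is the plain-nginx equivalent of the annotations above combined with the real-ip module from the final comment, so that `allow` matches the visitor's address rather than the address of Cloudflare or the ELB. All CIDRs, hostnames and the upstream name are placeholders.

```nginx
# Trust only the hops actually in front of nginx. Placeholder ranges; replace
# with the real Cloudflare egress ranges and the load balancer's subnet.
set_real_ip_from 203.0.113.0/24;   # placeholder: Cloudflare
set_real_ip_from 10.0.0.0/8;       # placeholder: ELB / cluster network
real_ip_header   X-Forwarded-For;
# Walk X-Forwarded-For from the right, skipping every trusted proxy, so the
# first untrusted address wins. A client hitting the ELB directly with a forged
# X-Forwarded-For is therefore still seen by its own address. Never use
# `set_real_ip_from 0.0.0.0/0`: the allow list below would then be spoofable.
real_ip_recursive on;

server {
    listen 443 ssl;
    server_name app.example.com;     # placeholder

    location / {
        # Pass if EITHER the allow list OR the auth_request succeeds.
        satisfy any;
        allow 192.0.2.0/24;          # placeholder: internal CIDR
        deny all;

        auth_request /validate;
        auth_request_set $auth_resp_jwt       $upstream_http_x_vouch_jwt;
        auth_request_set $auth_resp_err       $upstream_http_x_vouch_err;
        auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
        error_page 401 = @login;

        proxy_set_header X-Vouch-User $upstream_http_x_vouch_user;
        proxy_pass http://app-backend;   # placeholder upstream
    }

    location = /validate {
        internal;                     # not reachable from outside
        proxy_pass https://vouch.example.com/validate;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    location @login {
        return 302 https://vouch.example.com/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
    }
}
```

Whether `$remote_addr` actually reflects the visitor can be checked by logging it alongside `$http_x_forwarded_for` and comparing a request sent through Cloudflare with one sent straight to the ELB.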