Question

nginx ingress wihtelist-source-range

Hi all

I am trying to use the whitelist function of Ingress (nginx) in connection with DigitalOcean managed Kubernetes and DO LoadBalancer.

But somehow this doesn’t seem to work. Or I don’t understand how it should work.

I have an ingress definition:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/wihtelist-source-range: "xx.xxx.x.xxx,xx.xxx.x.xxx/32"
  name: service
  namespace: ioneaccess
spec:
  ingressClassName: nginx
  rules:
    - host: service.my-company.work
      http:
        paths:
        - pathType: ImplementationSpecific
          backend:
            service:
              name: service
              port:
                number: 8181
  tls:
    - hosts:
        - service.my-company.work
      secretName: service-tls

Using the “whitelist-source-range” annotation: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#whitelist-source-range

This works as far as it goes. But not quite. Now I get a 403 Forbidden. But if I now call the service with a shared IP address, I still get a 403.

Now what I find interesting / strange is the log statement from nginx:

2023/05/22 11:51:05 [error] 362#362: *149896 access forbidden by rule, client: 10.135.*.*, server: service.my-company.work, request: "GET /service/v1/ping HTTP/2.0", host: "service.my-company.work"
10.135.*.* - - [22/May/2023:11:51:05 +0000] "GET /service/v1/ping HTTP/2.0" 403 548 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36" 28 0.000 [my-company-service-8181] [] - - - - 388681cd5eaf49c126c73c94b248025d
2023/05/22 11:51:05 [error] 362#362: *149896 access forbidden by rule, client: 10.135.*.*, server: service.my-company.work, request: "GET /favicon.ico HTTP/2.0", host: "service.my-company.work", referrer: "https://service.my-company.work/service/v1/ping"
10.135.*.* - - [22/May/2023:11:51:05 +0000] "GET /favicon.ico HTTP/2.0" 403 548 "https://service.my-company.work/service/v1/ping" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36" 25 0.000 [my-company-service-8181] [] - - - - c08fae8aabca60eca1ebf7babcb723

And now that I have written everything, I have probably found the solution:

I think I installed Ingress in our cluster like this:

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.1/deploy/static/provider/cloud/deploy.yaml

And not like this (DO specific)

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.1/deploy/static/provider/do/deploy.yaml

And now the logs of Nginx show the correct IP (remote) and not a 10.* and everything works as desired.

I will leave this post as it is. Maybe it will help someone.

But maybe someone could explain what the difference is in the deployment?

Thank you + greetings Marcel
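Added example (not part of Marcel's post or of ingress-nginx): a small Python diagnostic over nginx error-log lines in the format quoted above. The telling detail in those logs is the client address, 10.135.x.x: nginx was evaluating whitelist-source-range against a cluster-internal hop rather than the real client, so no entry in the allow-list could ever match and every request got a 403. The script parses each "access forbidden by rule" line, checks whether the address nginx saw is RFC 1918 space or a real external client, and turns the counts into a verdict. The allow-list value, log lines, addresses (RFC 5737 documentation ranges) and request id are constructed for the example, and the function names are my own.

```python
"""Diagnose whitelist-source-range denials behind a cloud load balancer.

Added example, not code from the original post. Parses ingress-nginx
error-log lines in the format quoted in the question and reports whether
the allow-list is being compared against a cluster-internal hop (symptom:
client addresses such as 10.x.x.x) or against real client addresses.
"""
import ipaddress
import re
from typing import Iterable

# Field layout follows the "access forbidden by rule" error-log lines in the question.
CLIENT_RE = re.compile(
    r"access forbidden by rule, client: (?P<ip>[0-9a-fA-F.:]+), server: (?P<server>[^,]+),"
)

# RFC 1918 space: a client address here can only be an internal hop (load balancer,
# node or kube-proxy SNAT), never an Internet user.
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample data modelled on the question, with the masked addresses
# replaced by RFC 5737 documentation ranges and a made-up request id.
ALLOWLIST = "203.0.113.10,198.51.100.0/24"

LOG_BEFORE_FIX = [
    '2023/05/22 11:51:05 [error] 362#362: *149896 access forbidden by rule, client: 10.135.0.7, '
    'server: service.my-company.work, request: "GET /service/v1/ping HTTP/2.0", host: "service.my-company.work"',
    '10.135.0.7 - - [22/May/2023:11:51:05 +0000] "GET /service/v1/ping HTTP/2.0" 403 548 "-" "Mozilla/5.0" '
    '28 0.000 [my-company-service-8181] [] - - - - 0000000000000000000000000000abcd',
    '2023/05/22 11:51:05 [error] 362#362: *149896 access forbidden by rule, client: 10.135.0.7, '
    'server: service.my-company.work, request: "GET /favicon.ico HTTP/2.0", host: "service.my-company.work"',
]

LOG_AFTER_FIX = [
    '2023/05/22 12:03:41 [error] 362#362: *150112 access forbidden by rule, client: 203.0.113.77, '
    'server: service.my-company.work, request: "GET /service/v1/ping HTTP/2.0", host: "service.my-company.work"',
]


def parse_allowlist(spec: str) -> list:
    """Turn the comma-separated annotation value into network objects.

    A bare address becomes a single-host network (/32), matching how nginx's
    allow directive treats it; strict=False tolerates host bits in a CIDR."""
    return [ipaddress.ip_network(part.strip(), strict=False)
            for part in spec.split(",") if part.strip()]


def is_allowed(client_ip: str, allowlist: list) -> bool:
    """True if client_ip falls inside any allow-listed network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in allowlist)


def is_internal_hop(client_ip: str) -> bool:
    """True if client_ip is RFC 1918 space, i.e. not a real external client."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTERNAL_RANGES)


def audit_denials(lines: Iterable[str], allowlist_spec: str) -> dict:
    """Count 'access forbidden by rule' denials by what nginx actually saw as the client."""
    allowlist = parse_allowlist(allowlist_spec)
    counts = {"internal_hop": 0, "external": 0}
    for line in lines:
        match = CLIENT_RE.search(line)
        if not match:
            continue  # access-log lines and other output carry no "client:" field
        ip = match.group("ip")
        if is_allowed(ip, allowlist):
            continue  # an allow-listed address is never in a denial line; ignore if it is
        if is_internal_hop(ip):
            counts["internal_hop"] += 1
        else:
            counts["external"] += 1
    return counts


def diagnosis(counts: dict) -> str:
    """Translate the counts into the operator-facing conclusion."""
    if counts["internal_hop"] and not counts["external"]:
        return ("source-ip-not-preserved: nginx compares the allow-list against an internal "
                "hop, so no external client can ever match; enable PROXY protocol on the "
                "load balancer and in the ingress-nginx ConfigMap")
    if counts["internal_hop"]:
        return "mixed: some requests reach nginx without their original source address"
    return "ok: denials are for addresses outside the allow-list"


if __name__ == "__main__":
    print(diagnosis(audit_denials(LOG_BEFORE_FIX, ALLOWLIST)))
    print(diagnosis(audit_denials(LOG_AFTER_FIX, ALLOWLIST)))
```

Run against the before-fix lines the verdict is "source-ip-not-preserved"; after the DO provider manifest (or the proxy-protocol setup linked in the first answer) the same check reports "ok", because the denial lines now carry real external addresses and the allow-list is doing the filtering it was meant to do. `is_allowed` doubles as a quick way to confirm that the address you expect to admit actually falls inside the CIDRs in the annotation before you blame the load balancer.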

I have the exact same issue. I installed ingress with helm:

helm -n nginx-ingress install nginx-ingress -f helm/nginx-ingress/values.yaml ingress-nginx/ingress-nginx

I’ll try this solution: https://docs.digitalocean.com/support/how-to-enable-proxy-protocol-when-load-balancer-sends-requests-to-nginx-ingress-controller/

I’ll let you know if it works.

There is a typo in your YAML file: you have nginx.ingress.kubernetes.io/wihtelist-source-range: “wihtelist” instead of “whitelist”.

Bobby Iliev (Site Moderator)
May 22, 2023

Hi there,

That is super helpful Marcel! Thank you so much for taking the time and sharing this with the community!

Best,

Bobby

© 2023 DigitalOcean, LLC.