VirtualServer protect endpoints with IP filter.

[janisii]

Hello, is it possible to return 403 for some endpoints using VirtualServer configuration? Thanks.

cafe.example.com/* -> should be available publicly.
cafe.example.com/tea/protected -> only from specific IPs.

apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: cafe
spec:
  host: cafe.example.com
  tls:
    secret: cafe-secret
  upstreams:
  - name: tea
    service: tea-svc
    port: 80
  routes:
  - path: /
    action:
      pass: tea
  - path: /tea/protected
    action:
      pass: tea

[brianehlert]

I believe this is what you are looking for.
The Policy object for Access Controls.
https://docs.nginx.com/nginx-ingress-controller/configuration/policy-resource/#accesscontrol

[janisii]

Thanks!

[janisii]

@brianehlert Can you help with access-control if domain is behind proxy (for example, CloudFlare).

We have deployed Nginx Ingress Controller with proxy-protocol enabled.

controller:
  config:
    entries:
      proxy-protocol: "True"
      real-ip-header: "proxy_protocol"
      set-real-ip-from: "21.21.21.212"
  enableSnippets: true
  service:
    annotations:
      service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: 'true'
    type: LoadBalancer

As I understand, that access-control via policy test against "REMOTE_ADDR" no "HTTP_X_FORWARDED_FOR". How could we override, so Policy check against "HTTP_X_FORWARDED_FOR" for some domains?

There are no issues setting up VirtualSever with Policy from k8s.nginx.org CRDs.

Thanks!