I have a kubernetes deployment which requires the following configuration:

  • POST must be allowed from any origin.
  • GET, HEAD, LIST must be restricted to intranet.

I came up with:

include modules/*.conf;
worker_processes  1;

error_log  /dev/stdout info;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    log_format    main '$http_x_forwarded_for - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
    access_log    /dev/stdout main;
    sendfile      on;
    keepalive_timeout  65;

    server {
        listen       8080;
        server_name  localhost;
        port_in_redirect off;

        location / {
            root   html;
            index  index.html;
        }

        error_page  403 /403.html;
        error_page  404 /404.html;
        error_page  500 /500.html;
        error_page  502 /502.html;
        error_page  503 /503.html;
        error_page  504 /504.html;
    }
}

if ($request_method != POST) {
    limit_except GET DELETE PUT {
         allow 10.0.0.0/8;
         deny all;
    }
}

But I'm still able to GET from an external network.

vfbsilva

2 Answers

I wouldn't use "if" due to performance and other reasons.

Something like this could be better, if you can separate your URLs in this way. The key is limit_except. There's a chance I have the parameters backwards (swap GET with POST) and the "deny all" might need to be reviewed, but this general idea should help solve the issue. I'll update the answer based on any comments.

location /post/service {
  root html;
  index  index.html;
  # or: proxy_pass http://whatever;

  # ALLOW POST: every method other than POST is denied
  limit_except POST {
    deny all;
  }
}

location / {
  root html;
  index  index.html;
  # or: proxy_pass http://whatever;

  # ALLOW GET (nginx also permits HEAD when GET is excepted)
  limit_except GET {
    deny all;
  }
}
Tim

The only valid context for the limit_except directive is location, and the semantics of this directive are to restrict the use of HTTP methods that are not explicitly excepted.

You want a stanza like this:

    location / {
        root   /usr/share/nginx/html;
        index  index.html;

        limit_except POST {
             allow 10.0.0.0/8;
             deny all;
        }
    }
qrkourier
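The allow/deny rules inside limit_except are evaluated against $remote_addr. In a Kubernetes deployment where an ingress or load balancer proxies to the pod, every request arrives from the proxy's cluster address, so a rule like allow 10.0.0.0/8 can match external clients as well. The following is an added example, not code from either answer; it assumes the proxy appends the client address to X-Forwarded-For and uses 10.244.0.0/16 as a placeholder for the trusted proxy/pod range.

```nginx
http {
    # Restore the original client address from X-Forwarded-For, but only
    # trust that header when the request arrives from the proxy layer.
    # 10.244.0.0/16 is an assumed pod CIDR; replace it with the real
    # range of the ingress or load balancer that fronts this pod.
    set_real_ip_from 10.244.0.0/16;
    real_ip_header   X-Forwarded-For;
    # With recursive search on, nginx walks X-Forwarded-For from the right
    # and uses the last address that is not a trusted proxy, so entries a
    # client prepended itself are ignored.
    real_ip_recursive on;

    server {
        listen 8080;

        location / {
            root  /usr/share/nginx/html;
            index index.html;

            # POST is not restricted at all. Every other method (GET and
            # the implied HEAD, PUT, DELETE, ...) is checked against the
            # allow/deny list in order; the first match wins, so intranet
            # clients pass and everyone else receives 403.
            limit_except POST {
                allow 10.0.0.0/8;
                deny  all;
            }
        }
    }
}
```

Without the real_ip directives the access log's $http_x_forwarded_for will show the true client while $remote_addr, the value the allow rule actually sees, stays the proxy's address.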