IP whitelisting with Cert Manager

[JanCizmar]

Hello!

I have a tricky issue here. I am trying to enable IP whitelisting for my staging instances, but the issue is that, the IP whitelisting is also applied to the /.well-known/acme-challenge/... path, which has to be publicly accessible. I've spent some time on that I could not find any solution to this.

This is the relevant ingress annotation

        nginx.org/location-snippets: |
          proxy_next_upstream error timeout http_502 http_503;
          allow x.x.x.x;
          deny all;

And it generates this config file:

# configuration for previews/preview-onboarding

upstream previews-...-cm-acme-http-solver-hhtdt-8089 {
	zone previews-...-cm-acme-http-solver-hhtdt-8089 256k;
	random two least_conn;

	server 10.224.0.24:8089 max_fails=1 fail_timeout=10s max_conns=0;

}
upstream previews-...-80 {
	zone previews-...-80 256k;
	random two least_conn;

	server 10.224.0.86:8080 max_fails=1 fail_timeout=10s max_conns=0;
	server 10.224.0.17:8080 max_fails=1 fail_timeout=10s max_conns=0;
	server 10.224.2.111:8080 max_fails=1 fail_timeout=10s max_conns=0;

}


server {



	listen 80;
	listen [::]:80;

	listen 443 ssl;
	listen [::]:443 ssl;


	ssl_certificate /etc/nginx/secrets/previews-preview-tls;
	ssl_certificate_key /etc/nginx/secrets/previews-preview-tls;

	server_tokens on;

	server_name ...preview.....io;

	set $resource_type "ingress";
	set $resource_name "preview-onboarding";
	set $resource_namespace "previews";


	if ($scheme = http) {
		return 301 https://$host:443$request_uri;
	}



	location /.well-known/acme-challenge/... {
		set $service "cm-acme-http-solver-hhtdt";


		proxy_http_version 1.1;


		proxy_next_upstream error timeout http_502 http_503;
		allow x.x.x.x;
		deny all;

                ....

		proxy_pass http://previews-...-80;


	}
	location / {
		set $service "preview-...";


		proxy_http_version 1.1;

		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $connection_upgrade;

		proxy_next_upstream error timeout http_502 http_503;
		allow x.x.x.x;
		deny all;

                ...


		proxy_pass http://previews-preview-...-80;


	}


}

Any ideas, how to deny specified ips for "/" but allow them for " /.well-known/acme-challenge/..."? Thanks!

EDIT:

I am using acme.cert-manager.io/http01-edit-in-place: "true" annotation as well.

[vepatel]

Hey @JanCizmar, thanks for opening the discussion, would you mind sharing you ingress yaml please?
you can probably try adding a server-snippet with the allowed path and since nginx only matches one location, it might work.

nginx.org/server-snippets: |
      location /.well-known/acme-challenge/... {
		set $service "cm-acme-http-solver-hhtdt";
		proxy_http_version 1.1;
		proxy_next_upstream error timeout http_502 http_503;
		proxy_pass http://previews-...-80;
	}

If this doesn't works then custom templates might come in handy https://github.com/nginxinc/kubernetes-ingress/tree/v3.3.2/examples/shared-examples/custom-templates

[JanCizmar]

Hey! That's not possible. Sorry I wasn't clear enough. The "..." in the location path /.well-known/acme-challenge/... is actually full path, so if I do the proposed, it won't work since the generated configuration is more specific. I've actually already solved this by using DNS01 Challenge Provider in the cert manager. Another possible solution would be probably using Mergeable Ingresses without acme.cert-manager.io/http01-edit-in-place: "true" but I was not successful configuring it.