Closed K-izme closed 1 month ago
This issue is currently awaiting triage.
If Ingress contributors determine this is a relevant issue, they will accept it by applying the `triage/accepted` label and provide further guidance.
The `triage/accepted` label can be added by org members by writing `/triage accepted` in a comment.
/remove-kind bug
/kind support
I have tested recently and the download option for the db works. So there is no problem with the controller I know. https://github.com/kubernetes/ingress-nginx/issues/11320
The reason for your config of a mounted volume not working could be one of many factors. Unless you can write a detailed step by step procedure and not a simple overview of the reproduce process, I think it will be difficult to understand the root-cause.
/retitle maxmind database mount not working
The automatic download option is keeping the db file here:

```
/etc/nginx $ find / -name "GeoLite2*" 2>/dev/null
/etc/ingress-controller/geoip/GeoLite2-ASN.mmdb
/etc/ingress-controller/geoip/GeoLite2-City.mmdb
/etc/nginx $
```

So you may want to check the docs too: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-geoip2
I found out that my ingress-nginx backend reloads twice due to some change when I rollout restart the deployment. That's why I have this problem. The problem about the reload causing the db not to work: here issue
What happened:
I used ModSecurity with GeoLite2-City.mmdb in ingress-nginx to restrict access from some countries. The ModSecurity debug log shows the message: "Database is not open. Use: SecGeoLookupDb directive." And in the ingress-nginx log there is a line: "The GeoIP2 feature is enabled but the databases are missing. Disabling". I used the MaxMind database. It was all fine when I tested on my local machine, but when I brought it to my server to test it again, it didn't work any more. There's not much difference between my test on the local machine and on my server. Then I tried to use the geoip module with GeoLiteCity.dat but still got this issue. I'm sure that it exists in the right folder.
What you expected to happen:
The database is open and ModSecurity can read it. I think this problem was mentioned in [this issue](https://github.com/owasp-modsecurity/ModSecurity/issues/2041) and #6450. I tried to rollout restart the deployment but it was no use.
NGINX Ingress controller version :
Helm chart 4.7.5, ingress-nginx-controller version 1.8.5
Kubernetes version:
v1.24.6
Environment:
Cloud provider or hardware configuration: AWS
OS (e.g. from /etc/os-release): Ubuntu
Kernel (e.g. `uname -a`): Linux
Basic cluster related info:
How was the ingress-nginx-controller installed:
Others:
```yaml
allow-snippet-annotations: "true"
enable-modsecurity: "true"
use-geoip: "false"
use-geoip2: "true"
modsecurity-snippet: |-
  Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf
  SecRuleEngine DetectionOnly
  SecRequestBodyAccess On
  Include /etc/nginx/modsecurity/modsecurity.conf
  SecAuditLog /var/log/modsec_audit.log
  SecDebugLog /var/log/modsec_debug.log
  SecDebugLogLevel 4
  SecGeoLookupDb /etc/nginx/geoipmmdb/GeoLite2-City.mmdb
  SecRule REQUEST_HEADERS:X-Forwarded-For "@geoLookup" "chain,id:12345,drop,status:422,ctl:ruleEngine=On"
  SecRule GEO:COUNTRY_CODE "!@pm SG VN"
```
How to reproduce this issue: Create a PV and PVC and mount them to the ingress-nginx-controller at /etc/nginx/geoipmmdb, then download the MaxMind Lite City database. Apply the annotation and then restart the ingress-nginx deployment.
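
A way to check both database locations this thread mentions, as an added example that is not part of the original issue or of the ingress-nginx project: it reads the `SecGeoLookupDb` path from a rules file and verifies that the file exists, is readable, is non-empty and carries the MaxMind DB metadata marker, then does the same for the controller directory. The function names and the `CONTROLLER_GEOIP_DIR` variable are hypothetical; its default is assumed from the `find` output above.

```shell
#!/bin/sh
# Added diagnostic sketch; not code from ingress-nginx or ModSecurity.
# Assumption: the controller directory is the one in the find output above.
CONTROLLER_GEOIP_DIR=${CONTROLLER_GEOIP_DIR:-/etc/ingress-controller/geoip}

# Print a status word; return 0 ok, 1 missing, 2 unreadable, 3 empty, 4 not-mmdb.
check_mmdb() {
    db_file=$1
    if [ ! -e "$db_file" ]; then echo missing; return 1; fi
    if [ ! -r "$db_file" ]; then echo unreadable; return 2; fi
    if [ ! -s "$db_file" ]; then echo empty; return 3; fi
    # A MaxMind DB ends with a metadata section introduced by the bytes
    # AB CD EF "MaxMind.com"; a truncated or HTML error download lacks it.
    marker=$(printf '\253\315\357MaxMind.com')
    if tail -c 131072 "$db_file" | LC_ALL=C grep -aqF "$marker"; then
        echo ok; return 0
    fi
    echo not-mmdb; return 4
}

# Print the path given to the first SecGeoLookupDb directive in a rules file.
geo_db_path_from_conf() {
    awk '$1 == "SecGeoLookupDb" { print $2; exit }' "$1"
}

# Report on the ModSecurity database and on the controller's GeoIP2 directory.
# Returns the check_mmdb status of the SecGeoLookupDb file (5 if no directive).
diagnose() {
    db=$(geo_db_path_from_conf "$1")
    if [ -z "$db" ]; then echo "no SecGeoLookupDb directive in $1"; return 5; fi
    rc=0
    status=$(check_mmdb "$db") || rc=$?
    echo "modsecurity: $db: $status"
    for f in "$CONTROLLER_GEOIP_DIR"/*.mmdb; do
        echo "controller: $f: $(check_mmdb "$f")"
    done
    return "$rc"
}

# Run only when given a rules file, e.g. inside the controller pod.
if [ "$#" -gt 0 ]; then diagnose "$1"; fi
```

Save the `modsecurity-snippet` contents to a file and pass that file as the only argument; a `missing` or `not-mmdb` result for either location narrows down which of the two log messages in the report applies.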