kubernetes / ingress-nginx

Ingress-NGINX Controller for Kubernetes
https://kubernetes.github.io/ingress-nginx/
Apache License 2.0

limit_except returns 503 #11742

Open juris opened 1 month ago

juris commented 1 month ago

What happened: Using limit_except GET { deny all; } together with location = / { return 403; } results in 503, instead of 403.

This one is OK

curl -i -XGET https://example.com
HTTP/2 403
content-type: text/html
content-length: 146
vary: Accept-Encoding

<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>

This one is OK

curl -i -XGET https://example.com/health
HTTP/2 200
content-type: text/plain; charset=utf-8
content-length: 19

This one should have returned 403 instead of 503

curl -i -XPOST https://example.com/health
HTTP/2 503
content-type: text/html
content-length: 190

<html>
<head><title>503 Service Temporarily Unavailable</title></head>
<body>
<center><h1>503 Service Temporarily Unavailable</h1></center>
<hr><center>nginx</center>
</body>
</html>

What you expected to happen: I want to block all requests to "/" and allow only GET requests for every other route. Ingress should return 403, but it returns 503.

NGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.):

-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       v1.11.1
  Build:         7c44f992012555ff7f4e47c08d7c542ca9b4b1f7
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.25.5

-------------------------------------------------------------------------------

Kubernetes version (use kubectl version):

Client Version: v1.29.2
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.29.6-eks-db838b0

How to reproduce this issue: Use the following annotations:

      nginx.ingress.kubernetes.io/server-snippet: |
        location = / {
            return 403;
        }
      nginx.ingress.kubernetes.io/configuration-snippet:
        limit_except GET { deny all; }

k8s-ci-robot commented 1 month ago

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.

longwuyuan commented 1 month ago

I am getting 404 without any snippets:

% k describe po test0-846c7c69c6-r4426| grep -i image:
    Image:          nginx:alpine
[~] 

% k describe svc test0 
Name:              test0
Namespace:         default
Labels:            app=test0
Annotations:       <none>
Selector:          app=test0
Type:              ClusterIP
IP Family Policy:  SingleStack
IP Families:       IPv4
IP:                10.101.94.63
IPs:               10.101.94.63
Port:              <unset>  80/TCP
TargetPort:        80/TCP
Endpoints:         10.244.0.50:80
Session Affinity:  None
Events:            <none>
[~] 
%

% k describe ing test0 
Name:             test0
Labels:           <none>
Namespace:        default
Address:          192.168.49.2
Ingress Class:    nginx
Default backend:  <default>
Rules:
  Host                Path  Backends
  ----                ----  --------
  test0.mydomain.com  
                      /   test0:80 (10.244.0.50:80)
Annotations:          <none>
Events:
  Type    Reason  Age                    From                      Message
  ----    ------  ----                   ----                      -------
  Normal  Sync    2m19s (x2 over 3m15s)  nginx-ingress-controller  Scheduled for sync

%

% curl -i --resolve test0.mydomain.com:80:`minikube ip` -XPOST test0.mydomain.com/health
HTTP/1.1 404 Not Found
Date: Wed, 07 Aug 2024 13:07:48 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.27.0</center>
</body>
</html>
[~] 
% 

longwuyuan commented 1 month ago

/remove-kind bug
/kind support

github-actions[bot] commented 3 weeks ago

This is stale, but we won't close it automatically, just bear in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach #ingress-nginx-dev on Kubernetes Slack.