I'm trying to change an existing external HTTPS LBS configuration to apply advanced custom-header based routing rules on GCloud, but get the following error when updating the url-map
HTTPError 400: Invalid value for field 'resource.defaultService': ... Advanced routing rules are not supported for scheme EXTERNAL
The current setup is a Kubernetes workload (deployment) exposed as a service and has path-based ingress rules. FYI- Path-based LBS works.
Sample url-map
kind: compute#urlMap
name: k8s-um-development-lbs-test
defaultService: https://www.googleapis.com/compute/v1/projects/beans-cloud/global/backendServices/backend-1
hostRules:
- hosts:
- '*'
pathMatcher: user-agent-matcher
pathMatchers:
- name: user-agent-matcher
routeRules:
- matchRules:
- prefixMatch: /
headerMatches:
- headerName: User-Agent
regexMatch: "*Pattern-1*"
priority: 0
service: https://www.googleapis.com/compute/v1/projects/beans-cloud/global/backendServices/backend-1
- matchRules:
- prefixMatch: /
headerMatches:
- headerName: User-Agent
regexMatch: "*Pattern-2*"
priority: 1
service: https://www.googleapis.com/compute/v1/projects/beans-cloud/global/backendServices/backend-2
defaultService: https://www.googleapis.com/compute/v1/projects/beans-cloud/global/backendServices/backend-1
selfLink: https://www.googleapis.com/compute/v1/projects/beans-cloud/global/urlMaps/k8s-um-development-lbs-test
I want to confirm that is only possible to use it with HTTP(s) Load Balancer, So, if you wanted to rewrite or modify the URL, please review how to here.
Just to have more references, here is another reference, but please consider that this is only for Internal Load Balancer (Also HTTP(s)).
And as a last thing, I add information about that currently is not possible to custom the headers for external HTTP(s) Load Balancers, please put a comment here, in order to be informed about any update about it.
Regards and Happy New Year.
Related
We decided to move from the subdomain structure to one root domain with path prefixes, but we got many old URLs on the internet. So is there any way to add a redirect from the old URL to the new one?
For example,
We got subdomain test.example.com switched to example.com/test, I can access correctly site with the string in docker-swarm YAML file
traefik.frontend.rule: Host:example.com;PathPrefixStrip:/test
but when I'm trying to add to Traefik config redirects like:
[http.middlewares]
[http.middlewares.test-redirectregex.redirectRegex]
regex = "^https://(*).example.com/)"
replacement = "^https://example.com/${1}"
Traefik says that it doesn't know where to forward this request
If I'm trying to add:
traefik.frontend.rule: Host:test.example.com,example.com;PathPrefixStrip:/test
Traefik adds a prefix to both hosts. Is there any way to resolve this without adding a second reverse proxy?
Assuming that you are using Traefik 2.1, you can use the below middleware for Traefik
[http.middlewares]
[http.middlewares.blog-redirect.redirectRegex]
regex = "^(https?://)(.*).example.com/(.*)$"
replacement = "${1}example.com/${2}/${3}"
permanent = true
The important step to activate the above middleware is to add the below label on the corresponding router and service. For instance, if you a a blog service and you defined a blog router for it, then you need to add the below table to the services
traefik.http.routers.blog.middlewares=blog-redirect
In addition, your route rule should look like the below rule to be able to handle both domains (or you define multiple routes per service)
- traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/test`) || Host(`api.example.com``)
in this post, you can find more info about traffic and redirection
I am working on a kubernetes cluster and problem faced is:
From UI/browser, I can see it is sending a request header called "request_id" please refer to image:
But while checking on backend it is unavailable. While searching through internet, I could see that people are talking about adding following entry to Ingress object:
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_set_header request_id "$req_id";
But it is generating a new value for this and not passing value submitted by browser.
Any ideas, what might be missing here?
If you want to pass a custom header to your backend, you need to use this kind of annotation:
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "Request-Id: $request_id
In your configuration you are using the variable $req_id, but you need to pass the variable sent by UI/browser.
Basically, ingress-nginx-controller drops any request headers that contains "_" in them. You can find various threads which discuss this issue like,
Why HTTP servers forbid underscores in HTTP header names
So, I just enabled ingress controller to pass such request headers. This can be done by adding following entry to configmap "nginx-configuration"
data:
enable-underscores-in-headers: "true"
IMO, this is a much clean solution as there could be many applications that might use "_" in request headers.
I have a cluster in Azure AKS with 1 node.
On that cluster I have two back-end services.
Each back-end service is a web app.
I have a domain mydomain.com.
Each app will need to be configured with its own path rule in the ingress object.
Web app 1s (let's call this one the homepage app) target URL needs to be either of the following:
US version of the site: mydomain.com
Swedish version of the site: mydomain.com/se/sv-sv/hem
Any other location/language version of the site: mydomain.com/xx/yy-xx/abcdefgh
Web app 2s (let's call this one the whitepony app) target URL needs to be either of the following:
US version of the site: mydomain.com/us/en-us/whitepony
Swedish version of the site: mydomain.com/se/sv-sv/whitepony
Any other location/language version of the site: mydomain.com/xx/yy-xx/whitepony
(The whitepony apps target path segment is called whitepony regardless of location/language)
Now to my question.
How can I configure these rules in an ingress API object?
Can I use prefixes in the path rules?
Or do I need to use regular expressions?
And what about the special case of the US version of the homepage app, where I'm not using any prefixes/extra URL segments?
Can I use conditions in the ingress object?
Or how would you configure the ingress resource object to meet all the above requirements?
Note that I know and have successfully configured multiple back-end services using path rules in an ingress object.
But without prefixes or extra URL segments.
I won't give you fully working example on how to specify rules in ingress resource to meet your requirements, I would rather like to share with you some hints:
Yes, you will need regular expressions to achieve it, and here is the example of doing it directly with NGINX directives based on example of wordpress multi-language site.
You don't need to define these re-write rules with annotations, you can use for that pure NGINX config style, by supplying appropriate inline NGINX config file inside ConfigMap, here is the example on how to achieve this.
I hope this will help you
I enabled modsecurity: "true" and enable-owasp-modsecurity-crs: "true" via the configmap of the nginx ingresss controller according to this link . In the annotation of the ingress I set SecRuleEngine On.
When I use nikto to do some scans and try to trigger the owasp rules I only see 400 responses in the ingress logging. I would expect 403 responses. Anyone any idea on what I am doing wrong or what to check?
Followed the instructions on:
https://karlstoney.com/2018/02/23/nginx-ingress-modsecurity-and-secchatops/
The only thing I had to change was "SecAuditLog /var/log/modsec/audit.log". Changed it to SecAuditLog /var/log/modsec_audit.log
Just realized that geoip was present by default within the nginx-ingress in the context of kubernetes; that is, looked around, being new into nginx geoip, I don't have much clue about how to benefit from this
Firstly, is there any declarative setup to effectively have it working ? A configmap setup, or so ?
Secondly, how such info is passed from the nginx-ingress to an app ? Is the info present in the headers ? is there any extra setup to apply ?
thanks a lot for any experienced input; best
Find usefull documentation about how to configure Geoip2 for nginx ingress kubernetes deployment.
Example Nginx Configuration ConfigMap
You will find the expected ConfigMap name at the nginx controller container entrypoint or environment variables. Furthermore you can override this name, the way to do so will depend on your nginx installation/deployment method.
ConfiMap Nginx supported configurations
You will find there a listed all the supported configs/properties plus a sort description about them and how to use them.
For this specific question, the property to configure Geoip2 is "use-geoip2" (link below)
Enable GeoIP2
remark: you will need a license and add a flag at nginx entry command providing it
The nginx_http_geoip_module module creates variables with values depending on the client IP address, using the precompiled MaxMind databases.
This module is not built by default, it should be enabled with the --with-http_geoip_module configuration parameter.
The module analyze headers, next connect to defined database, fetch the localization information and offers a variables regarding to them like
country or city of connection origin. Some examples:
$geoip_country_code - two-letter country code
$geoip_city - city name
$geoip_postal_code - postal code