You are looking at the documentation of a prior release. To read the documentation of the latest release, please
visit here.
New to Voyager? Please start here.
Whitelist Source Range
You can specify the allowed client IP source ranges through the ingress.appscode.com/whitelist-source-range
annotation. The value is a space separated list of CIDRs, e.g. 192.168.20.0/24 192.168.10.3
. This rule will be applied globally for all frontends. To apply for a specific frontend, you need to manually add src acl
using frontend-rules.
Ingress Example
apiVersion: voyager.appscode.com/v1
kind: Ingress
metadata:
name: test-ingress
namespace: default
annotations:
ingress.appscode.com/whitelist-source-range: "192.168.20.0/24 192.168.10.3"
spec:
rules:
- host: voyager.appscode.test
http:
paths:
- path: /foo
backend:
service:
name: test-server
port:
number: 80
It will add following src acl
to all frontends in generated haproxy.cfg:
acl network_allowed src 192.168.20.0/24 192.168.10.3
block if restricted_page !network_allowed
Generated haproxy.cfg:
# HAProxy configuration generated by https://github.com/appscode/voyager
# DO NOT EDIT!
global
daemon
stats socket /tmp/haproxy
server-state-file global
server-state-base /var/state/haproxy/
# log using a syslog socket
log /dev/log local0 info
log /dev/log local0 notice
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
hard-stop-after 30s
defaults
log global
# https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4.2-option%20abortonclose
# https://github.com/voyagermesh/voyager/pull/403
option dontlognull
option http-server-close
# Timeout values
timeout client 50s
timeout client-fin 50s
timeout connect 5s
timeout server 50s
timeout tunnel 50s
# Configure error files
# default traffic mode is http
# mode is overwritten in case of tcp services
mode http
frontend http-0_0_0_0-80
bind *:80
mode http
# Add whitelisted ips
acl network_allowed src 192.168.20.0/24 192.168.10.3
block if restricted_page !network_allowed
option httplog
option forwardfor
acl is_proxy_https hdr(X-Forwarded-Proto) https
acl acl_voyager.appscode.test hdr(host) -i voyager.appscode.test
acl acl_voyager.appscode.test hdr(host) -i voyager.appscode.test:80
acl acl_voyager.appscode.test:foo path_beg /foo
use_backend test-server.default:80 if acl_voyager.appscode.test acl_voyager.appscode.test:foo
backend test-server.default:80
server pod-test-server-68ddc845cd-x7dtv 172.17.0.4:80