From a392f299560dd2ce774fceecf9818c3cb39d04ac Mon Sep 17 00:00:00 2001
From: Manuel de Brito Fontes
Date: Tue, 22 Aug 2017 09:33:56 -0300
Subject: [PATCH] Replace base64 encoding with random uuid

---
 controllers/nginx/pkg/template/template.go | 22 +++++++++++--------
 .../rootfs/etc/nginx/template/nginx.tmpl | 10 +++++++--
 2 files changed, 21 insertions(+), 11 deletions(-)

diff --git a/controllers/nginx/pkg/template/template.go b/controllers/nginx/pkg/template/template.go
index e484ffe1d2..9347911218 100644
--- a/controllers/nginx/pkg/template/template.go
+++ b/controllers/nginx/pkg/template/template.go
@@ -342,10 +342,8 @@ var ( func buildWhitelistVariable(s string) string { if _, ok := whitelistVarMap[s]; !ok { - str := base64.URLEncoding.EncodeToString([]byte(s)) - whitelistVarMap[s] = strings.Replace(str, "=", "", -1) + whitelistVarMap[s] = buildRandomUUID() } - return whitelistVarMap[s] }
@@ -362,11 +360,11 @@ func buildRateLimitZones(input interface{}) []string { for _, server := range servers { for _, loc := range server.Locations { - - whitelistVar := buildWhitelistVariable(loc.RateLimit.Name) + lrn := fmt.Sprintf("%v_%v", server.Hostname, loc.RateLimit.Name) + whitelistVar := buildWhitelistVariable(lrn) if loc.RateLimit.Connections.Limit > 0 { - zone := fmt.Sprintf("limit_conn_zone $%s_limit zone=%v:%vm;", + zone := fmt.Sprintf("limit_conn_zone $limit_%s zone=%v:%vm;", whitelistVar, loc.RateLimit.Connections.Name, loc.RateLimit.Connections.SharedSize)
@@ -376,7 +374,7 @@ func buildRateLimitZones(input interface{}) []string { } if loc.RateLimit.RPM.Limit > 0 { - zone := fmt.Sprintf("limit_req_zone $%s_limit zone=%v:%vm rate=%vr/m;", + zone := fmt.Sprintf("limit_req_zone $limit_%s zone=%v:%vm rate=%vr/m;", whitelistVar, loc.RateLimit.RPM.Name, loc.RateLimit.RPM.SharedSize,
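Review bot: buildWhitelistVariable still carries no doc comment, and after this hunk its contract is less obvious than before: the returned value is no longer derived from `s` but is a random identifier drawn on the first call and memoized in `whitelistVarMap`, so every caller that wants the same nginx variable must pass exactly the same key string. I would add `// buildWhitelistVariable returns a stable, nginx-safe variable suffix for s; the first call for a given s draws a random identifier and later calls return the same one.` above the function. The package-level map is written here without any visible synchronization; if template rendering can ever run concurrently that is a data race, which is worth confirming against the caller. The map also never evicts entries, which is pre-existing but grows faster now that the -362 hunk keys it by hostname and name.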
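Review bot: The key `fmt.Sprintf("%v_%v", server.Hostname, loc.RateLimit.Name)` must stay byte-for-byte identical to the key nginx.tmpl builds for the same location (`print $server.Hostname "_" $location.RateLimit.Name`), because the memoized random name is shared only through that string; if either side drifts, the `limit_conn_zone`/`limit_req_zone` directives will reference a `$limit_…` variable that no `map` block defines, which would most likely fail nginx's configuration check. I would build the key in one helper used by both sides, e.g. `func rateLimitKey(hostname, name string) string { return hostname + "_" + name }`, and expose it to the template through the function map that registers buildWhitelistVariable (inferred: that registration is outside this hunk). The `$limit_%s` prefix change is repeated unchanged in the -376 and -387 hunks. The body of buildRateLimitZones starts and ends outside the hunk.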
@@ -387,7 +385,7 @@ func buildRateLimitZones(input interface{}) []string { } if loc.RateLimit.RPS.Limit > 0 { - zone := fmt.Sprintf("limit_req_zone $%s_limit zone=%v:%vm rate=%vr/s;", + zone := fmt.Sprintf("limit_req_zone $limit_%s zone=%v:%vm rate=%vr/s;", whitelistVar, loc.RateLimit.RPS.Name, loc.RateLimit.RPS.SharedSize,
@@ -468,7 +466,7 @@ func buildDenyVariable(a interface{}) string { l := a.(string) if _, ok := denyPathSlugMap[l]; !ok { - denyPathSlugMap[l] = uuid.New() + denyPathSlugMap[l] = buildRandomUUID() } return fmt.Sprintf("$deny_%v", denyPathSlugMap[l])
@@ -541,3 +539,9 @@ func buildAuthSignURL(input interface{}) string { return fmt.Sprintf("%v&rd=$request_uri", s) }
+
+// buildRandomUUID return a random string to be used in the template
+func buildRandomUUID() string {
+ s := uuid.New()
+ return strings.Replace(s, "-", "", -1)
+}
diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
index dbff90747c..9dca204fca 100644
--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@@ -280,6 +280,8 @@ http { {{ if isLocationAllowed $location }} {{ if gt (len $location.Whitelist.CIDR) 0 }} + + # Deny for {{ print $server.Hostname $path }} geo $the_real_ip {{ buildDenyVariable (print $server.Hostname "_" $path) }} { default 1;
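Review bot: The doc comment on buildRandomUUID is ungrammatical and leaves out the one thing a reader needs: the dashes are stripped so the value can be embedded in an nginx variable name, and a fresh value is produced on every call. I would write `// buildRandomUUID returns a fresh random identifier with the UUID dashes removed so it can be embedded in an nginx variable name; every call yields a new value, so callers memoize the result.` The name is now slightly misleading since the result is no longer in UUID form; something like `randomIdentifier` would read better, but that is taste. The -468 hunk's switch to this helper also removes the dashes from `$deny_…`, which is what makes that variable name well-formed for nginx and deserves a line in the commit message.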
@@ -288,14 +290,18 @@ http { } {{ end }} {{ end }} + {{ if ne $location.RateLimit.Name "" }} - geo ${{ buildWhitelistVariable $location.RateLimit.Name }}_whitelist { + # Ratelimit {{ $location.RateLimit.Name }} + {{ $rln := (print $server.Hostname "_" $location.RateLimit.Name) }} + geo $whitelist_{{ buildWhitelistVariable $rln }} { default 0; {{ range $ip := $location.RateLimit.Whitelist }} {{ $ip }} 1;{{ end }} } - map ${{ buildWhitelistVariable $location.RateLimit.Name }}_whitelist ${{ buildWhitelistVariable $location.RateLimit.Name }}_limit { + # Ratelimit {{ $location.RateLimit.Name }} + map $whitelist_{{ buildWhitelistVariable $rln }} $limit_{{ buildWhitelistVariable $rln }} { 0 {{ $cfg.LimitConnZoneVariable }}; 1 ""; }
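Review bot: `$rln` is computed as `print $server.Hostname "_" $location.RateLimit.Name`, which has to stay identical to the `"%v_%v"` key that buildRateLimitZones builds in template.go, yet nothing ties the two together; a mismatch would declare `$whitelist_X`/`$limit_X` here while the zone directives reference a different `$limit_Y`. I would replace the inline `print` with a template function shared with the Go side, e.g. `{{ $rln := rateLimitKey $server.Hostname $location.RateLimit.Name }}`, provided that helper is added to the function map outside this hunk. The two added `# Ratelimit` comments are identical; the second could read `# Ratelimit {{ $location.RateLimit.Name }} whitelist -> limit map` to distinguish the map from the geo block. The `{{ end }}` closing the `{{ if ne $location.RateLimit.Name "" }}` block lies outside the hunk.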