limit_except returns 503 #11742

Open
juris opened this issue Aug 6, 2024 · 4 comments · May be fixed by #11860
Labels: kind/support, lifecycle/frozen, needs-priority, needs-triage

Comments


juris commented Aug 6, 2024

What happened:
Using limit_except GET { deny all; } together with location = / { return 403; } results in 503, instead of 403.

This one is OK

curl -i -XGET https://example.com
HTTP/2 403
content-type: text/html
content-length: 146
vary: Accept-Encoding

<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>

This one is OK

curl -i -XGET https://example.com/health
HTTP/2 200
content-type: text/plain; charset=utf-8
content-length: 19

This one should have returned 403 instead of 503

curl -i -XPOST https://example.com/health
HTTP/2 503
content-type: text/html
content-length: 190

<html>
<head><title>503 Service Temporarily Unavailable</title></head>
<body>
<center><h1>503 Service Temporarily Unavailable</h1></center>
<hr><center>nginx</center>
</body>
</html>

What you expected to happen:
I want to block all requests to "/" and allow only GET requests for every other route. Ingress should return 403, but it returns 503.

NGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.):

-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       v1.11.1
  Build:         7c44f992012555ff7f4e47c08d7c542ca9b4b1f7
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.25.5

-------------------------------------------------------------------------------

Kubernetes version (use kubectl version):

Client Version: v1.29.2
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.29.6-eks-db838b0

How to reproduce this issue:
Use the following annotations:

      nginx.ingress.kubernetes.io/server-snippet: |
        location = / {
            return 403;
        }
      nginx.ingress.kubernetes.io/configuration-snippet:
        limit_except GET { deny all; }
juris added the kind/bug label Aug 6, 2024
k8s-ci-robot added the needs-triage label Aug 6, 2024
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@longwuyuan
Contributor

I am getting 404 without any snippets:

% k describe po test0-846c7c69c6-r4426| grep -i image:
    Image:          nginx:alpine
[~] 

% k describe svc test0 
Name:              test0
Namespace:         default
Labels:            app=test0
Annotations:       <none>
Selector:          app=test0
Type:              ClusterIP
IP Family Policy:  SingleStack
IP Families:       IPv4
IP:                10.101.94.63
IPs:               10.101.94.63
Port:              <unset>  80/TCP
TargetPort:        80/TCP
Endpoints:         10.244.0.50:80
Session Affinity:  None
Events:            <none>
[~] 
%

% k describe ing test0 
Name:             test0
Labels:           <none>
Namespace:        default
Address:          192.168.49.2
Ingress Class:    nginx
Default backend:  <default>
Rules:
  Host                Path  Backends
  ----                ----  --------
  test0.mydomain.com  
                      /   test0:80 (10.244.0.50:80)
Annotations:          <none>
Events:
  Type    Reason  Age                    From                      Message
  ----    ------  ----                   ----                      -------
  Normal  Sync    2m19s (x2 over 3m15s)  nginx-ingress-controller  Scheduled for sync

%

% curl -i --resolve test0.mydomain.com:80:`minikube ip` -XPOST test0.mydomain.com/health
HTTP/1.1 404 Not Found
Date: Wed, 07 Aug 2024 13:07:48 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.27.0</center>
</body>
</html>
[~] 
% 


@longwuyuan
Contributor

/remove-kind bug
/kind support

k8s-ci-robot added the kind/support label and removed the kind/bug label Aug 7, 2024
ZJfans added a commit to ZJfans/ingress-nginx that referenced this issue Aug 24, 2024
ZJfans linked a pull request Aug 24, 2024 that will close this issue

github-actions bot commented Sep 7, 2024

This is stale, but we won't close it automatically, just bear in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach #ingress-nginx-dev on Kubernetes Slack.

github-actions bot added the lifecycle/frozen label Sep 7, 2024