feat: allow access to forbidden location to specified user agents

Monska85 · Monska85 · commit 71b2dd03c797 · 2024-06-18T13:23:07.000+02:00
diff --git a/README.md b/README.md
@@ -104,6 +104,7 @@ The entrypoint file contains a list of environment variables that will be replac
 - `NGINX_CLIENT_MAX_BODY_SIZE`: the maximum allowed size for the client request body (default: `200M`)
 - `NGINX_CORS_ENABLED`: enable cors for `/` path and the caller origin header represented by `$http_origin` nginx variable (<https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin>) (default: `0`)
 - `NGINX_CORS_DOMAINS`: a list of CORS enabled domains to activate cors just for the specified ones (no default provided)
+- `NGINX_FORBIDDEN_LOCATIONS_ALLOWED_USER_AGENTS`: a regexp, used as `startswith`, to match the valid user agents that can call the forbidden locations and obtain a simple `return 200` (default `(kube-probe)`)
 
 ## Rootless feature
 
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
@@ -73,9 +73,18 @@ if [ -n "${NGINX_BASIC_AUTH_USER}" ] && [ -n "${NGINX_BASIC_AUTH_PASS}" ]; then
 fi
 
 # Activate the forbidden locations when the environment is not local
+NGINX_FORBIDDEN_LOCATIONS_ALLOWED_USER_AGENTS=${NGINX_FORBIDDEN_LOCATIONS_ALLOWED_USER_AGENTS:-"(kube-probe)"}
+export NGINX_FORBIDDEN_LOCATIONS_ALLOWED_USER_AGENTS
 if [ "${ENV:-}" != "loc" ]; then
   print "Activating the forbidden locations"
   cp /templates/fragments/005-forbidden-locations.conf /etc/nginx/conf.d/fragments/005-forbidden-locations.conf
+
+  if [ -n "${NGINX_FORBIDDEN_LOCATIONS_ALLOWED_USER_AGENTS}" ]; then
+    # shellcheck disable=SC2016 # The envsubst command needs to be executed without variable expansion
+    envsubst '${NGINX_FORBIDDEN_LOCATIONS_ALLOWED_USER_AGENTS}' < /templates/fragments/005-forbidden-locations-user-agents-fragment.conf.tpl > /templates/fragments/005-forbidden-locations-user-agents-fragment.conf
+    sed -e '/#forbidden-locations-allowed-user-agents/r /templates/fragments/005-forbidden-locations-user-agents-fragment.conf' -i /etc/nginx/conf.d/fragments/005-forbidden-locations.conf
+  fi
+  sed -i '/#forbidden-locations-allowed-user-agents/d' /etc/nginx/conf.d/fragments/005-forbidden-locations.conf
 fi
 
 # Activate HSTS header (default: off)
diff --git a/templates/fragments/005-forbidden-locations-user-agents-fragment.conf.tpl b/templates/fragments/005-forbidden-locations-user-agents-fragment.conf.tpl
@@ -0,0 +1,3 @@
+  if ($http_user_agent ~ ^${NGINX_FORBIDDEN_LOCATIONS_ALLOWED_USER_AGENTS}) {
+    return 200;
+  }
diff --git a/templates/fragments/005-forbidden-locations.conf b/templates/fragments/005-forbidden-locations.conf
@@ -1,7 +1,9 @@
 location = /core/install.php {
+  #forbidden-locations-allowed-user-agents
   return 404;
 }
 
 location = /update.php {
+  #forbidden-locations-allowed-user-agents
   return 404;
 }

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+ if ($http_user_agent ~ ^${NGINX_FORBIDDEN_LOCATIONS_ALLOWED_USER_AGENTS}) {`
	`2`	`+ return 200;`
	`3`	`+ }`
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,9 @@`
`1`	`1`	`location = /core/install.php {`
	`2`	`+ #forbidden-locations-allowed-user-agents`
`2`	`3`	`return 404;`
`3`	`4`	`}`
`4`	`5`
`5`	`6`	`location = /update.php {`
	`7`	`+ #forbidden-locations-allowed-user-agents`
`6`	`8`	`return 404;`
`7`	`9`	`}`