Secure ingresses

To prevent unwanted access (for example, to /magnolia/.admincentral or similar paths) and to keep crawlers away from unpublished content, it is usually a good idea to combine IP whitelisting on Ingress-Nginx with robots tags (such as X-Robots-Tag: noindex, nofollow).

Instructions

  1. First, ensure you are connected to your Magnolia PaaS Kubernetes cluster using the correct kubeconfig.

  2. Create an htpasswd file named auth. The secret in the next step is built from this file.

    # Create HTPASSWD File
    $ htpasswd -c auth myadmin
    New password:
    Re-type new password:
    Adding password for user myadmin
  3. Convert the file to a Kubernetes secret.

    $ kubectl create -n dev secret generic basic-auth --from-file=auth
    secret/basic-auth created
  4. Open the ingress for editing to add the annotations and the whitelist.

    $ kubectl edit -n prod ingress myingress
  5. Build the annotate command that updates the ingress.

    $  k annotate -n dev ingress --overwrite=true dev-magnolia-helm \
    nginx.ingress.kubernetes.io/auth-realm="PLEASE LOGIN:" \
    nginx.ingress.kubernetes.io/auth-secret=basic-auth \
    nginx.ingress.kubernetes.io/auth-type=basic \
    nginx.ingress.kubernetes.io/configuration-snippet='more_set_headers "X-Robots-Tag: noindex, nofollow";' \  (1)
    nginx.ingress.kubernetes.io/whitelist-source-range="37.120.189.19/32,2a03:4000:6:b665::46/128"             (2)
    1 Set the robots tag so crawlers neither index nor follow the site.
    2 Set the IP whitelist; IPv4 and IPv6 addresses and subnets in CIDR notation are accepted.
    Test before deployment: run the command first with --dry-run=client to preview the change without applying it.
  6. Run the command with --dry-run=client first. If the result looks fine, apply it and check the ingress:

    $ k get ingress -n dev dev-magnolia-helm -o yaml
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt-prod
        field.cattle.io/publicEndpoints: '[{"addresses":["20.71.0.152"],"port":443,"protocol":"HTTPS","serviceName":"dev:dev-magnolia-helm-public-svc","ingressName":"dev:dev-magnolia-helm","hostname":"dev.azurepaas.magnolia-platform.com","path":"/","allNodes":false},{"addresses":["20.71.0.152"],"port":443,"protocol":"HTTPS","serviceName":"dev:dev-magnolia-helm-author-svc","ingressName":"dev:dev-magnolia-helm","hostname":"dev.azurepaas.magnolia-platform.com","path":"/author","allNodes":false}]'
        kubernetes.io/ingress.class: nginx
        meta.helm.sh/release-name: dev
        meta.helm.sh/release-namespace: dev
        nginx.ingress.kubernetes.io/auth-realm: 'PLEASE LOGIN:'
        nginx.ingress.kubernetes.io/auth-secret: basic-auth
        nginx.ingress.kubernetes.io/auth-type: basic
        nginx.ingress.kubernetes.io/configuration-snippet: 'more_set_headers "X-Robots-Tag:
          noindex, nofollow";'
        nginx.ingress.kubernetes.io/proxy-body-size: 512m
        nginx.ingress.kubernetes.io/whitelist-source-range: 37.120.189.19/32,2a03:4000:6:b665::46/128
    ...
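Before annotating, it is worth checking the whitelist value offline. The following added example (not part of the Magnolia documentation or of ingress-nginx) reproduces the decision the ingress makes for nginx.ingress.kubernetes.io/whitelist-source-range, in the order the tests further down observe (source check first, Basic Auth second), and flags entries that are suspiciously broad. The annotation value and the client addresses are taken from this page; the "too broad" prefix thresholds in MIN_PREFIX are an assumption of the example.

```python
"""Offline evaluator for the whitelist-source-range annotation.

Added example, not part of the Magnolia documentation or the ingress-nginx
project. It mirrors the allow/deny decision nginx makes for
nginx.ingress.kubernetes.io/whitelist-source-range, followed by the Basic
Auth check, so a new annotation value can be verified before kubectl
annotate runs. The "too broad" thresholds are an assumption of this example.
"""
import ipaddress
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Value exactly as set on the dev ingress in the procedure above.
WHITELIST = "37.120.189.19/32,2a03:4000:6:b665::46/128"

# Assumed policy: prefixes shorter than these are reported as very broad.
MIN_PREFIX = {4: 24, 6: 64}


def parse_whitelist(value: str) -> List[Network]:
    """Parse the comma-separated CIDR list into network objects.

    Entries without a prefix length become single hosts (/32 or /128).
    Anything that is not a valid address or network raises ValueError,
    which is the mistake you want to catch before the annotation is applied.
    """
    networks: List[Network] = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"invalid whitelist entry {entry!r}: {exc}") from exc
    if not networks:
        raise ValueError("whitelist value contains no entries")
    return networks


def broad_entries(networks: List[Network]) -> List[str]:
    """Return entries wider than the assumed MIN_PREFIX policy (e.g. 0.0.0.0/0)."""
    return [str(n) for n in networks if n.prefixlen < MIN_PREFIX[n.version]]


def is_allowed(client_ip: str, networks: List[Network]) -> bool:
    """True if the client address falls inside at least one listed network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks if net.version == addr.version)


def expected_status(client_ip: str, networks: List[Network],
                    has_credentials: bool) -> Optional[int]:
    """Status the ingress answers with before the request reaches Magnolia.

    403 when the source is outside the whitelist, 401 when it is inside but
    no Basic Auth credentials were sent, None when the request is passed on
    to the application (the page's own run then shows a 302 from Magnolia).
    """
    if not is_allowed(client_ip, networks):
        return 403
    if not has_credentials:
        return 401
    return None


if __name__ == "__main__":
    nets = parse_whitelist(WHITELIST)
    print("whitelist:", ", ".join(str(n) for n in nets))
    for wide in broad_entries(nets):
        print("WARNING: very broad entry", wide)
    for ip in ("87.123.205.103", "37.120.189.19", "2a03:4000:6:b665::46"):
        for creds in (False, True):
            status = expected_status(ip, nets, creds)
            print(f"{ip:>22} creds={creds!s:5} -> {status or 'pass to app'}")
```

The whitelist is only meaningful if nginx sees the real client address. Behind a cloud load balancer that is not configured to preserve it (externalTrafficPolicy: Local, or proxy protocol / X-Forwarded-For handling), every request appears to come from the balancer and the list either blocks everyone or nobody, so the curl tests below should always be run after a change.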

Test Basic Auth and Whitelisting

  1. Run the following commands from an address that is not in the whitelist. The request is refused with 403 Forbidden before any authentication takes place:

    $ curl ifconfig.me
    87.123.205.103%
    
    $ curl https://dev.azurepaas.magnolia-platform.com
    <html>
    <head><title>403 Forbidden</title></head>
    <body>
    <center><h1>403 Forbidden</h1></center>
    <hr><center>nginx</center>
    </body>
    </html>

Require authentication from permitted IP range

  1. Run the following commands from an address that is in the whitelist. The request now reaches Basic Auth and is answered with 401 Authorization Required:

    $ curl ifconfig.me
    37.120.189.19%
    
    $ curl https://dev.azurepaas.magnolia-platform.com
    <html>
    <head><title>401 Authorization Required</title></head>
    <body>
    <center><h1>401 Authorization Required</h1></center>
    <hr><center>nginx</center>
    </body>
    </html>
  2. Authenticate via Basic Auth using your stored credentials:

    $ curl https://dev.azurepaas.magnolia-platform.com -u myadmin:myadmin

    Verbose output

    $ curl -v https://dev.azurepaas.magnolia-platform.com -H 'Host: dev.azurepaas.magnolia-platform.com' -u myadmin:myadmin
    *   Trying 20.71.0.152:443...
    * Connected to dev.azurepaas.magnolia-platform.com (20.71.0.152) port 443 (#0)
    * ALPN: offers h2
    * ALPN: offers http/1.1
    *  CAfile: /etc/ssl/cert.pem
    *  CApath: none
    * (304) (OUT), TLS handshake, Client hello (1):
    * (304) (IN), TLS handshake, Server hello (2):
    * (304) (IN), TLS handshake, Unknown (8):
    * (304) (IN), TLS handshake, Certificate (11):
    * (304) (IN), TLS handshake, CERT verify (15):
    * (304) (IN), TLS handshake, Finished (20):
    * (304) (OUT), TLS handshake, Finished (20):
    * SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
    * ALPN: server accepted h2
    * Server certificate:
    *  subject: CN=dev.azurepaas.magnolia-platform.com
    *  start date: Oct 26 12:57:00 2022 GMT
    *  expire date: Jan 24 12:56:59 2023 GMT
    *  subjectAltName: host "dev.azurepaas.magnolia-platform.com" matched cert's "dev.azurepaas.magnolia-platform.com"
    *  issuer: C=US; O=Let's Encrypt; CN=R3
    *  SSL certificate verify ok.
    * Using HTTP2, server supports multiplexing
    * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
    * Server auth using Basic with user 'myadmin'
    * h2h3 [:method: GET]
    * h2h3 [:path: /]
    * h2h3 [:scheme: https]
    * h2h3 [:authority: dev.azurepaas.magnolia-platform.com]
    * h2h3 [authorization: Basic bXlhZG1pbjpteWFkbWlu]
    * h2h3 [user-agent: curl/7.84.0]
    * h2h3 [accept: */*]
    * Using Stream ID: 1 (easy handle 0x156811400)
    > GET / HTTP/2
    > Host: dev.azurepaas.magnolia-platform.com
    > authorization: Basic bXlhZG1pbjpteWFkbWlu                             # Basic Auth active!
    > user-agent: curl/7.84.0
    > accept: */*
    >
    * Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
    < HTTP/2 302
    < date: Thu, 01 Dec 2022 08:47:20 GMT
    < content-length: 0
    < set-cookie: JSESSIONID=E70616BACA0156F20E6A54A445181E59; Path=/; Secure; HttpOnly
    < set-cookie: csrf=55JCyz9SNh5mdE7Ke7k1cgkBX9e6huRpCUyj47GPjzM
    < x-magnolia-registration: Registered
    < location: /travel.html;jsessionid=E70616BACA0156F20E6A54A445181E59
    < strict-transport-security: max-age=15724800; includeSubDomains
    < x-robots-tag: noindex, nofollow (1)
    <
    * Connection #0 to host dev.azurepaas.magnolia-platform.com left intact
    1 The x-robots-tag header is set and delivered.

    Verify that the output contains x-robots-tag: noindex, nofollow.
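The three checks above can be automated. The following added example (not part of the Magnolia documentation) parses the response half of curl -v output, the lines starting with "< ", and verifies the behaviour this page describes: 403 for a source outside the whitelist, 401 for a permitted source without credentials, and a non-error response carrying X-Robots-Tag: noindex, nofollow once Basic Auth is supplied. The three transcripts are constructed from the page's own output (the www-authenticate line is what nginx adds for Basic Auth and is not shown on the page); fetch_live() is an optional helper for running the same checks against a real host and is not called by default.

```python
"""Verify the responses the Basic Auth / whitelist tests expect.

Added example, not part of the Magnolia documentation. Parses curl -v
response lines ("< ...") and checks them against the policy described on
the page. The sample transcripts are constructed from the page's output.
"""
import base64
import re
import urllib.error
import urllib.request
from typing import Dict, Optional, Tuple

STATUS_RE = re.compile(r"^HTTP/(?:2|1\.[01])\s+(\d{3})")


def parse_curl_verbose(text: str) -> Tuple[int, Dict[str, str]]:
    """Return (status, headers) from curl -v output; header names lowercased.

    Repeated set-cookie lines are joined with newlines so none is lost; for
    any other repeated header the last value wins. Only lines prefixed with
    "< " are read, so an HTML body (as in the 403 page) is ignored.
    """
    status: Optional[int] = None
    headers: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.startswith("< "):
            continue
        body = line[2:].strip()
        match = STATUS_RE.match(body)
        if match:
            status = int(match.group(1))
            continue
        if ":" in body:
            name, value = body.split(":", 1)
            name, value = name.strip().lower(), value.strip()
            if name == "set-cookie" and name in headers:
                headers[name] += "\n" + value
            else:
                headers[name] = value
    if status is None:
        raise ValueError("no HTTP status line found in curl output")
    return status, headers


def robots_tag_ok(headers: Dict[str, str]) -> bool:
    """True if X-Robots-Tag carries both noindex and nofollow."""
    directives = {d.strip().lower() for d in headers.get("x-robots-tag", "").split(",")}
    return {"noindex", "nofollow"} <= directives


def check_stage(stage: str, status: int, headers: Dict[str, str]) -> Tuple[bool, str]:
    """Compare one response with what the procedure expects for that stage.

    "outside": source not whitelisted; "no-auth": whitelisted, no credentials;
    "auth": whitelisted with Basic Auth credentials.
    """
    if stage == "outside":
        return status == 403, f"outside whitelist: got {status}, expected 403"
    if stage == "no-auth":
        return status == 401, f"no credentials: got {status}, expected 401"
    if stage == "auth":
        if status in (401, 403):
            return False, f"credentials or source rejected: got {status}"
        if not robots_tag_ok(headers):
            return False, "X-Robots-Tag lacks noindex/nofollow; check the snippet annotation"
        return True, f"authenticated request passed ({status}) with X-Robots-Tag set"
    raise ValueError(f"unknown stage {stage!r}")


def fetch_live(url: str, user: Optional[str] = None,
               password: str = "") -> Tuple[int, Dict[str, str]]:
    """Fetch url without following redirects; same shape as parse_curl_verbose."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surface the 302 as an HTTPError instead of following it

    request = urllib.request.Request(url)
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        request.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.build_opener(NoRedirect).open(request, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}


# Constructed transcripts modelled on the page's curl runs (response lines only).
SAMPLE_OUTSIDE = "< HTTP/2 403\n< content-type: text/html\n<\n<html>\n<head><title>403 Forbidden</title></head>\n"
SAMPLE_NO_AUTH = '< HTTP/2 401\n< www-authenticate: Basic realm="PLEASE LOGIN:"\n<\n'
SAMPLE_AUTH = """\
< HTTP/2 302
< date: Thu, 01 Dec 2022 08:47:20 GMT
< set-cookie: JSESSIONID=E70616BACA0156F20E6A54A445181E59; Path=/; Secure; HttpOnly
< set-cookie: csrf=55JCyz9SNh5mdE7Ke7k1cgkBX9e6huRpCUyj47GPjzM
< location: /travel.html;jsessionid=E70616BACA0156F20E6A54A445181E59
< strict-transport-security: max-age=15724800; includeSubDomains
< x-robots-tag: noindex, nofollow
<
"""


def run_samples() -> Dict[str, bool]:
    """Run all three stage checks over the constructed transcripts."""
    results = {}
    for stage, transcript in (("outside", SAMPLE_OUTSIDE),
                              ("no-auth", SAMPLE_NO_AUTH),
                              ("auth", SAMPLE_AUTH)):
        ok, message = check_stage(stage, *parse_curl_verbose(transcript))
        print(f"[{'OK' if ok else 'FAIL'}] {stage}: {message}")
        results[stage] = ok
    return results


if __name__ == "__main__":
    run_samples()
```

If the authenticated response lacks the header although the annotation is present, check the controller's allow-snippet-annotations setting: recent ingress-nginx releases disable configuration-snippet by default, and the header is then silently not added.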
