How to whitelist certain IPs to the application?

Is there a way to add nginx.ingress.kubernetes.io/whitelist-source-range annotation via Qovery to limit the access to the application to certain IP addresses?

Hi,

We do not propose it yet, but this is something we can consider easily. Please add/vote for it in the roadmap.

Thanks

Hi @prki, I can take a look at making this parameter configurable via our application advanced settings. We can do it for next week if it works for you.

Yes, please! 🙂 We want to only accept traffic from Cloudflare IP ranges to enforce their WAF and Cloudflare Access authorization rules.

OK, I'll come back to you here once it's available.

Hi, is there any update or ETA for this?

Hi @prki - not yet, sorry - I'll keep you posted when we have an ETA. We'll try our best to provide it ASAP. It's possible that you'll have something next week.

Hi @prki, I've discussed this with @Pierre_Mavro, and it seems that officially supporting IP whitelisting would take more time than expected. The reason is that Qovery uses NLBs at the moment and we'd need to replace them with ALBs. The good news is that we plan to make it configurable. The bad news is that it will take time.

Potential solution

I would recommend you take a look at Cloudflare to whitelist by IP addresses in the meantime.

You can use their WAF for free and then filter by IP addresses (and even other options).

Let me know if this solution fits you.
Romaric.

It would be enough for us if you could just expose this ingress option: nginx.ingress.kubernetes.io/whitelist-source-range.

We are using Cloudflare Access, which does SSO authentication for our internal apps and proxies only the authenticated traffic. However, it can currently be beaten by using your application URLs to access them directly, skipping Cloudflare. We would need to add Cloudflare network ranges to our application whitelist for this to work properly.

My bad, yes, it's totally possible with Nginx ingress. However, it won't work for databases, as it will require the changes that @rophilogene mentioned above.

So for HTTP applications, we can implement the whitelist easily 🙂
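
For reference, this is how the annotation requested in this thread looks on a plain ingress-nginx Ingress. It is an added example, not part of the thread and not Qovery's own configuration; the resource names, host, backend service and CIDRs are hypothetical placeholders, and the real Cloudflare ranges are published at https://www.cloudflare.com/ips/.

```yaml
# Added example: every name, host and CIDR below is a placeholder (assumption).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: internal-app              # hypothetical resource name
  namespace: default
  annotations:
    # Comma-separated CIDRs that may reach this Ingress; requests from any
    # other client address are rejected by nginx with 403.
    # 192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32 are documentation
    # ranges standing in for the Cloudflare list.
    nginx.ingress.kubernetes.io/whitelist-source-range: "192.0.2.0/24,198.51.100.0/24,2001:db8::/32"
spec:
  ingressClassName: nginx
  rules:
    - host: app.example.com       # hypothetical hostname proxied by Cloudflare
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: internal-app   # hypothetical backend Service
                port:
                  number: 80
```

The check is made against the client address as nginx sees it, so the load balancer in front of the ingress controller has to preserve the source IP; otherwise every request appears to come from the load balancer and the allowlist cannot distinguish Cloudflare from direct access. The published Cloudflare ranges change over time, so the annotation value needs to be refreshed when they do.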