Is there a way to add nginx.ingress.kubernetes.io/whitelist-source-range annotation via Qovery to limit the access to the application to certain IP addresses?
Hi,
We do not propose it yet, but this is something we can consider easily. Please add/vote for it in the roadmap.
Thanks
Hi @prki, I can take a look at making this parameter configurable via our application advanced settings. We can do it for next week if it works for you.
Yes, please! We want to only accept traffic from Cloudflare IP ranges to enforce their WAF and Cloudflare Access authorization rules.
OK, I’ll come back to you here once it’s available.
Hi, is there any update or ETA for this?
Hi @prki - not yet, sorry - I’ll keep you posted when we have an ETA. We’ll try our best to provide it ASAP. It’s possible that you will have something next week.
Hi @prki, I’ve discussed this with @Pierre_Mavro, and it seems that officially supporting IP whitelisting would take more time than expected. The reason is that Qovery uses NLBs at the moment and we’d need to replace them with ALBs. The good news is that we plan to make it configurable. The bad news is that it will take time.
Potential solution
I would recommend you take a look at Cloudflare to whitelist by IP addresses in the meantime.
You can use their WAF for free and then filter by IP addresses (and even other options).
Let me know if this solution fits you.
Romaric.
It would be enough for us if you could just expose this ingress option: nginx.ingress.kubernetes.io/whitelist-source-range.
We are using Cloudflare Access, which does SSO authentication for our internal apps and proxies only the authenticated traffic. However, it can currently be beaten by using your application URLs to access them directly, skipping Cloudflare. We would need to add Cloudflare network ranges to our application whitelist for this to work properly.
My bad, yes it’s totally possible with Nginx ingress. However, it won’t work for databases as it will require changes that @rophilogene said above.
So for HTTP applications, we can implement the whitelist easily
Hi @prki, I will add the whitelist-source-range option to the application advanced settings next week. I will keep you posted.
Hi, scheduled for this week
Hi @JrmyDev @prki , just to let you know that the option has been added, it’s in review, and it will be released early next week.
Hi @prki @JrmyDev, the option has been released. I can give you access to the V3 to make the configuration easier. Do you want it?
Here are the instructions to set up the IP whitelisting for your app via curl
Usage
To use the Qovery app advanced settings API:
- Check out our API documentation.
- Create an API token.
Keep your API token secure - never share it with anyone.
Whitelist IP addresses
To whitelist only some IPs like:
1.1.1.1
42.42.42.42
11.11.11.11
You can run the following CURL command:
curl -X PUT -H 'Authorization: Token <your API token>' -H 'Content-type: application/json' \
-d '{"network.ingress.whitelist_source_range": "1.1.1.1,42.42.42.42,11.11.11.11"}' \
"https://api.qovery.com/application/:appId/advancedSettings"
Then redeploy your application to apply the change.
The default value is: 0.0.0.0/0, which means all the IPs are whitelisted.
Your Application ID (appId) is the last ID in your console.qovery.com URL. E.g. for
https://console.qovery.com/platform/organization/141c07c8-0dd9-4623-983b-3fdd61867777/projects/4ac1185f-4b7c-4f12-95b6-0690f796bbbb/environments/1109c4d2-ffbb-49d6-9826-f5a7ca3a8888/applications/3cc850c6-cc4f-46bc-ad05-c90f7b597333/summary
the Organization ID is 3cc850c6-cc4f-46bc-ad05-c90f7b597333
Here is a small tutorial for Qovery V3
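The whitelist value sent in the curl command above can be checked before it is applied. The following is an added example, not part of the original thread or Qovery's own code: the function name build_whitelist_payload is hypothetical, and it assumes every entry must be an IP address or CIDR range (the ingress-nginx whitelist-source-range annotation takes comma-separated CIDRs).

```python
import ipaddress
import json

# Setting key as given in the thread's curl command.
SETTING_KEY = "network.ingress.whitelist_source_range"


def _render(net):
    # Single hosts are written as bare addresses, as in the thread's example.
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def build_whitelist_payload(entries):
    """Validate entries and return the JSON body for the advancedSettings PUT.

    Assumption: every entry must be an IP address or a CIDR range.
    """
    networks = []
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=True rejects ranges with host bits set (e.g. 10.1.2.3/8),
            # which are usually typos that would silently widen the range.
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            raise ValueError(f"not an IP address or CIDR range: {entry!r}") from exc
        if net.prefixlen == 0:
            # 0.0.0.0/0 is the default and whitelists every address.
            raise ValueError(f"{entry!r} allows every address")
        networks.append(net)
    if not networks:
        raise ValueError("whitelist is empty")
    merged = []
    for version in (4, 6):
        # collapse_addresses drops duplicates and ranges covered by a wider one.
        same = [n for n in networks if n.version == version]
        merged.extend(ipaddress.collapse_addresses(same))
    return json.dumps({SETTING_KEY: ",".join(_render(n) for n in merged)})


if __name__ == "__main__":
    # Constructed sample: the three addresses used in the thread.
    print(build_whitelist_payload(["1.1.1.1", "42.42.42.42", "11.11.11.11"]))
```

The returned string is the body for the -d argument of the PUT request; the application still has to be redeployed for the change to apply.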
Yes please
We could also access v2 if needed?
Thanks
I used to have V3 access but it doesn’t work for me anymore. Please check, I would prefer to have a UI to quickly see these things.
Does it work with a hostname? In my case I don’t have a static IP.