ingress-nginx

Deprecate and remove geo_ip2 feature

Open rikatz opened this issue 1 year ago • 7 comments

GeoIP feature is used to control access to the environment per location/region. While this is a useful feature, we understand that this control should not be made on ingress-nginx.

Additionally, it is not an open feature that can be consumed by anyone and instead needs a license and a third party module.

So the proposal is to remove and deprecate this feature.

rikatz avatar Jul 21 '24 18:07 rikatz

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

k8s-ci-robot avatar Jul 21 '24 18:07 k8s-ci-robot

Are the whitelist annotation https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#whitelist-source-range and the denylist annotation https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#denylist-source-range related?

Some issues in GitHub seemed to hint at users using geoip2 to ascertain SRC IP (or I could be confused, so just commenting).

longwuyuan avatar Jul 21 '24 18:07 longwuyuan

This is stale, but we won't close it automatically, just bear in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach #ingress-nginx-dev on Kubernetes Slack.

github-actions[bot] avatar Aug 21 '24 01:08 github-actions[bot]

Our company uses this feature to enrich each request with location headers so that all services don't need to do geo lookups themselves.

    location-snippet: |
      proxy_set_header x-fw-region-code $geoip2_region_code;
      proxy_set_header x-fw-region $geoip2_region_name;
      proxy_set_header x-fw-country-code $geoip2_city_country_code;
      proxy_set_header x-fw-country-name $geoip2_city_country_name;

xdays avatar Oct 18 '24 05:10 xdays

Unfortunately, snippets are also difficult to support and maintain for security stability. So snippets are scheduled for deprecation.

longwuyuan avatar Oct 18 '24 06:10 longwuyuan

I want to rethink snippets in a different way.

While I think no user should be able to set it, I understand admins may want to set on all servers some config, so maybe allowing just admin snippets that will be "included" as files is still under future consideration.

rikatz avatar Oct 18 '24 09:10 rikatz

Out of curiosity, do you have an estimated date / version for deprecation of this feature?

troll-os avatar Oct 18 '24 11:10 troll-os

Do you have any replacement for the snippet feature, such as a set proxy header feature?

HoangViet144 avatar Nov 06 '24 07:11 HoangViet144

There are some annotations. Please check the docs.

longwuyuan avatar Nov 06 '24 08:11 longwuyuan

/close

Geoip2 was kept for now. Snippets discussion needs a different issue.

rikatz avatar Nov 06 '24 08:11 rikatz

@rikatz: Closing this issue.

In response to this:

/close

Geoip2 was kept for now. Snippets discussion needs a different issue.

k8s-ci-robot avatar Nov 06 '24 08:11 k8s-ci-robot