Traefik k8s filter *.php requests

Traefik Traefik v1
1

Hi,

Currently, on my logs I can see that am receiving a lot of request for urls containing *.php. I don't support .php and would like to globally drop these requests. These requests have been spiking my CPU & memory usage.

I intend to redirect requests containing .php to this service which just basically drops the request or better still point it to a backend that doesn't exists. Also I intend to use traefik rate limiting for such requests

 - path: /{extension:(.*.php.*)}
            backend:
              serviceName: drop-server-service
              servicePort: 80

My questions are

  1. Is this the proper way of targeting such requests?
  2. How can I properly tell traefik to limit the request to this drop-server-service alone and not to other services?
  3. I have other ingresses on other namespaces and I would like to apply this *.php filter globally

Cuslter Info
Trafeik v1.7.12
Kubernetes
Cloud Provider: Amazon EKS

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: filter-ingress
  namespace: filter-test
  annotations:
    kubernetes.io/ingress.class: "traefik"
    traefik.ingress.kubernetes.io/priority: "200"
    traefik.frontend.rule.type: Path
    traefik.ingress.kubernetes.io/max-conn-amount: "2"
    traefik.ingress.kubernetes.io/max-conn-extractor-func: client.ip
spec:
  rules:
    - host: filter-test.api.mydomain.io
      http:
        paths:
          - path: /health_check
            backend:
              serviceName: filter-server-service
              servicePort: 80
          - path: /{extension:(.*.php.*)}
            backend:
              serviceName: drop-server-service
              servicePort: 80
          - path: /api/auth
            backend:
              serviceName: auth-service
              servicePort: 80
          - path: /api/email
            backend:
              serviceName: email-service
              servicePort: 80

Thank you

2

Hello @dewale,

I will try to answer your requests individually:

  1. Is this the proper way of targeting such requests?

Security and Access control for this sort of thing should be handled by a firewall. Traefik has some features built-in for rate limiting or restrictions, but it is implemented as a best-attempt, and is not intended to be used as a security appliance. If you are handling encrypted traffic, then Traefik may be your best option short-term.

  1. How can I properly tell traefik to limit the request to this drop-server-service alone and not to other services?

By putting this path in its own ingress, it can be configured with its own rate-limiting annotations.

  1. I have other ingresses on other namespaces and I would like to apply this *.php filter globally

You may want to build this into a file-based configuration (with a static frontend and a static backend pointing to your kubernetes service), and then add the file config to your ingress controller. Then it will apply globally, and will not be override-able via the kubernetes provider.

Another option is to use a hostless ingress, where it applies to all hosts:

3

Thank you @daniel.tomcej my traffic is encrypted. As regards to the rate limiting I tried configuring it as below but it seems to have no effect as I sent multiple requests from the same IP and didn't receive the 429 error. maybe am setting this incorrectly ?

    traefik.ingress.kubernetes.io/max-conn-amount: "2"
    traefik.ingress.kubernetes.io/max-conn-extractor-func: client.ip

Thank you

4

Note that if you are using services in front of Traefik, then the service NAT will rewrite the client IP:

So you may have to look at setting service.spec.externalTrafficPolicy on the service fronting Traefik.

Note that not doing this will have the effect that all traffic will be percieved to come from the same client IP, resulting in you hitting your max-conn much sooner than intended.

However, yes, the max-conn annotations are correct, but:
traefik.frontend.rule.type: Path is not a valid annotation.

Please see https://docs.traefik.io/configuration/backends/kubernetes/#general-annotations for the list of supported annotations.

5

Thank you I'd correct and revert