Deny location mapping in case of specific errors

controllers/nginx/pkg/template/template.go

@@ -137,6 +137,7 @@ var (
 		"buildRateLimit":              buildRateLimit,
 		"buildSSPassthroughUpstreams": buildSSPassthroughUpstreams,
 		"buildResolvers":              buildResolvers,
+		"isLocationAllowed":           isLocationAllowed,
 
 		"contains":  strings.Contains,
 		"hasPrefix": strings.HasPrefix,
@@ -352,3 +353,13 @@ func buildRateLimit(input interface{}) []string {
 
 	return limits
 }
+
+func isLocationAllowed(input interface{}) bool {
+	loc, ok := input.(*ingress.Location)
+	if !ok {
+		glog.Errorf("expected an ingress.Location type but %T was returned", input)
+		return false
+	}
+
+	return loc.Denied == nil
+}

controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl

@@ -240,6 +240,7 @@ http {
         {{ end }}
         
         location {{ $path }} {
+            {{ if isLocationAllowed $location }}
             {{ if gt (len $location.Whitelist.CIDR) 0 }}
             {{ range $ip := $location.Whitelist.CIDR }}
             allow {{ $ip }};{{ end }}
@@ -312,6 +313,10 @@ http {
 
             set $proxy_upstream_name "{{ $location.Backend }}";
             {{ buildProxyPass $backends $location }}
+            {{ else }}
+            #{{ $location.Denied }}
+            return 503;
+            {{ end }}
         }
         {{ end }}
         
@@ -326,6 +331,7 @@ http {
         # with an external software (like sysdig)
         location /nginx_status {
             allow 127.0.0.1;
+            allow ::1;
             deny all;
 
             access_log off;
@@ -365,6 +371,7 @@ http {
         # TODO: enable extraction for vts module.
         location /internal_nginx_status {
             allow 127.0.0.1;
+            allow ::1;
             deny all;
 
             access_log off;