Tags: kubernetes, kubernetes-helm, kubernetes-ingress, nginx-ingress

access forbidden by rule, on ingress nginx log


Which ingress rule is blocking the request coming in? App: based on Drupal. Any suggestions would help.

Ingress log:

2022/08/11 10:00:59 [error] 20516#20516: *159406145 access forbidden by rule, client: 2a02:9b0:3d:54a2:40bf:a951:e203:79a5, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
{"time": "2022-08-11T10:00:59+00:00", "remote_addr": "-", "x_forward_for": "2a02:9b0:3d:54a2:40bf:a951:e203:79a5, 172.70.156.137, 2a02:9b0:3d:54a2:40bf:a951:e203:79a5", "request_id": "d8d07bd09c84b802af91a60adbf46a73", "remote_user": "-", "bytes_sent": 583, "request_time": 0.000, "status": 403, "vhost": "example.com", "request_proto": "HTTP/1.1", "path": "/", "request_query": "-", "request_length": 647, "duration": 0.000,"method": "GET", "http_referrer": "-", "http_user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 15_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6 Mobile/15E148 Safari/604.1", "auth_apikey": "-", "auth_authorization": "-", "auth_X-Api-caps": "-", "auth_uid": "-"}

ingress.yaml

apiVersion: v1
items:
- apiVersion: extensions/v1beta1
  kind: Ingress
  metadata:
    annotations:
      meta.helm.sh/release-name: example-production
      meta.helm.sh/release-namespace: example
      nginx.ingress.kubernetes.io/configuration-snippet: |
        more_clear_headers "Server";
        more_set_headers "X-Content-Type-Options: nosniff";
        more_set_headers "X-XSS-Protection: 1";
        more_set_headers "X-Request-Id: $request_id";
        more_set_headers "X-Router-Id: example-portal-anonymous";
        more_set_headers "Strict-Transport-Security: max-age=15768000";
        more_set_headers "Content-Security-Policy: frame-ancestors 'self'";
      nginx.ingress.kubernetes.io/cors-allow-headers: X-Forwarded-For, Authorization
      nginx.ingress.kubernetes.io/cors-allow-methods: GET, POST, PUT, PATCH, DELETE,
        OPTIONS
      nginx.ingress.kubernetes.io/cors-allow-origin: example.com
      nginx.ingress.kubernetes.io/enable-cors: "true"
      nginx.ingress.kubernetes.io/enable-modsecurity: "true"
      nginx.ingress.kubernetes.io/enable-owasp-core-rules: "false"
      nginx.ingress.kubernetes.io/limit-rpm: "0"
      nginx.ingress.kubernetes.io/modsecurity-transaction-id: $request_id
      nginx.ingress.kubernetes.io/proxy-buffer-size: 20k
      nginx.ingress.kubernetes.io/use-regex: "true"
      nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0
    creationTimestamp: "2022-08-10T11:19:21Z"
    generation: 1
    labels:
      app.kubernetes.io/managed-by: example
    name: portal-anonymous
    namespace: example
    resourceVersion: "523173759"
    selfLink: /apis/extensions/v1beta1/namespaces/example/ingresses/portal-anonymous
    uid: 9cdb29b2-a463-4851-b4c4-b5a58be28580
  spec:
    rules:
    - host: example.com
      http:
        paths:
        - backend:
            serviceName: portal
            servicePort: 80
          path: /
          pathType: Prefix
  status:
    loadBalancer: {}
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""


Solution

  • I suspect the problem is actually revealed in your config:

    nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0
    

    You are allowing all IPv4 IPs with this range, but in your log, you have this:

    "x_forward_for": "2a02:9b0:3d:54a2:40bf:a951:e203:79a5, 172.70.156.137, 2a02:9b0:3d:54a2:40bf:a951:e203:79a5"
    

    So this means you're using IPv6 as well, so you might want to add ::/0 to the whitelist-source-range to allow all IPv6 as well as all IPv4 ranges. Or just omit the annotation entirely if you want to allow anything in.
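To confirm the diagnosis from the log rather than by eye, here is an added check (not part of the question or the answer) that parses the JSON access-log line, takes the leftmost x_forward_for hop, and tests it against the whitelist-source-range value before and after adding ::/0. It assumes that leftmost hop is the address nginx evaluates for the whitelist, and the log line is a constructed, shortened copy of the one in the question.

```python
import ipaddress
import json

# Constructed sample: shortened copy of the question's JSON access-log line.
LOG_LINE = (
    '{"time": "2022-08-11T10:00:59+00:00", '
    '"x_forward_for": "2a02:9b0:3d:54a2:40bf:a951:e203:79a5, 172.70.156.137, '
    '2a02:9b0:3d:54a2:40bf:a951:e203:79a5", '
    '"status": 403, "vhost": "example.com", "path": "/"}'
)

# The annotation value from ingress.yaml, and the corrected value with IPv6 added.
WHITELIST_BEFORE = "0.0.0.0/0"
WHITELIST_AFTER = "0.0.0.0/0,::/0"


def parse_whitelist(annotation):
    """Parse the comma-separated CIDR list used by whitelist-source-range."""
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in annotation.split(",") if c.strip()]


def client_ip(log_line):
    """Return the leftmost X-Forwarded-For hop (assumed here to be the
    address nginx checks against the whitelist)."""
    record = json.loads(log_line)
    first_hop = record["x_forward_for"].split(",")[0].strip()
    return ipaddress.ip_address(first_hop)


def is_allowed(ip, networks):
    """Mirror nginx allow/deny semantics: an IPv6 client can never match an
    IPv4 network (or vice versa), so 0.0.0.0/0 alone rejects all IPv6 clients."""
    return any(ip.version == net.version and ip in net for net in networks)


def explain(log_line, annotation):
    """Summarise why the logged client was allowed or denied by the annotation."""
    ip = client_ip(log_line)
    nets = parse_whitelist(annotation)
    matched = [str(n) for n in nets if ip.version == n.version and ip in n]
    return {"client": str(ip), "version": ip.version,
            "allowed": bool(matched), "matched": matched}


if __name__ == "__main__":
    print(explain(LOG_LINE, WHITELIST_BEFORE))  # allowed: False
    print(explain(LOG_LINE, WHITELIST_AFTER))   # allowed: True, matched ['::/0']
```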