Redirect 403 traffic to a holding page
When you restrict access to your application using IP whitelisting (nginx.ingress.kubernetes.io/whitelist-source-range), users outside the allowed IP ranges receive a default 403 Forbidden response. You can redirect these users to a custom holding page instead.
The solution
Add this server snippet to your Ingress resource:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: myapp-ingress
annotations:
nginx.ingress.kubernetes.io/whitelist-source-range: "1.2.3.4/32,5.6.7.8/32"
nginx.ingress.kubernetes.io/server-snippet: |
error_page 403 = @holding;
location @holding {
return 302 https://laa-holding-page-production.apps.live.cloud-platform.service.justice.gov.uk$request_uri;
}
spec:
# ... rest of your ingress config
Why this works
The standard temporal-redirect annotation doesn't work because:
- IP whitelist checking happens in NGINX's access phase
- Redirects happen in the rewrite phase (which comes later)
- When access is denied, NGINX returns 403 immediately and never reaches the rewrite phase
The server-snippet approach uses NGINX's error_page directive to catch 403 errors and redirect them.
Multiple Ingresses
If you have multiple Ingress resources sharing the same hostname, add the server-snippet to all of them. NGINX-Ingress picks one as the "master" but you can't predict which one.
Testing
# Test from allowed IP (expect 200 OK)
curl -I https://your-app.apps.live.cloud-platform.service.justice.gov.uk
# Test from blocked IP (expect 302 redirect)
# Disconnect VPN or use different network
curl -I https://your-app.apps.live.cloud-platform.service.justice.gov.uk
Reference
Was this page useful?