
add an explicit deny list (for paths, domains, methods, or all 3?) #91

@jatcod3r

OS: Ubuntu 24.04.3 LTS
Platform: Kubernetes
Boundary Version: v0.2.0

I ran into an issue with trying to deny access to certain sub-paths of a domain. To my knowledge, sub-paths are implicitly allowed for everything, and it seems like wildcard symbols may not be respected either?

For reference, this is the config I was testing:

# ~/.config/coder_boundary/config.yaml
allowlist:
- domain=github.com path=/coder-contrib/*

I tried curling my repository just to test access:

$ boundary-run --log-level debug --log-dir=/tmp/boundary_logs -- curl -sLI https://github.com/coder-contrib/memory-card-ai-demo.git

But I can see in logs that it gets denied:

time=2025-11-24T21:57:33.928Z level=DEBUG msg="✅ TLS handshake successful"
time=2025-11-24T21:57:33.928Z level=DEBUG msg="🔒 HTTPS Request" method=HEAD url=/coder-contrib/memory-card-ai-demo.git
time=2025-11-24T21:57:33.928Z level=DEBUG msg="   Host" host=github.com
time=2025-11-24T21:57:33.928Z level=DEBUG msg="   User-Agent" user-agent=curl/8.5.0
time=2025-11-24T21:57:33.928Z level=DEBUG msg="rule does not match" reason="no path pattern matches" rule="domain=github.com path=/coder-contrib/*/*" method=HEAD url=https://github.com/
time=2025-11-24T21:57:33.928Z level=WARN msg=DENY method=HEAD url=/coder-contrib/memory-card-ai-demo.git host=github.com

I updated it to use a full path too, but still no dice:

allowlist:
- domain=github.com path=/coder-contrib/memory-card-ai-demo.git

Corresponding log:

time=2025-11-24T22:07:17.696Z level=DEBUG msg="✅ TLS handshake successful"
time=2025-11-24T22:07:17.696Z level=DEBUG msg="🔒 HTTPS Request" method=HEAD url=/coder-contrib/memory-card-ai-demo.git
time=2025-11-24T22:07:17.696Z level=DEBUG msg="   Host" host=github.com
time=2025-11-24T22:07:17.696Z level=DEBUG msg="   User-Agent" user-agent=curl/8.5.0
time=2025-11-24T22:07:17.696Z level=DEBUG msg="rule does not match" reason="no path pattern matches" rule="domain=github.com path=/coder-contrib/memory-card-ai-demo.git" method=HEAD url=https://github.com
time=2025-11-24T22:07:17.696Z level=WARN msg=DENY method=HEAD url=/coder-contrib/memory-card-ai-demo.git host=github.com

It's only when I updated the YAML to include the path as "/" or removed it entirely that it started working. I was hoping to deny explicitly instead, but to my knowledge, there's no way to deny anything other than to build out the sub-path.
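As an added illustration of the allow/deny semantics this issue asks for (example code written for this page, not Boundary's own matcher), the Go program below implements segment-wise path patterns where `*` matches exactly one path segment and `**` matches the remainder, evaluates an explicit denylist before the allowlist, and denies by default. The `domain=... path=...` rule-line syntax follows the config shown in the issue; the `**` form, the `method=` key, the `secret-repo.git` name and the `git-receive-pack` deny rule are assumptions made for illustration. Fed the issue's own request, it shows why a rule written as `/coder-contrib/*/*` (the form the debug log reports) cannot match the two-segment path `/coder-contrib/memory-card-ai-demo.git`, while `/coder-contrib/*` does.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Rule is one allow or deny entry. Assumed semantics for this example only:
// Domain is compared case-insensitively against the host, Method "" means any
// method, and Pattern is matched segment by segment ("*" = exactly one
// segment, "**" = everything from here on, "" = any path).
type Rule struct {
	Domain, Method, Pattern string
}

func (r Rule) String() string {
	return fmt.Sprintf("domain=%s method=%s path=%s", r.Domain, r.Method, r.Pattern)
}

// ParseRule reads the "domain=... path=... method=..." line form used in the
// issue's config.yaml. Unknown keys are an error rather than silently ignored,
// so a typo cannot turn a narrow rule into a broad one.
func ParseRule(line string) (Rule, error) {
	var r Rule
	for _, field := range strings.Fields(line) {
		k, v, ok := strings.Cut(field, "=")
		if !ok {
			return Rule{}, fmt.Errorf("bad field %q", field)
		}
		switch k {
		case "domain":
			r.Domain = v
		case "path":
			r.Pattern = v
		case "method":
			r.Method = v
		default:
			return Rule{}, fmt.Errorf("unknown key %q in %q", k, line)
		}
	}
	return r, nil
}

// MatchPath compares a request path against a pattern one segment at a time.
// "/coder-contrib/*/*" has three segments and so cannot match the two-segment
// path "/coder-contrib/memory-card-ai-demo.git"; "/coder-contrib/*" can.
func MatchPath(pattern, path string) bool {
	if pattern == "" {
		return true
	}
	ps := strings.Split(strings.Trim(pattern, "/"), "/")
	rs := strings.Split(strings.Trim(path, "/"), "/")
	for i, p := range ps {
		if p == "**" {
			return true
		}
		if i >= len(rs) || (p != "*" && p != rs[i]) {
			return false
		}
	}
	return len(ps) == len(rs)
}

func (r Rule) matches(method string, u *url.URL) bool {
	if r.Domain != "" && !strings.EqualFold(r.Domain, u.Hostname()) {
		return false
	}
	if r.Method != "" && !strings.EqualFold(r.Method, method) {
		return false
	}
	return MatchPath(r.Pattern, u.Path) // u.Path excludes the query string
}

// Policy checks deny rules before allow rules and denies when nothing matches,
// so an explicit deny can carve a sub-path out of a broader allow.
type Policy struct {
	Deny, Allow []Rule
}

// Decide reports whether the request is allowed and which rule decided it.
func (p Policy) Decide(method, rawURL string) (bool, string) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false, "unparseable url"
	}
	for _, r := range p.Deny {
		if r.matches(method, u) {
			return false, "deny: " + r.String()
		}
	}
	for _, r := range p.Allow {
		if r.matches(method, u) {
			return true, "allow: " + r.String()
		}
	}
	return false, "no allow rule matches"
}

// ExamplePolicy is the issue's allowlist widened to "**" plus a hypothetical
// denylist: one made-up repository and the smart-HTTP push endpoint.
func ExamplePolicy() Policy {
	must := func(s string) Rule {
		r, err := ParseRule(s)
		if err != nil {
			panic(err)
		}
		return r
	}
	return Policy{
		Allow: []Rule{must("domain=github.com path=/coder-contrib/**")},
		Deny: []Rule{
			must("domain=github.com path=/coder-contrib/secret-repo.git"),
			must("domain=github.com path=/coder-contrib/*/git-receive-pack"),
		},
	}
}

func main() {
	p := ExamplePolicy()
	for _, req := range [][2]string{
		{"HEAD", "https://github.com/coder-contrib/memory-card-ai-demo.git"},
		{"GET", "https://github.com/coder-contrib/secret-repo.git"},
		{"POST", "https://github.com/coder-contrib/memory-card-ai-demo.git/git-receive-pack"},
		{"GET", "https://github.com/"},
	} {
		ok, why := p.Decide(req[0], req[1])
		fmt.Printf("%-4s %-75s allow=%v (%s)\n", req[0], req[1], ok, why)
	}
}
```

Deny-before-allow with a default deny is the ordering to keep if Boundary grows a denylist: an agent that can reach `github.com/**` should still be unable to push (`git-receive-pack`) or read a carved-out repository, and a request with no path at all must not match a rule that names one.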
