
Comments (15)

longwuyuan avatar longwuyuan commented on September 26, 2024 1

I wanted to comment that your issue description is very terse.

I think it's acceptable to write succinct, terse issue descriptions in closed groups or chat forums. But here it's required that the questions asked in the new bug report template be answered, or that detailed data be provided for feature requests, such as the output of kubectl commands, curl and so on. It helps a reader actually get an action item.

For example, your issue description requires another person to guess and speculate on the environment and other aspects and do a lot of preliminary triaging, which may or may not even be correct.

Please edit the description of the feature and add your data from tests on a kind or minikube cluster, and include the kubectl command outputs for all resources and states with logs and curl -v etc. It will help a lot.

from ingress-nginx.

k8s-ci-robot avatar k8s-ci-robot commented on September 26, 2024

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.


longwuyuan avatar longwuyuan commented on September 26, 2024

/retitle nginx_status block configuration


github-actions avatar github-actions commented on September 26, 2024

This is stale, but we won't close it automatically, just bear in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach #ingress-nginx-dev on Kubernetes Slack.


devops-newbee avatar devops-newbee commented on September 26, 2024

We have nginx with SSL passthrough inside an EKS cluster sitting behind an AWS Network Load Balancer.
When we try "curl --url https://aa.aa.aa.aa:443/nginx_status -k" (where aa.aa.aa.aa is the IP of the Network Load Balancer) it returns data:
Active connections: 32
server accepts handled requests
4008033 4008033 5318470
Reading: 0 Writing: 1 Waiting: 14

And sometimes it gives:
Object Not Found (nginx_status)

We would like to disable the nginx_status page permanently through the helm chart or any other way.


longwuyuan avatar longwuyuan commented on September 26, 2024

Please try to reproduce this on a minikube cluster or kind cluster. I am not able to reproduce it.


longwuyuan avatar longwuyuan commented on September 26, 2024

I just reproduced on minikube.

@rikatz @tao12345666333 obviously it's part of the ssl_proxy implementation. Please comment.

% helm -n ingress-nginx get values ingress-nginx                                                  
USER-SUPPLIED VALUES:
USER-SUPPLIED VALUES: null
controller:
  extraArgs:
    default-ssl-certificate: ingress-nginx/wildcard.dev.enjoydevops.com
    enable-ssl-passthrough: "true"
  metrics:
    enabled: true
    serviceMonitor:
      additionalLabels:
        release: prometheusgrafana
      enabled: true
  service:
    externalTrafficPolicy: Local
[~] 
% k -n ingress-nginx get svc | grep -i Load
ingress-nginx-controller             LoadBalancer   10.107.55.241    192.168.76.2   80:32746/TCP,443:31249/TCP   35h
[~] 
% curl https://192.168.76.2:443/nginx_status
curl: (60) SSL: no alternative certificate subject name matches target host name '192.168.76.2'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
[~] 
% curl https://192.168.76.2:443/nginx_status -k
Active connections: 1 
server accepts handled requests
 351 351 348 
Reading: 0 Writing: 1 Waiting: 0 
[~] 
% curl http://192.168.76.2:443/nginx_status   
<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx</center>
</body>
</html>
[~] 
% 


longwuyuan avatar longwuyuan commented on September 26, 2024

Default install does not expose this endpoint, but since ssl-passthrough is implemented as a proxy, this is becoming available on the IP address of the LB in addition to localhost https://github.com/kubernetes/ingress-nginx/tree/main/charts/ingress-nginx#ingress-nginx-nginx_status-pagestats-server

@devops-newbee have you tried any deny annotation or a server_snippet to explicitly configure deny in nginx.conf ?


devops-newbee avatar devops-newbee commented on September 26, 2024

Hello @longwuyuan: Thank you for looking into the issue. In our configuration we are sticking to the default nginx-controller deployment, where the --enable-snippets argument on the controller is not set (assuming that it is disabled). Could you share an example of how we can disable the nginx_status page via a deny annotation?


longwuyuan avatar longwuyuan commented on September 26, 2024

Allow known and deny all https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#whitelist-source-range


longwuyuan avatar longwuyuan commented on September 26, 2024

Annotation so you can include path https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#whitelist-source-range


devops-newbee avatar devops-newbee commented on September 26, 2024

Hello @longwuyuan,
Thank you for the suggestion. Our understanding is that the whitelist applies to all locations, while we need a specific location to be denied (nginx_status). Is this understanding correct?
We tried to use server_snippet in the configmap as per this article
(https://stackoverflow.com/questions/52782415/nginx-ingress-config-map-snippets-being-ignored-by-the-nginx-conf),
and we got an error message that the location already existed.

Error: exit status 1
XXXX/XX/XX XX:XX:59 [emerg] 32#32: duplicate location "/nginx_status" in /tmp/nginx/nginx-cfg1879454961:425
nginx: [emerg] duplicate location "/nginx_status" in /tmp/nginx/nginx-cfg1879454961:425
nginx: configuration file /tmp/nginx/nginx-cfg1879454961 test failed


longwuyuan avatar longwuyuan commented on September 26, 2024

@devops-newbee I could not follow up, so sorry for the delay. Can you get on Kubernetes.slack.com? It will be easier to work there compared to here.

/assign


devops-newbee avatar devops-newbee commented on September 26, 2024

Hello @longwuyuan, thank you for responding. I am already there on Kubernetes.slack.com. Do you want me to post the query there? Under which channel?

Regards
Abhimanyu Rai


mababio avatar mababio commented on September 26, 2024

I spent a day on this and I think I have a solution for this. In the ingress-nginx controller helm values.yaml file, add this under the config section: nginx-status-ipv4-whitelist: "". I believe it's set to localhost by default, but the nginx_status was still accessible to the outside world. It was only blocked when I added nginx-status-ipv4-whitelist: "" to the values.yaml file. Below is a snippet of my values.yaml file:

# https://github.com/kubernetes/ingress-nginx/blob/helm-chart-4.4.0/charts/ingress-nginx/values.yaml
controller:
  config:
    # Mozilla SSL Configuration Generator
    # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&guideline=5.6
    ssl-ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    nginx-status-ipv4-whitelist: ""

Here are some links I used to help:

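The following is an added example, not code from the thread or from the ingress-nginx project. It turns mababio's workaround into something repeatable: a helm values file that clears nginx-status-ipv4-whitelist, and a check run from outside the cluster that classifies the response to /nginx_status as exposed (stub_status body returned), denied (403), absent (404) or unknown. The release name, namespace, LB_ADDR and the helm repo alias ingress-nginx/ingress-nginx are hypothetical placeholders. One reading of longwuyuan's observation, stated here as an assumption rather than something the thread confirms, is that the ssl-passthrough proxy hands non-passthrough connections to nginx from the loopback address, so the chart's default 127.0.0.1 allow entry on the stub_status location matches every request that arrives through the LB; an empty list leaves only "deny all". The sample response bodies in the script are constructed (modelled on the output quoted above) so the classifier can be exercised without a cluster.

```shell
#!/bin/sh
# Added example; not code from the thread or from the ingress-nginx project.
# Applies the configmap change mababio describes, then checks from outside the
# cluster that /nginx_status is no longer served through the load balancer.
#
# Hypothetical values (adjust for your cluster):
#   RELEASE, NAMESPACE           helm release and namespace of the controller
#   LB_ADDR                      IP or DNS name of the controller's LoadBalancer
#   ingress-nginx/ingress-nginx  assumed helm repo alias for the chart
set -eu

RELEASE="${RELEASE:-ingress-nginx}"
NAMESPACE="${NAMESPACE:-ingress-nginx}"

# Step 1: the fix as a helm values file. An empty value removes the chart's
# default allow entry for the stub_status location, leaving only "deny all".
write_values() {
    cat > "$1" <<'EOF'
controller:
  config:
    nginx-status-ipv4-whitelist: ""
EOF
}

# Apply the values without touching the rest of the release (--reuse-values).
apply_fix() {
    values=$(mktemp)
    write_values "$values"
    helm upgrade "$RELEASE" ingress-nginx/ingress-nginx -n "$NAMESPACE" \
        --reuse-values -f "$values"
    rm -f "$values"
}

# Step 2: classify one HTTP response to /nginx_status.
#   $1 = HTTP status code, $2 = response body
# Prints one of: exposed | denied | absent | unknown
# A stub_status body counts as "exposed" whatever the status code: the leak is
# in the body, not in the code.
classify_status_response() {
    code="$1"
    body="$2"
    case "$body" in
        *"Active connections:"*"server accepts handled requests"*)
            echo exposed
            return 0
            ;;
    esac
    case "$code" in
        403) echo denied ;;   # deny all in effect
        404) echo absent ;;   # no such location on the server that answered
        *)   echo unknown ;;
    esac
}

# Probe the load balancer over HTTPS. -k is used because the controller's
# default certificate will not match the LB address (as in the thread's curl
# output); we are testing reachability of the location, not the certificate.
# No Host header is set, so the request lands on the default server.
probe_nginx_status() {
    addr="$1"
    tmp=$(mktemp)
    http_code=$(curl -sk -o "$tmp" -w '%{http_code}' \
        "https://$addr/nginx_status" || echo 000)
    resp=$(cat "$tmp")
    rm -f "$tmp"
    classify_status_response "$http_code" "$resp"
}

# Exit non-zero if the endpoint still leaks, so a pipeline can gate on it.
assert_not_exposed() {
    result=$(probe_nginx_status "$1")
    echo "nginx_status via $1: $result"
    [ "$result" != exposed ]
}

# Constructed sample bodies (not captured from a real cluster), modelled on the
# output quoted in the thread, so the classifier can be exercised offline.
SAMPLE_EXPOSED='Active connections: 32
server accepts handled requests
 4008033 4008033 5318470
Reading: 0 Writing: 1 Waiting: 14'
SAMPLE_DENIED='<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>'

# Usage:
#   RUN_HELM=1 sh check_nginx_status.sh            # apply the fix
#   LB_ADDR=aa.aa.aa.aa sh check_nginx_status.sh   # verify from outside
if [ "${RUN_HELM:-0}" = 1 ]; then apply_fix; fi
if [ -n "${LB_ADDR:-}" ]; then
    assert_not_exposed "$LB_ADDR"
else
    echo "offline self-check (constructed samples):" \
        "$(classify_status_response 200 "$SAMPLE_EXPOSED")" \
        "$(classify_status_response 403 "$SAMPLE_DENIED")"
fi
```

Run the probe before and after the helm upgrade so you see the transition from exposed to denied rather than trusting the values file alone. If the cluster is dual-stack, the configmap has an IPv6 counterpart key, nginx-status-ipv6-whitelist, that should be cleared the same way; check the configmap reference linked earlier in the thread for the current key names.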
