Comments (15)
I wanted to comment that your issue description is very terse.
I think it's acceptable to write succinct, terse issue descriptions in closed groups or chat forums. But here it's required that the questions asked in the new bug report template be answered, or that detailed data be provided for feature requests, such as the output of kubectl commands, curl and so on. It helps a reader to actually get an action item.
For example, your issue description requires another person to guess and speculate on the environment and other aspects and do a lot of preliminary triaging, which may or may not even be correct.
Please edit the description of the feature and add your data from tests on a kind or minikube cluster, and include the kubectl command outputs for all resources and states, with logs, curl -v, etc. It will help a lot.
from ingress-nginx.
This issue is currently awaiting triage.
If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.
The triage/accepted label can be added by org members by writing /triage accepted in a comment.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
from ingress-nginx.
/retitle nginx_status block configuration
from ingress-nginx.
This is stale, but we won't close it automatically; just bear in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach #ingress-nginx-dev on Kubernetes Slack.
from ingress-nginx.
We have nginx with ssl passthrough inside an EKS cluster sitting behind an AWS Network Load Balancer.
When we try "curl --url https://aa.aa.aa.aa:443/nginx_status -k" (where aa.aa.aa.aa is the IP of the Network Load Balancer) it returns data:
```
Active connections: 32
server accepts handled requests
4008033 4008033 5318470
Reading: 0 Writing: 1 Waiting: 14
```
And sometimes it gives:
```
Object Not Found (nginx_status)
```
We would like to disable the nginx_status page permanently through the helm chart or any other way.
from ingress-nginx.
Please try to reproduce this on minikube cluster or kind cluster. I am not able to reproduce it.
from ingress-nginx.
I just reproduced on minikube.
@rikatz @tao12345666333 obviously it's part of the ssl_proxy implementation. Please comment.
```
% helm -n ingress-nginx get values ingress-nginx
USER-SUPPLIED VALUES:
USER-SUPPLIED VALUES: null
controller:
  extraArgs:
    default-ssl-certificate: ingress-nginx/wildcard.dev.enjoydevops.com
    enable-ssl-passthrough: "true"
  metrics:
    enabled: true
    serviceMonitor:
      additionalLabels:
        release: prometheusgrafana
      enabled: true
  service:
    externalTrafficPolicy: Local
[~]
% k -n ingress-nginx get svc | grep -i Load
ingress-nginx-controller   LoadBalancer   10.107.55.241   192.168.76.2   80:32746/TCP,443:31249/TCP   35h
[~]
% curl https://192.168.76.2:443/nginx_status
curl: (60) SSL: no alternative certificate subject name matches target host name '192.168.76.2'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
[~]
% curl https://192.168.76.2:443/nginx_status -k
Active connections: 1
server accepts handled requests
351 351 348
Reading: 0 Writing: 1 Waiting: 0
[~]
% curl http://192.168.76.2:443/nginx_status
<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx</center>
</body>
</html>
[~]
%
```
from ingress-nginx.
The default install does not expose this endpoint, but since ssl-passthrough is implemented as a proxy, this is becoming available on the IP address of the LB in addition to localhost: https://github.com/kubernetes/ingress-nginx/tree/main/charts/ingress-nginx#ingress-nginx-nginx_status-pagestats-server
@devops-newbee have you tried any deny annotation or a server_snippet to explicitly configure deny in nginx.conf?
from ingress-nginx.
Hello @longwuyuan : Thank you for looking into the issue. In our configuration, we are sticking to default nginx-controller deployment where --enable-snnipets argument on controller is not set. (Assuming that it is disabled). Could you share an example of how we can disable the nginx_status page via deny annotation?
from ingress-nginx.
Allow known and deny all https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#whitelist-source-range
from ingress-nginx.
Annotation so you can include path https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#whitelist-source-range
from ingress-nginx.
Hello @longwuyuan,
Thank you for the suggestion. Our understanding is that the whitelist applies to all locations, while we need a specific location (nginx_status) to be denied. Is this understanding correct?
We tried to use server_snippet in the configmap as per this article (https://stackoverflow.com/questions/52782415/nginx-ingress-config-map-snippets-being-ignored-by-the-nginx-conf), and we got an error message that the location already existed:
```
Error: exit status 1
XXXX/XX/XX XX:XX:59 [emerg] 32#32: duplicate location "/nginx_status" in /tmp/nginx/nginx-cfg1879454961:425
nginx: [emerg] duplicate location "/nginx_status" in /tmp/nginx/nginx-cfg1879454961:425
nginx: configuration file /tmp/nginx/nginx-cfg1879454961 test failed
```
from ingress-nginx.
@devops-newbee I could follow up, so sorry for the delay. Can you get on Kubernetes.slack.com? It will be easier to work there when compared to here.
/assign
from ingress-nginx.
Hello @longwuyuan, Thank you for responding. I am already there on Kubernetes.slack.com. You want me to post the query there? Under which channel?
Regards
Abhimanyu Rai
from ingress-nginx.
I spent a day on this and I think I have a solution for it. In the ingress-nginx controller helm values.yaml file, add this under the config section: nginx-status-ipv4-whitelist: ""
I believe it's set to localhost by default, but the nginx_status page was still accessible to the outside world. It was only blocked when I added nginx-status-ipv4-whitelist: "" to the values.yaml file. Below is a snippet of my values.yaml file:
```yaml
# https://github.com/kubernetes/ingress-nginx/blob/helm-chart-4.4.0/charts/ingress-nginx/values.yaml
controller:
  config:
    # Mozilla SSL Configuration Generator
    # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&guideline=5.6
    # (the generator emits an nginx "ssl_ciphers ...;" directive; the configmap value is only the cipher list, so no trailing ";")
    ssl-ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    # empty list: no source address is allowed to read /nginx_status
    nginx-status-ipv4-whitelist: ""
```
Here are some links I used to help:
- https://github.com/kubernetes/ingress-nginx/blob/main/internal/ingress/controller/config/config.go
- https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#configuration-options
In each of these links search for nginx-status-ipv4-whitelist
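As an added example (not from the thread or the ingress-nginx project), here is a small POSIX shell checker a cluster operator can run against their own load balancer address to confirm whether /nginx_status is reachable before and after applying the nginx-status-ipv4-whitelist: "" setting above. The sample responses are constructed (modelled on the curl output quoted earlier in the thread), and the host 192.168.76.2 in the usage comment is only the address from the minikube transcript; substitute your own.

```shell
#!/bin/sh
# Added example, not from the thread or the ingress-nginx project: check whether
# the nginx stub_status page (/nginx_status) is reachable through a load
# balancer address, e.g. before and after setting nginx-status-ipv4-whitelist: "".
set -u

# Constructed sample responses, modelled on the output quoted in the thread.
SAMPLE_EXPOSED='Active connections: 1
server accepts handled requests
351 351 348
Reading: 0 Writing: 1 Waiting: 0'
SAMPLE_BLOCKED='Object Not Found (nginx_status)'

# classify_nginx_status BODY -> prints "exposed" when BODY is stub_status
# output, "not-exposed" otherwise. Pure function, so it can be run offline.
classify_nginx_status() {
  case "$1" in
    *'Active connections:'*'server accepts handled requests'*) printf 'exposed\n' ;;
    *) printf 'not-exposed\n' ;;
  esac
}

# stub_status_counters BODY -> prints the "accepts handled requests" counters
# as three numbers (the line after the header), or nothing if BODY is not
# stub_status output.
stub_status_counters() {
  printf '%s\n' "$1" | awk 'f { print $1, $2, $3; exit } /^server accepts handled requests/ { f = 1 }'
}

# probe_nginx_status HOST -> fetches https://HOST:443/nginx_status the way the
# thread does (curl -k, because the LB presents a certificate for another name),
# prints "<http_code> <verdict>", and returns 0 when the page is blocked,
# 1 when it is exposed, 2 when the host could not be reached. Needs network
# access to HOST, so it is not exercised by the offline checks.
probe_nginx_status() {
  host="$1"
  resp=$(curl -sk --max-time 5 -w '\n%{http_code}' "https://${host}:443/nginx_status") || {
    printf 'unreachable\n'
    return 2
  }
  code=$(printf '%s\n' "$resp" | tail -n 1)   # last line is the status code from -w
  body=$(printf '%s\n' "$resp" | sed '$d')    # everything before it is the body
  verdict=$(classify_nginx_status "$body")
  printf '%s %s\n' "$code" "$verdict"
  [ "$verdict" = not-exposed ]
}

# Usage (assumed load-balancer address from the transcript; replace with yours):
#   probe_nginx_status 192.168.76.2
```

Run the probe from outside the cluster network (the place the thread's reporter was curling from), not from a controller pod, since the whitelist decision is made on the source address nginx sees. A non-zero exit from probe_nginx_status after the values change means the whitelist did not take effect and the rendered nginx.conf in the controller pod is the next thing to inspect.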
from ingress-nginx.