Code Monkey home page Code Monkey logo

Comments (3)

markacola avatar markacola commented on May 19, 2024

I'm currently being stung by this quite badly.
The server block for my wildcard is currently matching any host name not in another server block.
Additionally, the template output for https redirects uses the '$host' nginx variable instead of the $server.Hostname template variable for the redirects:
i.e.

if ($scheme = http) {
    return 301 https://$host$request_uri;
}

instead of:

if ($scheme = http) {
    return 301 https://{{ $server.Hostname }}$request_uri;
}

This means if my server gets a request for some random host it will respond with a valid 301 https redirect for that host.
i.e.

Request: GET http://example.com
Response: 301 https://example.com

Even without an ingress record for example.com.
Currently getting requests from random websites, presumably for free 301 https redirects.

from ingress-nginx.

aledbf avatar aledbf commented on May 19, 2024

@markacola this is already fix in this repo. Please check https://github.com/kubernetes/ingress/blob/master/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl#L255

from ingress-nginx.

markacola avatar markacola commented on May 19, 2024

@aledbf Sorry, i dont think I was very clear with my previous comment.
The server block of the Default Backend doesn't have default_server in the listen statement, so wild card domains (which have a higher order of precedence) will match before the Default Backend.
If the wildcard domain has an SSL config then it will include the if ($scheme = http) {... section.
This results in a server block that matches unknow hosts and includes a http -> https redirect in the / location block that uses whatever host was supplied in the request.
eg.

# Default Backend block
server {
  server_name _; #no default_server statement
  listen 80;
  
  location / {
    ...
  }
}

# Server block from ingress
server {
  server_name *.example.com;
  listen 80;
  listen 443 ssl spdy http2;
  ...

  location / {
    # enforce ssl on server side
    if ($scheme = http) {
        return 301 https://$host$request_uri;
    }
    ...
  }
}

With the above config a request with host http://unknownhost.com will be handled by the second server block, resulting in 301 with header Location: https://unknownhost.com.

from ingress-nginx.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.