Comments (3)
I'm currently being stung by this quite badly.
The server block for my wildcard is currently matching any host name not in another server block.
Additionally, the template output for https redirects uses the '$host' nginx variable instead of the $server.Hostname template variable for the redirects:
i.e.
```
if ($scheme = http) {
    return 301 https://$host$request_uri;
}
```
instead of:
```
if ($scheme = http) {
    return 301 https://{{ $server.Hostname }}$request_uri;
}
```
This means if my server gets a request for some random host it will respond with a valid 301 https redirect for that host.
i.e.
Request: GET http://example.com
Response: 301 https://example.com
Even without an ingress record for example.com.
Currently getting requests from random websites, presumably for free 301 https redirects.
from ingress-nginx.
@markacola this is already fixed in this repo. Please check https://github.com/kubernetes/ingress/blob/master/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl#L255
from ingress-nginx.
@aledbf Sorry, I don't think I was very clear with my previous comment.
The server block of the Default Backend doesn't have `default_server` in the `listen` statement, so wildcard domains (which have a higher order of precedence) will match before the Default Backend.
If the wildcard domain has an SSL config then it will include the `if ($scheme = http) {...` section.
This results in a server block that matches unknown hosts and includes an http -> https redirect in the `/` location block that uses whatever host was supplied in the request.
e.g.
```
# Default Backend block
server {
    server_name _; #no default_server statement
    listen 80;
    location / {
        ...
    }
}
# Server block from ingress
server {
    server_name *.example.com;
    listen 80;
    listen 443 ssl spdy http2;
    ...
    location / {
        # enforce ssl on server side
        if ($scheme = http) {
            return 301 https://$host$request_uri;
        }
        ...
    }
}
```
With the above config a request with host http://unknownhost.com will be handled by the second server block, resulting in 301 with header Location: https://unknownhost.com.
from ingress-nginx.
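A defender-side check for the behaviour described in this thread, as an added example that is not part of the original comments or of ingress-nginx: it scans access-log lines for plain-HTTP 301 responses whose `Location` reflects a request Host that no ingress rule covers. The log layout, `INGRESS_HOSTS` and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed access-log layout (not the ingress-nginx default), e.g.
#   log_format redirect_audit '$host $scheme $status "$sent_http_location"';
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<scheme>https?) (?P<status>\d{3}) "(?P<location>[^"]*)"$'
)


def host_is_configured(host, ingress_hosts):
    """True if host matches an ingress hostname, using nginx server_name
    rules for exact names and leading wildcards (*.example.com)."""
    host = host.lower().rstrip(".")
    for name in ingress_hosts:
        name = name.lower()
        if name.startswith("*."):
            # "*.example.com" matches any subdomain, but not example.com itself
            if host.endswith(name[1:]) and len(host) > len(name) - 1:
                return True
        elif host == name:
            return True
    return False


def find_reflected_redirects(log_lines, ingress_hosts):
    """Return (host, location) for each plain-HTTP 301 whose Location points
    back at the request's own Host although no ingress rule covers it."""
    findings = []
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m or m["scheme"] != "http" or m["status"] != "301":
            continue
        host = m["host"].lower()
        target = urlsplit(m["location"])
        reflected = target.scheme == "https" and (target.hostname or "") == host
        if reflected and not host_is_configured(host, ingress_hosts):
            findings.append((host, m["location"]))
    return findings


INGRESS_HOSTS = ["*.example.com"]  # the wildcard rule from the thread
SAMPLE_LOG = [  # constructed sample lines in the assumed layout
    'app.example.com http 301 "https://app.example.com/login"',
    'unknownhost.com http 301 "https://unknownhost.com/"',
    'unknownhost.com https 404 ""',
    'example.com http 301 "https://example.com/"',
]

if __name__ == "__main__":
    for host, location in find_reflected_redirects(SAMPLE_LOG, INGRESS_HOSTS):
        print(f"reflected redirect for unconfigured host {host}: {location}")
```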