DevFW-CICD/ingress-nginx-helm
14
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #4601 from ElvinEfendi/hsts-refactoring

Browse source 
Hsts refactoring
This commit is contained in:
Kubernetes Prow Robot 2019-09-24 19:50:00 -07:00 committed by GitHub
commit 113f8d2931
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 48 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
internal/ingress/controller/template/template.go
View file

@ -302,7 +302,23 @@ func configForLua(input interface{}) string {
is_ssl_passthrough_enabled = %t, is_ssl_passthrough_enabled = %t,
http_redirect_code = %v, http_redirect_code = %v,
listen_ports = { ssl_proxy = "%v", https = "%v" }, listen_ports = { ssl_proxy = "%v", https = "%v" },
}`, all.Cfg.UseForwardedHeaders, all.IsSSLPassthroughEnabled, all.Cfg.HTTPRedirectCode, all.ListenPorts.SSLProxy, all.ListenPorts.HTTPS)
hsts = %t,
hsts_max_age = %v,
hsts_include_subdomains = %t,
hsts_preload = %t,
}`,
all.Cfg.UseForwardedHeaders,
all.IsSSLPassthroughEnabled,
all.Cfg.HTTPRedirectCode,
all.ListenPorts.SSLProxy,
all.ListenPorts.HTTPS,
all.Cfg.HSTS,
all.Cfg.HSTSMaxAge,
all.Cfg.HSTSIncludeSubdomains,
all.Cfg.HSTSPreload,
)
} }
// locationConfigForLua formats some location specific configuration into Lua table represented as string // locationConfigForLua formats some location specific configuration into Lua table represented as string

10
rootfs/etc/nginx/lua/certificate.lua
View file

@ -48,12 +48,14 @@ local function get_pem_cert_key(raw_hostname)
return pem_cert_key return pem_cert_key
end end
function _M.configured_for_server(hostname) function _M.configured_for_current_request()
if not hostname then if ngx.ctx.configured_for_current_request ~= nil then
return false return ngx.ctx.configured_for_current_request
end end
return get_pem_cert_key(hostname) ~= nil ngx.ctx.configured_for_current_request = get_pem_cert_key(ngx.var.host) ~= nil
return ngx.ctx.configured_for_current_request
end end
function _M.call() function _M.call()

15
rootfs/etc/nginx/lua/lua_ingress.lua
View file

@ -1,6 +1,6 @@
local ngx_re_split = require("ngx.re").split local ngx_re_split = require("ngx.re").split
local certificate_configured_for_server = require("certificate").configured_for_server local certificate_configured_for_current_request = require("certificate").configured_for_current_request
local original_randomseed = math.randomseed local original_randomseed = math.randomseed
local string_format = string.format local string_format = string.format
@ -69,7 +69,7 @@ local function redirect_to_https(location_config)
return true return true
end end
return location_config.ssl_redirect and certificate_configured_for_server(ngx.var.host) return location_config.ssl_redirect and certificate_configured_for_current_request()
end end
local function redirect_host() local function redirect_host()
@ -142,6 +142,17 @@ function _M.rewrite(location_config)
ngx_redirect(uri, config.http_redirect_code) ngx_redirect(uri, config.http_redirect_code)
end end
if config.hsts and ngx.var.scheme == "https" and certificate_configured_for_current_request then
local value = "max-age=" .. config.hsts_max_age
if config.hsts_include_subdomains then
value = value .. "; includeSubDomains"
end
if config.hsts_preload then
value = value .. "; preload"
end
ngx.header["Strict-Transport-Security"] = value
end
end end
return _M return _M

17
rootfs/etc/nginx/lua/test/certificate_test.lua
View file

@ -130,21 +130,28 @@ describe("Certificate", function()
end) end)
end) end)
describe("configured_for_server", function() describe("configured_for_current_request", function()
before_each(function() before_each(function()
local _ngx = { var = { host = "hostname" } }
setmetatable(_ngx, {__index = _G.ngx})
_G.ngx = _ngx
ngx.ctx.configured_for_current_request = nil
set_certificate("hostname", EXAMPLE_CERT, UUID) set_certificate("hostname", EXAMPLE_CERT, UUID)
end) end)
it("returns true when certificate exists for given server", function() it("returns true when certificate exists for given server", function()
assert.is_true(certificate.configured_for_server("hostname")) assert.is_true(certificate.configured_for_current_request())
end) end)
it("returns false when certificate does not exist for given server", function() it("returns false when certificate does not exist for given server", function()
assert.is_false(certificate.configured_for_server("hostname.xyz")) ngx.var.host = "hostname.xyz"
assert.is_false(certificate.configured_for_current_request())
end) end)
it("returns false when no server given", function() it("returns cached value from ngx.ctx", function()
assert.is_false(certificate.configured_for_server()) ngx.ctx.configured_for_current_request = false
assert.is_false(certificate.configured_for_current_request())
end) end)
end) end)
end) end)

6
rootfs/etc/nginx/template/nginx.tmpl
View file

@ -1051,12 +1051,6 @@ stream {
plugins.run() plugins.run()
} }
{{ if (and $server.SSLCert $all.Cfg.HSTS) }}
if ($scheme = https) {
more_set_headers "Strict-Transport-Security: max-age={{ $all.Cfg.HSTSMaxAge }}{{ if $all.Cfg.HSTSIncludeSubdomains }}; includeSubDomains{{ end }}{{ if $all.Cfg.HSTSPreload }}; preload{{ end }}";
}
{{ end }}
{{ if not $location.Logs.Access }} {{ if not $location.Logs.Access }}
access_log off; access_log off;
{{ end }} {{ end }}