Added configmap option to disable IPv6 in nginx DNS resolver (#1992)
parent
ad2238ca94
commit
42076e8ed0
7 changed files with 46 additions and 17 deletions
|
@ -37,11 +37,12 @@ The following table shows a configuration option's name, type, and the default v
|
|||
|[client‑header‑timeout](#client-header-timeout)|int|60|
|
||||
|[client‑body‑buffer‑size](#client-body-buffer-size)|string|"8k"|
|
||||
|[client‑body‑timeout](#client-body-timeout)|int|60|
|
||||
|[disable‑access‑log](#disable-access-log)|bool|"false"|
|
||||
|[disable‑ipv6](#disable-ipv6)|bool|"false"|
|
||||
|[enable‑underscores‑in‑headers](#enable-underscores-in-headers)|bool|"false"|
|
||||
|[ignore‑invalid‑headers](#ignore-invalid-headers)|bool|"true"|
|
||||
|[enable‑vts‑status](#enable-vts-status)|bool|"false"|
|
||||
|[disable‑access‑log](#disable-access-log)|bool|false|
|
||||
|[disable‑ipv6](#disable-ipv6)|bool|false|
|
||||
|[disable‑ipv6‑dns](#disable-ipv6-dns)|bool|false|
|
||||
|[enable‑underscores‑in‑headers](#enable-underscores-in-headers)|bool|false|
|
||||
|[ignore‑invalid‑headers](#ignore-invalid-headers)|bool|true|
|
||||
|[enable‑vts‑status](#enable-vts-status)|bool|false|
|
||||
|[vts‑status‑zone‑size](#vts-status-zone-size)|string|"10m"|
|
||||
|[vts‑default‑filter‑key](#vts-default-filter-key)|string|"$geoip_country_code country::*"|
|
||||
|[retry‑non‑idempotent](#retry-non-idempotent)|bool|"false"|
|
||||
|
@ -211,6 +212,10 @@ _References:_
|
|||
|
||||
Disable listening on IPV6. By default this is disabled.
|
||||
|
||||
## disable-ipv6-dns
|
||||
|
||||
Disable IPV6 for nginx DNS reslover. By default this is disabled.
|
||||
|
||||
## enable-underscores-in-headers
|
||||
|
||||
Enables underscores in header names. By default this is disabled.
|
||||
|
@ -707,4 +712,4 @@ Enables or disables [buffering of responses from the proxied server](http://ngin
|
|||
|
||||
## limit-request-status-code
|
||||
|
||||
Sets the [status code to return in response to rejected requests](http://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_status).Default: 503
|
||||
Sets the [status code to return in response to rejected requests](http://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_status).Default: 503
|
||||
|
|
File diff suppressed because one or more lines are too long
|
@ -140,6 +140,9 @@ type Configuration struct {
|
|||
//http://nginx.org/en/docs/http/ngx_http_log_module.html
|
||||
DisableAccessLog bool `json:"disable-access-log,omitempty"`
|
||||
|
||||
// DisableIpv6DNS disables IPv6 for nginx resolver
|
||||
DisableIpv6DNS bool `json:"disable-ipv6-dns"`
|
||||
|
||||
// DisableIpv6 disable listening on ipv6 address
|
||||
DisableIpv6 bool `json:"disable-ipv6,omitempty"`
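Review bot: The `DisableIpv6DNS` tag is `json:"disable-ipv6-dns"` while both neighbouring fields in this hunk use `,omitempty`, and its comment does not say what the option changes in the rendered configuration. For consistency the tag could read `json:"disable-ipv6-dns,omitempty"`. The comment could follow the style of the line above `DisableAccessLog` and name the effect: `// DisableIpv6DNS disables IPv6 address lookups in the nginx resolver (adds ipv6=off to the resolver directive)` followed by `// http://nginx.org/en/docs/http/ngx_http_core_module.html#resolver`. The Configuration struct starts and ends outside this hunk.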
|
||||
|
||||
|
|
|
@ -144,6 +144,7 @@ func ReadConfig(src map[string]string) config.Configuration {
|
|||
to.HideHeaders = hideHeaderslist
|
||||
to.HTTPRedirectCode = redirectCode
|
||||
to.ProxyStreamResponses = streamResponses
|
||||
to.DisableIpv6DNS = !ing_net.IsIPv6Enabled()
|
||||
|
||||
config := &mapstructure.DecoderConfig{
|
||||
Metadata: nil,
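Review bot: The added line `to.DisableIpv6DNS = !ing_net.IsIPv6Enabled()` makes the effective default depend on the host, so on a node without IPv6 the option starts out true, while the documentation table in this same commit lists the default as `false`. Because the assignment sits before the decoder is set up, a `disable-ipv6-dns` key in the configmap presumably overrides it, but nothing on the line says so. A short comment would record the intent, for example `// default follows the host: turn off IPv6 DNS lookups when IPv6 is not enabled; the configmap value, if present, overrides this`, and the docs entry should describe the default the same way. ReadConfig's body continues outside the hunk.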
|
||||
|
|
|
@ -163,11 +163,16 @@ func formatIP(input string) string {
|
|||
}
|
||||
|
||||
// buildResolvers returns the resolvers reading the /etc/resolv.conf file
|
||||
func buildResolvers(input interface{}) string {
|
||||
func buildResolvers(res interface{}, disableIpv6 interface{}) string {
|
||||
// NGINX need IPV6 addresses to be surrounded by brackets
|
||||
nss, ok := input.([]net.IP)
|
||||
nss, ok := res.([]net.IP)
|
||||
if !ok {
|
||||
glog.Errorf("expected a '[]net.IP' type but %T was returned", input)
|
||||
glog.Errorf("expected a '[]net.IP' type but %T was returned", res)
|
||||
return ""
|
||||
}
|
||||
no6, ok := disableIpv6.(bool)
|
||||
if !ok {
|
||||
glog.Errorf("expected a 'bool' type but %T was returned", disableIpv6)
|
||||
return ""
|
||||
}
|
||||
|
||||
|
@ -178,14 +183,21 @@ func buildResolvers(input interface{}) string {
|
|||
r := []string{"resolver"}
|
||||
for _, ns := range nss {
|
||||
if ing_net.IsIPV6(ns) {
|
||||
if no6 {
|
||||
continue
|
||||
}
|
||||
r = append(r, fmt.Sprintf("[%v]", ns))
|
||||
} else {
|
||||
r = append(r, fmt.Sprintf("%v", ns))
|
||||
}
|
||||
}
|
||||
r = append(r, "valid=30s;")
|
||||
r = append(r, "valid=30s")
|
||||
|
||||
return strings.Join(r, " ")
|
||||
if no6 {
|
||||
r = append(r, "ipv6=off")
|
||||
}
|
||||
|
||||
return strings.Join(r, " ") + ";"
|
||||
}
|
||||
|
||||
// buildLocation produces the location string, if the ingress has redirects
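Review bot: When `no6` is true and every entry in `nss` is an IPv6 address, the loop in the second hunk skips all of them and the function still returns `resolver valid=30s ipv6=off;`, a directive with no name server, which nginx is likely to reject at configuration load or leave without a usable resolver. Check what survived the filter right after the loop and before `valid=30s` is appended, for example `if len(r) == 1 { return "" }`, or fall back in whatever way the empty-list case is meant to. The lines between the two hunks are not shown; any empty-list guard there runs before filtering and so would not cover this case (inferred). The doc comment could also be brought up to date: `// buildResolvers returns the nginx resolver directive for the given name servers; when disableIpv6 is true, IPv6 servers are dropped and ipv6=off is appended`.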
|
||||
|
|
|
@ -28,6 +28,7 @@ import (
|
|||
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
|
||||
"k8s.io/ingress-nginx/internal/file"
|
||||
"k8s.io/ingress-nginx/internal/ingress"
|
||||
"k8s.io/ingress-nginx/internal/ingress/annotations/authreq"
|
||||
|
@ -352,7 +353,14 @@ func TestBuildResolvers(t *testing.T) {
|
|||
ipList := []net.IP{ipOne, ipTwo}
|
||||
|
||||
validResolver := "resolver 192.0.0.1 [2001:db8:1234::] valid=30s;"
|
||||
resolver := buildResolvers(ipList)
|
||||
resolver := buildResolvers(ipList, false)
|
||||
|
||||
if resolver != validResolver {
|
||||
t.Errorf("Expected '%v' but returned '%v'", validResolver, resolver)
|
||||
}
|
||||
|
||||
validResolver = "resolver 192.0.0.1 valid=30s ipv6=off;"
|
||||
resolver = buildResolvers(ipList, true)
|
||||
|
||||
if resolver != validResolver {
|
||||
t.Errorf("Expected '%v' but returned '%v'", validResolver, resolver)
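Review bot: The new assertions only exercise a mixed IPv4/IPv6 list, so the path where `disableIpv6` is true and the filter removes every address is not tested. Add a case with an IPv6-only list, e.g. `buildResolvers([]net.IP{ipTwo}, true)`, and assert that the result is not a `resolver` directive without addresses. The new type check can be pinned as well by asserting that `buildResolvers(ipList, "true")` returns `""`. TestBuildResolvers starts and ends outside this hunk, and `ipOne`/`ipTwo` are defined above it.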
|
||||
|
|
|
@ -172,7 +172,7 @@ http {
|
|||
{{ end }}
|
||||
error_log {{ $cfg.ErrorLogPath }} {{ $cfg.ErrorLogLevel }};
|
||||
|
||||
{{ buildResolvers $cfg.Resolver }}
|
||||
{{ buildResolvers $cfg.Resolver $cfg.DisableIpv6DNS }}
|
||||
|
||||
{{/* Whenever nginx proxies a request without a "Connection" header, the "Connection" header is set to "close" */}}
|
||||
{{/* when making the target request. This means that you cannot simply use */}}
|
||||
|
|