Added configmap option to disable IPv6 in nginx DNS resolver (#1992)
This commit is contained in:
Luke Jolly
Manuel Alejandro de Brito Fontes
parent
ad2238ca94
commit
42076e8ed0
7 changed files with 46 additions and 17 deletions
|
|
@ -37,11 +37,12 @@ The following table shows a configuration option's name, type, and the default v
|
||||||
|[client‑header‑timeout](#client-header-timeout)|int|60|
|
|[client‑header‑timeout](#client-header-timeout)|int|60|
|
||||||
|[client‑body‑buffer‑size](#client-body-buffer-size)|string|"8k"|
|
|[client‑body‑buffer‑size](#client-body-buffer-size)|string|"8k"|
|
||||||
|[client‑body‑timeout](#client-body-timeout)|int|60|
|
|[client‑body‑timeout](#client-body-timeout)|int|60|
|
||||||
|[disable‑access‑log](#disable-access-log)|bool|"false"|
|
|[disable‑access‑log](#disable-access-log)|bool|false|
|
||||||
|[disable‑ipv6](#disable-ipv6)|bool|"false"|
|
|[disable‑ipv6](#disable-ipv6)|bool|false|
|
||||||
|[enable‑underscores‑in‑headers](#enable-underscores-in-headers)|bool|"false"|
|
|[disable‑ipv6‑dns](#disable-ipv6-dns)|bool|false|
|
||||||
|[ignore‑invalid‑headers](#ignore-invalid-headers)|bool|"true"|
|
|[enable‑underscores‑in‑headers](#enable-underscores-in-headers)|bool|false|
|
||||||
|[enable‑vts‑status](#enable-vts-status)|bool|"false"|
|
|[ignore‑invalid‑headers](#ignore-invalid-headers)|bool|true|
|
||||||
|
|[enable‑vts‑status](#enable-vts-status)|bool|false|
|
||||||
|[vts‑status‑zone‑size](#vts-status-zone-size)|string|"10m"|
|
|[vts‑status‑zone‑size](#vts-status-zone-size)|string|"10m"|
|
||||||
|[vts‑default‑filter‑key](#vts-default-filter-key)|string|"$geoip_country_code country::*"|
|
|[vts‑default‑filter‑key](#vts-default-filter-key)|string|"$geoip_country_code country::*"|
|
||||||
|[retry‑non‑idempotent](#retry-non-idempotent)|bool|"false"|
|
|[retry‑non‑idempotent](#retry-non-idempotent)|bool|"false"|
|
||||||
|
|
@ -211,6 +212,10 @@ _References:_
|
||||||
|
|
||||||
Disable listening on IPV6. By default this is disabled.
|
Disable listening on IPV6. By default this is disabled.
|
||||||
|
|
||||||
|
## disable-ipv6-dns
|
||||||
|
|
||||||
|
Disable IPV6 for nginx DNS reslover. By default this is disabled.
|
||||||
|
|
||||||
## enable-underscores-in-headers
|
## enable-underscores-in-headers
|
||||||
|
|
||||||
Enables underscores in header names. By default this is disabled.
|
Enables underscores in header names. By default this is disabled.
|
||||||
|
|
|
||||||
File diff suppressed because one or more lines are too long
|
|
@ -140,6 +140,9 @@ type Configuration struct {
|
||||||
//http://nginx.org/en/docs/http/ngx_http_log_module.html
|
//http://nginx.org/en/docs/http/ngx_http_log_module.html
|
||||||
DisableAccessLog bool `json:"disable-access-log,omitempty"`
|
DisableAccessLog bool `json:"disable-access-log,omitempty"`
|
||||||
|
|
||||||
|
// DisableIpv6DNS disables IPv6 for nginx resolver
|
||||||
|
DisableIpv6DNS bool `json:"disable-ipv6-dns"`
|
||||||
|
|
||||||
// DisableIpv6 disable listening on ipv6 address
|
// DisableIpv6 disable listening on ipv6 address
|
||||||
DisableIpv6 bool `json:"disable-ipv6,omitempty"`
|
DisableIpv6 bool `json:"disable-ipv6,omitempty"`
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -144,6 +144,7 @@ func ReadConfig(src map[string]string) config.Configuration {
|
||||||
to.HideHeaders = hideHeaderslist
|
to.HideHeaders = hideHeaderslist
|
||||||
to.HTTPRedirectCode = redirectCode
|
to.HTTPRedirectCode = redirectCode
|
||||||
to.ProxyStreamResponses = streamResponses
|
to.ProxyStreamResponses = streamResponses
|
||||||
|
to.DisableIpv6DNS = !ing_net.IsIPv6Enabled()
|
||||||
|
|
||||||
config := &mapstructure.DecoderConfig{
|
config := &mapstructure.DecoderConfig{
|
||||||
Metadata: nil,
|
Metadata: nil,
|
||||||
|
|
|
||||||
|
|
@ -163,11 +163,16 @@ func formatIP(input string) string {
|
||||||
}
|
}
|
||||||
|
|
||||||
// buildResolvers returns the resolvers reading the /etc/resolv.conf file
|
// buildResolvers returns the resolvers reading the /etc/resolv.conf file
|
||||||
func buildResolvers(input interface{}) string {
|
func buildResolvers(res interface{}, disableIpv6 interface{}) string {
|
||||||
// NGINX need IPV6 addresses to be surrounded by brackets
|
// NGINX need IPV6 addresses to be surrounded by brackets
|
||||||
nss, ok := input.([]net.IP)
|
nss, ok := res.([]net.IP)
|
||||||
if !ok {
|
if !ok {
|
||||||
glog.Errorf("expected a '[]net.IP' type but %T was returned", input)
|
glog.Errorf("expected a '[]net.IP' type but %T was returned", res)
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
no6, ok := disableIpv6.(bool)
|
||||||
|
if !ok {
|
||||||
|
glog.Errorf("expected a 'bool' type but %T was returned", disableIpv6)
|
||||||
return ""
|
return ""
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -178,14 +183,21 @@ func buildResolvers(input interface{}) string {
|
||||||
r := []string{"resolver"}
|
r := []string{"resolver"}
|
||||||
for _, ns := range nss {
|
for _, ns := range nss {
|
||||||
if ing_net.IsIPV6(ns) {
|
if ing_net.IsIPV6(ns) {
|
||||||
|
if no6 {
|
||||||
|
continue
|
||||||
|
}
|
||||||
r = append(r, fmt.Sprintf("[%v]", ns))
|
r = append(r, fmt.Sprintf("[%v]", ns))
|
||||||
} else {
|
} else {
|
||||||
r = append(r, fmt.Sprintf("%v", ns))
|
r = append(r, fmt.Sprintf("%v", ns))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
r = append(r, "valid=30s;")
|
r = append(r, "valid=30s")
|
||||||
|
|
||||||
return strings.Join(r, " ")
|
if no6 {
|
||||||
|
r = append(r, "ipv6=off")
|
||||||
|
}
|
||||||
|
|
||||||
|
return strings.Join(r, " ") + ";"
|
||||||
}
|
}
|
||||||
|
|
||||||
// buildLocation produces the location string, if the ingress has redirects
|
// buildLocation produces the location string, if the ingress has redirects
|
||||||
|
|
|
||||||
|
|
@ -28,6 +28,7 @@ import (
|
||||||
|
|
||||||
"encoding/base64"
|
"encoding/base64"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
|
||||||
"k8s.io/ingress-nginx/internal/file"
|
"k8s.io/ingress-nginx/internal/file"
|
||||||
"k8s.io/ingress-nginx/internal/ingress"
|
"k8s.io/ingress-nginx/internal/ingress"
|
||||||
"k8s.io/ingress-nginx/internal/ingress/annotations/authreq"
|
"k8s.io/ingress-nginx/internal/ingress/annotations/authreq"
|
||||||
|
|
@ -352,7 +353,14 @@ func TestBuildResolvers(t *testing.T) {
|
||||||
ipList := []net.IP{ipOne, ipTwo}
|
ipList := []net.IP{ipOne, ipTwo}
|
||||||
|
|
||||||
validResolver := "resolver 192.0.0.1 [2001:db8:1234::] valid=30s;"
|
validResolver := "resolver 192.0.0.1 [2001:db8:1234::] valid=30s;"
|
||||||
resolver := buildResolvers(ipList)
|
resolver := buildResolvers(ipList, false)
|
||||||
|
|
||||||
|
if resolver != validResolver {
|
||||||
|
t.Errorf("Expected '%v' but returned '%v'", validResolver, resolver)
|
||||||
|
}
|
||||||
|
|
||||||
|
validResolver = "resolver 192.0.0.1 valid=30s ipv6=off;"
|
||||||
|
resolver = buildResolvers(ipList, true)
|
||||||
|
|
||||||
if resolver != validResolver {
|
if resolver != validResolver {
|
||||||
t.Errorf("Expected '%v' but returned '%v'", validResolver, resolver)
|
t.Errorf("Expected '%v' but returned '%v'", validResolver, resolver)
|
||||||
|
|
|
||||||
|
|
@ -172,7 +172,7 @@ http {
|
||||||
{{ end }}
|
{{ end }}
|
||||||
error_log {{ $cfg.ErrorLogPath }} {{ $cfg.ErrorLogLevel }};
|
error_log {{ $cfg.ErrorLogPath }} {{ $cfg.ErrorLogLevel }};
|
||||||
|
|
||||||
{{ buildResolvers $cfg.Resolver }}
|
{{ buildResolvers $cfg.Resolver $cfg.DisableIpv6DNS }}
|
||||||
|
|
||||||
{{/* Whenever nginx proxies a request without a "Connection" header, the "Connection" header is set to "close" */}}
|
{{/* Whenever nginx proxies a request without a "Connection" header, the "Connection" header is set to "close" */}}
|
||||||
{{/* when making the target request. This means that you cannot simply use */}}
|
{{/* when making the target request. This means that you cannot simply use */}}
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue