add configuration to disable listening on ipv6

This commit is contained in:
Giancarlo Rubio 2017-03-03 21:58:33 +01:00
parent f1062e07bc
commit 63b5f2f1c5
3 changed files with 13 additions and 6 deletions


@ -242,6 +242,9 @@ Example usage: `custom-http-errors: 404,415`
**disable-access-log:** Disables the Access Log from the entire Ingress Controller. This is 'false' by default.
**disable-ipv6:** Disable listening on IPV6. This is 'false' by default.
**enable-dynamic-tls-records:** Enables dynamically sized TLS records to improve time-to-first-byte. Enabled by default. See [CloudFlare's blog](https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency) for more information.


@ -97,6 +97,9 @@ type Configuration struct {
//http://nginx.org/en/docs/http/ngx_http_log_module.html
DisableAccessLog bool `json:"disable-access-log,omitempty"`
// DisableIpv6 disable listening on ipv6 address
DisableIpv6 bool `json:"disable-ipv6,omitempty"`
// EnableStickySessions enabled sticky sessions using cookies
// https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng
// By default this is disabled
@ -249,6 +252,7 @@ func NewDefault() Configuration {
cfg := Configuration{
ClientHeaderBufferSize: "1k",
DisableAccessLog: false,
DisableIpv6: false,
EnableDynamicTLSRecords: true,
ErrorLogLevel: errorLevel,
HSTS: true,
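Review bot: The new field name `DisableIpv6` (second added line of the first hunk) departs from the initialism casing the struct already uses, `EnableDynamicTLSRecords` and `HSTS` a few lines below in the second hunk; Go convention would be `DisableIPv6`. The JSON tag `disable-ipv6` can stay as it is, but the nginx template in this same commit reads `$cfg.DisableIpv6`, so the rename has to be applied there too. The doc comment restates the name; it would be more useful stating the effect the template implements, e.g. `// DisableIPv6 disables listening on IPv6: the template omits the [::]: address and ipv6only=off from every listen directive.` The `DisableIpv6: false` entry in NewDefault is the zero value, which matches the existing `DisableAccessLog: false` line, so that is fine as is.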


@ -208,10 +208,10 @@ http {
{{ range $index, $server := .Servers }}
server {
server_name {{ $server.Hostname }};
listen [::]:80{{ if $cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ if eq $server.Hostname "_"}} default_server ipv6only=off reuseport backlog={{ $backlogSize }}{{end}};
listen {{ if not $cfg.DisableIpv6 }}[::]:{{ end }}80{{ if $cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ if eq $server.Hostname "_"}} default_server {{ if not $cfg.DisableIpv6 }}ipv6only=off{{end}} reuseport backlog={{ $backlogSize }}{{end}};
{{/* Listen on 442 because port 443 is used in the stream section */}}
{{/* This listen on port 442 cannot contains proxy_protocol directive because port 443 is in charge of decoding the protocol */}}
{{ if not (empty $server.SSLCertificate) }}listen {{ if gt (len $passthroughBackends) 0 }}442{{ else }}[::]:443 {{ if $cfg.UseProxyProtocol }} proxy_protocol {{ end }}{{ end }} {{ if eq $server.Hostname "_"}} default_server ipv6only=off reuseport backlog={{ $backlogSize }}{{end}} ssl {{ if $cfg.UseHTTP2 }}http2{{ end }};
{{ if not (empty $server.SSLCertificate) }}listen {{ if gt (len $passthroughBackends) 0 }}442{{ else }}{{ if not $cfg.DisableIpv6 }}[::]:{{ end }}443 {{ if $cfg.UseProxyProtocol }} proxy_protocol {{ end }}{{ end }} {{ if eq $server.Hostname "_"}} default_server {{ if not $cfg.DisableIpv6 }}ipv6only=off{{end}} reuseport backlog={{ $backlogSize }}{{end}} ssl {{ if $cfg.UseHTTP2 }}http2{{ end }};
{{/* comment PEM sha is required to detect changes in the generated configuration and force a reload */}}
# PEM sha: {{ $server.SSLPemChecksum }}
ssl_certificate {{ $server.SSLCertificate }};
@ -366,7 +366,7 @@ http {
# with an external software (like sysdig)
location /nginx_status {
allow 127.0.0.1;
allow ::1;
{{ if not $cfg.DisableIpv6 }}allow ::1;{{ end }}
deny all;
access_log off;
@ -384,7 +384,7 @@ http {
# Use the port 18080 (random value just to avoid known ports) as default port for nginx.
# Changing this value requires a change in:
# https://github.com/kubernetes/contrib/blob/master/ingress/controllers/nginx/nginx/command.go#L104
listen [::]:18080 ipv6only=off default_server reuseport backlog={{ .BacklogSize }};
listen {{ if not $cfg.DisableIpv6 }}[::]:{{ end }}18080 {{ if not $cfg.DisableIpv6 }}ipv6only=off{{end}} default_server reuseport backlog={{ .BacklogSize }};
location {{ $healthzURI }} {
access_log off;
@ -406,7 +406,7 @@ http {
# TODO: enable extraction for vts module.
location /internal_nginx_status {
allow 127.0.0.1;
allow ::1;
{{ if not $cfg.DisableIpv6 }}allow ::1;{{ end }}
deny all;
access_log off;
@ -466,7 +466,7 @@ stream {
{{ buildSSLPassthroughUpstreams $backends .PassthroughBackends }}
server {
listen [::]:443 ipv6only=off{{ if $cfg.UseProxyProtocol }} proxy_protocol{{ end }};
listen {{ if not $cfg.DisableIpv6 }}[::]:{{ end }}443 {{ if not $cfg.DisableIpv6 }}ipv6only=off{{ end }}{{ if $cfg.UseProxyProtocol }} proxy_protocol{{ end }};
proxy_pass $stream_upstream;
ssl_preread on;
}
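Review bot: On the HTTPS listen line (second changed line of the first hunk), `ipv6only=off` is now guarded by `DisableIpv6` while the `[::]:` address is guarded by `passthroughBackends`, so with passthrough backends present and IPv6 enabled nginx receives `listen 442 ... ipv6only=off` on a bare IPv4 port; as far as I recall nginx only accepts `ipv6only` on an IPv6 listen address, so the `{{ if not $cfg.DisableIpv6 }}ipv6only=off{{end}}` fragment should move into the `{{ else }}` branch that emits `[::]:443` so the two conditions stay in step (the previous line had the same pairing, but the new conditional is the natural place to fix it). The `{{ if not $cfg.DisableIpv6 }}[::]:{{ end }}` / `ipv6only=off` pair is repeated on six listen directives across the section's hunks; a template function alongside `buildSSLPassthroughUpstreams` that returns the address prefix and flag for a given port would keep them from drifting apart, and would avoid the doubled space left behind when the flag is omitted. The removal of `allow ::1` under `DisableIpv6` is consistent, since no IPv6 socket is bound in that case. Both `server` blocks start and end outside the hunks.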