From 79f011bd5e2f027a55614c2a4edc8b5d463dc8f5 Mon Sep 17 00:00:00 2001
From: Manuel Alejandro de Brito Fontes
Date: Thu, 18 Jan 2018 16:37:22 -0200
Subject: [PATCH] Add support to hide headers from upstream servers (#1928)

---
 cmd/nginx/main.go                            | 51 +-------------------
 docs/user-guide/configmap.md                 |  8 ++-
 internal/ingress/controller/config/config.go |  5 ++
 .../ingress/controller/template/configmap.go |  8 +++
 rootfs/etc/nginx/template/nginx.tmpl         |  3 ++
 5 files changed, 24 insertions(+), 51 deletions(-)

diff --git a/cmd/nginx/main.go b/cmd/nginx/main.go
index d7edf8118..c31bb4cea 100644
--- a/cmd/nginx/main.go
+++ b/cmd/nginx/main.go
@@ -20,7 +20,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"math/rand"
-	"net"
 	"net/http"
 	"net/http/pprof"
 	"os"
@@ -29,7 +28,6 @@ import (
 	"syscall"
 	"time"
 
-	proxyproto "github.com/armon/go-proxyproto"
 	"github.com/golang/glog"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 
@@ -121,7 +119,7 @@ func main() {
 	// create the default SSL certificate (dummy)
 	defCert, defKey := ssl.GetFakeSSLCert()
-	c, err := ssl.AddOrUpdateCertAndKey(fakeCertificate, defCert, defKey, []byte{})
+	c, err := ssl.AddOrUpdateCertAndKey(fakeCertificate, defCert, defKey, []byte{}, fs)
 	if err != nil {
 		glog.Fatalf("Error generating self signed certificate: %v", err)
 	}
@@ -133,10 +131,6 @@ func main() {
 
 	ngx := controller.NewNGINXController(conf, fs)
 
-	if conf.EnableSSLPassthrough {
-		setupSSLProxy(conf.ListenPorts.HTTPS, conf.ListenPorts.SSLProxy, ngx)
-	}
-
 	go handleSigterm(ngx, func(code int) {
 		os.Exit(code)
 	})
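Review bot: The hunk at `@@ -133,10 +131,6 @@` drops the `EnableSSLPassthrough` gate and the `setupSSLProxy` call, a behaviour change that the subject "Add support to hide headers from upstream servers" and the description do not mention. If the TLS passthrough listener on the HTTPS port now lives inside `controller.NewNGINXController` (the new `fs` argument in the `-121` hunk suggests a wider refactor landed alongside), the commit message should say so; if it does not, `--enable-ssl-passthrough` becomes a silent no-op and nothing opens the listener this code used to bind. Either way the passthrough change deserves its own sentence in the description, and ideally its own commit, so that a bisect on broken passthrough does not land on a "hide headers" change. `main` begins before and continues after this hunk.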
@@ -168,49 +162,6 @@ func handleSigterm(ngx *controller.NGINXController, exit exiter) {
 	exit(exitCode)
 }
 
-func setupSSLProxy(sslPort, proxyPort int, n *controller.NGINXController) {
-	glog.Info("starting TLS proxy for SSL passthrough")
-	n.Proxy = &controller.TCPProxy{
-		Default: &controller.TCPServer{
-			Hostname:      "localhost",
-			IP:            "127.0.0.1",
-			Port:          proxyPort,
-			ProxyProtocol: true,
-		},
-	}
-
-	listener, err := net.Listen("tcp", fmt.Sprintf(":%v", sslPort))
-	if err != nil {
-		glog.Fatalf("%v", err)
-	}
-
-	proxyList := &proxyproto.Listener{Listener: listener}
-
-	// start goroutine that accepts tcp connections in port 443
-	go func() {
-		for {
-			var conn net.Conn
-			var err error
-
-			if n.IsProxyProtocolEnabled {
-				// we need to wrap the listener in order to decode
-				// proxy protocol before handling the connection
-				conn, err = proxyList.Accept()
-			} else {
-				conn, err = listener.Accept()
-			}
-
-			if err != nil {
-				glog.Warningf("unexpected error accepting tcp connection: %v", err)
-				continue
-			}
-
-			glog.V(3).Infof("remote address %s to local %s", conn.RemoteAddr(), conn.LocalAddr())
-			go n.Proxy.Handle(conn)
-		}
-	}()
-}
-
 // createApiserverClient creates new Kubernetes Apiserver client. When kubeconfig or apiserverHost param is empty
 // the function assumes that it is running inside a Kubernetes cluster and attempts to
 // discover the Apiserver. Otherwise, it connects to the Apiserver specified.
diff --git a/docs/user-guide/configmap.md b/docs/user-guide/configmap.md
index 911357096..c90f7315b 100644
--- a/docs/user-guide/configmap.md
+++ b/docs/user-guide/configmap.md
@@ -21,6 +21,7 @@ The following table shows a configuration option's name, type, and the default v
 |:---|:---|:------|
 |[add‑headers](#add-headers)|string|""|
 |[allow‑backend‑server‑header](#allow-backend-server-header)|bool|false|
+|[hide‑headers‑](#hide-headers)|string array|empty|
 |[access‑log‑path](#access-log-path)|string|"/var/log/nginx/access.log"|
 |[error‑log‑path](#error-log-path)|string|"/var/log/nginx/error.log"|
 |[enable‑dynamic‑tls‑records](#enable-dynamic-tls-records)|bool|true|
@@ -126,7 +127,12 @@ Sets custom headers from named configmap before sending traffic to the client. S
 
 ## allow-backend-server-header
 
-AllowBackendServerHeader enables the return of the header Server from the backend instead of the generic nginx string. By default this is disabled.
+Enables the return of the header Server from the backend instead of the generic nginx string. By default this is disabled.
+
+## hide-headers
+
+Sets additional header that will not be passed from the upstream server to the client response.
+Default: empty
 
 _References:_
 - http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header
diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go
index 116aca760..e35ce77e7 100644
--- a/internal/ingress/controller/config/config.go
+++ b/internal/ingress/controller/config/config.go
@@ -462,6 +462,11 @@ type Configuration struct {
 	// Default: false
 	// Reason for the default: https://trac.nginx.org/nginx/ticket/1300
 	ReusePort bool `json:"reuse-port"`
+
+	// HideHeaders sets additional header that will not be passed from the upstream
+	// server to the client response
+	// Default: empty
+	HideHeaders []string `json:"hide-headers"`
 }
 
 // NewDefault returns the default nginx configuration
diff --git a/internal/ingress/controller/template/configmap.go b/internal/ingress/controller/template/configmap.go
index 5a65364e1..68a88a3b1 100644
--- a/internal/ingress/controller/template/configmap.go
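Review bot: The doc comment on the new `HideHeaders` field says "additional header", singular, and does not say where the value comes from or what it becomes, so a maintainer reading `config.go` alone cannot tell that each entry is rendered verbatim as an nginx `proxy_hide_header` directive or that the configmap form is comma-separated. Suggest replacing the three comment lines with `// HideHeaders lists response header names that nginx strips from upstream responses before they reach the client; each entry is rendered as a proxy_hide_header directive.` followed by `// Populated from the comma-separated configmap key hide-headers. Default: empty`. Stating the "rendered verbatim" part is what tells the next person that the field must only ever hold bare header names. The `Configuration` struct begins before and ends within this hunk.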
+++ b/internal/ingress/controller/template/configmap.go
@@ -38,6 +38,7 @@ const (
 	bindAddress          = "bind-address"
 	httpRedirectCode     = "http-redirect-code"
 	proxyStreamResponses = "proxy-stream-responses"
+	hideHeaders          = "hide-headers"
 )
 
 var (
@@ -56,6 +57,8 @@ func ReadConfig(src map[string]string) config.Configuration {
 	skipUrls := make([]string, 0)
 	whitelist := make([]string, 0)
 	proxylist := make([]string, 0)
+	hideHeaderslist := make([]string, 0)
+
 	bindAddressIpv4List := make([]string, 0)
 	bindAddressIpv6List := make([]string, 0)
 	redirectCode := 308
@@ -71,6 +74,10 @@ func ReadConfig(src map[string]string) config.Configuration {
 			}
 		}
 	}
+	if val, ok := conf[hideHeaders]; ok {
+		delete(conf, hideHeaders)
+		hideHeaderslist = strings.Split(val, ",")
+	}
 	if val, ok := conf[skipAccessLogUrls]; ok {
 		delete(conf, skipAccessLogUrls)
 		skipUrls = strings.Split(val, ",")
@@ -133,6 +140,7 @@ func ReadConfig(src map[string]string) config.Configuration {
 	to.ProxyRealIPCIDR = proxylist
 	to.BindAddressIpv4 = bindAddressIpv4List
 	to.BindAddressIpv6 = bindAddressIpv6List
+	to.HideHeaders = hideHeaderslist
 	to.HTTPRedirectCode = redirectCode
 	to.ProxyStreamResponses = streamResponses
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index d33dfee15..c9f1323dc 100644
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -290,6 +290,9 @@ http {
     proxy_pass_header Server;
     {{ end }}
 
+    {{ range $header := $cfg.HideHeaders }}proxy_hide_header {{ $header }};
+    {{ end }}
+
     {{ if not (empty $cfg.HTTPSnippet) }}
     # Custom code snippet configured in the configuration configmap
     {{ $cfg.HTTPSnippet }}
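Review bot: In the `@@ -71,6 +74,10 @@` hunk `hideHeaderslist = strings.Split(val, ",")` takes the configmap value as-is, and each element is later written straight into an nginx directive, so a trailing comma or `"X-Foo, X-Bar"` yields `proxy_hide_header ;` (nginx rejects the config on reload and the controller keeps serving the previous one), and a value containing `;` or a newline is free to append arbitrary directives at `http {}` level. The configmap is normally admin-controlled, which limits the damage, but the parsing layer is the only place that can enforce "bare header name", so trim each entry, drop empties and reject anything outside a conservative header-token alphabet before it reaches the template (needs `regexp` in the import block). `ReadConfig` begins before and continues after this hunk.

```go
// headerNameRe accepts the characters real header names use; it is a
// conservative subset of the RFC 7230 token grammar and, above all, excludes
// ';', whitespace and newlines, which would terminate the nginx directive.
var headerNameRe = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// … unchanged: rest of ReadConfig's option parsing …
	if val, ok := conf[hideHeaders]; ok {
		delete(conf, hideHeaders)
		for _, h := range strings.Split(val, ",") {
			h = strings.TrimSpace(h)
			if h == "" {
				continue // a trailing comma would otherwise render "proxy_hide_header ;"
			}
			if !headerNameRe.MatchString(h) {
				// TODO(review): report the rejected entry with the file's logger
				continue
			}
			hideHeaderslist = append(hideHeaderslist, h)
		}
	}
```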
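Review bot: The `proxy_hide_header` directives in the `nginx.tmpl` hunk are emitted only at `http {}` level, and nginx inherits that directive as a whole set: any `proxy_hide_header` written in a `server` or `location` block, for example through a snippet annotation, replaces the configmap list instead of extending it, so the hidden headers silently reappear for that path. Whether the template already emits lower-level `proxy_hide_header` directives is not visible in this hunk, but the caveat belongs next to the `range`, e.g. `# NOTE: any proxy_hide_header in a server/location block overrides this list entirely`, and in the user-guide entry. Separately, `{{ $header }}` is interpolated verbatim into a directive, so the template is relying on `ReadConfig` having reduced each entry to a bare header name; a short comment saying so would stop a later change from widening the accepted input without noticing the consequence here.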