From 87aa96b4680ecc9c3b3c89c647791271184929d9 Mon Sep 17 00:00:00 2001
From: Manuel Alejandro de Brito Fontes
Date: Thu, 17 Sep 2020 08:19:32 -0300
Subject: [PATCH] Change server-tokens default value to false
---
docs/deploy/hardening-guide.md | 2 +-
docs/user-guide/nginx-configuration/configmap.md | 4 ++--
internal/ingress/controller/config/config.go | 2 +-
test/e2e/settings/pod_security_policy.go | 2 +-
test/e2e/settings/pod_security_policy_volumes.go | 2 +-
5 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/docs/deploy/hardening-guide.md b/docs/deploy/hardening-guide.md
index a7a98b809..d09b31cff 100644
--- a/docs/deploy/hardening-guide.md
+++ b/docs/deploy/hardening-guide.md
@@ -58,7 +58,7 @@ This guide refers to chapters in the CIS Benchmark. For full explanation you sho
 | 2.4.4 Ensure send_timeout is set to 10 seconds or less, but not 0 (Scored)| RISK TO BE ACCEPTED| Not configured, however the nginx default is 60s| Not configurable| | ||| | | __2.5 Information Disclosure__||| |
-| 2.5.1 Ensure server_tokens directive is set to `off` (Scored) | OK | server_tokens is configured to off by defaukt| |
+| 2.5.1 Ensure server_tokens directive is set to `off` (Scored) | OK | server_tokens is configured to off by default| |
 | 2.5.2 Ensure default error and index.html pages do not reference NGINX (Scored) | ACTION NEEDED| 404 shows no version at all, 503 and 403 show "nginx", which is hardcoded [see this line in nginx source code](https://github.com/nginx/nginx/blob/master/src/http/ngx_http_special_response.c#L36) | configure custom error pages at least for 403, 404 and 503 and 500|
 | 2.5.3 Ensure hidden file serving is disabled (Not Scored) | ACTION NEEDED | config not set | configure a config.server-snippet Snippet, but beware of .well-known challenges or similar. Refer to the benchmark here please |
 | 2.5.4 Ensure the NGINX reverse proxy does not enable information disclosure (Scored)| ACTION NEEDED| hide not configured| configure hide-headers with array of "X-Powered-By" and "Server": [according to this documentation](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#hide-headers) |
diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md
index 7af7fea62..7e0378bb6 100755
--- a/docs/user-guide/nginx-configuration/configmap.md
+++ b/docs/user-guide/nginx-configuration/configmap.md
@@ -79,7 +79,7 @@ The following table shows a configuration option's name, type, and the default v
 |[proxy-headers-hash-bucket-size](#proxy-headers-hash-bucket-size)|int|64|
 |[plugins](#plugins)|[]string| |
 |[reuse-port](#reuse-port)|bool|"true"|
-|[server-tokens](#server-tokens)|bool|"true"|
+|[server-tokens](#server-tokens)|bool|"false"|
 |[ssl-ciphers](#ssl-ciphers)|string|"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"|
 |[ssl-ecdh-curve](#ssl-ecdh-curve)|string|"auto"|
 |[ssl-dh-param](#ssl-dh-param)|string|""|
@@ -498,7 +498,7 @@ Activates plugins installed in `/etc/nginx/lua/plugins`. Refer to [ingress-nginx
 ## server-tokens
-Send NGINX Server header in responses and display NGINX version in error pages. _**default:**_ is enabled
+Send NGINX Server header in responses and display NGINX version in error pages. _**default:**_ is disabled
 ## ssl-ciphers
diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go
index d2dc71ea2..fd856be07 100644
--- a/internal/ingress/controller/config/config.go
+++ b/internal/ingress/controller/config/config.go
@@ -753,7 +753,7 @@ func NewDefault() Configuration {
 ProxyHeadersHashBucketSize: 64,
 ProxyStreamResponses: 1,
 ReusePort: true,
- ShowServerTokens: true,
+ ShowServerTokens: false,
 SSLBufferSize: sslBufferSize,
 SSLCiphers: sslCiphers,
 SSLECDHCurve: "auto",
diff --git a/test/e2e/settings/pod_security_policy.go b/test/e2e/settings/pod_security_policy.go
index c35ce53c8..64d99406b 100644
--- a/test/e2e/settings/pod_security_policy.go
+++ b/test/e2e/settings/pod_security_policy.go
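Review bot: `ShowServerTokens: false` in NewDefault is the bool zero value, so after this commit the entry survives only as a statement of intent and a future tidy-up could silently drop it; I would keep it and attach a why-comment, e.g. `// server_tokens off: hide the nginx version in the Server header and error pages (CIS 2.5.1)`. Note that `server_tokens off` only strips the version string — the hardening guide row 2.5.4 in this same patch still lists the `Server` header as needing hide-headers, and the configmap.md entry for server-tokens could say that explicitly so operators do not read "disabled" as "header removed". Flipping a default is also a behavior change for every cluster that never set `server-tokens` in its ConfigMap, which seems worth a line in the release notes. NewDefault starts before this hunk and its body continues past it.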
@@ -79,7 +79,7 @@ var _ = framework.IngressNginxDescribe("[Security] Pod Security Policies", func(
 f.WaitForNginxConfiguration(
 func(cfg string) bool {
- return strings.Contains(cfg, "server_tokens on")
+ return strings.Contains(cfg, "server_tokens off")
 })
 f.HTTPTestClient().
diff --git a/test/e2e/settings/pod_security_policy_volumes.go b/test/e2e/settings/pod_security_policy_volumes.go
index ca6783f86..1c98f5705 100644
--- a/test/e2e/settings/pod_security_policy_volumes.go
+++ b/test/e2e/settings/pod_security_policy_volumes.go
@@ -102,7 +102,7 @@ var _ = framework.IngressNginxDescribe("[Security] Pod Security Policies with vo
 f.WaitForNginxConfiguration(
 func(cfg string) bool {
- return strings.Contains(cfg, "server_tokens on")
+ return strings.Contains(cfg, "server_tokens off")
 })
 f.HTTPTestClient().
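Review bot: The assertion `return strings.Contains(cfg, "server_tokens off")` in pod_security_policy.go, and the identical one in pod_security_policy_volumes.go, now encodes the controller-wide default rather than a value the test sets itself, as far as these hunks show, so both Pod Security Policy tests will break again on any future change to NewDefault even though the directive is incidental to what they exercise. If the directive is only a readiness signal that the config was rendered, either set `server-tokens` explicitly in the test's ConfigMap so the expectation is self-contained, or wait on something PSP-specific instead. The enclosing Describe/It closures start before each hunk and continue past it.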