Add support to hide headers from upstream servers (#1928)

docs/user-guide/configmap.md

@@ -21,6 +21,7 @@ The following table shows a configuration option's name, type, and the default v
 |:---|:---|:------|
 |[add‑headers](#add-headers)|string|""|
 |[allow‑backend‑server‑header](#allow-backend-server-header)|bool|false|
+|[hide‑headers&#8209](#hide-headers)|string array|empty|
 |[access‑log‑path](#access-log-path)|string|"/var/log/nginx/access.log"|
 |[error‑log‑path](#error-log-path)|string|"/var/log/nginx/error.log"|
 |[enable‑dynamic‑tls‑records](#enable-dynamic-tls-records)|bool|true|
@@ -126,7 +127,12 @@ Sets custom headers from named configmap before sending traffic to the client. S
 
 ## allow-backend-server-header
 
-AllowBackendServerHeader enables the return of the header Server from the backend instead of the generic nginx string. By default this is disabled.
+Enables the return of the header Server from the backend instead of the generic nginx string. By default this is disabled.
+
+## hide-headers
+
+Sets additional header that will not be passed from the upstream server to the client response.
+Default: empty
 
 _References:_
 - http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header

internal/ingress/controller/config/config.go

@@ -462,6 +462,11 @@ type Configuration struct {
 	// Default: false
 	// Reason for the default: https://trac.nginx.org/nginx/ticket/1300
 	ReusePort bool `json:"reuse-port"`
+
+	// HideHeaders sets additional header that will not be passed from the upstream
+	// server to the client response
+	// Default: empty
+	HideHeaders []string `json:"hide-headers"`
 }
 
 // NewDefault returns the default nginx configuration

internal/ingress/controller/template/configmap.go

@@ -38,6 +38,7 @@ const (
 	bindAddress          = "bind-address"
 	httpRedirectCode     = "http-redirect-code"
 	proxyStreamResponses = "proxy-stream-responses"
+	hideHeaders          = "hide-headers"
 )
 
 var (
@@ -56,6 +57,8 @@ func ReadConfig(src map[string]string) config.Configuration {
 	skipUrls := make([]string, 0)
 	whitelist := make([]string, 0)
 	proxylist := make([]string, 0)
+	hideHeaderslist := make([]string, 0)
+
 	bindAddressIpv4List := make([]string, 0)
 	bindAddressIpv6List := make([]string, 0)
 	redirectCode := 308
@@ -71,6 +74,10 @@ func ReadConfig(src map[string]string) config.Configuration {
 			}
 		}
 	}
+	if val, ok := conf[hideHeaders]; ok {
+		delete(conf, hideHeaders)
+		hideHeaderslist = strings.Split(val, ",")
+	}
 	if val, ok := conf[skipAccessLogUrls]; ok {
 		delete(conf, skipAccessLogUrls)
 		skipUrls = strings.Split(val, ",")
@@ -133,6 +140,7 @@ func ReadConfig(src map[string]string) config.Configuration {
 	to.ProxyRealIPCIDR = proxylist
 	to.BindAddressIpv4 = bindAddressIpv4List
 	to.BindAddressIpv6 = bindAddressIpv6List
+	to.HideHeaders = hideHeaderslist
 	to.HTTPRedirectCode = redirectCode
 	to.ProxyStreamResponses = streamResponses
 

rootfs/etc/nginx/template/nginx.tmpl

@@ -290,6 +290,9 @@ http {
     proxy_pass_header Server;
     {{ end }}
 
+    {{ range $header := $cfg.HideHeaders }}proxy_hide_header {{ $header }};
+    {{ end }}
+    
     {{ if not (empty $cfg.HTTPSnippet) }}
     # Custom code snippet configured in the configuration configmap
     {{ $cfg.HTTPSnippet }}