DevFW-CICD/ingress-nginx-helm
14
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Use UsePortInRedirects only if enabled

Browse source
This commit is contained in:
Manuel Alejandro de Brito Fontes 2019-02-20 16:34:51 -03:00
parent 7534cd551a
commit 8b6e4d4697
No known key found for this signature in database
GPG key ID: 786136016A8BA02A
3 changed files with 81 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
rootfs/etc/nginx/template/nginx.tmpl
View file

@ -1126,14 +1126,25 @@ stream {
{{ if not (isLocationInLocationList $location $all.Cfg.NoTLSRedirectLocations) }} {{ if not (isLocationInLocationList $location $all.Cfg.NoTLSRedirectLocations) }}
# enforce ssl on server side # enforce ssl on server side
if ($redirect_to_https) { if ($redirect_to_https) {
set_by_lua_block $redirect_host {
local ngx_re = require "ngx.re"
local host_port, err = ngx_re.split(ngx.var.best_http_host, ":")
if err then
ngx.log(ngx.ERR, "could not parse variable: ", err)
return ngx.var.best_http_host;
end
return host_port[1];
}
{{ if $location.UsePortInRedirects }} {{ if $location.UsePortInRedirects }}
# using custom ports require a different rewrite directive # using custom ports require a different rewrite directive
{{ $redirect_port := (printf ":%v" $all.ListenPorts.HTTPS) }} # https://forum.nginx.org/read.php?2,155978,155978#msg-155978
error_page 497 ={{ $all.Cfg.HTTPRedirectCode }} https://$host{{ $redirect_port }}$request_uri; error_page 497 ={{ $all.Cfg.HTTPRedirectCode }} https://$redirect_host{{ printf ":%v" $all.ListenPorts.HTTPS }}$request_uri;
return 497; return 497;
{{ else }} {{ else }}
return {{ $all.Cfg.HTTPRedirectCode }} https://$best_http_host$request_uri; return {{ $all.Cfg.HTTPRedirectCode }} https://$redirect_host$request_uri;
{{ end }} {{ end }}
} }
{{ end }} {{ end }}

2
test/e2e/annotations/forcesslredirect.go
View file

@ -49,7 +49,7 @@ var _ = framework.IngressNginxDescribe("Annotations - Forcesslredirect", func()
f.WaitForNginxServer(host, f.WaitForNginxServer(host,
func(server string) bool { func(server string) bool {
return Expect(server).Should(ContainSubstring(`if ($redirect_to_https) {`)) && return Expect(server).Should(ContainSubstring(`if ($redirect_to_https) {`)) &&
Expect(server).Should(ContainSubstring(`return 308 https://$best_http_host$request_uri;`)) Expect(server).Should(ContainSubstring(`return 308 https://$redirect_host$request_uri;`))
}) })
resp, _, errs := gorequest.New(). resp, _, errs := gorequest.New().

65
test/e2e/settings/tls.go
View file

@ -21,6 +21,7 @@ import (
"fmt" "fmt"
"net/http" "net/http"
"strings" "strings"
"time"
. "github.com/onsi/ginkgo" . "github.com/onsi/ginkgo"
. "github.com/onsi/gomega" . "github.com/onsi/gomega"
@ -29,12 +30,17 @@ import (
"k8s.io/ingress-nginx/test/e2e/framework" "k8s.io/ingress-nginx/test/e2e/framework"
) )
func noRedirectPolicyFunc(gorequest.Request, []gorequest.Request) error {
return http.ErrUseLastResponse
}
var _ = framework.IngressNginxDescribe("Settings - TLS)", func() { var _ = framework.IngressNginxDescribe("Settings - TLS)", func() {
f := framework.NewDefaultFramework("settings-tls") f := framework.NewDefaultFramework("settings-tls")
host := "settings-tls" host := "settings-tls"
BeforeEach(func() { BeforeEach(func() {
f.NewEchoDeployment() f.NewEchoDeployment()
f.UpdateNginxConfigMapData("use-forwarded-headers", "false")
}) })
AfterEach(func() { AfterEach(func() {
@ -164,4 +170,63 @@ var _ = framework.IngressNginxDescribe("Settings - TLS)", func() {
Expect(resp.StatusCode).Should(Equal(http.StatusOK)) Expect(resp.StatusCode).Should(Equal(http.StatusOK))
Expect(resp.Header.Get("Strict-Transport-Security")).Should(ContainSubstring("preload")) Expect(resp.Header.Get("Strict-Transport-Security")).Should(ContainSubstring("preload"))
}) })
It("should not use ports during the HTTP to HTTPS redirection", func() {
ing := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.IngressController.Namespace, "http-svc", 80, nil))
tlsConfig, err := framework.CreateIngressTLSSecret(f.KubeClientSet,
ing.Spec.TLS[0].Hosts,
ing.Spec.TLS[0].SecretName,
ing.Namespace)
Expect(err).NotTo(HaveOccurred())
framework.WaitForTLS(f.IngressController.HTTPSURL, tlsConfig)
f.WaitForNginxServer(host,
func(server string) bool {
return Expect(server).Should(ContainSubstring(`if ($redirect_to_https) {`)) &&
Expect(server).Should(ContainSubstring(`return 308 https://$redirect_host$request_uri;`))
})
resp, _, errs := gorequest.New().
Get(fmt.Sprintf(f.IngressController.HTTPURL)).
Retry(10, 1*time.Second, http.StatusNotFound).
RedirectPolicy(noRedirectPolicyFunc).
Set("Host", host).
End()
Expect(errs).Should(BeEmpty())
Expect(resp.StatusCode).Should(Equal(http.StatusPermanentRedirect))
Expect(resp.Header.Get("Location")).Should(Equal(fmt.Sprintf("https://%v/", host)))
})
It("should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection", func() {
f.UpdateNginxConfigMapData("use-forwarded-headers", "true")
ing := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.IngressController.Namespace, "http-svc", 80, nil))
tlsConfig, err := framework.CreateIngressTLSSecret(f.KubeClientSet,
ing.Spec.TLS[0].Hosts,
ing.Spec.TLS[0].SecretName,
ing.Namespace)
Expect(err).NotTo(HaveOccurred())
framework.WaitForTLS(f.IngressController.HTTPSURL, tlsConfig)
f.WaitForNginxServer(host,
func(server string) bool {
return Expect(server).Should(ContainSubstring(`if ($redirect_to_https) {`)) &&
Expect(server).Should(ContainSubstring(`return 308 https://$redirect_host$request_uri;`))
})
resp, _, errs := gorequest.New().
Get(fmt.Sprintf(f.IngressController.HTTPURL)).
Retry(10, 1*time.Second, http.StatusNotFound).
RedirectPolicy(noRedirectPolicyFunc).
Set("Host", host).
Set("X-Forwarded-Host", "example.com:80").
End()
Expect(errs).Should(BeEmpty())
Expect(resp.StatusCode).Should(Equal(http.StatusPermanentRedirect))
Expect(resp.Header.Get("Location")).Should(Equal("https://example.com/"))
})
}) })