Add configoption to exclude routes from tls upgrading (#2203)

* Add configoption to exclude routes from tls upgrading * Add tests for IsLocationInLocationList * Seperate elements in NoTLSRedirectLocations by comma * Set NoTLSRedirectLocations to "/.well-known/acme-challenge/" by default * Remove trailing slash from "/.well-known/acme-challenge" default
2018-03-18 21:44:59 +01:00 · 2018-03-18 21:44:59 +01:00 · 94deb3a01a
commit 94deb3a01a
parent 977cfcb4c7
5 changed files with 60 additions and 1 deletions
--- a/docs/user-guide/configmap.md
+++ b/docs/user-guide/configmap.md
@ -133,6 +133,7 @@ The following table shows a configuration option's name, type, and the default v
 |[http-redirect-code](#http-redirect-code)|int|308|
 |[proxy-buffering](#proxy-buffering)|string|"off"|
 |[limit-req-status-code](#limit-req-status-code)|int|503|
 |[no-tls-redirect-locations](#no-tls-redirect-locations)|string|"/.well-known/acme-challenge"|
 ## add-headers
@ -731,3 +732,8 @@ Enables or disables [buffering of responses from the proxied server](http://ngin
 ## limit-req-status-code
 Sets the [status code to return in response to rejected requests](http://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_status).Default: 503
 ## no-tls-redirect-locations
 A comma-separated list of locations on which http requests will never get redirected to their https counterpart.
 Default: "/.well-known/acme-challenge"
--- a/internal/ingress/controller/config/config.go
+++ b/internal/ingress/controller/config/config.go
@ -490,6 +490,10 @@ type Configuration struct {
 	SyslogHost string `json:"syslog-host"`
 	// SyslogPort port
 	SyslogPort int `json:"syslog-port",omitempty`
 	// NoTLSRedirectLocations is a comma-separated list of locations
 	// that should not get redirected to TLS
 	NoTLSRedirectLocations string `json:"no-tls-redirect-locations"`
 }
 // NewDefault returns the default nginx configuration
@ -587,6 +591,7 @@ func NewDefault() Configuration {
 		JaegerSamplerParam:           "1",
 		LimitReqStatusCode:           503,
 		SyslogPort:                   514,
 		NoTLSRedirectLocations:       "/.well-known/acme-challenge",
 	}
 	if glog.V(5) {
--- a/internal/ingress/controller/template/template.go
+++ b/internal/ingress/controller/template/template.go
@ -129,6 +129,7 @@ var (
 		"buildRateLimit":           buildRateLimit,
 		"buildResolvers":           buildResolvers,
 		"buildUpstreamName":        buildUpstreamName,
 		"isLocationInLocationList": isLocationInLocationList,
 		"isLocationAllowed":        isLocationAllowed,
 		"buildLogFormatUpstream":   buildLogFormatUpstream,
 		"buildDenyVariable":        buildDenyVariable,
@ -513,6 +514,28 @@ func buildRateLimit(input interface{}) []string {
 	return limits
 }
 func isLocationInLocationList(location interface{}, rawLocationList string) bool {
 	loc, ok := location.(*ingress.Location)
 	if !ok {
 		glog.Errorf("expected an '*ingress.Location' type but %T was returned", location)
 		return false
 	}
 	locationList := strings.Split(rawLocationList, ",")
 	for _, locationListItem := range locationList {
 		locationListItem = strings.Trim(locationListItem, " ")
 		if locationListItem == "" {
 			continue
 		}
 		if strings.HasPrefix(loc.Path, locationListItem) {
 			return true
 		}
 	}
 	return false
 }
 func isLocationAllowed(input interface{}) bool {
 	loc, ok := input.(*ingress.Location)
 	if !ok {
--- a/internal/ingress/controller/template/template_test.go
+++ b/internal/ingress/controller/template/template_test.go
@ -645,3 +645,26 @@ func TestBuildAuthSignURL(t *testing.T) {
 		}
 	}
 }
 func TestIsLocationInLocationList(t *testing.T) {
 	testCases := []struct {
 		location        *ingress.Location
 		rawLocationList string
 		expected        bool
 	}{
 		{&ingress.Location{Path: "/match"}, "/match", true},
 		{&ingress.Location{Path: "/match"}, ",/match", true},
 		{&ingress.Location{Path: "/match"}, "/dontmatch", false},
 		{&ingress.Location{Path: "/match"}, ",/dontmatch", false},
 		{&ingress.Location{Path: "/match"}, "/dontmatch,/match", true},
 		{&ingress.Location{Path: "/match"}, "/dontmatch,/dontmatcheither", false},
 	}
 	for _, testCase := range testCases {
 		result := isLocationInLocationList(testCase.location, testCase.rawLocationList)
 		if result != testCase.expected {
 			t.Errorf(" expected %v but return %v, path: '%s', rawLocation: '%s'", testCase.expected, result, testCase.location.Path, testCase.rawLocationList)
 		}
 	}
 }
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@ -779,6 +779,7 @@ stream {
            {{/* redirect to HTTPS can be achieved forcing the redirect or having a SSL Certificate configured for the server */}}
            {{ if (or $location.Rewrite.ForceSSLRedirect (and (not (empty $server.SSLCertificate)) $location.Rewrite.SSLRedirect)) }}
            {{ if not (isLocationInLocationList $location $all.Cfg.NoTLSRedirectLocations) }}
            # enforce ssl on server side
            if ($redirect_to_https) {
                {{ if $location.UsePortInRedirects }}
@ -792,6 +793,7 @@ stream {
                {{ end }}
            }
            {{ end }}
            {{ end }}
            {{ if $all.Cfg.EnableModsecurity }}
            modsecurity on;