Add ssl_reject_handshake to defaul server (#7977)
* Add ssl_reject_handshake to default server * Added SSLRejectHandshake to NewDefault * Added documentation
This commit is contained in:
parent
ea1099abc9
commit
a03895d91e
3 changed files with 19 additions and 0 deletions
@ -208,6 +208,7 @@ The following table shows a configuration option's name, type, and the default v
|[global-rate-limit-memcached-pool-size](#global-rate-limit)|int|50|
|[global-rate-limit-memcached-pool-size](#global-rate-limit)|int|50|
|[global-rate-limit-status-code](#global-rate-limit)|int|429|
|[global-rate-limit-status-code](#global-rate-limit)|int|429|
|[service-upstream](#service-upstream)|bool|"false"|
|[service-upstream](#service-upstream)|bool|"false"|
|[ssl-reject-handshake](#ssl-reject-handshake)|bool|"false"|
## add-headers
## add-headers
@ -1263,3 +1264,11 @@ that ingress-nginx includes. Refer to the link to learn more about `lua-resty-gl
Set if the service's Cluster IP and port should be used instead of a list of all endpoints. This can be overwritten by an annotation on an Ingress rule.
Set if the service's Cluster IP and port should be used instead of a list of all endpoints. This can be overwritten by an annotation on an Ingress rule.
_**default:**_ "false"
_**default:**_ "false"
## ssl-reject-handshake
Set to reject SSL handshake to an unknown virtualhost. This paramter helps to mitigate the fingerprinting using default certificate of ingress.
_**default:**_ "false"
_References:_
[https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake)
@ -388,6 +388,11 @@ type Configuration struct {
// https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/
// https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/
SSLBufferSize string `json:"ssl-buffer-size,omitempty"`
SSLBufferSize string `json:"ssl-buffer-size,omitempty"`
// https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake
// If enabled, SSL handshakes to an invalid virtualhost will be rejected
// Default: false
SSLRejectHandshake bool `json:"ssl-reject-handshake"`
// Enables or disables the use of the PROXY protocol to receive client connection
// Enables or disables the use of the PROXY protocol to receive client connection
// (real IP address) information passed through proxy servers and load balancers
// (real IP address) information passed through proxy servers and load balancers
// such as HAproxy and Amazon Elastic Load Balancer (ELB).
// such as HAproxy and Amazon Elastic Load Balancer (ELB).
@ -838,6 +843,7 @@ func NewDefault() Configuration {
SSLECDHCurve: "auto",
SSLECDHCurve: "auto",
SSLProtocols: sslProtocols,
SSLProtocols: sslProtocols,
SSLEarlyData: sslEarlyData,
SSLEarlyData: sslEarlyData,
SSLRejectHandshake: false,
SSLSessionCache: true,
SSLSessionCache: true,
SSLSessionCacheSize: sslSessionCacheSize,
SSLSessionCacheSize: sslSessionCacheSize,
SSLSessionTickets: false,
SSLSessionTickets: false,
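Review bot: The comment on `SSLRejectHandshake` in the `type Configuration struct` hunk says handshakes to an invalid virtualhost are rejected but not where the directive is emitted; the template change in this same commit renders it only for the catch-all server (`Hostname "_"`), so I'd make that explicit, e.g. `// If enabled, the catch-all (default) server rejects TLS handshakes for server names that match no configured host`. The tag `json:"ssl-reject-handshake"` also lacks `omitempty` while the neighbouring `ssl-buffer-size,omitempty` has it; confirm this matches how the other bool fields of the struct are tagged, since the rest of the struct is outside the hunk. The explicit `SSLRejectHandshake: false` in `NewDefault` is the zero value and reads fine as a statement of intent next to `SSLSessionTickets: false`.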
@ -906,6 +906,10 @@ stream {
set $proxy_upstream_name "-";
set $proxy_upstream_name "-";
{{ if eq $server.Hostname "_" }}
ssl_reject_handshake {{ if $all.Cfg.SSLRejectHandshake }}on{{ else }}off{{ end }};
{{ end }}
ssl_certificate_by_lua_block {
ssl_certificate_by_lua_block {
certificate.call()
certificate.call()
}
}
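Review bot: `ssl_reject_handshake` exists only in nginx 1.19.4 and later, and the new `{{ if eq $server.Hostname "_" }}` block emits it whenever the option is on; if the controller image bundles an older nginx the rendered config would fail `nginx -t` and the reload would be refused, so the bundled version should be confirmed (it is not visible on this page) or the directive guarded. Presumably the `_` server is also the default for TLS connections that carry no SNI at all (clients connecting by IP, TLS health probes), so enabling this rejects those handshakes as well, not only unknown host names; that deserves a sentence in the configmap documentation and a template comment such as `{{/* reject TLS handshakes that land on the catch-all server, including SNI-less ones */}}`. The enclosing `server` block starts and ends outside the hunk.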