Add ssl_reject_handshake to defaul server (#7977)

* Add ssl_reject_handshake to defaul server * Added SSLRejectHandshake to NewDefault * Added documentation
2021-11-29 22:03:23 +05:30 · 2021-11-29 22:03:23 +05:30 · a03895d91e
commit a03895d91e
parent ea1099abc9
3 changed files with 19 additions and 0 deletions
--- a/docs/user-guide/nginx-configuration/configmap.md
+++ b/docs/user-guide/nginx-configuration/configmap.md
@ -208,6 +208,7 @@ The following table shows a configuration option's name, type, and the default v
 |[global-rate-limit-memcached-pool-size](#global-rate-limit)|int|50|
 |[global-rate-limit-status-code](#global-rate-limit)|int|429|
 |[service-upstream](#service-upstream)|bool|"false"|
+|[ssl-reject-handshake](#ssl-reject-handshake)|bool|"false"|

 ## add-headers

@ -1263,3 +1264,11 @@ that ingress-nginx includes. Refer to the link to learn more about `lua-resty-gl

 Set if the service's Cluster IP and port should be used instead of a list of all endpoints. This can be overwritten by an annotation on an Ingress rule.
 _**default:**_ "false"
+
+## ssl-reject-handshake
+
+Set to reject SSL handshake to an unknown virtualhost. This paramter helps to mitigate the fingerprinting using default certificate of ingress.
+_**default:**_ "false"
+
+_References:_
+[https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake)
--- a/internal/ingress/controller/config/config.go
+++ b/internal/ingress/controller/config/config.go
@ -388,6 +388,11 @@ type Configuration struct {
 	// https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/
 	SSLBufferSize string `json:"ssl-buffer-size,omitempty"`

+	// https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake
+	// If enabled, SSL handshakes to an invalid virtualhost will be rejected
+	// Default: false
+	SSLRejectHandshake bool `json:"ssl-reject-handshake"`
+
 	// Enables or disables the use of the PROXY protocol to receive client connection
 	// (real IP address) information passed through proxy servers and load balancers
 	// such as HAproxy and Amazon Elastic Load Balancer (ELB).
@ -838,6 +843,7 @@ func NewDefault() Configuration {
 		SSLECDHCurve:                     "auto",
 		SSLProtocols:                     sslProtocols,
 		SSLEarlyData:                     sslEarlyData,
+		SSLRejectHandshake:               false,
 		SSLSessionCache:                  true,
 		SSLSessionCacheSize:              sslSessionCacheSize,
 		SSLSessionTickets:                false,
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@ -906,6 +906,10 @@ stream {

        set $proxy_upstream_name "-";

+        {{ if eq $server.Hostname "_" }}
+        ssl_reject_handshake {{ if $all.Cfg.SSLRejectHandshake }}on{{ else }}off{{ end }};
+        {{ end }}
+
        ssl_certificate_by_lua_block {
            certificate.call()
        }