Add configoption to exclude routes from tls upgrading

2018-03-17 23:30:23 +01:00 · 2018-03-17 23:30:23 +01:00 · f0ec20ddec
commit f0ec20ddec
parent 41cefeb178
3 changed files with 27 additions and 1 deletions
--- a/internal/ingress/controller/config/config.go
+++ b/internal/ingress/controller/config/config.go
@ -486,6 +486,10 @@ type Configuration struct {
 	SyslogHost string `json:"syslog-host"`
 	// SyslogPort port
 	SyslogPort int `json:"syslog-port",omitempty`
+
+	// NoTLSRedirectLocations is a "\n -" seperated list of locations
+	// that shall not get redirected to tls
+	NoTLSRedirectLocations string `json:"no-tls-redirect-locations"`
 }

 // NewDefault returns the default nginx configuration
--- a/internal/ingress/controller/template/template.go
+++ b/internal/ingress/controller/template/template.go
@ -129,6 +129,7 @@ var (
 		"buildRateLimit":           buildRateLimit,
 		"buildResolvers":           buildResolvers,
 		"buildUpstreamName":        buildUpstreamName,
+		"isLocationInLocationList": isLocationInLocationList,
 		"isLocationAllowed":        isLocationAllowed,
 		"buildLogFormatUpstream":   buildLogFormatUpstream,
 		"buildDenyVariable":        buildDenyVariable,
@ -507,6 +508,25 @@ func buildRateLimit(input interface{}) []string {
 	return limits
 }

+func isLocationInLocationList(location interface{}, rawLocationList string) bool {
+	loc, ok := location.(*ingress.Location)
+	if !ok {
+		glog.Errorf("expected an '*ingress.Location' type but %T was returned", location)
+		return false
+	}
+
+	locationList := strings.Split(rawLocationList, "\n- ")
+
+	for _, locationListItem := range locationList {
+		locationListItem = strings.TrimLeft(locationListItem, "- ")
+		if strings.HasPrefix(loc.Path, locationListItem) {
+			return true
+		}
+	}
+
+	return false
+}
+
 func isLocationAllowed(input interface{}) bool {
 	loc, ok := input.(*ingress.Location)
 	if !ok {
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@ -102,7 +102,7 @@ http {
    {{ if $cfg.EnableOpentracing }}
    opentracing on;
    {{ end }}
-    
+
    {{ buildOpentracing $cfg }}

    include /etc/nginx/mime.types;
@ -718,6 +718,7 @@ stream {

            {{/* redirect to HTTPS can be achieved forcing the redirect or having a SSL Certificate configured for the server */}}
            {{ if (or $location.Rewrite.ForceSSLRedirect (and (not (empty $server.SSLCertificate)) $location.Rewrite.SSLRedirect)) }}
+            {{ if not (isLocationInLocationList $location $all.Cfg.NoTLSRedirectLocations) }}
            # enforce ssl on server side
            if ($redirect_to_https) {
                {{ if $location.UsePortInRedirects }}
@ -731,6 +732,7 @@ stream {
                {{ end }}
            }
            {{ end }}
+            {{ end }}

            {{ if $all.Cfg.EnableModsecurity }}
            modsecurity on;