DevFW-CICD/ingress-nginx-helm
14
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Validate x-forwarded-proto and connection scheme before redirecting to https (#1844)

Browse source
This commit is contained in:
Manuel Alejandro de Brito Fontes 2017-12-21 12:44:08 -03:00 committed by GitHub
parent 18a4e63b31
commit fead9087ac
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
rootfs/etc/nginx/template/nginx.tmpl
View file

@ -189,6 +189,12 @@ http {
'' $scheme; '' $scheme;
} }
# validate $pass_access_scheme and $scheme are http to force a redirect
map "$scheme:$pass_access_scheme" $redirect_to_https {
default 0;
"http:http" 1;
}
map $http_x_forwarded_port $pass_server_port { map $http_x_forwarded_port $pass_server_port {
default $http_x_forwarded_port; default $http_x_forwarded_port;
'' $server_port; '' $server_port;
@ -685,7 +691,7 @@ stream {
{{ if (or $location.Rewrite.ForceSSLRedirect (and (not (empty $server.SSLCertificate)) $location.Rewrite.SSLRedirect)) }} {{ if (or $location.Rewrite.ForceSSLRedirect (and (not (empty $server.SSLCertificate)) $location.Rewrite.SSLRedirect)) }}
# enforce ssl on server side # enforce ssl on server side
if ($pass_access_scheme = http) { if ($redirect_to_https) {
{{ if ne $all.ListenPorts.HTTPS 443 }} {{ if ne $all.ListenPorts.HTTPS 443 }}
{{ $redirect_port := (printf ":%v" $all.ListenPorts.HTTPS) }} {{ $redirect_port := (printf ":%v" $all.ListenPorts.HTTPS) }}
return {{ $all.Cfg.HTTPRedirectCode }} https://$best_http_host{{ $redirect_port }}$request_uri; return {{ $all.Cfg.HTTPRedirectCode }} https://$best_http_host{{ $redirect_port }}$request_uri;