* Disabled default modsecurity_rules_file if modsecurity-snippet is specifed
The default modsecurity_rules_file overwrites the ModSecurity-snippet if it is specified with custom config settings like "SecRuleEngine On". This will not let Modsecurity be in blocking mode even if "SecRuleEngine On" is specified in the ModSecurity-snippet configuration
* Remove unnecessary comments
Only have the default Modsecurity conf settings in case Modsecurity configuration snippet is not present and remove unnecessary comments
* Fixed modsecurity default file only if Modsecurity snippet present
Fixed if condition Modsecurity snippet present have modsecurity default config file
* Added e2e test to disabling modsecurity conf
Added e2e in case modsecurity-snippet enabled to disable settings in default modsecurity.conf
* Validate writing to a different location
Validate also modsecurity to write to a different location instead of the default directory
* Fixed the formatting
* Fixed if empty ModsecuritySnippet
* Fixed ModsecuritySnippet condition
* Fixed the condition also in ingress controller template
* Removed the default config condition in ingress controller template
* Fixed the default config condition in ingress controller template
* Fixed pull-ingress-nginx-test
* Revert "Fixed the default config condition in ingress controller template"
This reverts commit 9d38eca40f.
* Revert template_test
* Adjusted the formating %v
* Add Initial support for multiple cors origins in nginx
- bump cluster version for `make dev-env`
- add buildOriginRegex function in nginx.tmpl
- add e2e 4 e2e tests for cors.go
- refers to feature request #5496
* add tests + use search to identify '*' origin
* add tests + use search to identify '*' origin
Signed-off-by: Christopher Larivière <lariviere.c@gmail.com>
* fix "should enable cors test" looking at improper values
* Modify tests and add some logic for origin validation
- add origin validation in cors ingress annotations
- add extra tests to validate regex
- properly escape regex using "QuoteMeta"
- fix some copy/paste errors
* add TrimSpace and length validation before adding a new origin
* modify documentation for cors and remove dangling comment
* add support for optional port mapping on origin
* support single-level wildcard subdomains + tests
* Remove automatic `*` fonctionality from incorrect origins
- use []string instead of basic string to avoid reparsing in template.go
- fix typo in docs
- modify template to properly enable only if the whole block is enabled
- modify cors parsing
- test properly by validating that the value returned is the proper
origin
- update unit tests and annotation tests
* Re-add `*` when no cors origins are supplied + fix tests
- fix e2e tests to allow for `*`
- re-add `*` to cors parsing if trimmed cors-allow-origin is empty
(supplied but empty) and if it wasn't supplied at all.
* remove unecessary logic for building cors origin + remove comments
- add some edge cases in e2e tests
- rework logic for building cors origin
there was no need for logic in template.go for buildCorsOriginRegex
if there is a `*` it ill be short-circuited by first if.
if it's a wildcard domain or any domain (without a wildcard), it MUST
match the main/cors.go regex format.
if there's a star in a wildcard domain, it must be replaced with
`[A-Za-z0-9]+`
* add missing check in e2e tests
* add e2e test for auth-response-headers annotation
* add e2e test for grpc with auth-response-headers
* fix forwarding of auth header to GRPC backends
* add test case for proxySetHeader(nil)
Currently, the opentracing propagation instructions are set only if opentracing is configured globally.
This fix set the propagation instructions if opentracing is disabled globally, but enabled per ingress
Two new configuration options:
`disable-http-access-log`
`disable-stream-access-log`
Should resolve issue with enormous amount of `TCP 200` useless entries in logs
Signed-off-by: Andrey Voronkov <voronkovaa@gmail.com>
This change adds a new map for including the passed x-forwarded-proto
header in case is provided as an extra header.
Signed-off-by: Jorge Niedbalski <jnr@metaklass.org>
according to go templates: `(and ((not false) false))` == `true`
the only way to remove the owasp rules from every location is to disable modsec on that location, or to enable owasp globally, both not-so-great choices.
This commit fixes the logic issue by fixing the and-clause in the if-statement. As a result this reduces global resource usages when modsecurity is configured globally, but not on every location.
By default you might want opentracing off, but on for a particular
ingress.
Similarly, you might want opentracing globally on, but disabled for
a specific endpoint. To achieve this, `opentracing_propagate_context`
cannot be set when combined with `opentracing off`
A new annotation, `enable-opentracing` allows more fine grained control
of opentracing for specific ingresses.
format in nginx.tmpl otherwise individual variables are just glued together
without separating spaces so that you would get these in access logs:
[10/Oct/2019:05:03:30 +0000]TCP200000.003
[10/Oct/2019:05:03:30 +0000]TCP200000.000
[10/Oct/2019:05:05:04 +0000]TCP200000.000
which supposed to be someting like these:
[10/Oct/2019:05:03:30 +0000] TCP 200 0 0 0.003
[10/Oct/2019:05:03:30 +0000] TCP 200 0 0 0.000
[10/Oct/2019:05:05:04 +0000] TCP 200 0 0 0.000
