DevFW-CICD/ingress-nginx-helm
12
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
6367 commits 4 branches 217 tags 166 MiB
Commit graph

377 commits

Author SHA1 Message Date
Jeff Hui
7767230e6a fix undefined variable $auth_cookie error when location is denied 
(add) isLocationAllowed check before setting the cookie
 2020-06-08 13:59:52 -04:00
agile6v
fc1c043437 Add http-access-log-path and stream-access-log-path options in configMap 2020-06-05 01:27:26 +08:00
Kubernetes Prow Robot
ee02d897d5
Merge pull request #5534 from agile6v/master 
Add annotation ssl-prefer-server-ciphers.
 2020-05-29 08:35:16 -07:00
adiov
d03266d505
Add MaxMind GeoIP2 Anonymous IP support 2020-05-21 06:50:57 +03:00
Andrey Voronkov
bced1ed8b8 Ability to separately disable access log in http and stream contexts 
Two new configuration options:
`disable-http-access-log`
`disable-stream-access-log`

Should resolve issue with enormous amount of `TCP 200` useless entries in logs

Signed-off-by: Andrey Voronkov <voronkovaa@gmail.com>
 2020-05-13 21:23:37 +03:00
agile6v
41d82005ec Add annotation ssl-prefer-server-ciphers. 2020-05-11 16:31:08 +08:00
Manuel Alejandro de Brito Fontes
d18fa90cfd Add e2e test for OCSP and new configmap setting 2020-04-17 12:53:47 -04:00
Elvin Efendi
1dab12fb81 Lua OCSP stapling 2020-04-16 21:29:16 -04:00
Manuel Alejandro de Brito Fontes
c0db19b0ec Enable configuration of plugins using configmap 2020-04-13 11:38:42 -04:00
Artem Miroshnychenko
eefb32c667 fix: remove unnecessary if statement when redirect annotation is defined 2020-04-08 19:02:15 +03:00
Manuel Alejandro de Brito Fontes
6037883c4a
Forward X-Request-ID to auth service (#5301) 2020-03-29 19:58:36 -03:00
Manuel Alejandro de Brito Fontes
07b70f68bd
Redirect for app-root should preserve current scheme (#5266) 2020-03-19 15:49:18 -03:00
Maxim Pogozhiy
78576a9bbc Add Maxmind Editions support 2020-03-19 19:36:10 +07:00
Jorge Niedbalski
1d1b857cb7 Add a forwarded protocol map for included x-forwarded-proto. 
This change adds a new map for including the passed x-forwarded-proto
header in case is provided as an extra header.

Signed-off-by: Jorge Niedbalski <jnr@metaklass.org>
 2020-03-10 18:26:28 -03:00
Laszlo Janosi
2de30bf451 Add proxy-ssl-name to location level 2020-02-25 13:52:34 +01:00
schaefec
141ea59b7f Allows overriding the server name used to verify the certificate of the proxied HTTPS server 2020-02-25 13:32:14 +01:00
Manuel Alejandro de Brito Fontes
351307280e Clean template 2020-02-21 16:14:49 -03:00
Karl Stoney
5c64c52a60 Ensured that opentracing on auth request is only enabled for people that have opentracing 2020-02-20 14:12:54 +00:00
Karl Stoney
08471b527b Fixes https://github.com/kubernetes/ingress-nginx/issues/5120 2020-02-20 14:03:09 +00:00
Daniel Arifin
d48d5a61ae Add gzip-min-length as a configurable 2020-02-14 13:29:51 +07:00
Manuel Alejandro de Brito Fontes
71e35c9100
Make sure set-cookie is retained from external auth endpoint (#5067) 2020-02-14 01:41:11 -03:00
Manuel Alejandro de Brito Fontes
b3146354d4 Refactor mirror feature 2020-02-05 10:39:55 -03:00
Manuel Alejandro de Brito Fontes
b9e944a8a6
Move mod-security logic from template to go code (#5009) 2020-02-04 14:04:11 -03:00
Manuel Alejandro de Brito Fontes
5d05e19cc3
Fix enable opentracing per location (#4983) 2020-01-29 12:20:05 -03:00
Kubernetes Prow Robot
2f8cbeb8fa
Merge pull request #4956 from djboris9/proxy-protocol-port 
Fix proxy protocol support for X-Forwarded-Port
 2020-01-26 12:27:02 -08:00
Manuel Alejandro de Brito Fontes
7ff49b25d6
Move opentracing configuration for location to go (#4965) 2020-01-25 21:39:20 -03:00
Boris Djurdjevic
665f924e9e Add proxy protocol support for X-Forwarded-Port 
Fixes https://github.com/kubernetes/ingress-nginx/issues/4951
 2020-01-24 13:50:35 +01:00
Manuel Alejandro de Brito Fontes
fbdd924a45 Update nginx image 2020-01-04 13:23:16 -03:00
Manuel Alejandro de Brito Fontes
a0523c3c8a
Use a named location for authSignURL (#4859) 2019-12-24 22:50:25 -03:00
Elvin Efendi
54918c0ff2 fix duplicate hsts bug 2019-12-12 13:49:13 -05:00
MMeent
75e8d37d71
Fix issue in logic of modsec template 
according to go templates: `(and ((not false) false))` == `true`

the only way to remove the owasp rules from every location is to disable modsec on that location, or to enable owasp globally, both not-so-great choices.

This commit fixes the logic issue by fixing the and-clause in the if-statement. As a result this reduces global resource usages when modsecurity is configured globally, but not on every location.
 2019-11-28 14:56:41 +01:00
Kubernetes Prow Robot
a85d5ed93a
Merge pull request #4779 from aledbf/update-image 
Remove lua-resty-waf feature
 2019-11-27 11:45:05 -08:00
Kubernetes Prow Robot
b286c2a336
Merge pull request #4732 from willthames/enable-opentracing-annotation 
Allow enabling/disabling opentracing for ingresses
 2019-11-26 17:31:21 -08:00
Will Thames
0ae463a5f3 Provide annotation to control opentracing 
By default you might want opentracing off, but on for a particular
ingress.

Similarly, you might want opentracing globally on, but disabled for
a specific endpoint. To achieve this, `opentracing_propagate_context`
cannot be set when combined with `opentracing off`

A new annotation, `enable-opentracing` allows more fine grained control
of opentracing for specific ingresses.
 2019-11-27 11:07:26 +10:00
Manuel Alejandro de Brito Fontes
61d902db14 Remove Lua resty waf feature 2019-11-26 10:37:43 -03:00
Kubernetes Prow Robot
62518b60b4
Merge pull request #4689 from janosi/upstream_ssl 
Server-only authentication of backends and per-location SSL config
 2019-11-18 19:49:43 -08:00
Rustam Zagirov
d9cfad1894 add configuration for http2_max_concurrent_streams 2019-10-31 15:13:38 +03:00
Laszlo Janosi
cc84bd4ab6 Server level proxy_ssl parameters are applied again, following the comments received. 
Also writing tls.crt and tls.key to disk is according to the original code.
 2019-10-26 20:20:18 +02:00
Laszlo Janosi
37fe9c9876 Enabling per-location proxy-ssl parameters, so locations of the same server but with own unique Ingress definitions can have different SSL configs 2019-10-17 10:15:53 +02:00
Kubernetes Prow Robot
69880ac9ad
Merge pull request #4650 from DaveAurionix/master 
Expose GeoIP2 Organization as variable $geoip2_org
 2019-10-12 15:34:36 -07:00
Sergei Turchanov
0476715022 Need to quote expansion of $cfg.LogFormatStream in log_stream access log 
format in nginx.tmpl otherwise individual variables are just glued together
without separating spaces so that you would get these in access logs:

[10/Oct/2019:05:03:30 +0000]TCP200000.003
[10/Oct/2019:05:03:30 +0000]TCP200000.000
[10/Oct/2019:05:05:04 +0000]TCP200000.000

which supposed to be someting like these:
[10/Oct/2019:05:03:30 +0000] TCP 200 0 0 0.003
[10/Oct/2019:05:03:30 +0000] TCP 200 0 0 0.000
[10/Oct/2019:05:05:04 +0000] TCP 200 0 0 0.000
 2019-10-10 17:27:15 +10:00
Dave Thompson
8e926b21d1 Expose GeoIP2 Organization as variable $geoip2_org 2019-10-09 09:47:48 +01:00
MRoci
72c4ffa8b5
add modsecurity-snippet key 2019-09-28 09:54:07 +02:00
Elvin Efendi
c5a8357f1d handle hsts header injection in lua 2019-09-24 21:17:22 -04:00
Elvin Efendi
c93d384fb1 delete redundant config 2019-09-24 18:51:35 -04:00
Elvin Efendi
8c64b12a96 refactor force ssl redirect logic 2019-09-24 14:57:52 -04:00
A Gardner
786a3b6862 Add support for configmap of headers to be sent to external auth service 2019-09-24 10:53:23 -04:00
Manuel Alejandro de Brito Fontes
4b4176c830
Fix log format after #4557 2019-09-18 12:52:09 -03:00
Manuel Alejandro de Brito Fontes
9af574a234
Remove the_real_ip variable 2019-09-12 20:01:33 -03:00
Manuel Alejandro de Brito Fontes
ce3e3d51c3
WIP Remove nginx unix sockets (#4531) 
* Remove nginx unix sockets
* Use an emptyDir volume for /tmp in PSP e2e tests
 2019-09-08 18:14:54 -03:00
Ricardo Katz
9c51676f17 Add support to CRL (#3164) 
Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@serpro.gov.br>

Add support to CRL

Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@serpro.gov.br>
 2019-09-03 16:47:28 -04:00
Manuel Alejandro de Brito Fontes
c2935ca35c
Refactor health checks and wait until NGINX process ends 2019-09-01 15:31:27 -04:00
Manuel Alejandro de Brito Fontes
c7d2444cf4
Fix nginx variable service_port (nginx) (#4500) 2019-08-31 11:24:01 -04:00
Elvin Efendi
06f03a2af6 point users to kubectl ingress-nginx plugin 2019-08-27 07:42:42 -04:00
Manuel Alejandro de Brito Fontes
8def5ef7ca
Add support for multiple alias and remove duplication of SSL certificates (#4472) 2019-08-26 10:58:44 -04:00
Kubernetes Prow Robot
f0e71cf688
Merge pull request #4463 from zerda/fix-add-headers 
Always set headers with add-headers option
 2019-08-25 09:16:21 -07:00
SilverFox
a44b5cf3f3 Always set headers with add-headers option 
It should work regardless of the response code or add_header directive in location.
 2019-08-18 14:28:43 +08:00
Gabor Lekeny
4624b5bc77 Change PemSHA to CASHA 2019-08-16 06:31:15 +02:00
Gabor Lekeny
65b9e2c574 Merge branch 'master' of https://github.com/kubernetes/ingress-nginx into proxyssl 2019-08-16 06:21:53 +02:00
Maxime Ginters
d8bd8c5619 Add nginx proxy_max_temp_file_size configuration option 2019-08-15 13:47:42 -04:00
Kubernetes Prow Robot
0b375989f3
Merge pull request #4412 from Shopify/ssl-early-data 
Add nginx ssl_early_data option support
 2019-08-15 10:08:35 -07:00
Elvin Efendi
6a293c7e11 set /configuration client body size dynamically 2019-08-14 22:10:56 -04:00
Kubernetes Prow Robot
0d690fba1a
Merge pull request #4356 from aledbf/only-dynamic-mode 
Only support SSL dynamic mode
 2019-08-14 17:08:35 -07:00
Kubernetes Prow Robot
adef152db8
Merge pull request #4379 from diazjf/mirror 
Allow Requests to be Mirrored to different backends
 2019-08-13 17:52:24 -07:00
Elvin Efendi
d46b4148fa Lua /etc/resolv.conf parser and some refactoring 2019-08-13 18:34:54 -04:00
Manuel Alejandro de Brito Fontes
80bd481abb
Only support SSL dynamic mode 2019-08-13 17:33:34 -04:00
Manuel Alejandro de Brito Fontes
2ed75b3362
Move listen logic to go 2019-08-13 14:52:25 -04:00
Mathieu Naouache
4d97240d88
Add timezone value into $geoip2_time_zone variable 2019-08-11 14:26:48 +02:00
Pierrick Charron
f459515d0d Add quote function in template 
Co-authored-by: Charle Demers <charle.demers@gmail.com>
 2019-08-09 15:47:29 -04:00
Kubernetes Prow Robot
8c472190d1
Merge pull request #4086 from jeroen92/issue-4038 
Resolve #4038, move X-Forwarded-Port variable to the location context
 2019-08-09 08:07:25 -07:00
Manuel Alejandro de Brito Fontes
4a9b02bc03
Remove dynamic TLS records 2019-08-08 15:52:56 -04:00
tals
a2e667c082 lua shared dict from cm 
lua shared dict teml test and update func sign

lua shared dict cm test

lua shared dict integration test

lua shared dict add cm parsing

lua shared dict change test header
 2019-08-08 12:44:11 +03:00
Maxime Ginters
7219130da4 Add nginx ssl_early_data option support 2019-08-07 16:04:09 -04:00
Jeroen Schutrup
8dd912114e
Move X-Forwarded-Port variable to the location context 
Resolves issue #4038 where the X-Forwarded-Port header would be set to the value of the https listening port if all of the following settings were satisfied:
- The ingress controller was started with a non-default HTTPS port set with the `--https-port` argument
- An ingress is created having:
  - the `nginx.ingress.kubernetes.io/auth-url` annotation set
  - TLS enabled

This commit solves this issue by moving the setting of the `pass_server_port` variable from the server, one level down to the location context.
 2019-08-06 17:00:58 +02:00
Fernando Diaz
386486e969 Allow Requests to be Mirrored to different backends 
Add a feature which allows traffic to be mirrored to
additional backends. This is useful for testing how
requests will behave on different "test" backends.

See https://nginx.org/en/docs/http/ngx_http_mirror_module.html
 2019-08-01 11:53:58 -05:00
Charle Demers
72271e9313
FastCGI backend support (#2982) 
Co-authored-by: Pierrick Charron <pierrick@adoy.net>
 2019-07-31 10:39:21 -04:00
Gabor Lekeny
def13fc06c Add proxy_ssl_* directives 
Add support for backends which require client certificate (eg. NiFi)
authentication. The `proxy-ssl-secret` k8s annotation references a
secret which is used to authenticate to the backend server. All other
directives fine tune the backend communication.

The following annotations are supported:
* proxy-ssl-secret
* proxy-ssl-ciphers
* proxy-ssl-protocol
* proxy-ssl-verify
* proxy-ssl-verify-depth
 2019-07-18 03:21:52 +02:00
Kubernetes Prow Robot
589c9a20f9
Merge pull request #4278 from moolen/feat/auth-req-cache 
feat: auth-req caching
 2019-07-17 12:06:12 -07:00
Moritz Johner
23504db770 feat: auth-req caching 
add a way to configure the `proxy_cache_*` [1] directive for external-auth.
The user-defined cache_key may contain sensitive information
(e.g. Authorization header).
We want to store *only* a hash of that key, not the key itself on disk.

[1] http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_key

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
 2019-07-17 18:39:04 +02:00
Kubernetes Prow Robot
fe6c086580
Merge pull request #4288 from eshicks4/proxy-http-version-annotation 
added proxy-http-version annotation to override the HTTP/1.1 default …
 2019-07-11 11:43:07 -07:00
Manuel Alejandro de Brito Fontes
1e07cc6933
Disable access log in stream section for configuration socket 2019-07-10 13:42:13 -04:00
E. Stuart Hicks
3b0c523e49 added proxy-http-version annotation to override the HTTP/1.1 default connection type to reverse proxy backends 2019-07-08 14:32:00 -04:00
Kubernetes Prow Robot
7c297e001a
Merge pull request #4246 from ElvinEfendi/proxy-alternative-upstream-name 
introduce proxy_alternative_upstream_name Nginx var
 2019-07-04 19:20:35 -07:00
Elvin Efendi
8b208cac93 introduce proxy_alternative_upstream_name Nginx var to differentiate canary requests 2019-07-04 19:43:20 -04:00
Manuel Alejandro de Brito Fontes
8807db9748
Check and complete intermediate SSL certificates 2019-07-04 19:13:21 -04:00
Elvin Efendi
27df697dde introduce ngx.var.balancer_ewma_score 2019-07-03 16:50:22 -04:00
Manuel Alejandro de Brito Fontes
591887089f
Add e2e test suite to detect memory leaks in lua 2019-06-27 22:05:52 -04:00
Manuel Alejandro de Brito Fontes
ddffa2a173
Enable arm again 2019-06-26 23:00:58 -04:00
Kubernetes Prow Robot
5dfc7e211f
Merge pull request #4221 from aledbf/upgrade-nginx-image 
Switch to openresty image
 2019-06-24 09:45:57 -07:00
Manuel Alejandro de Brito Fontes
991f95f6bf
Migrate to openresty 2019-06-23 22:29:11 -04:00
Manuel Alejandro de Brito Fontes
d7b213d979
Do not set Host header when backend protocol is grpc 2019-06-18 23:44:10 -04:00
Sebastiaan Tammer
c11583dc5f Only load modsecurity_module when ModSec is active 2019-06-11 16:39:52 +02:00
Manuel Alejandro de Brito Fontes
c4597522bf
Refactor whitelist from map to standard allow directives 2019-05-27 04:55:38 -04:00
weltschraet
abca32ba8e reduce memory footprint and cpu usage when modsecurity and owasp rules are enabled globally 2019-05-18 19:08:30 +02:00
MRoci
8b7f069b56
load modsecurity.conf on ModSecurity.Enable 2019-05-13 17:39:06 +02:00
okryvoshapka-connyun
8cc9afe8ee Added Global External Authentication settings to configmap parameters incl. addons 2019-05-03 12:08:16 +02:00
Kubernetes Prow Robot
34734edc6e
Merge pull request #4005 from Shopify/proxy-next-upstream-timeout 
Support proxy_next_upstream_timeout
 2019-04-15 09:10:09 -07:00
Alex Kursell
ffeb1fe348 Support proxy_next_upstream_timeout 2019-04-15 11:08:57 -04:00
Elvin Efendi
2f3cf1a6c0 do not create empty access_by_lua_block 2019-04-13 16:11:46 -04:00
Elvin Efendi
8f81538b0d lua plugin system 2019-04-04 09:25:22 -04:00