

Commit 2d9a279

Don't require default server TLS secret
If the default server TLS secret is not configured via the -default-server-tls-secret cli arg, or it is not present on the filesystem at /etc/nginx/secrets/default, the Ingress Controller will configure NGINX to reject TLS connections to the default server. Note: The default server is used in the NGINX configuration to handle HTTP and HTTPS requests to hosts that are not configured by any Ingress, VirtualServer or TransportServer resources. The default server simply returns 404 responses.
1 parent 3d0c75d commit 2d9a279

8 files changed

+31
-7
lines changed


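--- a/cmd/nginx-ingress/main.go
+++ b/cmd/nginx-ingress/main.go
@@ -91,9 +91,10 @@ var (
 
 defaultServerSecret = flag.String("default-server-tls-secret", "",
 `A Secret with a TLS certificate and key for TLS termination of the default server. Format: <namespace>/<name>.
-If not set, certificate and key in the file "/etc/nginx/secrets/default" are used. If a secret is set,
-but the Ingress controller is not able to fetch it from Kubernetes API or a secret is not set and
-the file "/etc/nginx/secrets/default" does not exist, the Ingress controller will fail to start`)
+If not set, than the certificate and key in the file "/etc/nginx/secrets/default" are used.
+If "/etc/nginx/secrets/default" doesn't exist, the Ingress Controller will configure NGINX to reject TLS connections to the default server.
+If a secret is set, but the Ingress controller is not able to fetch it from Kubernetes API or it is not set and the Ingress Controller
+fails to read the file "/etc/nginx/secrets/default", the Ingress controller will fail to start.`)
 
 versionFlag = flag.Bool("version", false, "Print the version and git-commit hash and exit")
 
@@ -429,6 +430,8 @@ func main() {
 nginxManager.AppProtectPluginStart(aPPluginDone)
 }
 
+var sslRejectHandshake bool
+
 if *defaultServerSecret != "" {
 secret, err := getAndValidateSecret(kubeClient, *defaultServerSecret)
 if err != nil {
@@ -438,9 +441,14 @@ func main() {
 bytes := configs.GenerateCertAndKeyFileContent(secret)
 nginxManager.CreateSecret(configs.DefaultServerSecretName, bytes, nginx.TLSSecretFileMode)
 } else {
-_, err = os.Stat("/etc/nginx/secrets/default")
-if os.IsNotExist(err) {
-glog.Fatalf("A TLS cert and key for the default server is not found")
+_, err := os.Stat(configs.DefaultServerSecretPath)
+if err != nil {
+if os.IsNotExist(err) {
+// file doesn't exist - it is OK! we will reject TLS connections in the default server
+sslRejectHandshake = true
+} else {
+glog.Fatalf("Error checking the default server TLS cert and key in %s: %v", configs.DefaultServerSecretPath, err)
+}
 }
 }
 
@@ -513,6 +521,7 @@ func main() {
 MainAppProtectLoadModule: *appProtect,
 EnableLatencyMetrics: *enableLatencyMetrics,
 EnablePreviewPolicies: *enablePreviewPolicies,
+SSLRejectHandshake: sslRejectHandshake,
 }
 
 ngxConfig := configs.GenerateNginxMainConfig(staticCfgParams, cfgParams)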
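Review bot: The flag help text rewritten in the first hunk reads `If not set, than the certificate and key in the file "/etc/nginx/secrets/default" are used.`; it should be `then`, and since this string is what `--help` prints to operators it is worth fixing before it lands in the docs too. In the third hunk the Go side now reads the location from `configs.DefaultServerSecretPath`, while nginx.tmpl and nginx-plus.tmpl still embed the literal `/etc/nginx/secrets/default` in `ssl_certificate` / `ssl_certificate_key`, so the stat check and the path NGINX actually opens can silently diverge if the constant is ever changed. Consider either passing the path through `MainConfig` into the templates or adding a comment on the constant, e.g. `// Must match the ssl_certificate path hard-coded in version1/nginx*.tmpl.`. The `os.Stat` branch also only proves the file exists, not that it is readable by the NGINX worker or contains both a cert and a key; a short comment `// existence only - a malformed or unreadable file is still reported by nginx at config load` would set expectations. main's body begins and ends outside these hunks.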

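--- a/docs-web/configuration/global-configuration/command-line-arguments.md
+++ b/docs-web/configuration/global-configuration/command-line-arguments.md
@@ -15,7 +15,8 @@ Below we describe the available command-line arguments:
 Secret with a TLS certificate and key for TLS termination of the default server.
 
 - If not set, certificate and key in the file "/etc/nginx/secrets/default" are used.
-- If a secret is set, but the Ingress controller is not able to fetch it from Kubernetes API, or if a secret is not set and the file "/etc/nginx/secrets/ default" does not exist, the Ingress controller will fail to start.
+- If "/etc/nginx/secrets/default" doesn't exist, the Ingress Controller will configure NGINX to reject TLS connections to the default server.
+- If a secret is set, but the Ingress controller is not able to fetch it from Kubernetes API, or it is not set and the Ingress Controller fails to read the file "/etc/nginx/secrets/default", the Ingress controller will fail to start.
 
 Format: ``<namespace>/<name>``
 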

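--- a/internal/configs/config_params.go
+++ b/internal/configs/config_params.go
@@ -116,6 +116,7 @@ type StaticConfigParams struct {
 PodName string
 EnableLatencyMetrics bool
 EnablePreviewPolicies bool
+SSLRejectHandshake bool
 }
 
 // GlobalConfigParams holds global configuration parameters. For now, it only holds listeners.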

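--- a/internal/configs/configmaps.go
+++ b/internal/configs/configmaps.go
@@ -534,6 +534,7 @@ func GenerateNginxMainConfig(staticCfgParams *StaticConfigParams, config *Config
 SSLDHParam: config.MainServerSSLDHParam,
 SSLPreferServerCiphers: config.MainServerSSLPreferServerCiphers,
 SSLProtocols: config.MainServerSSLProtocols,
+SSLRejectHandshake: staticCfgParams.SSLRejectHandshake,
 TLSPassthrough: staticCfgParams.TLSPassthrough,
 StreamLogFormat: config.MainStreamLogFormat,
 StreamLogFormatEscaping: config.MainStreamLogFormatEscaping,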

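--- a/internal/configs/configurator.go
+++ b/internal/configs/configurator.go
@@ -40,6 +40,9 @@ const (
 appProtectUserSigIndex = "/etc/nginx/waf/nac-usersigs/index.conf"
 )
 
+// DefaultServerSecretPath is the full path to the Secret with a TLS cert and a key for the default server.
+const DefaultServerSecretPath = "/etc/nginx/secrets/default"
+
 // DefaultServerSecretName is the filename of the Secret with a TLS cert and a key for the default server.
 const DefaultServerSecretName = "default"
 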

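--- a/internal/configs/version1/config.go
+++ b/internal/configs/version1/config.go
@@ -174,6 +174,7 @@ type MainConfig struct {
 ServerNamesHashBucketSize string
 ServerNamesHashMaxSize string
 ServerTokens string
+SSLRejectHandshake bool
 SSLCiphers string
 SSLDHParam string
 SSLPreferServerCiphers bool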

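--- a/internal/configs/version1/nginx-plus.tmpl
+++ b/internal/configs/version1/nginx-plus.tmpl
@@ -130,8 +130,12 @@ http {
 listen 443 ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}};
 {{end}}
 
+{{if .SSLRejectHandshake}}
+ssl_reject_handshake on;
+{{else}}
 ssl_certificate /etc/nginx/secrets/default;
 ssl_certificate_key /etc/nginx/secrets/default;
+{{end}}
 
 {{range $setRealIPFrom := .SetRealIPFrom}}
 set_real_ip_from {{$setRealIPFrom}};{{end}}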
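Review bot: The `ssl_reject_handshake on;` directive emitted inside the new `{{if .SSLRejectHandshake}}` branch (here and in the same hunk of nginx.tmpl) is only recognised by NGINX 1.19.4 and later (and, if I recall correctly, NGINX Plus R23 and later); on an older base image the rendered config fails to load and the controller does not start, which is the very failure mode this commit sets out to avoid. Neither the templates nor command-line-arguments.md record that minimum, so an operator who builds from a pinned older image will only find out at startup. Suggest a template comment directly above the directive, `# ssl_reject_handshake requires NGINX 1.19.4+ / NGINX Plus R23+`, and a matching sentence in the -default-server-tls-secret docs. The surrounding `server` block begins and ends outside the hunk.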

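--- a/internal/configs/version1/nginx.tmpl
+++ b/internal/configs/version1/nginx.tmpl
@@ -107,8 +107,12 @@ http {
 listen 443 ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}};
 {{end}}
 
+{{if .SSLRejectHandshake}}
+ssl_reject_handshake on;
+{{else}}
 ssl_certificate /etc/nginx/secrets/default;
 ssl_certificate_key /etc/nginx/secrets/default;
+{{end}}
 
 {{range $setRealIPFrom := .SetRealIPFrom}}
 set_real_ip_from {{$setRealIPFrom}};{{end}}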
