Kubernetes-ingress: Can't disable default backend or handle direct public IP Request

Created on 27 May 2020  路  4Comments  路  Source: nginxinc/kubernetes-ingress

Describe the bug
If you request http directly http(s)://xxx.xxx.xxx.xxx the default backend is invoked. This is an issue for PCI compliance because it is using a self-signed cert and even if you were using an official cert, it would still fail because it wouldn't match the host obviously. There doesn't appear to be any way to intercept IP direct at all nor is there a way to tell the ingress controller to ignore the request outright. (i.e. I don't want it to respond at all to https at the very least for anything that isn't a valid and mapped route.

To Reproduce
Any ingress config that is bound to a public IP will exhibit this behavior.

Expected behavior
Should by default not respond on https at all for the default backend or at the very least allow us to define in the setup that we don't want a default backend at all.

Additional context
As it stands right now, this will fail all PCI scans.

proposal

Most helpful comment

@pleshakov Thanks for the suggestion, but no because I need SSL working everywhere EXCEPT if there is a direct request to the IP only. (and I'm trying to make sure that this doesn't step out of config options)

I.e. http://some.domain.com as a default-backend is fine. I don't really care. but https://1.1.1.1 should neve respond. This should be actively blocked because it can never be a secure configuration.

AND I should be able to dump everything except for the healthz entirely. I.e. no response at all to http not https unless it's to a properly mapped configuration. I.e. the default-backend should only respond to the healthz endpoint and nothing else per a configuration, because only then do you have a secure configuration.

All 4 comments

Hi @JohnGalt1717

Should by default not respond on https at all for the default backend or at the very least allow us to define in the setup that we don't want a default backend at all.

There is a way to make NGINX break any client attempts to establish a TLS connection. For connections to the default server, you need to configure: ssl_ciphers NULL; in the default server.

Unfortunately, it is only possibly if you modify the main config template -- https://github.com/nginxinc/kubernetes-ingress/blob/master/internal/configs/version1/nginx.tmpl#L102 You can add the line ssl_ciphers NULL; to the default server and specify the modified template via a ConfigMap https://github.com/nginxinc/kubernetes-ingress/tree/v1.7.0/examples/custom-templates

Could this approach work for you?

@pleshakov Thanks for the suggestion, but no because I need SSL working everywhere EXCEPT if there is a direct request to the IP only. (and I'm trying to make sure that this doesn't step out of config options)

I.e. http://some.domain.com as a default-backend is fine. I don't really care. but https://1.1.1.1 should neve respond. This should be actively blocked because it can never be a secure configuration.

AND I should be able to dump everything except for the healthz entirely. I.e. no response at all to http not https unless it's to a properly mapped configuration. I.e. the default-backend should only respond to the healthz endpoint and nothing else per a configuration, because only then do you have a secure configuration.

I am also facing this exact same issue with compliance.

Same problem here. Every week I get an alert from our cloud vendor that the k8s cluster is using a self-signed certificate for web service https://x.x.x.x.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

RazaGR picture RazaGR  路  6Comments

nabheet picture nabheet  路  7Comments

bprashanth picture bprashanth  路  6Comments

ajpinedam picture ajpinedam  路  4Comments

jmastr picture jmastr  路  4Comments