HSTS not supported with VS #5964
Replies: 10 comments
-
Hi @ElvenSpellmaker thanks for reporting! Be sure to check out the docs while you wait for a human to take a look at this 🙂 Cheers!
-
I did 🙂
-
I assume this is why, so is it no longer possible to apply a blanket SSL redirect on a global level? What about HSTS?
-
But I can't see a way to set HSTS on a VirtualServer level...
-
So it looks like there's no way to enforce HSTS at all (without enabling snippets perhaps) and no way to globally redirect to HTTPS.
-
Two ways to handle redirecting to HTTPS
Doing it at the VS level gives the granular control, in case there is a path that is not wanted to be redirected.
-
@ElvenSpellmaker @brianehlert I can suggest a workaround - you can put the following into the ConfigMap which will enable both TLS redirects and HSTS for VirtualServers:

```yaml
data:
  server-snippets: |
    # Drop any HSTS header set by the upstream so only one is sent.
    proxy_hide_header Strict-Transport-Security;
    # Empty on http: nginx does not emit a header whose value is empty.
    set $hsts_header_val "";
    if ($scheme = 'https') {
      set $hsts_header_val "max-age=31536000";
    }
    add_header Strict-Transport-Security "$hsts_header_val" always;
    # Redirect plain http requests to the same host and URI over https.
    if ($scheme = 'http') {
      return 302 https://$host$request_uri;
    }
```

Now if we deploy this example -- https://github.com/nginxinc/kubernetes-ingress/tree/master/examples-of-custom-resources/basic-configuration -- and apply that ConfigMap, we will get:
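An added example, not part of the comment above or of the NGINX Ingress Controller project: a Python check for the behaviour that snippet is meant to produce (a redirect on http, exactly one `Strict-Transport-Security` header with `max-age=31536000` on https), run over constructed responses. The function names, finding strings and sample responses are assumptions made for this example.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value per RFC 6797; None if invalid."""
    directives = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, arg = part.partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        if name in directives:             # a repeated directive invalidates the header
            return None
        directives[name] = arg.strip().strip('"')
    age = directives.get("max-age", "")    # max-age is the one required directive
    if not (age.isascii() and age.isdigit()):
        return None
    return {"max_age": int(age),
            "include_subdomains": "includesubdomains" in directives}

def check_response(url, status, headers, min_age=31536000):
    """headers: list of (name, value) pairs. Returns findings; [] means compliant."""
    def values(name):
        return [v for k, v in headers if k.lower() == name]
    req, findings = urlsplit(url), []
    hsts = values("strict-transport-security")
    if req.scheme == "http":
        loc = urlsplit((values("location") or [""])[0])
        redirected = status in (301, 302, 307, 308) and loc.scheme == "https"
        if not redirected or loc.hostname != req.hostname:
            findings.append("no redirect to https on the same host")
        if hsts:                           # RFC 6797: not to be sent over plain http
            findings.append("HSTS header sent over plain http")
    else:
        if len(hsts) > 1:                  # e.g. an upstream header that was not hidden
            findings.append("duplicate HSTS headers")
        policy = parse_hsts(hsts[0]) if hsts else None
        if policy is None:
            findings.append("missing or malformed HSTS header")
        elif policy["max_age"] < min_age:
            findings.append("HSTS max-age below %d" % min_age)
    return findings

# Constructed sample responses (not captured from a real deployment).
SAMPLES = [
    ("http://foo.foo.com/", 302, [("Location", "https://foo.foo.com/")]),
    ("https://foo.foo.com/", 200, [("Strict-Transport-Security", "max-age=31536000")]),
    ("http://foo.foo.com/", 200, []),
    ("https://foo.foo.com/", 200, [("Strict-Transport-Security", "max-age=31536000"),
                                   ("Strict-Transport-Security", "max-age=0")]),
]
```

The first two samples model the responses the workaround should give; the third matches the symptom in the bug report (plain http served with no redirect).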
-
For me too, config map ssl-protocols setting TLSV1.2 is not working. I am connecting .NET C# application hosted in Azure to Azure File Share. Azure File Share requires TLS 1.2 version and I have configured the same in nginx configmap using ssl-protocol argument. I still get SSL handshake error.
-
But this has to be applied per VirtualServer which is really clunky and won't fly with any compliance team. Are VirtualServers considered deprecated for native Ingress objects which do support these options?
-
NGINX Ingress Controller is moving forward with the CRDs. VirtualServer, VirtualServerRoute, TransportServer, Policy.
-
Describe the bug

Using Nginx Ingress when I try to apply `ssl-redirect` and `hsts` they don't seem to be working. Going to foo.foo.com gives me http with no redirect.

To Reproduce

As per: https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/

Note it says that `ssl-redirect` is on by default but it doesn't appear to be. 🤔

A ConfigMap like the following: https://user-images.githubusercontent.com/2286713/132874484-d5d30bee-437c-42f2-be2b-03d55f569e11.png

Nginx configuration like so:

```yml
- name: nginx-ingress
  image: 'nginx/nginx-ingress:1.8.1'
  args:
    - '-nginx-configmaps=$(POD_NAMESPACE)/nginx-config'
    - '-default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret'
    - '-global-configuration=$(POD_NAMESPACE)/nginx-configuration'
```

(Note if the ConfigMap doesn't exist it will fail to start so it's clearly reading it but not doing anything with the values.)

VirtualServers like the following:

```yml
apiVersion: k8s.nginx.org/v1
metadata:
  name: foo
  namespace: foo
kind: VirtualServer
spec:
  host: foo.foo.com
  routes:
    - action:
        pass: foo
      path: /
  tls:
    secret: wildcard-tls
  upstreams:
    - name: foo
      port: 80
      service: foo
      tls:
        enable: false
```

Expected behavior

When going to foo.foo.com an SSL 301 redirect should be present and an HSTS header on the redirected content.

additional

Aha! Link: https://nginx.aha.io/features/IC-303