diff --git a/controllers/nginx/pkg/cmd/controller/nginx.go b/controllers/nginx/pkg/cmd/controller/nginx.go index fc6cdd4a07..979b25f23d 100644 --- a/controllers/nginx/pkg/cmd/controller/nginx.go +++ b/controllers/nginx/pkg/cmd/controller/nginx.go @@ -479,6 +479,18 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) error { } } + addHeaders := map[string]string{} + if cfg.AddHeaders != "" { + cmap, exists, err := n.storeLister.ConfigMap.GetByKey(cfg.AddHeaders) + if err != nil { + glog.Warningf("unexpected error reading configmap %v: %v", cfg.AddHeaders, err) + } + + if exists { + addHeaders = cmap.(*api_v1.ConfigMap).Data + } + } + sslDHParam := "" if cfg.SSLDHParam != "" { secretName := cfg.SSLDHParam @@ -507,6 +519,7 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) error { content, err := n.t.Write(config.TemplateConfig{ ProxySetHeaders: setHeaders, + AddHeaders: addHeaders, MaxOpenFiles: maxOpenFiles, BacklogSize: sysctlSomaxconn(), Backends: ingressCfg.Backends, diff --git a/controllers/nginx/pkg/config/config.go b/controllers/nginx/pkg/config/config.go index 4fc209de92..67c7d6bcf0 100644 --- a/controllers/nginx/pkg/config/config.go +++ b/controllers/nginx/pkg/config/config.go @@ -83,6 +83,9 @@ const ( type Configuration struct { defaults.Backend `json:",squash"` + // Sets the name of the configmap that contains the headers to pass to the client + AddHeaders string `json:"add-headers,omitempty"` + // AllowBackendServerHeader enables the return of the header Server from the backend // instead of the generic nginx string. // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header @@ -368,7 +371,7 @@ func NewDefault() Configuration { SkipAccessLogURLs: []string{}, }, UpstreamKeepaliveConnections: 0, - LimitConnZoneVariable: defaultLimitConnZoneVariable, + LimitConnZoneVariable: defaultLimitConnZoneVariable, } if glog.V(5) { @@ -392,6 +395,7 @@ func (cfg Configuration) BuildLogFormatUpstream() string { // TemplateConfig contains the nginx configuration to render the file nginx.conf type TemplateConfig struct { ProxySetHeaders map[string]string + AddHeaders map[string]string MaxOpenFiles int BacklogSize int Backends []*ingress.Backend diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl index 8f7eba0aac..627348b61d 100644 --- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl +++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl @@ -3,6 +3,7 @@ {{ $healthzURI := .HealthzURI }} {{ $backends := .Backends }} {{ $proxyHeaders := .ProxySetHeaders }} +{{ $addHeaders := .AddHeaders }} daemon off; worker_processes {{ $cfg.WorkerProcesses }}; @@ -92,6 +93,11 @@ http { gzip_proxied any; {{ end }} + # Custom headers for response + {{ range $k, $v := $addHeaders }} + add_header {{ $k }} "{{ $v }}"; + {{ end }} + server_tokens {{ if $cfg.ShowServerTokens }}on{{ else }}off{{ end }}; # disable warnings @@ -324,6 +330,7 @@ http { return 302 {{ $location.Redirect.AppRoot }}; } {{ end }} + {{ if not (empty $authPath) }} location = {{ $authPath }} { internal; @@ -427,7 +434,7 @@ http { # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ proxy_set_header Proxy ""; - # Custom headers + # Custom headers to proxied server {{ range $k, $v := $proxyHeaders }} proxy_set_header {{ $k }} "{{ $v }}"; {{ end }}