Add support to hide headers from upstream servers (#1928)

kubernetes · Jan 18, 2018 · 8975800 · 8975800 · oxr463 · Jun 22, 2020
1 parent 858f339
commit 8975800
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 1 deletion.
diff --git a/docs/user-guide/configmap.md b/docs/user-guide/configmap.md
@@ -21,6 +21,7 @@ The following table shows a configuration option's name, type, and the default v
 |:---|:---|:------|
 |[add&#8209;headers](#add-headers)|string|""|
 |[allow&#8209;backend&#8209;server&#8209;header](#allow-backend-server-header)|bool|false|
+|[hide&#8209;headers&#8209](#hide-headers)|string array|empty|
 |[access&#8209;log&#8209;path](#access-log-path)|string|"/var/log/nginx/access.log"|
 |[error&#8209;log&#8209;path](#error-log-path)|string|"/var/log/nginx/error.log"|
 |[enable&#8209;dynamic&#8209;tls&#8209;records](#enable-dynamic-tls-records)|bool|true|
@@ -126,7 +127,12 @@ Sets custom headers from named configmap before sending traffic to the client. S
 
 ## allow-backend-server-header
 
-AllowBackendServerHeader enables the return of the header Server from the backend instead of the generic nginx string. By default this is disabled.
+Enables the return of the header Server from the backend instead of the generic nginx string. By default this is disabled.
+
+## hide-headers
+
+Sets additional header that will not be passed from the upstream server to the client response.
+Default: empty
 
 _References:_
 - http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header

diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go
@@ -462,6 +462,11 @@ type Configuration struct {
 	// Default: false
 	// Reason for the default: https://trac.nginx.org/nginx/ticket/1300
 	ReusePort bool `json:"reuse-port"`
+
+	// HideHeaders sets additional header that will not be passed from the upstream
+	// server to the client response
+	// Default: empty
+	HideHeaders []string `json:"hide-headers"`
 }
 
 // NewDefault returns the default nginx configuration

diff --git a/internal/ingress/controller/template/configmap.go b/internal/ingress/controller/template/configmap.go
@@ -38,6 +38,7 @@ const (
 	bindAddress          = "bind-address"
 	httpRedirectCode     = "http-redirect-code"
 	proxyStreamResponses = "proxy-stream-responses"
+	hideHeaders          = "hide-headers"
 )
 
 var (
@@ -56,6 +57,8 @@ func ReadConfig(src map[string]string) config.Configuration {
 	skipUrls := make([]string, 0)
 	whitelist := make([]string, 0)
 	proxylist := make([]string, 0)
+	hideHeaderslist := make([]string, 0)
+
 	bindAddressIpv4List := make([]string, 0)
 	bindAddressIpv6List := make([]string, 0)
 	redirectCode := 308
@@ -71,6 +74,10 @@ func ReadConfig(src map[string]string) config.Configuration {
 			}
 		}
 	}
+	if val, ok := conf[hideHeaders]; ok {
+		delete(conf, hideHeaders)
+		hideHeaderslist = strings.Split(val, ",")
+	}
 	if val, ok := conf[skipAccessLogUrls]; ok {
 		delete(conf, skipAccessLogUrls)
 		skipUrls = strings.Split(val, ",")
@@ -133,6 +140,7 @@ func ReadConfig(src map[string]string) config.Configuration {
 	to.ProxyRealIPCIDR = proxylist
 	to.BindAddressIpv4 = bindAddressIpv4List
 	to.BindAddressIpv6 = bindAddressIpv6List
+	to.HideHeaders = hideHeaderslist
 	to.HTTPRedirectCode = redirectCode
 	to.ProxyStreamResponses = streamResponses
 

diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
@@ -290,6 +290,9 @@ http {
     proxy_pass_header Server;
     {{ end }}
 
+    {{ range $header := $cfg.HideHeaders }}proxy_hide_header {{ $header }};
+    {{ end }}
+
     {{ if not (empty $cfg.HTTPSnippet) }}
     # Custom code snippet configured in the configuration configmap
     {{ $cfg.HTTPSnippet }}