nginx: Option to not use incoming X-Forwarded headers #1668

Closed
albertvaka opened this issue Nov 8, 2017 · 2 comments

@albertvaka
Contributor

I'm reopening #1309 as, if I understand correctly, it hasn't been fixed:

Currently, if you deploy nginx-ingress-controller facing directly to the internet (via NodePort/HostPort or a LoadBalancer service), end users can spoof their IP by sending an X-Forwarded-For header, which will be forwarded to the backend services. Same for the other X-Forwarded headers.

By looking at the template, there seems to be no config option to disable this.

It would be great to have one - in the current state the nginx ingress is insecure by default when exposing it directly to the internet.

@aledbf
Member

aledbf commented Nov 8, 2017

@albertvaka this is not correct. If you configure a cluster in AWS using an L7 ELB it works as expected
https://github.com/kubernetes/ingress-nginx/tree/master/deploy#aws

Edit: keep in mind you need to adjust the proxy-real-ip-cidr setting in the configuration configmap
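
Added example (not part of the thread and not ingress-nginx code): the trust decision that a proxy CIDR list such as `proxy-real-ip-cidr` expresses, written in Python. The function name, the right-to-left walk over the header and the sample addresses (documentation ranges) are assumptions chosen for illustration.

```python
import ipaddress


def effective_client_ip(peer_ip, xff_header, trusted_cidrs):
    """Return the address a backend should treat as the client.

    peer_ip       -- source address of the TCP connection
    xff_header    -- raw X-Forwarded-For value, or None
    trusted_cidrs -- networks whose X-Forwarded-For entries are believed
    """
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]

    def is_trusted(addr):
        return any(addr in net for net in trusted if net.version == addr.version)

    current = ipaddress.ip_address(peer_ip)
    if not xff_header:
        return str(current)

    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Each entry was appended by the node to its right, so walk right to
    # left and accept an entry only if the node that vouched for it is trusted.
    for hop in reversed(hops):
        if not is_trusted(current):
            break
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last verifiable address
    return str(current)


# Constructed cases (addresses are from documentation ranges).
# 1. Controller exposed directly, every peer trusted: the header wins.
SPOOFED = effective_client_ip("203.0.113.7", "198.51.100.1", ["0.0.0.0/0"])
# 2. Same request, only the load balancer subnet trusted: the header is ignored.
DIRECT = effective_client_ip("203.0.113.7", "198.51.100.1", ["10.0.0.0/8"])
# 3. Request via a trusted load balancer that appended the real peer address.
VIA_LB = effective_client_ip(
    "10.0.1.5", "198.51.100.1, 203.0.113.7", ["10.0.0.0/8"]
)
```

In case 3 the client-supplied first entry is discarded because the address that vouches for it, `203.0.113.7`, is outside the trusted networks.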

@aledbf
Member

aledbf commented Nov 8, 2017

@albertvaka please post the steps you are following that reproduce the issue
