Allow setting headers per location #9693
Comments
rikatz
added
the
kind/feature
k8s-ci-robot
added
the
needs-triage
|
This issue is currently awaiting triage. If Ingress contributors determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
As a open source project, this seems appropriate ; Its a difficult choice. |
|
I created a PR #9742 with a different way to define the headers. I used a configmap for the headers. |
|
The admin component that Ricardo mentions is critical here in my opinion.
Does your configMap factor that only admin can set headers via a configMap.
…On Thu, 16 Mar, 2023, 11:28 am Christian Groschupp, < ***@***.***> wrote:
I created a PR #9742
<#9742> with a different
way to define the headers. I used a configmap for the headers.
—
Reply to this email directly, view it on GitHub
<#9693 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABGZVWTAUUASZZBUQZX2NMDW4KTZ7ANCNFSM6AAAAAAVQNYJRU>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
With the current implementation of my PR it is not possible to restrict it directly. Implementing some kind of whitelist can be a complex task, here are some thoughts:
|
|
This is stale, but we won't close it automatically, just bare in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach |
github-actions
bot
added
the
lifecycle/frozen
|
This https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#custom-headers exists now . There is very little resources available to allocate to this work. The little developer-time is all occupied with security and Gateway-API work. We are actually stopping support for useful features that are not close implications of the Ingress-API as its hard to support/maintain them. Since there is no action-item being tracked here and this issue is just adding to the tally of open issues without tracking any action-item, I will close the issue for now. /close |
|
@longwuyuan: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
One thing I've realized is that people has been using snippets to add headers to be sent to upstream per location or per server. I think we can do better here. If this is a case where people would stop using snippets in favor of using a new way of setting headers, I would +1 and prioritize this.
My proposal:
Above will set on the location a new header "X-Forwarded-Prefix = /bla"
We do some check on annotations to verify if some header annotation exists, and use it. My only concern here is always the arbitrary data problem and if this can be used, as an example, to bypass some restrictions, force nginx to connect to some other upstream, etc.
Maybe another thing is saying that "we allow headers as soon as the ingress controller owner allows headers", so admin would set a list of allowed headers, and then users could use it.
The text was updated successfully, but these errors were encountered: