Prevent NGINX-ingress from responding to public IP


Question


What's the process for either preventing NGINX from responding to the Public IP, or to get it to redirect to somewhere else - like another URL.


I'm a little stumped as I can't seem to find much in the way of documentation anywhere for this situation. We're using cert-manager too.


Essentially a PEN Test has failed because the public IP is responding with an NGINX/ k8s self-signed cert. We don't want or need that!

Accepted answer


It's possible to solve this; easy for HTTP and difficult for HTTPS. The main problem is issuing a certificate for an IP address: not every issuer does that (Let's Encrypt, for example, doesn't), so you have to find one or try whichever issuer you use now.


To handle unknown hosts (like an IP address) you can create an ingress object without a host field in its rules. This makes the created ingress work as the 'default' or 'fallback' rule, so it is used when there is no better match on the Host header (i.e. no ingress with a matching host in its rules).


To create an ingress object you need a service and here's how you can create a dummy service without endpoints:

apiVersion: v1
kind: Service
metadata:
  name: dummy-service
spec:
  clusterIP: None

Next, the ingress for it:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: default-ingress
  annotations:
    # The annotation key uses a dot, not an underscore
    kubernetes.io/ingress.class: nginx
    # Newer ingress-nginx releases only honour this annotation when
    # snippet annotations are enabled in the controller ConfigMap
    nginx.ingress.kubernetes.io/configuration-snippet: |
      # Nginx will place this in server block

      # You can redirect all requests somewhere:
      return 301 https://example.com/;
      # or just:
      #return 403;
spec:
  rules:
    # This rule has no 'host' field and because of that
    # NGINX won't include 'server_name' directive in
    # vhost configuration. What this means is that this
    # ingress rule will be used only if the request
    # comes with 'Host' header for which there is no
    # specific rule (IP-address for example).
    - http:
        paths:
          - backend:
              servicePort: 80
              serviceName: dummy-service


At this point you've got the redirect (or 403) working for HTTP and HTTPS, although the latter still with a dummy certificate. If you managed to issue a certificate for your IP addresses and save it as a secret, the next thing is to make NGINX use it instead of its default dummy certificate. For that you need to modify the ingress controller deployment by adding the --default-ssl-certificate argument:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-nginx-controller
spec:
  template:
    spec:
      containers:
        - name: controller
          args:
            - /nginx-ingress-controller
            # use 'namespace/secret_name' as the value for the argument
            - --default-ssl-certificate=default/ip-cert-secret


Now NGINX will respond to IP addresses with a valid certificate.


Bonus: if you have a cert-manager Issuer or ClusterIssuer that can issue a certificate for an IP address (like a self-signed one), you can request a certificate with the following manifest:

#apiVersion: cert-manager.io/v1
apiVersion: cert-manager.io/v1beta1
kind: Certificate
metadata:
  name: ip-cert
spec:
  secretName: ip-cert-secret
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    - client auth
  commonName: Dummy
  ipAddresses:
  - 10.1.1.13 # fill the list
  issuerRef:
    name: # insert issuer name
    kind: # Issuer or ClusterIssuer 
    group: cert-manager.io
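To confirm the fix from the outside, the way the pen test saw it, here is an added check script (not part of the original answer): it requests the bare IP over plain HTTP and expects a redirect or 403, then opens a TLS connection without SNI and checks whether the leaf certificate is still the ingress-nginx auto-generated "Kubernetes Ingress Controller Fake Certificate". It assumes curl and OpenSSL 1.1.1+ (for `-noservername`) are installed; the IP address is a placeholder.

```shell
#!/usr/bin/env bash
# Added verification script, not from the original answer.
# Checks that a bare public IP no longer serves the ingress-nginx
# default (fake) certificate and that plain HTTP is redirected/refused.

# Subject CN that ingress-nginx puts in its auto-generated default cert.
FAKE_CERT_CN="Kubernetes Ingress Controller Fake Certificate"

# classify_cert_subject: given the line printed by
# `openssl x509 -noout -subject`, print "fake", "ok" or "unknown".
classify_cert_subject() {
  local subject="$1"
  case "$subject" in
    *"$FAKE_CERT_CN"*) echo "fake" ;;     # default dummy cert still in use
    subject=*)         echo "ok" ;;       # some other (custom) certificate
    *)                 echo "unknown" ;;  # no certificate / connection failed
  esac
}

# classify_http_status: map the status of an HTTP request to the bare IP.
# Redirects and 403 are the intended outcomes of the fallback ingress;
# 200 means something still answers on the IP.
classify_http_status() {
  case "$1" in
    301|302|307|308) echo "redirect" ;;
    403)             echo "forbidden" ;;
    200)             echo "served" ;;
    *)               echo "unexpected" ;;
  esac
}

# fetch_cert_subject: connect to $1:443 without SNI (as a scanner hitting
# the raw IP would) and print the subject of the presented certificate.
fetch_cert_subject() {
  openssl s_client -connect "$1:443" -noservername </dev/null 2>/dev/null \
    | openssl x509 -noout -subject 2>/dev/null
}

# check_public_ip: run both checks against one address and report.
check_public_ip() {
  local ip="$1" status subject
  status=$(curl -s --max-time 10 -o /dev/null -w '%{http_code}' "http://$ip/")
  subject=$(fetch_cert_subject "$ip")
  echo "HTTP  $ip -> $(classify_http_status "$status") ($status)"
  echo "HTTPS $ip -> $(classify_cert_subject "$subject") (${subject:-no cert})"
}

# usage (placeholder address): check_public_ip 203.0.113.10
```

A result of "redirect"/"forbidden" for HTTP and "ok" for HTTPS means the fallback ingress and the --default-ssl-certificate change are both in effect; "fake" means the controller is still falling back to its generated certificate.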
