removing ingress Nginx default response header #11439
Comments
This issue is currently awaiting triage. If Ingress contributors determine this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
what is the output of /remove-kind bug |
Hi @longwuyuan. Yes, I have already set custom-default-backend. Below is the output of curl to the DNS. curl https://qa-pod1.com
What are the default nginx response headers that you want to remove? Show that output.
Hi @longwuyuan. First, whenever I do port scans, the nginx response is in it. Not shown: 999 filtered tcp ports (no-response). Secondly, for the 302 response the custom-default-backend seems not to be working. It has the nginx footer in it.
Also, if the 302 response was from the controller, please show the data that the redirection 302 response is coming from the controller. That and any other info you can provide related to ;
it will help |
Hi @longwuyuan, wanted to remove the nginx(receiver proxy) under the version column. PORT STATE SERVICE VERSION
Is it possible for you to create a container like If you can then I think someone can submit a PR to add that directive to the nginx.conf that is generated by openresty used by the project. But also AFAIK, port scan hardening is done on network-devices or host-os type of tcp/ip stacks rather than application images because the port-scan packet will arrive first on your router. I think google-search may show some iptables rules used to block port-scans. Process profiling/fingerprinting blocking directives inside nginx.conf are not well-known so maybe wait for experts to comment here. I also don't know how easy it will be to find them (if they exist) at docs.nginx.com etc.
But on a different thought, if your cluster is open to port-scans from SRC that you don't like, then the result of a port-scan is not a high criticality of your problems. I suspect your entire infra and its base minimal quality is.
What happened:
During port scanning we are seeing that ingress-nginx is returning default response headers in the output.
Nmap scan report for abc.qa.com (52.89.98.54)
Host is up (0.26s latency).
Other addresses for abc.qa.com(not scanned): 4.227.169.40 44.39.116.10
rDNS record for 52.89.98.54: ec2-52-89-9-54.us-west-2.compute.amazonaws.com
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
443/tcp open ssl/http nginx (reverse proxy)
We tried to add server-tokens: "off" in the ingress ConfigMap. Still, it didn't help me out. Could you please suggest how to remove the default nginx response headers from ingress-nginx?
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-configuration
  labels:
    app: ingress-nginx
data:
  allow-snippet-annotations: "true"
  proxy-buffer-size: "8k"
  proxy-set-headers: "{{ Namespace }}/mdm-custom-headers"
  server-tokens: "off"
  proxy-ssl-location-only: "true"
  limit-req-status-code: "429"
What you expected to happen:
nginx (reverse proxy) shouldn't be present in the response header
NGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.):
v1.10.0
Kubernetes version (use kubectl version):
kubectl version
Client Version: v1.30.1
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.28.9-eks-036c24b
WARNING: version difference between client (1.30) and server (1.28) exceeds the supported minor version skew of +/-1
Environment:
Cloud provider or hardware configuration: EKS
OS (e.g. from /etc/os-release): alpine
Kernel (e.g. uname -a): Linux
Install tools:
Please mention how/where was the cluster created like kubeadm/kops/minikube/kind etc.
Basic cluster related info:
kubectl version
kubectl get nodes -o wide
How was the ingress-nginx-controller installed:
helm ls -A | grep -i ingress
helm -n <ingresscontrollernamespace> get values <helmreleasename>
Current State of the controller:
kubectl describe ingressclasses
kubectl -n <ingresscontrollernamespace> get all -A -o wide
kubectl -n <ingresscontrollernamespace> describe po <ingresscontrollerpodname>
kubectl -n <ingresscontrollernamespace> describe svc <ingresscontrollerservicename>
Current state of ingress object, if applicable:
kubectl -n <appnamespace> get all,ing -o wide
kubectl -n <appnamespace> describe ing <ingressname>
Others:
kubectl describe ... of any custom configmap(s) created and in use
How to reproduce this issue:
Anything else we need to know:
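
As an added example (not part of the issue thread or the ingress-nginx project), the Python check below reports what a response discloses through the `Server` header and the default error-page footer, the two places the reporter mentions. The sample responses are constructed and `nginx/1.25.3` is a placeholder version; with nginx's `server_tokens off` the version is dropped but the product name `nginx` remains in both places.

```python
import re

# Constructed sample responses (not captured from the reporter's cluster).
WITH_TOKENS = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Server: nginx/1.25.3\r\n"
    "Location: https://example.test/login\r\n\r\n"
    "<html><body><center><h1>302 Found</h1></center>"
    "<hr><center>nginx/1.25.3</center></body></html>"
)
# Same response as nginx emits it with server_tokens off: version removed.
WITHOUT_TOKENS = WITH_TOKENS.replace("nginx/1.25.3", "nginx")
# A backend that sets no Server header and serves its own body.
CUSTOM_BACKEND = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: text/plain\r\n\r\n"
    "not found"
)

PRODUCT_RE = re.compile(r"^(?P<product>[A-Za-z][\w.-]*)(?:/(?P<version>\d[\w.]*))?")
FOOTER_RE = re.compile(r"<hr>\s*<center>\s*(nginx[^<]*)</center>", re.I)


def audit(raw: str) -> dict:
    """Report what a raw HTTP response discloses about the proxy."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    result = {"server_header": headers.get("server"),
              "product": None, "version": None, "footer": None}
    if result["server_header"]:
        m = PRODUCT_RE.match(result["server_header"])
        if m:
            result["product"] = m.group("product")
            result["version"] = m.group("version")
    footer = FOOTER_RE.search(body)
    if footer:
        result["footer"] = footer.group(1).strip()
    return result


if __name__ == "__main__":
    samples = {"tokens on": WITH_TOKENS, "tokens off": WITHOUT_TOKENS,
               "custom backend": CUSTOM_BACKEND}
    for label, raw in samples.items():
        print(label, audit(raw))
```
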