
removing ingress Nginx default response header #11439

Open
uttam-phygitalz opened this issue Jun 10, 2024 · 10 comments
Labels
kind/support Categorizes issue or PR as a support question. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@uttam-phygitalz

What happened:

During port scanning we are seeing that ingress-nginx is returning default response headers in the output.

Nmap scan report for abc.qa.com (52.89.98.54)
Host is up (0.26s latency).
Other addresses for abc.qa.com(not scanned): 4.227.169.40 44.39.116.10
rDNS record for 52.89.98.54: ec2-52-89-9-54.us-west-2.compute.amazonaws.com
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
443/tcp open ssl/http nginx (reverse proxy)

We tried to add server-tokens: "off" in the ingress ConfigMap; it still didn't help. Could you please suggest how to remove the default nginx response headers from ingress-nginx?

kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-configuration
  labels:
    app: ingress-nginx
data:
  allow-snippet-annotations: "true"
  proxy-buffer-size: "8k"
  proxy-set-headers: "{{ Namespace }}/mdm-custom-headers"
  server-tokens: "off"
  proxy-ssl-location-only: "true"
  limit-req-status-code: "429"

What you expected to happen:

nginx (reverse proxy) shouldn't be present in the response header.

NGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.):

v1.10.0

Kubernetes version (use kubectl version):

kubectl version
Client Version: v1.30.1
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.28.9-eks-036c24b
WARNING: version difference between client (1.30) and server (1.28) exceeds the supported minor version skew of +/-1
Environment:

  • Cloud provider or hardware configuration: EKS

  • OS (e.g. from /etc/os-release): alpine

  • Kernel (e.g. uname -a): Linux

  • Install tools:

    • Please mention how/where was the cluster created like kubeadm/kops/minikube/kind etc.
  • Basic cluster related info:

    • kubectl version
    • kubectl get nodes -o wide
  • How was the ingress-nginx-controller installed:

    • If helm was used then please show output of helm ls -A | grep -i ingress
    • If helm was used then please show output of helm -n <ingresscontrollernamespace> get values <helmreleasename>
    • If helm was not used, then copy/paste the complete precise command used to install the controller, along with the flags and options used
    • if you have more than one instance of the ingress-nginx-controller installed in the same cluster, please provide details for all the instances
  • Current State of the controller:

    • kubectl describe ingressclasses
    • kubectl -n <ingresscontrollernamespace> get all -A -o wide
    • kubectl -n <ingresscontrollernamespace> describe po <ingresscontrollerpodname>
    • kubectl -n <ingresscontrollernamespace> describe svc <ingresscontrollerservicename>
  • Current state of ingress object, if applicable:

    • kubectl -n <appnamespace> get all,ing -o wide
    • kubectl -n <appnamespace> describe ing <ingressname>
    • If applicable, then, your complete and exact curl/grpcurl command (redacted if required) and the response to the curl/grpcurl command with the -v flag
  • Others:

    • Any other related information like ;
      • copy/paste of the snippet (if applicable)
      • kubectl describe ... of any custom configmap(s) created and in use
      • Any other related information that may help

How to reproduce this issue:

Anything else we need to know:
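As an added check (example code, not part of the original issue or of ingress-nginx itself): the ingress-nginx ConfigMap documents server-tokens as a boolean, so the value to set is "false" rather than "off". After changing it, this POSIX shell function reads `curl -skI https://<your-host>` output from stdin and reports whether a Server header is still returned, which is the quick way to confirm the change took effect before re-running a scan. The hostname is whichever host you are testing; the two sample responses below are constructed, not captured from the reporter's cluster.

```shell
#!/bin/sh
# Added example: verify from response headers whether nginx still announces
# itself. Feed it `curl -skI https://<your-host>` output on stdin.
# Note: the ingress-nginx ConfigMap documents server-tokens as a boolean,
# so the value to set is  server-tokens: "false"  (not "off").

# Returns 0 when no Server header is present, 1 when one is (and prints it).
check_server_header() {
    tr -d '\r' | awk '
        /^$/ { exit }                      # blank line ends the header block
        {
            if (tolower($1) == "server:") { # header names are case-insensitive
                found = 1
                value = substr($0, index($0, ":") + 1)
                sub(/^[ \t]+/, "", value)
                print "Server header present: " value
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample responses (not captured from the reporter's cluster).
LEAKY_RESPONSE='HTTP/1.1 404 Not Found
Date: Mon, 10 Jun 2024 10:00:00 GMT
Content-Type: text/html
Server: nginx
Content-Length: 0
'

CLEAN_RESPONSE='HTTP/1.1 404 Not Found
Date: Mon, 10 Jun 2024 10:00:00 GMT
Content-Type: text/html
Content-Length: 0
'

# Wrappers so both cases can be exercised without a live endpoint.
leaky_leaks() { printf '%s\n' "$LEAKY_RESPONSE" | check_server_header; }
clean_leaks() { printf '%s\n' "$CLEAN_RESPONSE" | check_server_header; }

leaky_leaks && echo "leaky sample: no Server header" || echo "leaky sample: Server header found"
clean_leaks && echo "clean sample: no Server header" || echo "clean sample: Server header found"
```

Against a live endpoint, pipe the headers in directly: `curl -skI https://<your-host> | check_server_header`.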

@uttam-phygitalz uttam-phygitalz added the kind/bug Categorizes issue or PR as related to a bug. label Jun 10, 2024
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Jun 10, 2024
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@uttam-phygitalz uttam-phygitalz changed the title removing ingress Nginx default réponse header removing ingress Nginx default résponse header Jun 10, 2024
@longwuyuan
Contributor

https://kubernetes.github.io/ingress-nginx/examples/customization/custom-errors/#customized-default-backend

What is the output of curl LB-IP-Address?

/remove-kind bug
/kind support

@k8s-ci-robot k8s-ci-robot added kind/support Categorizes issue or PR as a support question. and removed kind/bug Categorizes issue or PR as related to a bug. labels Jun 10, 2024
@uttam-phygitalz
Author

hi @longwuyuan

Yes, I have already set custom-default-backend. Below is the output of curl to the DNS name.

curl https://qa-pod1.com
The page you're looking for could not be found.""

@longwuyuan
Contributor

What are the default nginx response headers that you want to remove? Show that output.

@uttam-phygitalz
Author

uttam-phygitalz commented Jun 10, 2024

Hi @longwuyuan,

First, whenever I do port scans, nginx shows up in the response.

Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
443/tcp open ssl/http nginx (reverse proxy)
|_http-title: Site doesn't have a title (text/html).

Secondly, for the 302 response the custom-default-backend does not seem to be working. It has the nginx footer in it.

image

@longwuyuan
Contributor

  • Which words/text do you want to remove in the port-scan output?
  • nginx in the footer or anything else there is from your own custom default backend, so why are you reporting it here?

@longwuyuan
Contributor

longwuyuan commented Jun 10, 2024

Also, if the 302 response was from the controller, please show the data that shows the 302 redirection response is coming from the controller. That and any other info you can provide related to:

  • request that caused the 302 response
  • the ingress that contains the rule that matched that request
  • any other config or logs related to the controller sending a 302

will help.

@uttam-phygitalz
Author

Hi @longwuyuan,

I wanted to remove the nginx (reverse proxy) under the VERSION column.

PORT STATE SERVICE VERSION
443/tcp open ssl/http nginx (reverse proxy)

@longwuyuan
Contributor

Is it possible for you to create a container like docker run -d --rm --name mynginx nginx:alpine and try to configure it to block that port-scan to your taste?

If you can then I think someone can submit a PR to add that directive to the nginx.conf that is generated by openresty used by the project.

But also AFAIK, port scan hardening is done on network-devices or host-os type of tcp/ip stacks rather than application images because the port-scan packet will arrive first on your router. I think google-search may show some iptables rules used to block port-scans.

Process profiling/fingerprinting-blocking directives inside nginx.conf are not well known, so maybe wait for experts to comment here. I also don't know how easy it will be to find them (if they exist) at docs.nginx.com etc.

@longwuyuan
Contributor

But on a different thought, if your cluster is open to port-scans from SRC that you don't like, then the result of a port-scan is not the most critical of your problems. I suspect your entire infra and its base minimal quality is.
