Config/Annotations: Add ssl-forbid-http and force-ssl-forbid-http. #12384

Open: wants to merge 1 commit into base: main
@gavinkflam gavinkflam commented Nov 19, 2024

What this PR does / why we need it:

API-only endpoints should disable HTTP altogether and only support encrypted connections. When that is not possible, API endpoints should fail requests made over unencrypted HTTP connections instead of redirecting them.

According to OWASP, the best practice for HTTPS API services is to disable HTTP or fail HTTP requests. Redirection is a common but insecure practice. Misconfigured clients would inadvertently expose sensitive information such as API keys without ever knowing about it.

In my opinion, this is an important security feature. Without this feature, the only way to implement such a best practice is snippets. However, snippets are almost always disabled for a good reason: to prevent arbitrary code injection.

I've added two config map items and two annotations. They allow enforcing HTTPS connections by rejecting unencrypted requests with a forbidden error. The core implementation is just a small twist of the existing SSL redirect annotations. The maintenance overhead is minimal and totally justified by the benefits.


This article, "Your API Shouldn't Redirect HTTP to HTTPS", offers an in-depth comparison between this practice and redirecting HTTP traffic to HTTPS.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • CVE Report (Scanner found CVE and adding report)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation only

Which issue/s this PR fixes

fixes #11391

How Has This Been Tested?

Automated unit and e2e tests.

Checklist:

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I've read the CONTRIBUTION guide
  • I have added unit and/or e2e tests to cover my changes.
  • All new and existing tests passed.
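
The argument in the description above, as an added example that is not part of this PR or of the ingress-nginx code base: a client misconfigured with an `http://` base URL sends its key to a plain-HTTP listener that either redirects or forbids. The header name `X-Api-Key`, the key value, the path and the `probe` helper are constructed for illustration. In both cases the key has already crossed the wire unencrypted; only the forbid policy makes the client fail, so the misconfiguration gets noticed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

const apiKey = "constructed-demo-key" // constructed sample value, not a real credential

// probe (hypothetical helper) sends one keyed request to a plain-HTTP listener that applies
// policy; it returns whether the key arrived unencrypted and the client's final status.
func probe(policy string) (keyInCleartext bool, finalStatus int, err error) {
	api := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Api-Key") != apiKey {
			http.Error(w, "bad key", http.StatusUnauthorized)
		}
	}))
	defer api.Close()
	var leaked atomic.Bool
	plain := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Whatever the policy, the headers have already crossed the wire unencrypted.
		leaked.Store(r.Header.Get("X-Api-Key") == apiKey)
		if policy == "redirect" {
			http.Redirect(w, r, api.URL+r.URL.Path, http.StatusPermanentRedirect)
			return
		}
		http.Error(w, "HTTPS required", http.StatusForbidden)
	}))
	defer plain.Close()

	req, err := http.NewRequest(http.MethodGet, plain.URL+"/v1/items", nil)
	if err != nil {
		return false, 0, err
	}
	req.Header.Set("X-Api-Key", apiKey)
	resp, err := api.Client().Do(req) // trusts the test certificate, follows redirects
	if err != nil {
		return false, 0, err
	}
	defer resp.Body.Close()
	return leaked.Load(), resp.StatusCode, nil
}

func main() {
	fmt.Println(probe("redirect")) // true 200 <nil>
	fmt.Println(probe("forbid"))   // true 403 <nil>
}
```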


linux-foundation-easycla bot commented Nov 19, 2024

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: gavinkflam / name: Gavin Lam (90bd3ee)

@k8s-ci-robot k8s-ci-robot added cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. area/docs needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Nov 19, 2024
@k8s-ci-robot k8s-ci-robot added area/lua Issues or PRs related to lua code needs-kind Indicates a PR lacks a `kind/foo` label and requires one. labels Nov 19, 2024
@k8s-ci-robot
Contributor

Welcome @gavinkflam!

It looks like this is your first PR to kubernetes/ingress-nginx 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/ingress-nginx has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. needs-priority labels Nov 19, 2024
@k8s-ci-robot
Contributor

Hi @gavinkflam. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Nov 19, 2024

netlify bot commented Nov 19, 2024

Deploy Preview for kubernetes-ingress-nginx ready!

Name Link
🔨 Latest commit 90bd3ee
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-ingress-nginx/deploys/6757a3088f455b000879c611
😎 Deploy Preview https://deploy-preview-12384--kubernetes-ingress-nginx.netlify.app

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Nov 19, 2024
@longwuyuan
Contributor

Please see this post from me #11391 (comment)

@strongjz
Member

/ok-to-test
/priority backlog
/triage accepted

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. priority/backlog Higher priority than priority/awaiting-more-evidence. triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Nov 19, 2024
@strongjz strongjz self-assigned this Nov 19, 2024
@strongjz
Member

/kind feature

@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. and removed needs-kind Indicates a PR lacks a `kind/foo` label and requires one. labels Nov 19, 2024
@gavinkflam
Author

Discussed in community meeting today with @rikatz. We may want to make it the default since this is a security best practice. Concern is it will become a breaking change.

Open to any changes and suggestions.

@strongjz strongjz added this to the release-1.13 milestone Nov 24, 2024
@strongjz
Member

strongjz commented Dec 4, 2024

@gavinkflam Like a lot of security we introduce in a minor release with the default turned off, to not break things.

And then in the next minor turn it on, so folks can test with the defaults between releases.

I am fine with leaving it off in this first release.

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: gavinkflam
Once this PR has been reviewed and has the lgtm label, please ask for approval from rikatz. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gavinkflam
Author

@strongjz Sounds good. I have rebased and this is ready for review.

@Gacko Gacko changed the title Config/Annotations: Add ssl-forbid-http and force-ssl-forbid-http Config/Annotations: Add ssl-forbid-http and force-ssl-forbid-http. Dec 9, 2024
@gavinkflam
Author

@Gacko Thank you for reviewing. I have applied the changes and rebased.

@gavinkflam gavinkflam requested a review from Gacko December 10, 2024 04:09
Development

Successfully merging this pull request may close these issues.

Add option to forbid plain http requests (where ssl-redirect is unsafe)