-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Config/Annotations: Add ssl-forbid-http
and force-ssl-forbid-http
.
#12384
base: main
Are you sure you want to change the base?
Conversation
|
Welcome @gavinkflam! |
Hi @gavinkflam. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
✅ Deploy Preview for kubernetes-ingress-nginx ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
5657bd6
to
150a52e
Compare
Please see this post from me #11391 (comment) |
/ok-to-test |
/kind feature |
f339555
to
f1a96ee
Compare
Discussed in community meeting today with @rikatz. We may want to make it the default since this is a security best practice. Concern is it will become a breaking change. Open to any changes and suggestions. |
@gavinkflam like a lot of security we introduce in a minor release with the default turned off, to not break things. and then in the next minor turn it on, so folks can test with the defaults between releases. I am fine with leaving it off in this first release. |
f1a96ee
to
1d9a00f
Compare
@strongjz Sounds good. I have rebased and this is ready for review. |
ssl-forbid-http
and force-ssl-forbid-http
ssl-forbid-http
and force-ssl-forbid-http
.
1d9a00f
to
90bd3ee
Compare
@Gacko Thank you for reviewing. I have applied the changes and rebased. |
90bd3ee
to
f745efc
Compare
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: gavinkflam The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What this PR does / why we need it:
According to OWASP, the best practice for HTTPS API services is to disable HTTP or fail HTTP requests. Redirection is a common but insecure practice. Misconfigured clients would inadvertently expose sensitive information such as API keys without ever knowing about it.
In my opinion, this is an important security feature. Without this feature, the only way to implement such best practice is snippets. However, snippets are almost always disabled for good reasons - prevent arbitrary code injection.
I've added two config map items and two annotations. They allow enforcing HTTPS connections by rejecting unencrypted requests with a forbidden error. The core implementation is just a small twist of the existing SSL redirect annotations. The maintenance overhead is minimal and totally justify the benefits.
This article Your API Shouldn't Redirect HTTP to HTTPS offers an in-depth comparison between this practice and redirecting HTTP traffic to HTTPS.
Types of changes
Which issue/s this PR fixes
fixes #11391
How Has This Been Tested?
Automated unit and e2e tests.
Checklist: