K
Q

Kubernetes nginx ingress prevent response from default-backend on https

5/27/2020

Currently with the nginx ingress in kubernetes it will always respond to direct IP requests (i.e. http://1.1.1.1) with the default-backend and there doesn't appear to be a way of disabling it.

Worse, it will also respond to https://1.1.1.1 in the same manner with a self-signed cert (you can override it but obviously even if you provide a valid cert, it still won't be valid against an IP request) This is a major security vulnerability that causes any site using Kubernetes and nginx ingress to fail PCI compliance network scans.

AND there is no way of overriding this behavior in your ingress defintion.

I'm trying to figure out how without hacking to be able to prevent the default-backend from responding to https on an IP request given that there is never a case in a production environment where this would be secure and will always cause PCI failure.

How does one get the nginx ingress to not respond to https on an IP request?

-- James Hancock
kubernetes
kubernetes-ingress
nginx

Similar Questions

kubernetes: Unable to attach or mount volumes timed out waiting for the condition
Why can't find osd pod in kubernetes after deploying rook-ceph?
How to achieve the association of file and memory in K8S?
Gitlab Kubernetes Cluster hosted on Ubuntu - Authentication error when adding to Gitlab

1 Answer

5/28/2020

I tried googling and tested several ideas but non of them worked.

I also tried reading nginx-ingress code but didn't find anything satisfying.

I think that the best thing you could do is to ask developers. Just open an issue on nginx-ingress github repository.

-- HelloWorld
Source: StackOverflow