add configuration to disable listening on ipv6
gianrubio committed Mar 8, 2017
1 parent f1062e0 commit 48f28bd
Showing 3 changed files with 13 additions and 6 deletions.
3 changes: 3 additions & 0 deletions controllers/nginx/configuration.md
Expand Up @@ -242,6 +242,9 @@ Example usage: `custom-http-errors: 404,415`
**disable-access-log:** Disables the Access Log from the entire Ingress Controller. This is 'false' by default.


**disable-ipv6:** Disable listening on IPV6. This is 'false' by default.


**enable-dynamic-tls-records:** Enables dynamically sized TLS records to improve time-to-first-byte. Enabled by default. See [CloudFlare's blog](https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency) for more information.


4 changes: 4 additions & 0 deletions controllers/nginx/pkg/config/config.go
Expand Up @@ -97,6 +97,9 @@ type Configuration struct {
//http://nginx.org/en/docs/http/ngx_http_log_module.html
DisableAccessLog bool `json:"disable-access-log,omitempty"`

// DisableIpv6 disable listening on ipv6 address
DisableIpv6 bool `json:"disable-ipv6,omitempty"`

// EnableStickySessions enabled sticky sessions using cookies
// https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng
// By default this is disabled
Expand Down Expand Up @@ -249,6 +252,7 @@ func NewDefault() Configuration {
cfg := Configuration{
ClientHeaderBufferSize: "1k",
DisableAccessLog: false,
DisableIpv6: false,
EnableDynamicTLSRecords: true,
ErrorLogLevel: errorLevel,
HSTS: true,
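Review bot: The new field `DisableIpv6 bool` departs from Go's initialism casing (`userID`, `ServeHTTP`); the Go name should be `DisableIPv6`, with the JSON tag `disable-ipv6` unchanged and the template's `$cfg.DisableIpv6` references following the rename. The doc comment `// DisableIpv6 disable listening on ipv6 address` is not a sentence and does not say what the flag does to the rendered config; `// DisableIPv6 disables listening on IPv6 addresses. When true the generated listen directives omit the [::]: prefix, so nginx binds the IPv4 wildcard only.` would cover it. The `Configuration` struct and `NewDefault` both extend beyond their hunks.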
12 changes: 6 additions & 6 deletions controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
Expand Up @@ -208,10 +208,10 @@ http {
{{ range $index, $server := .Servers }}
server {
server_name {{ $server.Hostname }};
listen [::]:80{{ if $cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ if eq $server.Hostname "_"}} default_server ipv6only=off reuseport backlog={{ $backlogSize }}{{end}};
listen {{ if not $cfg.DisableIpv6 }}[::]:{{ end }}80{{ if $cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ if eq $server.Hostname "_"}} default_server {{ if not $cfg.DisableIpv6 }}ipv6only=off{{end}} reuseport backlog={{ $backlogSize }}{{end}};
{{/* Listen on 442 because port 443 is used in the stream section */}}
{{/* This listen on port 442 cannot contains proxy_protocol directive because port 443 is in charge of decoding the protocol */}}
{{ if not (empty $server.SSLCertificate) }}listen {{ if gt (len $passthroughBackends) 0 }}442{{ else }}[::]:443 {{ if $cfg.UseProxyProtocol }} proxy_protocol {{ end }}{{ end }} {{ if eq $server.Hostname "_"}} default_server ipv6only=off reuseport backlog={{ $backlogSize }}{{end}} ssl {{ if $cfg.UseHTTP2 }}http2{{ end }};
{{ if not (empty $server.SSLCertificate) }}listen {{ if gt (len $passthroughBackends) 0 }}442{{ else }}{{ if not $cfg.DisableIpv6 }}[::]:{{ end }}443 {{ if $cfg.UseProxyProtocol }} proxy_protocol {{ end }}{{ end }} {{ if eq $server.Hostname "_"}} default_server {{ if not $cfg.DisableIpv6 }}ipv6only=off{{end}} reuseport backlog={{ $backlogSize }}{{end}} ssl {{ if $cfg.UseHTTP2 }}http2{{ end }};
{{/* comment PEM sha is required to detect changes in the generated configuration and force a reload */}}
# PEM sha: {{ $server.SSLPemChecksum }}
ssl_certificate {{ $server.SSLCertificate }};
Expand Down Expand Up @@ -366,7 +366,7 @@ http {
# with an external software (like sysdig)
location /nginx_status {
allow 127.0.0.1;
allow ::1;
{{ if not $cfg.DisableIpv6 }}allow ::1;{{ end }}
deny all;

access_log off;
Expand All @@ -384,7 +384,7 @@ http {
# Use the port 18080 (random value just to avoid known ports) as default port for nginx.
# Changing this value requires a change in:
# https://github.com/kubernetes/contrib/blob/master/ingress/controllers/nginx/nginx/command.go#L104
listen [::]:18080 ipv6only=off default_server reuseport backlog={{ .BacklogSize }};
listen {{ if not $cfg.DisableIpv6 }}[::]:{{ end }}18080 ipv6only=off default_server reuseport backlog={{ .BacklogSize }};

location {{ $healthzURI }} {
access_log off;
Expand All @@ -406,7 +406,7 @@ http {
# TODO: enable extraction for vts module.
location /internal_nginx_status {
allow 127.0.0.1;
allow ::1;
{{ if not $cfg.DisableIpv6 }}allow ::1;{{ end }}
deny all;

access_log off;
Expand Down Expand Up @@ -466,7 +466,7 @@ stream {
{{ buildSSLPassthroughUpstreams $backends .PassthroughBackends }}

server {
listen [::]:443 ipv6only=off{{ if $cfg.UseProxyProtocol }} proxy_protocol{{ end }};
listen {{ if not $cfg.DisableIpv6 }}[::]:{{ end }}443 {{ if not $cfg.DisableIpv6 }}ipv6only=off{{ end }}{{ if $cfg.UseProxyProtocol }} proxy_protocol{{ end }};
proxy_pass $stream_upstream;
ssl_preread on;
}
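Review bot: The 18080 listen line keeps `ipv6only=off` unconditionally, whereas the 80, 443 and stream 443 hunks wrap it in `{{ if not $cfg.DisableIpv6 }}`; nginx documents `ipv6only` as a parameter of an IPv6 wildcard socket, so with IPv6 disabled the line renders as `listen 18080 ipv6only=off ...`, which is at best a no-op parameter on an IPv4 socket and at worst a config-test failure depending on the nginx build. Render it the same way as the others: `listen {{ if not $cfg.DisableIpv6 }}[::]:{{ end }}18080 {{ if not $cfg.DisableIpv6 }}ipv6only=off {{ end }}default_server reuseport backlog={{ .BacklogSize }};`. Since every rendered variant now depends on one flag, a template test that renders with `DisableIpv6: true` and asserts no `[::]` or `ipv6only` survives would catch this class of drift. The enclosing server block of that hunk starts and ends outside the hunk.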
