
Insecure directive in NGINX Template file #200

Closed
rikatz opened this issue Feb 1, 2017 · 1 comment

Comments

rikatz (Contributor) commented Feb 1, 2017

In nginx.tmpl, we're using the following:

https://github.com/kubernetes/ingress/blob/master/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl#L23

set_real_ip_from 0.0.0.0/0

This might allow anyone, forcing in its headers the variable X-Forwarded-For, to override the real IP to anything it wants.

One side effect would be an attacker masking its own IP address inside Nginx logs. It also would allow someone to spoof its own IP, including (but not tested) overriding the 'whitelist' restriction.
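To make the behaviour concrete, here is an added Python model (not code from the issue or from the ingress project) of how the realip module chooses the client address: the peer's X-Forwarded-For header is honoured only if the peer falls inside `set_real_ip_from`, and the hop that wins depends on `real_ip_recursive`. The load-balancer range `192.0.2.0/24`, the whitelist `10.0.0.0/8` and the addresses in the sample are constructed assumptions.

```python
import ipaddress

def _is_trusted(addr, trusted_nets):
    """True if addr falls inside any of the trusted networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted_nets)

def resolve_client_ip(peer_addr, xff_header, set_real_ip_from, recursive=False):
    """Model of how the realip module picks the client address.

    peer_addr:        address of the TCP peer that connected to NGINX
    xff_header:       X-Forwarded-For value as sent by that peer (may be "")
    set_real_ip_from: CIDRs trusted to set the header (the directive's values)
    recursive:        real_ip_recursive on/off
    """
    trusted = [ipaddress.ip_network(c) for c in set_real_ip_from]
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # An untrusted peer (or an empty header) never overrides its own address.
    if not hops or not _is_trusted(peer_addr, trusted):
        return peer_addr
    if not recursive:
        return hops[-1]            # real_ip_recursive off: rightmost entry wins
    for hop in reversed(hops):     # real_ip_recursive on: rightmost untrusted entry
        if not _is_trusted(hop, trusted):
            return hop
    return hops[0]                 # every hop trusted: leftmost entry is used

def allowed_by_whitelist(client_ip, allow_cidrs):
    """The 'whitelist' check from the issue, applied to the resolved address."""
    return _is_trusted(client_ip, [ipaddress.ip_network(c) for c in allow_cidrs])

# Constructed sample: 192.0.2.0/24 is the assumed load-balancer range in front of
# NGINX, 10.0.0.0/8 is the internal range the whitelist admits, and 203.0.113.9 is
# an unrelated host that reaches NGINX directly with its own X-Forwarded-For.
LB_RANGE = ["192.0.2.0/24"]
ALLOW = ["10.0.0.0/8"]

def demo():
    """Resolved address under the insecure and under the restricted setting."""
    claimed = "10.0.0.1"
    insecure = resolve_client_ip("203.0.113.9", claimed, ["0.0.0.0/0"])   # 10.0.0.1
    restricted = resolve_client_ip("203.0.113.9", claimed, LB_RANGE)     # 203.0.113.9
    return insecure, restricted

if __name__ == "__main__":
    ins, res = demo()
    print(f"0.0.0.0/0 trusted -> client={ins}, whitelisted={allowed_by_whitelist(ins, ALLOW)}")
    print(f"LB range trusted  -> client={res}, whitelisted={allowed_by_whitelist(res, ALLOW)}")
```

With `0.0.0.0/0` every peer is trusted, so even `real_ip_recursive on` returns a header-supplied address; only narrowing `set_real_ip_from` to the hops that actually sit in front of NGINX makes the whitelist meaningful.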

phekmat added a commit to phekmat/ingress that referenced this issue May 12, 2017
Use the same config option for `set_real_ip_from` when not using proxy protocol. The default remains `0.0.0.0/0`, which is insecure if the ingress is publicly accessible. This at least provides a workaround for kubernetes#200
aledbf (Member) commented May 17, 2017

fixed by #709

@aledbf aledbf closed this as completed May 17, 2017