Add default_server option for the default server #85

Closed
alexw23 opened this issue Dec 22, 2016 · 3 comments · Fixed by #115

alexw23 commented Dec 22, 2016

As per kubernetes-retired/contrib#2213

If you're using wildcard host names, the default backend will no longer be available due to the way nginx has precedence on wildcards. By providing default_server it indicates a catch-all, so regardless of wildcards, if there is no direct match they will end up in the default server block.

@markacola

I'm currently being stung by this quite badly.
The server block for my wildcard is currently matching any host name not in another server block.
Additionally, the template output for https redirects uses the '$host' nginx variable instead of the $server.Hostname template variable for the redirects:
i.e.

if ($scheme = http) {
    return 301 https://$host$request_uri;
}

instead of:

if ($scheme = http) {
    return 301 https://{{ $server.Hostname }}$request_uri;
}

This means if my server gets a request for some random host it will respond with a valid 301 https redirect for that host.
i.e.

Request: GET http://example.com
Response: 301 https://example.com

Even without an ingress record for example.com.
Currently getting requests from random websites, presumably for free 301 https redirects.

@aledbf
Member

aledbf commented Jan 9, 2017

@markacola

@aledbf Sorry, I don't think I was very clear with my previous comment.
The server block of the Default Backend doesn't have default_server in the listen statement, so wildcard domains (which have a higher order of precedence) will match before the Default Backend.
If the wildcard domain has an SSL config then it will include the if ($scheme = http) {... section.
This results in a server block that matches unknown hosts and includes an http -> https redirect in the / location block that uses whatever host was supplied in the request.
e.g.

# Default Backend block
server {
  server_name _; #no default_server statement
  listen 80;
  
  location / {
    ...
  }
}

# Server block from ingress
server {
  server_name *.example.com;
  listen 80;
  listen 443 ssl spdy http2;
  ...

  location / {
    # enforce ssl on server side
    if ($scheme = http) {
        return 301 https://$host$request_uri;
    }
    ...
  }
}

With the above config a request with host http://unknownhost.com will be handled by the second server block, resulting in 301 with header Location: https://unknownhost.com.
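
An added example, not part of the original thread or the project's code: a simplified Python model of how nginx picks a server block on one listen socket (exact name, then longest leading wildcard, then longest trailing wildcard, then the default server; regex names are left out). The `Server` class, the helper names and both sample configs are constructed for illustration, and the "before" config assumes the wildcard block is emitted ahead of the default backend.

```python
from dataclasses import dataclass

@dataclass
class Server:                      # hypothetical stand-in for one nginx server block
    label: str
    names: tuple
    default_server: bool = False   # "listen 80 default_server;"
    redirect: str = ""             # Location template, "" when the block has none

def _rank(name, host):
    """Sort key for a matching server_name (lower wins), or None if no match."""
    if name == host:
        return (0, 0)                                  # exact name
    if name.startswith("*.") and host.endswith(name[1:]):
        return (1, -len(name))                         # longest leading wildcard
    if name.endswith(".*") and host.startswith(name[:-1]):
        return (2, -len(name))                         # longest trailing wildcard
    return None

def select(servers, host):
    """Return the block that handles `host` among blocks sharing one listen socket."""
    host = host.lower()
    best = None
    for s in servers:
        for n in s.names:
            r = _rank(n, host)
            if r is not None and (best is None or r < best[0]):
                best = (r, s)
    if best:
        return best[1]
    # No name matched: the block flagged default_server, else the first one listed.
    return next((s for s in servers if s.default_server), servers[0])

def redirect_for(servers, host, uri="/"):
    """Return (block label, Location value) for a plain-HTTP request."""
    s = select(servers, host)
    return s.label, s.redirect.replace("$host", host).replace("$request_uri", uri)

# Constructed sample configs (not taken from a real deployment).
WILDCARD = Server("wildcard", ("*.example.com",), redirect="https://$host$request_uri")
BEFORE = [WILDCARD, Server("default-backend", ("_",))]                      # no default_server
AFTER = [WILDCARD, Server("default-backend", ("_",), default_server=True)]  # catch-all pinned

if __name__ == "__main__":
    for cfg_name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(cfg_name, redirect_for(cfg, "unknownhost.com"))
```
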

haoqing0110 referenced this issue in stolostron/management-ingress Mar 5, 2021