breaking change: by default do not trust any client #3333
Conversation
k8s-ci-robot
added
approved
k8s-ci-robot
added
the
cncf-cla: yes
ElvinEfendi
force-pushed
the
dont-trust-by-default
branch
from
89afa1e
to
b15701a
Compare
|
This change makes nginx-ingress not trust the IP for the The correct change to the defaults would be I 100% support setting |
@Dirbaio is there any practical security implication with this? I agree that modifying |
|
They're more rare, but there are indeed vulnerabilities that can be caused by the other X-Forwarded-* headers spoofing. For example: Software often uses X-Forwarded-Host, X-Forwarded-Scheme to build "links to itself" to use in emails and such. If you can mess with these, you can make these links go somewhere else, which can be bad for password reset emails, for example. Aside from vulns, disabling all |
ElvinEfendi
force-pushed
the
dont-trust-by-default
branch
from
b15701a
to
98705cf
Compare
ElvinEfendi
force-pushed
the
dont-trust-by-default
branch
from
98705cf
to
5f3b48e
Compare
ElvinEfendi
changed the title
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: aledbf, ElvinEfendi The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What this PR does / why we need it:
Currently we configure Nginx in a way that it trusts any client to extract true client IP address from X-Forwarded-For header using realip module. This PR makes it so that by default it does not trust any client at all.
Which issue this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close that issue when PR gets merged): fixes #Special notes for your reviewer: