< h1 id = "hardening-guide" > Hardening Guide< a class = "headerlink" href = "#hardening-guide" title = "Permanent link" > ¶< / a > < / h1 >
< h2 id = "overview" > Overview< a class = "headerlink" href = "#overview" title = "Permanent link" > ¶< / a > < / h2 >
<p>There are several ways to harden and secure nginx. This document draws on two guides, which overlap in some points:</p>
< ul >
< li > < a href = "https://www.cisecurity.org/benchmark/nginx/" > nginx CIS Benchmark< / a > < / li >
<li><a href="https://cipherlist.eu/">cipherlist.eu</a> (one of many forks of the now-defunct cipherli.st project)</li>
< / ul >
<p>This guide describes which of the configurations in those two guides are already implemented by default in the NGINX Ingress Controller for Kubernetes, which need to be configured explicitly, which are obsolete because nginx runs in a container (the CIS benchmark targets a non-containerized installation), and which are difficult or impossible to apply.</p>
<p>Be aware that this is only a guide and you are responsible for your own implementation. Some of these configurations (stricter TLS cipher suites, for example) may leave specific clients unable to reach your site or have similar consequences, so test them against your client population before rolling them out.</p>
<p>This guide refers to chapters of the CIS Benchmark by number. For the full rationale and audit procedure behind each item, refer to the benchmark document itself.</p>
< h2 id = "configuration-guide" > Configuration Guide< a class = "headerlink" href = "#configuration-guide" title = "Permanent link" > ¶< / a > < / h2 >
< table >
< thead >
< tr >
< th align = "left" > Chapter in CIS benchmark< / th >
< th align = "left" > Status< / th >
< th align = "left" > Default< / th >
< th align = "left" > Action to do if not default< / th >
< / tr >
< / thead >
< tbody >
< tr >
< td align = "left" > < strong > 1 Initial Setup< / strong > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > < strong > 1.1 Installation< / strong > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 1.1.1 Ensure NGINX is installed (Scored)< / td >
< td align = "left" > OK< / td >
<td align="left">Done through the helm chart / by following the documentation to deploy the ingress controller</td>
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 1.1.2 Ensure NGINX is installed from source (Not Scored)< / td >
< td align = "left" > OK< / td >
<td align="left">nginx is compiled from source in the controller image build script; you consume it through the helm chart / by following the deployment documentation</td>
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > < strong > 1.2 Configure Software Updates< / strong > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 1.2.1 Ensure package manager repositories are properly configured (Not Scored)< / td >
< td align = "left" > OK< / td >
<td align="left">Done via helm; the controller image (and with it the nginx version) can be overridden, but compatibility is not guaranteed if you do</td>
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 1.2.2 Ensure the latest software package is installed (Not Scored)< / td >
< td align = "left" > ACTION NEEDED< / td >
<td align="left">Done via helm; the controller image (and with it the nginx version) can be overridden, but compatibility is not guaranteed if you do</td>
<td align="left">Plan for periodic updates of the controller image and follow ingress-nginx releases for security fixes</td>
< / tr >
< tr >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > < strong > 2 Basic Configuration< / strong > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > < strong > 2.1 Minimize NGINX Modules< / strong > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 2.1.1 Ensure only required modules are installed (Not Scored)< / td >
< td align = "left" > OK< / td >
<td align="left">Only the modules the controller needs are compiled in; proposals for further reduction are welcome</td>
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 2.1.2 Ensure HTTP WebDAV module is not installed (Scored)< / td >
< td align = "left" > OK< / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 2.1.3 Ensure modules with gzip functionality are disabled (Scored)< / td >
< td align = "left" > OK< / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 2.1.4 Ensure the autoindex module is disabled (Scored)< / td >
< td align = "left" > OK< / td >
<td align="left">No autoindex directives in the ingress controller defaults. Custom configuration snippets or a custom NGINX template could still enable it, so review those.</td>
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > < strong > 2.2 Account Security< / strong > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account (Not Scored)< / td >
< td align = "left" > OK< / td >
<td align="left">The pod runs as user www-data: <a href="https://github.com/kubernetes/ingress-nginx/blob/0cbe783f43a9313c9c26136e888324b1ee91a72f/charts/ingress-nginx/values.yaml#L10">see this line in the helm chart values</a>. nginx is compiled with user www-data: <a href="https://github.com/kubernetes/ingress-nginx/blob/5d67794f4fbf38ec6575476de46201b068eabf87/images/nginx/rootfs/build.sh#L529">see this line in the build script</a></td>
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 2.2.2 Ensure the NGINX service account is locked (Scored)< / td >
< td align = "left" > OK< / td >
<td align="left">Ensured by the container design: there is no interactive login path to the service account inside the image (see also 2.2.3)</td>
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 2.2.3 Ensure the NGINX service account has an invalid shell (Scored)< / td >
< td align = "left" > OK< / td >
< td align = "left" > Shell is nologin: < a href = "https://github.com/kubernetes/ingress-nginx/blob/5d67794f4fbf38ec6575476de46201b068eabf87/images/nginx/rootfs/build.sh#L613" > see this line in build script< / a > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > < strong > 2.3 Permissions and Ownership< / strong > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 2.3.1 Ensure NGINX directories and files are owned by root (Scored)< / td >
< td align = "left" > OK< / td >
< td align = "left" > Obsolete due to the container design; the ingress controller has to update the configs dynamically< / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 2.3.2 Ensure access to NGINX directories and files is restricted (Scored)< / td >
< td align = "left" > OK< / td >
< td align = "left" > See previous answer< / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 2.3.3 Ensure the NGINX process ID (PID) file is secured (Scored)< / td >
< td align = "left" > OK< / td >
< td align = "left" > No PID-File due to docker design< / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 2.3.4 Ensure the core dump directory is secured (Not Scored)< / td >
< td align = "left" > OK< / td >
< td align = "left" > No working_directory configured by default< / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > < strong > 2.4 Network Configuration< / strong > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 2.4.1 Ensure NGINX only listens for network connections on authorized ports (Not Scored)< / td >
< td align = "left" > OK< / td >
< td align = "left" > Ensured by automatic nginx.conf configuration< / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 2.4.2 Ensure requests for unknown host names are rejected (Not Scored)< / td >
< td align = "left" > OK< / td >
< td align = "left" > They are not rejected but sent to the "default backend", which delivers appropriate errors (mostly 404)< / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 2.4.3 Ensure keepalive_timeout is 10 seconds or less, but not 0 (Scored)< / td >
< td align = "left" > ACTION NEEDED< / td >
< td align = "left" > Default is 75s< / td >
< td align = "left" > configure keep-alive to 10 seconds < a href = "https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#keep-alive" > according to this documentation< / a > < / td >
< / tr >
< tr >
< td align = "left" > 2.4.4 Ensure send_timeout is set to 10 seconds or less, but not 0 (Scored)< / td >
< td align = "left" > RISK TO BE ACCEPTED< / td >
< td align = "left" > Not configured, however the nginx default is 60s< / td >
< td align = "left" > Not configurable< / td >
< / tr >
< tr >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > < strong > 2.5 Information Disclosure< / strong > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 2.5.1 Ensure server_tokens directive is set to < code > off< / code > (Scored)< / td >
< td align = "left" > OK< / td >
< td align = "left" > server_tokens is configured to off by default< / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 2.5.2 Ensure default error and index.html pages do not reference NGINX (Scored)< / td >
< td align = "left" > ACTION NEEDED< / td >
< td align = "left" > 404 shows no version at all, 503 and 403 show "nginx", which is hardcoded < a href = "https://github.com/nginx/nginx/blob/master/src/http/ngx_http_special_response.c#L36" > see this line in nginx source code< / a > < / td >
< td align = "left" > configure custom error pages at least for 403, 404, 500 and 503< / td >
< / tr >
< tr >
< td align = "left" > 2.5.3 Ensure hidden file serving is disabled (Not Scored)< / td >
< td align = "left" > ACTION NEEDED< / td >
< td align = "left" > config not set< / td >
< td align = "left" > configure a config.server-snippet, but beware of .well-known challenges or similar paths that must stay reachable. Refer to the benchmark for details< / td >
< / tr >
< tr >
< td align = "left" > 2.5.4 Ensure the NGINX reverse proxy does not enable information disclosure (Scored)< / td >
< td align = "left" > ACTION NEEDED< / td >
< td align = "left" > hide not configured< / td >
< td align = "left" > configure hide-headers with array of "X-Powered-By" and "Server": < a href = "https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#hide-headers" > according to this documentation< / a > < / td >
< / tr >
< tr >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > < strong > 3 Logging< / strong > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 3.1 Ensure detailed logging is enabled (Not Scored)< / td >
< td align = "left" > OK< / td >
< td align = "left" > nginx ingress has a very detailed log format by default< / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 3.2 Ensure access logging is enabled (Scored)< / td >
< td align = "left" > OK< / td >
< td align = "left" > Access log is enabled by default< / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 3.3 Ensure error logging is enabled and set to the info logging level (Scored)< / td >
< td align = "left" > OK< / td >
< td align = "left" > Error log is configured by default. The log level does not matter, because it is all sent to STDOUT anyway< / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 3.4 Ensure log files are rotated (Scored)< / td >
< td align = "left" > OBSOLETE< / td >
< td align = "left" > Log file handling is not part of the nginx ingress and should be handled separately< / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 3.5 Ensure error logs are sent to a remote syslog server (Not Scored)< / td >
< td align = "left" > OBSOLETE< / td >
< td align = "left" > See previous answer< / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 3.6 Ensure access logs are sent to a remote syslog server (Not Scored)< / td >
< td align = "left" > OBSOLETE< / td >
< td align = "left" > See previous answer< / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 3.7 Ensure proxies pass source IP information (Scored)< / td >
< td align = "left" > OK< / td >
< td align = "left" > Headers are set by default< / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > < strong > 4 Encryption< / strong > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > < strong > 4.1 TLS / SSL Configuration< / strong > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 4.1.1 Ensure HTTP is redirected to HTTPS (Scored)< / td >
< td align = "left" > OK< / td >
< td align = "left" > Redirect to TLS is default< / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 4.1.2 Ensure a trusted certificate and trust chain is installed (Not Scored)< / td >
< td align = "left" > ACTION NEEDED< / td >
< td align = "left" > There are plenty of guides on the web for installing certificates. A good approach is to use Let's Encrypt through cert-manager< / td >
< td align = "left" > Install proper certificates or use Let's Encrypt with cert-manager< / td >
< / tr >
< tr >
< td align = "left" > 4.1.3 Ensure private key permissions are restricted (Scored)< / td >
< td align = "left" > ACTION NEEDED< / td >
< td align = "left" > See previous answer< / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 4.1.4 Ensure only modern TLS protocols are used (Scored)< / td >
< td align = "left" > OK/ACTION NEEDED< / td >
< td align = "left" > Default is TLS 1.2 + 1.3. While this satisfies the CIS Benchmark, cipherlist.eu recommends only 1.3. Restricting to 1.3 may cut off clients on older operating systems< / td >
< td align = "left" > Set controller.config.ssl-protocols to "TLSv1.3"< / td >
< / tr >
< tr >
< td align = "left" > 4.1.5 Disable weak ciphers (Scored)< / td >
< td align = "left" > ACTION NEEDED< / td >
< td align = "left" > Default ciphers are already good, but cipherlist.eu recommends even stronger ciphers< / td >
< td align = "left" > Set controller.config.ssl-ciphers to "EECDH+AESGCM:EDH+AESGCM"< / td >
< / tr >
< tr >
< td align = "left" > 4.1.6 Ensure custom Diffie-Hellman parameters are used (Scored)< / td >
< td align = "left" > ACTION NEEDED< / td >
< td align = "left" > No custom DH parameters are generated< / td >
< td align = "left" > Generate DH parameters for each ingress deployment you use - < a href = "https://kubernetes.github.io/ingress-nginx/examples/customization/ssl-dh-param/" > see here for a how-to< / a > < / td >
< / tr >
< tr >
< td align = "left" > 4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled (Scored)< / td >
< td align = "left" > ACTION NEEDED< / td >
< td align = "left" > Not enabled< / td >
< td align = "left" > set via < a href = "https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#enable-ocsp" > this configuration parameter< / a > < / td >
< / tr >
< tr >
< td align = "left" > 4.1.8 Ensure HTTP Strict Transport Security (HSTS) is enabled (Scored)< / td >
< td align = "left" > OK< / td >
< td align = "left" > HSTS is enabled by default< / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 4.1.9 Ensure HTTP Public Key Pinning is enabled (Not Scored)< / td >
< td align = "left" > ACTION NEEDED / RISK TO BE ACCEPTED< / td >
< td align = "left" > HPKP not enabled by default< / td >
< td align = "left" > If Let's Encrypt is not used, set a correct HPKP header. There are several ways to implement this - with the Helm chart it works via controller.add-headers. If Let's Encrypt is used, this is complicated and no solution is known yet< / td >
< / tr >
< tr >
< td align = "left" > 4.1.10 Ensure upstream server traffic is authenticated with a client certificate (Scored)< / td >
< td align = "left" > DEPENDS ON BACKEND< / td >
< td align = "left" > Highly dependent on the backends; not every backend allows configuring this. It can also be mitigated via a service mesh< / td >
< td align = "left" > If backend allows it, < a href = "https://kubernetes.github.io/ingress-nginx/examples/auth/client-certs/" > manual is here< / a > < / td >
< / tr >
< tr >
< td align = "left" > 4.1.11 Ensure the upstream traffic server certificate is trusted (Not Scored)< / td >
< td align = "left" > DEPENDS ON BACKEND< / td >
< td align = "left" > Highly dependent on the backends; not every backend allows configuring this. It can also be mitigated via a service mesh< / td >
< td align = "left" > If backend allows it, < a href = "https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md#backend-certificate-authentication" > see configuration here< / a > < / td >
< / tr >
< tr >
< td align = "left" > 4.1.12 Ensure your domain is preloaded (Not Scored)< / td >
< td align = "left" > ACTION NEEDED< / td >
< td align = "left" > Preload is not active by default< / td >
< td align = "left" > Set controller.config.hsts-preload to true< / td >
< / tr >
< tr >
< td align = "left" > 4.1.13 Ensure session resumption is disabled to enable perfect forward security (Scored)< / td >
< td align = "left" > OK< / td >
< td align = "left" > Session tickets are disabled by default< / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 4.1.14 Ensure HTTP/2.0 is used (Not Scored)< / td >
< td align = "left" > OK< / td >
< td align = "left" > http2 is set by default< / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > < strong > 5 Request Filtering and Restrictions< / strong > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > < strong > 5.1 Access Control< / strong > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 5.1.1 Ensure allow and deny filters limit access to specific IP addresses (Not Scored)< / td >
< td align = "left" > OK/ACTION NEEDED< / td >
< td align = "left" > Depends on the use case; the GeoIP module is compiled into the nginx ingress controller, and there are several ways to use it< / td >
< td align = "left" > If needed, set IP restrictions via annotations or work with config snippets (be careful not to block the Let's Encrypt HTTP challenge!)< / td >
< / tr >
< tr >
< td align = "left" > 5.1.2 Ensure only whitelisted HTTP methods are allowed (Not Scored)< / td >
< td align = "left" > OK/ACTION NEEDED< / td >
< td align = "left" > Depends on use case< / td >
< td align = "left" > If required it can be set via config snippet< / td >
< / tr >
< tr >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > < strong > 5.2 Request Limits< / strong > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 5.2.1 Ensure timeout values for reading the client header and body are set correctly (Scored)< / td >
< td align = "left" > ACTION NEEDED< / td >
< td align = "left" > Default timeout is 60s< / td >
< td align = "left" > Set via < a href = "https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#client-header-timeout" > this configuration parameter< / a > and the respective body equivalent< / td >
< / tr >
< tr >
< td align = "left" > 5.2.2 Ensure the maximum request body size is set correctly (Scored)< / td >
< td align = "left" > ACTION NEEDED< / td >
< td align = "left" > Default is 1m< / td >
< td align = "left" > set via < a href = "https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#proxy-body-size" > this configuration parameter< / a > < / td >
< / tr >
< tr >
< td align = "left" > 5.2.3 Ensure the maximum buffer size for URIs is defined (Scored)< / td >
< td align = "left" > ACTION NEEDED< / td >
< td align = "left" > Default is 4 8k (four buffers of 8k each)< / td >
< td align = "left" > Set via < a href = "https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#large-client-header-buffers" > this configuration parameter< / a > < / td >
< / tr >
< tr >
< td align = "left" > 5.2.4 Ensure the number of connections per IP address is limited (Not Scored)< / td >
< td align = "left" > OK/ACTION NEEDED< / td >
< td align = "left" > No limit set< / td >
< td align = "left" > Depends on use case, limit can be set via < a href = "https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#rate-limiting" > these annotations< / a > < / td >
< / tr >
< tr >
< td align = "left" > 5.2.5 Ensure rate limits by IP address are set (Not Scored)< / td >
< td align = "left" > OK/ACTION NEEDED< / td >
< td align = "left" > No limit set< / td >
< td align = "left" > Depends on use case, limit can be set via < a href = "https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#rate-limiting" > these annotations< / a > < / td >
< / tr >
< tr >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > < strong > 5.3 Browser Security< / strong > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > 5.3.1 Ensure X-Frame-Options header is configured and enabled (Scored)< / td >
< td align = "left" > ACTION NEEDED< / td >
< td align = "left" > Header not set by default< / td >
< td align = "left" > There are several ways to implement this - with the Helm chart it works via controller.add-headers< / td >
< / tr >
< tr >
< td align = "left" > 5.3.2 Ensure X-Content-Type-Options header is configured and enabled (Scored)< / td >
< td align = "left" > ACTION NEEDED< / td >
< td align = "left" > See previous answer< / td >
< td align = "left" > See previous answer< / td >
< / tr >
< tr >
< td align = "left" > 5.3.3 Ensure the X-XSS-Protection Header is enabled and configured properly (Scored)< / td >
< td align = "left" > ACTION NEEDED< / td >
< td align = "left" > See previous answer< / td >
< td align = "left" > See previous answer< / td >
< / tr >
< tr >
< td align = "left" > 5.3.4 Ensure that Content Security Policy (CSP) is enabled and configured properly (Not Scored)< / td >
< td align = "left" > ACTION NEEDED< / td >
< td align = "left" > See previous answer< / td >
< td align = "left" > See previous answer< / td >
< / tr >
< tr >
< td align = "left" > 5.3.5 Ensure the Referrer Policy is enabled and configured properly (Not Scored)< / td >
< td align = "left" > ACTION NEEDED< / td >
< td align = "left" > Depends on the application. It should be handled in the application's web server itself, not in the load-balancing ingress< / td >
< td align = "left" > check backend webserver< / td >
< / tr >
< tr >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< td align = "left" > < / td >
< / tr >
< tr >
< td align = "left" > < strong > 6 Mandatory Access Control< / strong > < / td >
< td align = "left" > n/a< / td >
< td align = "left" > too high level, depends on backends< / td >
< td align = "left" > < / td >
< / tr >
< / tbody >
< / table >
< style >
@media only screen and (min-width: 768px) {
td:nth-child(1){
white-space:normal !important;
}
.md-typeset table:not([class]) td {
padding: .2rem .3rem;
}
}
< / style >
< / article >
< / div >
< / div >
< / main >
< footer class = "md-footer" >
< div class = "md-footer-nav" >
< nav class = "md-footer-nav__inner md-grid" aria-label = "Footer" >
< a href = "../upgrade/" title = "Upgrade" class = "md-footer-nav__link md-footer-nav__link--prev" rel = "prev" >
< div class = "md-footer-nav__button md-icon" >
< svg xmlns = "http://www.w3.org/2000/svg" viewBox = "0 0 24 24" > < path d = "M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z" / > < / svg >
< / div >
< div class = "md-footer-nav__title" >
< div class = "md-ellipsis" >
< span class = "md-footer-nav__direction" >
Previous
< / span >
Upgrade
< / div >
< / div >
< / a >
< a href = "../../user-guide/nginx-configuration/" title = "Introduction" class = "md-footer-nav__link md-footer-nav__link--next" rel = "next" >
< div class = "md-footer-nav__title" >
< div class = "md-ellipsis" >
< span class = "md-footer-nav__direction" >
Next
< / span >
Introduction
< / div >
< / div >
< div class = "md-footer-nav__button md-icon" >
< svg xmlns = "http://www.w3.org/2000/svg" viewBox = "0 0 24 24" > < path d = "M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4z" / > < / svg >
< / div >
< / a >
< / nav >
< / div >
< div class = "md-footer-meta md-typeset" >
< div class = "md-footer-meta__inner md-grid" >
< div class = "md-footer-copyright" >
Made with
< a href = "https://squidfunk.github.io/mkdocs-material/" target = "_blank" rel = "noopener" >
Material for MkDocs
< / a >
< / div >
< / div >
< / div >
< / footer >
< / div >
< script src = "../../assets/javascripts/vendor.3636a4ec.min.js" > < / script >
< script src = "../../assets/javascripts/bundle.e9fe3281.min.js" > < / script > < script id = "__lang" type = "application/json" > { "clipboard.copy" : "Copy to clipboard" , "clipboard.copied" : "Copied to clipboard" , "search.config.lang" : "en" , "search.config.pipeline" : "trimmer, stopWordFilter" , "search.config.separator" : "[\\s\\-]+" , "search.result.placeholder" : "Type to start searching" , "search.result.none" : "No matching documents" , "search.result.one" : "1 matching document" , "search.result.other" : "# matching documents" } < / script >
< script >
// Bootstraps the Material for MkDocs front-end for this page: asset paths are
// resolved relative to the site root ("../.."), and the search worker path is
// merged with a page-provided `search` object when one is defined.
app = initialize({
  base: "../..",
  features: ["tabs", "instant"],
  search: Object.assign(
    { worker: "../../assets/javascripts/worker/search.5eca75d3.min.js" },
    typeof search === "undefined" ? false : search
  )
})
< / script >
< / body >
< / html >