DevFW-CICD/ingress-nginx-helm
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ingress-nginx-helm/deploy/hardening-guide/index.html

1833 lines
52 KiB
HTML
Raw Normal View History

Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<link rel="canonical" href="https://kubernetes.github.io/ingress-nginx/deploy/hardening-guide/">
<link rel="shortcut icon" href="../../assets/images/favicon.png">
Deploy GitHub Pages
2020-09-02 00:02:26 +00:00
<meta name="generator" content="mkdocs-1.1.2, mkdocs-material-5.5.12">
Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
<title>Hardening guide - NGINX Ingress Controller</title>
Deploy GitHub Pages
2020-09-02 00:02:26 +00:00
<link rel="stylesheet" href="../../assets/stylesheets/main.4dd2dd8d.min.css">
Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
Deploy GitHub Pages
2020-09-02 00:02:26 +00:00
<link rel="stylesheet" href="../../assets/stylesheets/palette.6a5ad368.min.css">
Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
Deploy GitHub Pages
2020-09-02 00:02:26 +00:00
<meta name="theme-color" content="#009485">
Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
<link href="https://fonts.gstatic.com" rel="preconnect" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback">
<style>body,input{font-family:"Roboto",-apple-system,BlinkMacSystemFont,Helvetica,Arial,sans-serif}code,kbd,pre{font-family:"Roboto Mono",SFMono-Regular,Consolas,Menlo,monospace}</style>
<link rel="stylesheet" href="../../extra.css">
Deploy GitHub Pages
2020-09-02 00:02:26 +00:00
<script>window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)},ga.l=+new Date,ga("create","UA-118407822-1","kubernetes.github.io"),ga("set","anonymizeIp",!0),ga("send","pageview"),document.addEventListener("DOMContentLoaded",function(){document.forms.search&&document.forms.search.query.addEventListener("blur",function(){if(this.value){var e=document.location.pathname;ga("send","pageview",e+"?q="+this.value)}})}),document.addEventListener("DOMContentSwitch",function(){ga("send","pageview",document.location.pathname)})</script>
Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
<script async src="https://www.google-analytics.com/analytics.js"></script>
</head>
<body dir="ltr" data-md-color-scheme="" data-md-color-primary="teal" data-md-color-accent="green">
Deploy GitHub Pages
2020-09-02 00:02:26 +00:00
Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#hardening-guide" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<header class="md-header" data-md-component="header">
<nav class="md-header-nav md-grid" aria-label="Header">
<a href="https://kubernetes.github.io/ingress-nginx" title="NGINX Ingress Controller" class="md-header-nav__button md-logo" aria-label="NGINX Ingress Controller">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 003-3 3 3 0 00-3-3 3 3 0 00-3 3 3 3 0 003 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54z"/></svg>
</a>
<label class="md-header-nav__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2z"/></svg>
</label>
<div class="md-header-nav__title" data-md-component="header-title">
<div class="md-header-nav__ellipsis">
<span class="md-header-nav__topic md-ellipsis">
NGINX Ingress Controller
</span>
<span class="md-header-nav__topic md-ellipsis">
Hardening guide
</span>
</div>
</div>
<label class="md-header-nav__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0116 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 019.5 16 6.5 6.5 0 013 9.5 6.5 6.5 0 019.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" data-md-state="active">
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0116 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 019.5 16 6.5 6.5 0 013 9.5 6.5 6.5 0 019.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
</label>
<button type="reset" class="md-search__icon md-icon" aria-label="Clear" data-md-component="search-reset" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41L17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41z"/></svg>
</button>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header-nav__source">
<a href="https://github.com/kubernetes/ingress-nginx/" title="Go to repository" class="md-source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05L244 40.45a28.87 28.87 0 00-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 01-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 000 40.81l195.61 195.6a28.86 28.86 0 0040.8 0l194.69-194.69a28.86 28.86 0 000-40.81z"/></svg>
</div>
<div class="md-source__repository">
kubernetes/ingress-nginx
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<nav class="md-tabs md-tabs--active" aria-label="Tabs" data-md-component="tabs">
<div class="md-tabs__inner md-grid">
<ul class="md-tabs__list">
<li class="md-tabs__item">
<a href="../.." class="md-tabs__link">
Welcome
</a>
</li>
<li class="md-tabs__item">
<a href="../" class="md-tabs__link md-tabs__link--active">
Deployment
</a>
</li>
<li class="md-tabs__item">
<a href="../../user-guide/nginx-configuration/" class="md-tabs__link">
User guide
</a>
</li>
<li class="md-tabs__item">
<a href="../../examples/" class="md-tabs__link">
Examples
</a>
</li>
</ul>
</div>
</nav>
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="navigation">
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href="https://kubernetes.github.io/ingress-nginx" title="NGINX Ingress Controller" class="md-nav__button md-logo" aria-label="NGINX Ingress Controller">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 003-3 3 3 0 00-3-3 3 3 0 00-3 3 3 3 0 003 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54z"/></svg>
</a>
NGINX Ingress Controller
</label>
<div class="md-nav__source">
<a href="https://github.com/kubernetes/ingress-nginx/" title="Go to repository" class="md-source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05L244 40.45a28.87 28.87 0 00-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 01-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 000 40.81l195.61 195.6a28.86 28.86 0 0040.8 0l194.69-194.69a28.86 28.86 0 000-40.81z"/></svg>
</div>
<div class="md-source__repository">
kubernetes/ingress-nginx
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="nav-1" type="checkbox" id="nav-1">
<label class="md-nav__link" for="nav-1">
Welcome
Deploy GitHub Pages
2020-09-02 00:02:26 +00:00
<span class="md-nav__icon md-icon"></span>
Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
</label>
<nav class="md-nav" aria-label="Welcome" data-md-level="1">
<label class="md-nav__title" for="nav-1">
Deploy GitHub Pages
2020-09-02 00:02:26 +00:00
<span class="md-nav__icon md-icon"></span>
Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
Welcome
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../.." title="Welcome" class="md-nav__link">
Welcome
</a>
</li>
<li class="md-nav__item">
<a href="../../how-it-works/" title="How it works" class="md-nav__link">
How it works
</a>
</li>
<li class="md-nav__item">
<a href="../../troubleshooting/" title="Troubleshooting" class="md-nav__link">
Troubleshooting
</a>
</li>
<li class="md-nav__item">
<a href="../../kubectl-plugin/" title="kubectl plugin" class="md-nav__link">
kubectl plugin
</a>
</li>
<li class="md-nav__item">
<a href="../../development/" title="Development" class="md-nav__link">
Development
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="nav-2" type="checkbox" id="nav-2" checked>
<label class="md-nav__link" for="nav-2">
Deployment
Deploy GitHub Pages
2020-09-02 00:02:26 +00:00
<span class="md-nav__icon md-icon"></span>
Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
</label>
<nav class="md-nav" aria-label="Deployment" data-md-level="1">
<label class="md-nav__title" for="nav-2">
Deploy GitHub Pages
2020-09-02 00:02:26 +00:00
<span class="md-nav__icon md-icon"></span>
Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
Deployment
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../" title="Installation Guide" class="md-nav__link">
Installation Guide
</a>
</li>
<li class="md-nav__item">
<a href="../baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
</a>
</li>
<li class="md-nav__item">
<a href="../upgrade/" title="Upgrade" class="md-nav__link">
Upgrade
</a>
</li>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" data-md-toggle="toc" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
Hardening guide
Deploy GitHub Pages
2020-09-02 00:02:26 +00:00
<span class="md-nav__icon md-icon"></span>
Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
</label>
<a href="./" title="Hardening guide" class="md-nav__link md-nav__link--active">
Hardening guide
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
Deploy GitHub Pages
2020-09-02 00:02:26 +00:00
<span class="md-nav__icon md-icon"></span>
Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
Table of contents
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="#overview" class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item">
<a href="#configuration-guide" class="md-nav__link">
Configuration Guide
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="nav-3" type="checkbox" id="nav-3">
<label class="md-nav__link" for="nav-3">
User guide
Deploy GitHub Pages
2020-09-02 00:02:26 +00:00
<span class="md-nav__icon md-icon"></span>
Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
</label>
<nav class="md-nav" aria-label="User guide" data-md-level="1">
<label class="md-nav__title" for="nav-3">
Deploy GitHub Pages
2020-09-02 00:02:26 +00:00
<span class="md-nav__icon md-icon"></span>
Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
User guide
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="nav-3-1" type="checkbox" id="nav-3-1">
<label class="md-nav__link" for="nav-3-1">
NGINX Configuration
Deploy GitHub Pages
2020-09-02 00:02:26 +00:00
<span class="md-nav__icon md-icon"></span>
Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
</label>
<nav class="md-nav" aria-label="NGINX Configuration" data-md-level="2">
<label class="md-nav__title" for="nav-3-1">
Deploy GitHub Pages
2020-09-02 00:02:26 +00:00
<span class="md-nav__icon md-icon"></span>
Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
NGINX Configuration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../user-guide/nginx-configuration/" title="Introduction" class="md-nav__link">
Introduction
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/basic-usage/" title="Basic usage" class="md-nav__link">
Basic usage
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/nginx-configuration/annotations/" title="Annotations" class="md-nav__link">
Annotations
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/nginx-configuration/configmap/" title="ConfigMap" class="md-nav__link">
ConfigMap
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/nginx-configuration/custom-template/" title="Custom NGINX template" class="md-nav__link">
Custom NGINX template
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/nginx-configuration/log-format/" title="Log format" class="md-nav__link">
Log format
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../user-guide/cli-arguments/" title="Command line arguments" class="md-nav__link">
Command line arguments
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/custom-errors/" title="Custom errors" class="md-nav__link">
Custom errors
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/default-backend/" title="Default backend" class="md-nav__link">
Default backend
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/fcgi-services/" title="Exposing FCGI services" class="md-nav__link">
Exposing FCGI services
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/external-articles/" title="External Articles" class="md-nav__link">
External Articles
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/miscellaneous/" title="Miscellaneous" class="md-nav__link">
Miscellaneous
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/monitoring/" title="Prometheus and Grafana installation" class="md-nav__link">
Prometheus and Grafana installation
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/multiple-ingress/" title="Multiple Ingress controllers" class="md-nav__link">
Multiple Ingress controllers
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/tls/" title="TLS/HTTPS" class="md-nav__link">
TLS/HTTPS
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="nav-3-13" type="checkbox" id="nav-3-13">
<label class="md-nav__link" for="nav-3-13">
Third party addons
Deploy GitHub Pages
2020-09-02 00:02:26 +00:00
<span class="md-nav__icon md-icon"></span>
Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
</label>
<nav class="md-nav" aria-label="Third party addons" data-md-level="2">
<label class="md-nav__title" for="nav-3-13">
Deploy GitHub Pages
2020-09-02 00:02:26 +00:00
<span class="md-nav__icon md-icon"></span>
Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
Third party addons
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../user-guide/third-party-addons/modsecurity/" title="ModSecurity Web Application Firewall" class="md-nav__link">
ModSecurity Web Application Firewall
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/third-party-addons/opentracing/" title="OpenTracing" class="md-nav__link">
OpenTracing
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="nav-4" type="checkbox" id="nav-4">
<label class="md-nav__link" for="nav-4">
Examples
Deploy GitHub Pages
2020-09-02 00:02:26 +00:00
<span class="md-nav__icon md-icon"></span>
Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
</label>
<nav class="md-nav" aria-label="Examples" data-md-level="1">
<label class="md-nav__title" for="nav-4">
Deploy GitHub Pages
2020-09-02 00:02:26 +00:00
<span class="md-nav__icon md-icon"></span>
Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
Examples
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../examples/" title="Introduction" class="md-nav__link">
Introduction
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/PREREQUISITES/" title="Prerequisites" class="md-nav__link">
Prerequisites
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/affinity/cookie/" title="Sticky Sessions" class="md-nav__link">
Sticky Sessions
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="nav-4-4" type="checkbox" id="nav-4-4">
<label class="md-nav__link" for="nav-4-4">
Auth
Deploy GitHub Pages
2020-09-02 00:02:26 +00:00
<span class="md-nav__icon md-icon"></span>
Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
</label>
<nav class="md-nav" aria-label="Auth" data-md-level="2">
<label class="md-nav__title" for="nav-4-4">
Deploy GitHub Pages
2020-09-02 00:02:26 +00:00
<span class="md-nav__icon md-icon"></span>
Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
Auth
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../examples/auth/basic/" title="Basic Authentication" class="md-nav__link">
Basic Authentication
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/auth/client-certs/" title="Client Certificate Authentication" class="md-nav__link">
Client Certificate Authentication
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/auth/external-auth/" title="External Basic Authentication" class="md-nav__link">
External Basic Authentication
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/auth/oauth-external-auth/" title="External OAUTH Authentication" class="md-nav__link">
External OAUTH Authentication
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="nav-4-5" type="checkbox" id="nav-4-5">
<label class="md-nav__link" for="nav-4-5">
Customization
Deploy GitHub Pages
2020-09-02 00:02:26 +00:00
<span class="md-nav__icon md-icon"></span>
Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
</label>
<nav class="md-nav" aria-label="Customization" data-md-level="2">
<label class="md-nav__title" for="nav-4-5">
Deploy GitHub Pages
2020-09-02 00:02:26 +00:00
<span class="md-nav__icon md-icon"></span>
Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
Customization
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../examples/customization/configuration-snippets/" title="Configuration Snippets" class="md-nav__link">
Configuration Snippets
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/custom-configuration/" title="Custom Configuration" class="md-nav__link">
Custom Configuration
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/custom-errors/" title="Custom Errors" class="md-nav__link">
Custom Errors
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/custom-headers/" title="Custom Headers" class="md-nav__link">
Custom Headers
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/ssl-dh-param/" title="Custom DH parameters for perfect forward secrecy" class="md-nav__link">
Custom DH parameters for perfect forward secrecy
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/sysctl/" title="Sysctl tuning" class="md-nav__link">
Sysctl tuning
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../examples/docker-registry/" title="Docker registry" class="md-nav__link">
Docker registry
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/grpc/" title="gRPC" class="md-nav__link">
gRPC
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/multi-tls/" title="Multi TLS certificate termination" class="md-nav__link">
Multi TLS certificate termination
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/rewrite/" title="Rewrite" class="md-nav__link">
Rewrite
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/static-ip/" title="Static IPs" class="md-nav__link">
Static IPs
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/tls-termination/" title="TLS termination" class="md-nav__link">
TLS termination
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/psp/" title="Pod Security Policy (PSP)" class="md-nav__link">
Pod Security Policy (PSP)
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="toc">
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
Deploy GitHub Pages
2020-09-02 00:02:26 +00:00
<span class="md-nav__icon md-icon"></span>
Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
Table of contents
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="#overview" class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item">
<a href="#configuration-guide" class="md-nav__link">
Configuration Guide
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content">
<article class="md-content__inner md-typeset">
<a href="https://github.com/kubernetes/ingress-nginx/edit/master/docs/deploy/hardening-guide.md" title="Edit this page" class="md-content__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20.71 7.04c.39-.39.39-1.04 0-1.41l-2.34-2.34c-.37-.39-1.02-.39-1.41 0l-1.84 1.83 3.75 3.75M3 17.25V21h3.75L17.81 9.93l-3.75-3.75L3 17.25z"/></svg>
</a>
<h1 id="hardening-guide">Hardening Guide<a class="headerlink" href="#hardening-guide" title="Permanent link"></a></h1>
<h2 id="overview">Overview<a class="headerlink" href="#overview" title="Permanent link"></a></h2>
Deploy GitHub Pages
2020-09-02 00:02:26 +00:00
<p>There are several ways to do hardening and securing of nginx. In this documentation two guides are used, the guides are
Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
overlapping in some points:</p>
<ul>
<li><a href="https://www.cisecurity.org/benchmark/nginx/">nginx CIS Benchmark</a></li>
<li><a href="https://cipherlist.eu/">cipherlist.eu</a> (one of many forks of the now dead project cipherli.st)</li>
</ul>
Deploy GitHub Pages
2020-09-02 00:02:26 +00:00
<p>This guide describes, what of the different configurations described in those guides is already implemented as default
Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
in the nginx implementation of kubernetes ingress, what needs to be configured, what is obsolete due to the fact that
the nginx is running as container (the CIS benchmark relates to a non-containerized installation) and what is difficult
or not possible.</p>
<p>Be aware that this is only a guide and you are responsible for your own implementation. Some of the configurations may
lead to have specific clients unable to reach your site or similar consequences.</p>
<p>This guide refers to chapters in the CIS Benchmark. For full explanation you should refer to the benchmark document itself</p>
<h2 id="configuration-guide">Configuration Guide<a class="headerlink" href="#configuration-guide" title="Permanent link"></a></h2>
<table>
<thead>
<tr>
<th align="left">Chapter in CIS benchmark</th>
<th align="left">Status</th>
<th align="left">Default</th>
<th align="left">Action to do if not default</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left"><strong>1 Initial Setup</strong></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><strong>1.1 Installation</strong></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left">1.1.1 Ensure NGINX is installed (Scored)</td>
<td align="left">OK</td>
<td align="left">done through helm charts / following documentation to deploy nginx ingress</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">1.1.2 Ensure NGINX is installed from source (Not Scored)</td>
<td align="left">OK</td>
<td align="left">done through helm charts / following documentation to deploy nginx ingress</td>
<td align="left"></td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><strong>1.2 Configure Software Updates</strong></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left">1.2.1 Ensure package manager repositories are properly configured (Not Scored)</td>
<td align="left">OK</td>
<td align="left">done via helm, nginx version could be overwritten, however compability is not ensured then</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">1.2.2 Ensure the latest software package is installed (Not Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">done via helm, nginx version could be overwritten, however compability is not ensured then</td>
<td align="left">Plan for periodic updates</td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><strong>2 Basic Configuration</strong></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><strong>2.1 Minimize NGINX Modules</strong></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left">2.1.1 Ensure only required modules are installed (Not Scored)</td>
<td align="left">OK</td>
<td align="left">Already only needed modules are installed, however proposals for further reduction are welcome</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">2.1.2 Ensure HTTP WebDAV module is not installed (Scored)</td>
<td align="left">RISK TO BE ACCEPTED</td>
<td align="left">It is installed, see compile options <a href="https://github.com/kubernetes/ingress-nginx/blob/master/images/nginx/rootfs/build.sh#L445">here</a>. Disabling that would require building own image for nginx ingress controller. The effort is too high in comparison to the achieved effect</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">2.1.3 Ensure modules with gzip functionality are disabled (Scored)</td>
<td align="left">RISK TO BE ACCEPTED</td>
<td align="left">See previous answer</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">2.1.4 Ensure the autoindex module is disabled (Scored)</td>
<td align="left">OK</td>
<td align="left">No autoindex configs so far in ingress defaults</td>
<td align="left"></td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><strong>2.2 Account Security</strong></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left">2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account (Not Scored)</td>
<td align="left">OK</td>
<td align="left">Pod configured as user www-data: <a href="https://github.com/kubernetes/ingress-nginx/blob/0cbe783f43a9313c9c26136e888324b1ee91a72f/charts/ingress-nginx/values.yaml#L10">See this line in helm chart values</a>. Compiled with user www-data: <a href="https://github.com/kubernetes/ingress-nginx/blob/5d67794f4fbf38ec6575476de46201b068eabf87/images/nginx/rootfs/build.sh#L529">See this line in build script</a></td>
<td align="left"></td>
</tr>
<tr>
<td align="left">2.2.2 Ensure the NGINX service account is locked (Scored)</td>
<td align="left">OK</td>
<td align="left">Docker design ensures this</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">2.2.3 Ensure the NGINX service account has an invalid shell (Scored)</td>
<td align="left">OK</td>
<td align="left">Shell is nologin: <a href="https://github.com/kubernetes/ingress-nginx/blob/5d67794f4fbf38ec6575476de46201b068eabf87/images/nginx/rootfs/build.sh#L613">see this line in build script</a></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><strong>2.3 Permissions and Ownership</strong></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left">2.3.1 Ensure NGINX directories and files are owned by root (Scored)</td>
<td align="left">OK</td>
<td align="left">Obsolete through docker-design and ingress controller needs to update the configs dynamically</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">2.3.2 Ensure access to NGINX directories and files is restricted (Scored)</td>
<td align="left">OK</td>
<td align="left">See previous answer</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">2.3.3 Ensure the NGINX process ID (PID) file is secured (Scored)</td>
<td align="left">OK</td>
<td align="left">No PID-File due to docker design</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">2.3.4 Ensure the core dump directory is secured (Not Scored)</td>
<td align="left">OK</td>
<td align="left">No working_directory configured by default</td>
<td align="left"></td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><strong>2.4 Network Configuration</strong></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left">2.4.1 Ensure NGINX only listens for network connections on authorized ports (Not Scored)</td>
<td align="left">OK</td>
<td align="left">Ensured by automatic nginx.conf configuration</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">2.4.2 Ensure requests for unknown host names are rejected (Not Scored)</td>
<td align="left">OK</td>
<td align="left">They are not rejected but send to the "default backend" delivering approriate errors (mostly 404)</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">2.4.3 Ensure keepalive_timeout is 10 seconds or less, but not 0 (Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">Default is 75s</td>
<td align="left">configure keep-alive to 10 seconds <a href="https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#keep-alive">according to this documentation</a></td>
</tr>
<tr>
<td align="left">2.4.4 Ensure send_timeout is set to 10 seconds or less, but not 0 (Scored)</td>
<td align="left">RISK TO BE ACCEPTED</td>
<td align="left">Not configured, however the nginx default is 60s</td>
<td align="left">Not configurable</td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><strong>2.5 Information Disclosure</strong></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left">2.5.1 Ensure server_tokens directive is set to <code>off</code> (Scored)</td>
<td align="left">OK</td>
Deploy GitHub Pages
2020-09-17 12:53:19 +00:00
<td align="left">server_tokens is configured to off by default</td>
Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
<td align="left"></td>
</tr>
<tr>
<td align="left">2.5.2 Ensure default error and index.html pages do not reference NGINX (Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">404 shows no version at all, 503 and 403 show "nginx", which is hardcoded <a href="https://github.com/nginx/nginx/blob/master/src/http/ngx_http_special_response.c#L36">see this line in nginx source code</a></td>
<td align="left">configure custom error pages at least for 403, 404 and 503 and 500</td>
</tr>
<tr>
<td align="left">2.5.3 Ensure hidden file serving is disabled (Not Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">config not set</td>
<td align="left">configure a config.server-snippet Snippet, but beware of .well-known challenges or similar. Refer to the benchmark here please</td>
</tr>
<tr>
<td align="left">2.5.4 Ensure the NGINX reverse proxy does not enable information disclosure (Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">hide not configured</td>
<td align="left">configure hide-headers with array of "X-Powered-By" and "Server": <a href="https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#hide-headers">according to this documentation</a></td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><strong>3 Logging</strong></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left">3.1 Ensure detailed logging is enabled (Not Scored)</td>
<td align="left">OK</td>
<td align="left">Ningx ingress has a very detailled log format by default</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">3.2 Ensure access logging is enabled (Scored)</td>
<td align="left">OK</td>
<td align="left">Access log is enabled by default</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">3.3 Ensure error logging is enabled and set to the info logging level (Scored)</td>
<td align="left">OK</td>
<td align="left">Error log is configured by default. The log level does not matter, because it is all sent to STDOUT anyway</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">3.4 Ensure log files are rotated (Scored)</td>
<td align="left">OBSOLETE</td>
<td align="left">Log file handling is not part of the nginx ingress and should be handled separatly</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">3.5 Ensure error logs are sent to a remote syslog server (Not Scored)</td>
<td align="left">OBSOLETE</td>
<td align="left">See previous answer</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">3.6 Ensure access logs are sent to a remote syslog server (Not Scored)</td>
<td align="left">OBSOLETE</td>
<td align="left">See previous answer</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">3.7 Ensure proxies pass source IP information (Scored)</td>
<td align="left">OK</td>
<td align="left">Headers are set by default</td>
<td align="left"></td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><strong>4 Encryption</strong></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><strong>4.1 TLS / SSL Configuration</strong></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left">4.1.1 Ensure HTTP is redirected to HTTPS (Scored)</td>
<td align="left">OK</td>
<td align="left">Redirect to TLS is default</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">4.1.2 Ensure a trusted certificate and trust chain is installed (Not Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">For installing certs there are enough manuals in the web. A good way is to use lets encrypt through cert-manager</td>
<td align="left">Install proper certificates or use lets encrypt with cert-manager</td>
</tr>
<tr>
<td align="left">4.1.3 Ensure private key permissions are restricted (Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">See previous answer</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">4.1.4 Ensure only modern TLS protocols are used (Scored)</td>
<td align="left">OK/ACTION NEEDED</td>
<td align="left">Default is TLS 1.2 + 1.3, while this is okay for CIS Benchmark, cipherlist.eu only recommends 1.3. This may cut off old OS's</td>
<td align="left">Set controller.config.ssl-protocols to "TLSv1.3"</td>
</tr>
<tr>
<td align="left">4.1.5 Disable weak ciphers (Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">Default ciphers are already good, but cipherlist.eu recommends even stronger ciphers</td>
<td align="left">Set controller.config.ssl-ciphers to "EECDH+AESGCM:EDH+AESGCM"</td>
</tr>
<tr>
<td align="left">4.1.6 Ensure custom Diffie-Hellman parameters are used (Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">No custom DH parameters are generated</td>
<td align="left">Generate dh parameters for each ingress deployment you use - <a href="https://kubernetes.github.io/ingress-nginx/examples/customization/ssl-dh-param/">see here for a how to</a></td>
</tr>
<tr>
<td align="left">4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled (Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">Not enabled</td>
<td align="left">set via <a href="https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#enable-ocsp">this configuration parameter</a></td>
</tr>
<tr>
<td align="left">4.1.8 Ensure HTTP Strict Transport Security (HSTS) is enabled (Scored)</td>
<td align="left">OK</td>
<td align="left">HSTS is enabled by default</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">4.1.9 Ensure HTTP Public Key Pinning is enabled (Not Scored)</td>
<td align="left">ACTION NEEDED / RISK TO BE ACCEPTED</td>
<td align="left">HKPK not enabled by default</td>
<td align="left">If lets encrypt is not used, set correct HPKP header. There are several ways to implement this - with the helm charts it works via controller.add-headers. If lets encrypt is used, this is complicated, a solution here is yet unknown</td>
</tr>
<tr>
<td align="left">4.1.10 Ensure upstream server traffic is authenticated with a client certificate (Scored)</td>
<td align="left">DEPENDS ON BACKEND</td>
<td align="left">Highly dependend on backends, not every backend allows configuring this, can also be mitigated via a service mesh</td>
<td align="left">If backend allows it, <a href="https://kubernetes.github.io/ingress-nginx/examples/auth/client-certs/">manual is here</a></td>
</tr>
<tr>
<td align="left">4.1.11 Ensure the upstream traffic server certificate is trusted (Not Scored)</td>
<td align="left">DEPENDS ON BACKEND</td>
<td align="left">Highly dependend on backends, not every backend allows configuring this, can also be mitigated via a service mesh</td>
<td align="left">If backend allows it, <a href="https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md#backend-certificate-authentication">see configuration here</a></td>
</tr>
<tr>
<td align="left">4.1.12 Ensure your domain is preloaded (Not Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">Preload is not active by default</td>
<td align="left">Set controller.config.hsts-preload to true</td>
</tr>
<tr>
<td align="left">4.1.13 Ensure session resumption is disabled to enable perfect forward security (Scored)</td>
Deploy GitHub Pages
2020-09-18 08:40:04 +00:00
<td align="left">OK</td>
<td align="left">Session tickets are disabled by default</td>
<td align="left"></td>
Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
</tr>
<tr>
<td align="left">4.1.14 Ensure HTTP/2.0 is used (Not Scored)</td>
<td align="left">OK</td>
<td align="left">http2 is set by default</td>
<td align="left"></td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><strong>5 Request Filtering and Restrictions</strong></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><strong>5.1 Access Control</strong></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left">5.1.1 Ensure allow and deny filters limit access to specific IP addresses (Not Scored)</td>
<td align="left">OK/ACTION NEEDED</td>
<td align="left">Depends on use case, geo ip module is compiled into nginx ingress controller, there are several ways to use it</td>
<td align="left">If needed set IP restrictions via annotations or work with config snippets (be careful with lets-encrypt-http-challenge!)</td>
</tr>
<tr>
<td align="left">5.1.2 Ensure only whitelisted HTTP methods are allowed (Not Scored)</td>
<td align="left">OK/ACTION NEEDED</td>
<td align="left">Depends on use case</td>
<td align="left">If required it can be set via config snippet</td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><strong>5.2 Request Limits</strong></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left">5.2.1 Ensure timeout values for reading the client header and body are set correctly (Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">Default timeout is 60s</td>
<td align="left">Set via <a href="https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#client-header-timeout">this configuration parameter</a> and respective body aequivalent</td>
</tr>
<tr>
<td align="left">5.2.2 Ensure the maximum request body size is set correctly (Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">Default is 1m</td>
<td align="left">set via <a href="https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#proxy-body-size">this configuration parameter</a></td>
</tr>
<tr>
<td align="left">5.2.3 Ensure the maximum buffer size for URIs is defined (Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">Default is 4 8k</td>
<td align="left">Set via <a href="https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#large-client-header-buffers">this configuration parameter</a></td>
</tr>
<tr>
<td align="left">5.2.4 Ensure the number of connections per IP address is limited (Not Scored)</td>
<td align="left">OK/ACTION NEEDED</td>
<td align="left">No limit set</td>
<td align="left">Depends on use case, limit can be set via <a href="https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#rate-limiting">these annotations</a></td>
</tr>
<tr>
<td align="left">5.2.5 Ensure rate limits by IP address are set (Not Scored)</td>
<td align="left">OK/ACTION NEEDED</td>
<td align="left">No limit set</td>
<td align="left">Depends on use case, limit can be set via <a href="https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#rate-limiting">these annotations</a></td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><strong>5.3 Browser Security</strong></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left">5.3.1 Ensure X-Frame-Options header is configured and enabled (Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">Header not set by default</td>
<td align="left">Several ways to implement this - with the helm charts it works via controller.add-headers</td>
</tr>
<tr>
<td align="left">5.3.2 Ensure X-Content-Type-Options header is configured and enabled (Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">See previous answer</td>
<td align="left">See previous answer</td>
</tr>
<tr>
<td align="left">5.3.3 Ensure the X-XSS-Protection Header is enabled and configured properly (Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">See previous answer</td>
<td align="left">See previous answer</td>
</tr>
<tr>
<td align="left">5.3.4 Ensure that Content Security Policy (CSP) is enabled and configured properly (Not Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">See previous answer</td>
<td align="left">See previous answer</td>
</tr>
<tr>
<td align="left">5.3.5 Ensure the Referrer Policy is enabled and configured properly (Not Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">Depends on application. It should be handled in the applications webserver itself, not in the load balancing ingress</td>
<td align="left">check backend webserver</td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><strong>6 Mandatory Access Control</strong></td>
<td align="left">n/a</td>
<td align="left">too high level, depends on backends</td>
<td align="left"></td>
</tr>
</tbody>
</table>
Deploy GitHub Pages
2020-09-02 00:02:26 +00:00
<style type="text/css" rel="stylesheet">
@media only screen and (min-width: 768px) {
td:nth-child(1){
white-space:normal !important;
}
.md-typeset table:not([class]) td {
padding: .2rem .3rem;
}
}
</style>
Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
</article>
</div>
</div>
</main>
<footer class="md-footer">
<div class="md-footer-nav">
<nav class="md-footer-nav__inner md-grid" aria-label="Footer">
<a href="../upgrade/" title="Upgrade" class="md-footer-nav__link md-footer-nav__link--prev" rel="prev">
<div class="md-footer-nav__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
</div>
<div class="md-footer-nav__title">
<div class="md-ellipsis">
<span class="md-footer-nav__direction">
Previous
</span>
Upgrade
</div>
</div>
</a>
<a href="../../user-guide/nginx-configuration/" title="Introduction" class="md-footer-nav__link md-footer-nav__link--next" rel="next">
<div class="md-footer-nav__title">
<div class="md-ellipsis">
<span class="md-footer-nav__direction">
Next
</span>
Introduction
</div>
</div>
<div class="md-footer-nav__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4z"/></svg>
</div>
</a>
</nav>
</div>
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-footer-copyright">
Made with
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs
</a>
</div>
</div>
</div>
</footer>
</div>
Deploy GitHub Pages
2020-09-02 00:02:26 +00:00
<script src="../../assets/javascripts/vendor.3636a4ec.min.js"></script>
<script src="../../assets/javascripts/bundle.e9fe3281.min.js"></script><script id="__lang" type="application/json">{"clipboard.copy": "Copy to clipboard", "clipboard.copied": "Copied to clipboard", "search.config.lang": "en", "search.config.pipeline": "trimmer, stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.result.placeholder": "Type to start searching", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents"}</script>
Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
<script>
app = initialize({
base: "../..",
features: ["tabs", "instant"],
search: Object.assign({
Deploy GitHub Pages
2020-09-02 00:02:26 +00:00
worker: "../../assets/javascripts/worker/search.5eca75d3.min.js"
Deploy GitHub Pages
2020-09-01 21:19:11 +00:00
}, typeof search !== "undefined" && search)
})
</script>
</body>
</html>
Reference in a new issue Copy permalink