DevFW-CICD/ingress-nginx-helm
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Deploy GitHub Pages

Browse source
This commit is contained in:
Travis Bot 2018-09-12 12:51:00 +00:00
parent 700e4bf32f
commit 4f06fb09d5
8 changed files with 245 additions and 69 deletions
Download patch file Download diff file Expand all files Collapse all files

15
user-guide/nginx-configuration/annotations/index.html
View file

@ -2238,15 +2238,18 @@ This can be used to mitigate <a href="https://www.nginx.com/blog/mitigating-ddos
<h3 id="permanent-redirect-code">Permanent Redirect Code<a class="headerlink" href="#permanent-redirect-code" title="Permanent link">&para;</a></h3>
<p>This annotation allows you to modify the status code used for permanent redirects. For example <code class="codehilite">nginx.ingress.kubernetes.io/permanent-redirect-code: &#39;308&#39;</code> would return your permanent-redirect with a 308.</p>
<h3 id="ssl-passthrough">SSL Passthrough<a class="headerlink" href="#ssl-passthrough" title="Permanent link">&para;</a></h3>
<p>The annotation <code class="codehilite">nginx.ingress.kubernetes.io/ssl-passthrough</code> allows to configure TLS termination in the pod and not in NGINX.</p>
<div class="admonition attention">
<p class="admonition-title">Attention</p>
<p>Using the annotation <code class="codehilite">nginx.ingress.kubernetes.io/ssl-passthrough</code> invalidates all the other available annotations.
This is because SSL Passthrough works on level 4 of the OSI stack (TCP), not on the HTTP/HTTPS level.</p>
<p>The annotation <code class="codehilite">nginx.ingress.kubernetes.io/ssl-passthrough</code> instructs the controller to send TLS connections directly
to the backend instead of letting NGINX decrypt the communication. See also <a href="../../tls/#ssl-passthrough">TLS/HTTPS</a> in
the User guide.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>SSL Passthrough is <strong>disabled by default</strong> and requires starting the controller with the
<a href="../../cli-arguments/"><code class="codehilite">--enable-ssl-passthrough</code></a> flag.</p>
</div>
<div class="admonition attention">
<p class="admonition-title">Attention</p>
<p>The use of this annotation requires the flag <code class="codehilite">--enable-ssl-passthrough</code> (By default it is disabled).</p>
<p>Because SSL Passthrough works on layer 4 of the OSI model (TCP) and not on the layer 7 (HTTP), using SSL Passthrough
invalidates all the other annotations set on an Ingress object.</p>
</div>
<h3 id="secure-backends-deprecated-since-0180">Secure backends DEPRECATED (since 0.18.0)<a class="headerlink" href="#secure-backends-deprecated-since-0180" title="Permanent link">&para;</a></h3>
<p>Please use <code class="codehilite">nginx.ingress.kubernetes.io/backend-protocol: &quot;HTTPS&quot;</code></p>

21
user-guide/tls/index.html
View file

@ -1239,10 +1239,23 @@ If this flag is not provided NGINX will use a self-signed certificate.</p>
<p>For instance, if you have a TLS secret <code class="codehilite">foo-tls</code> in the <code class="codehilite">default</code> namespace,
add <code class="codehilite">--default-ssl-certificate=default/foo-tls</code> in the <code class="codehilite">nginx-controller</code> deployment.</p>
<h2 id="ssl-passthrough">SSL Passthrough<a class="headerlink" href="#ssl-passthrough" title="Permanent link">&para;</a></h2>
<p>The flag <code class="codehilite">--enable-ssl-passthrough</code> enables the SSL passthrough feature.
By default this feature is disabled.</p>
<p>This is required to enable passthrough backends in Ingress configurations.</p>
<p>TODO: Improve this documentation.</p>
<p>The <a href="../cli-arguments/"><code class="codehilite">--enable-ssl-passthrough</code></a> flag enables the SSL Passthrough feature, which is disabled by
default. This is required to enable passthrough backends in Ingress objects.</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>This feature is implemented by intercepting <strong>all traffic</strong> on the configured HTTPS port (default: 443) and handing
it over to a local TCP proxy. This bypasses NGINX completely and introduces a non-negligible performance penalty.</p>
</div>
<p>SSL Passthrough leverages <a href="https://en.wikipedia.org/wiki/Server_Name_Indication">SNI</a> and reads the virtual domain from the TLS negotiation, which requires compatible
clients. After a connection has been accepted by the TLS listener, it is handled by the controller itself and piped back
and forth between the backend and the client.</p>
<p>If there is no hostname matching the requested host name, the request is handed over to NGINX on the configured
passthrough proxy port (default: 442), which proxies the request to the default backend.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Unlike HTTP backends, traffic to Passthrough backends is sent to the <em>clusterIP</em> of the backing Service instead of
individual Endpoints.</p>
</div>
<h2 id="http-strict-transport-security">HTTP Strict Transport Security<a class="headerlink" href="#http-strict-transport-security" title="Permanent link">&para;</a></h2>
<p>HTTP Strict Transport Security (HSTS) is an opt-in security enhancement specified
through the use of a special response header. Once a supported browser receives