DevFW-CICD/ingress-nginx-helm
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ingress-nginx-helm/deploy/hardening-guide/index.html
k8s-ci-robot 042f2225c6 Deploy GitHub Pages
2020-10-12 11:10:08 +00:00

1833 lines
No EOL
52 KiB
HTML
Raw Blame History

<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<link rel="canonical" href="https://kubernetes.github.io/ingress-nginx/deploy/hardening-guide/">
<link rel="shortcut icon" href="../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.1.2, mkdocs-material-5.5.12">
<title>Hardening guide - NGINX Ingress Controller</title>
<link rel="stylesheet" href="../../assets/stylesheets/main.4dd2dd8d.min.css">
<link rel="stylesheet" href="../../assets/stylesheets/palette.6a5ad368.min.css">
<meta name="theme-color" content="#009485">
<link href="https://fonts.gstatic.com" rel="preconnect" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback">
<style>body,input{font-family:"Roboto",-apple-system,BlinkMacSystemFont,Helvetica,Arial,sans-serif}code,kbd,pre{font-family:"Roboto Mono",SFMono-Regular,Consolas,Menlo,monospace}</style>
<link rel="stylesheet" href="../../extra.css">
<script>window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)},ga.l=+new Date,ga("create","UA-118407822-1","kubernetes.github.io"),ga("set","anonymizeIp",!0),ga("send","pageview"),document.addEventListener("DOMContentLoaded",function(){document.forms.search&&document.forms.search.query.addEventListener("blur",function(){if(this.value){var e=document.location.pathname;ga("send","pageview",e+"?q="+this.value)}})}),document.addEventListener("DOMContentSwitch",function(){ga("send","pageview",document.location.pathname)})</script>
<script async src="https://www.google-analytics.com/analytics.js"></script>
</head>
<body dir="ltr" data-md-color-scheme="" data-md-color-primary="teal" data-md-color-accent="green">
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#hardening-guide" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<header class="md-header" data-md-component="header">
<nav class="md-header-nav md-grid" aria-label="Header">
<a href="https://kubernetes.github.io/ingress-nginx" title="NGINX Ingress Controller" class="md-header-nav__button md-logo" aria-label="NGINX Ingress Controller">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 003-3 3 3 0 00-3-3 3 3 0 00-3 3 3 3 0 003 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54z"/></svg>
</a>
<label class="md-header-nav__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2z"/></svg>
</label>
<div class="md-header-nav__title" data-md-component="header-title">
<div class="md-header-nav__ellipsis">
<span class="md-header-nav__topic md-ellipsis">
NGINX Ingress Controller
</span>
<span class="md-header-nav__topic md-ellipsis">
Hardening guide
</span>
</div>
</div>
<label class="md-header-nav__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0116 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 019.5 16 6.5 6.5 0 013 9.5 6.5 6.5 0 019.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" data-md-state="active">
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0116 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 019.5 16 6.5 6.5 0 013 9.5 6.5 6.5 0 019.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
</label>
<button type="reset" class="md-search__icon md-icon" aria-label="Clear" data-md-component="search-reset" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41L17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41z"/></svg>
</button>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header-nav__source">
<a href="https://github.com/kubernetes/ingress-nginx/" title="Go to repository" class="md-source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05L244 40.45a28.87 28.87 0 00-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 01-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 000 40.81l195.61 195.6a28.86 28.86 0 0040.8 0l194.69-194.69a28.86 28.86 0 000-40.81z"/></svg>
</div>
<div class="md-source__repository">
kubernetes/ingress-nginx
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<nav class="md-tabs md-tabs--active" aria-label="Tabs" data-md-component="tabs">
<div class="md-tabs__inner md-grid">
<ul class="md-tabs__list">
<li class="md-tabs__item">
<a href="../.." class="md-tabs__link">
Welcome
</a>
</li>
<li class="md-tabs__item">
<a href="../" class="md-tabs__link md-tabs__link--active">
Deployment
</a>
</li>
<li class="md-tabs__item">
<a href="../../user-guide/nginx-configuration/" class="md-tabs__link">
User guide
</a>
</li>
<li class="md-tabs__item">
<a href="../../examples/" class="md-tabs__link">
Examples
</a>
</li>
</ul>
</div>
</nav>
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="navigation">
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href="https://kubernetes.github.io/ingress-nginx" title="NGINX Ingress Controller" class="md-nav__button md-logo" aria-label="NGINX Ingress Controller">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 003-3 3 3 0 00-3-3 3 3 0 00-3 3 3 3 0 003 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54z"/></svg>
</a>
NGINX Ingress Controller
</label>
<div class="md-nav__source">
<a href="https://github.com/kubernetes/ingress-nginx/" title="Go to repository" class="md-source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05L244 40.45a28.87 28.87 0 00-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 01-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 000 40.81l195.61 195.6a28.86 28.86 0 0040.8 0l194.69-194.69a28.86 28.86 0 000-40.81z"/></svg>
</div>
<div class="md-source__repository">
kubernetes/ingress-nginx
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="nav-1" type="checkbox" id="nav-1">
<label class="md-nav__link" for="nav-1">
Welcome
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Welcome" data-md-level="1">
<label class="md-nav__title" for="nav-1">
<span class="md-nav__icon md-icon"></span>
Welcome
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../.." title="Welcome" class="md-nav__link">
Welcome
</a>
</li>
<li class="md-nav__item">
<a href="../../how-it-works/" title="How it works" class="md-nav__link">
How it works
</a>
</li>
<li class="md-nav__item">
<a href="../../troubleshooting/" title="Troubleshooting" class="md-nav__link">
Troubleshooting
</a>
</li>
<li class="md-nav__item">
<a href="../../kubectl-plugin/" title="kubectl plugin" class="md-nav__link">
kubectl plugin
</a>
</li>
<li class="md-nav__item">
<a href="../../development/" title="Development" class="md-nav__link">
Development
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="nav-2" type="checkbox" id="nav-2" checked>
<label class="md-nav__link" for="nav-2">
Deployment
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Deployment" data-md-level="1">
<label class="md-nav__title" for="nav-2">
<span class="md-nav__icon md-icon"></span>
Deployment
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../" title="Installation Guide" class="md-nav__link">
Installation Guide
</a>
</li>
<li class="md-nav__item">
<a href="../baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
</a>
</li>
<li class="md-nav__item">
<a href="../upgrade/" title="Upgrade" class="md-nav__link">
Upgrade
</a>
</li>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" data-md-toggle="toc" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
Hardening guide
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" title="Hardening guide" class="md-nav__link md-nav__link--active">
Hardening guide
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="#overview" class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item">
<a href="#configuration-guide" class="md-nav__link">
Configuration Guide
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="nav-3" type="checkbox" id="nav-3">
<label class="md-nav__link" for="nav-3">
User guide
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="User guide" data-md-level="1">
<label class="md-nav__title" for="nav-3">
<span class="md-nav__icon md-icon"></span>
User guide
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="nav-3-1" type="checkbox" id="nav-3-1">
<label class="md-nav__link" for="nav-3-1">
NGINX Configuration
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="NGINX Configuration" data-md-level="2">
<label class="md-nav__title" for="nav-3-1">
<span class="md-nav__icon md-icon"></span>
NGINX Configuration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../user-guide/nginx-configuration/" title="Introduction" class="md-nav__link">
Introduction
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/basic-usage/" title="Basic usage" class="md-nav__link">
Basic usage
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/nginx-configuration/annotations/" title="Annotations" class="md-nav__link">
Annotations
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/nginx-configuration/configmap/" title="ConfigMap" class="md-nav__link">
ConfigMap
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/nginx-configuration/custom-template/" title="Custom NGINX template" class="md-nav__link">
Custom NGINX template
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/nginx-configuration/log-format/" title="Log format" class="md-nav__link">
Log format
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../user-guide/cli-arguments/" title="Command line arguments" class="md-nav__link">
Command line arguments
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/custom-errors/" title="Custom errors" class="md-nav__link">
Custom errors
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/default-backend/" title="Default backend" class="md-nav__link">
Default backend
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/fcgi-services/" title="Exposing FCGI services" class="md-nav__link">
Exposing FCGI services
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/external-articles/" title="External Articles" class="md-nav__link">
External Articles
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/miscellaneous/" title="Miscellaneous" class="md-nav__link">
Miscellaneous
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/monitoring/" title="Prometheus and Grafana installation" class="md-nav__link">
Prometheus and Grafana installation
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/multiple-ingress/" title="Multiple Ingress controllers" class="md-nav__link">
Multiple Ingress controllers
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/tls/" title="TLS/HTTPS" class="md-nav__link">
TLS/HTTPS
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="nav-3-13" type="checkbox" id="nav-3-13">
<label class="md-nav__link" for="nav-3-13">
Third party addons
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Third party addons" data-md-level="2">
<label class="md-nav__title" for="nav-3-13">
<span class="md-nav__icon md-icon"></span>
Third party addons
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../user-guide/third-party-addons/modsecurity/" title="ModSecurity Web Application Firewall" class="md-nav__link">
ModSecurity Web Application Firewall
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/third-party-addons/opentracing/" title="OpenTracing" class="md-nav__link">
OpenTracing
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="nav-4" type="checkbox" id="nav-4">
<label class="md-nav__link" for="nav-4">
Examples
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Examples" data-md-level="1">
<label class="md-nav__title" for="nav-4">
<span class="md-nav__icon md-icon"></span>
Examples
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../examples/" title="Introduction" class="md-nav__link">
Introduction
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/PREREQUISITES/" title="Prerequisites" class="md-nav__link">
Prerequisites
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/affinity/cookie/" title="Sticky Sessions" class="md-nav__link">
Sticky Sessions
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="nav-4-4" type="checkbox" id="nav-4-4">
<label class="md-nav__link" for="nav-4-4">
Auth
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Auth" data-md-level="2">
<label class="md-nav__title" for="nav-4-4">
<span class="md-nav__icon md-icon"></span>
Auth
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../examples/auth/basic/" title="Basic Authentication" class="md-nav__link">
Basic Authentication
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/auth/client-certs/" title="Client Certificate Authentication" class="md-nav__link">
Client Certificate Authentication
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/auth/external-auth/" title="External Basic Authentication" class="md-nav__link">
External Basic Authentication
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/auth/oauth-external-auth/" title="External OAUTH Authentication" class="md-nav__link">
External OAUTH Authentication
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="nav-4-5" type="checkbox" id="nav-4-5">
<label class="md-nav__link" for="nav-4-5">
Customization
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Customization" data-md-level="2">
<label class="md-nav__title" for="nav-4-5">
<span class="md-nav__icon md-icon"></span>
Customization
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../examples/customization/configuration-snippets/" title="Configuration Snippets" class="md-nav__link">
Configuration Snippets
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/custom-configuration/" title="Custom Configuration" class="md-nav__link">
Custom Configuration
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/custom-errors/" title="Custom Errors" class="md-nav__link">
Custom Errors
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/custom-headers/" title="Custom Headers" class="md-nav__link">
Custom Headers
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/ssl-dh-param/" title="Custom DH parameters for perfect forward secrecy" class="md-nav__link">
Custom DH parameters for perfect forward secrecy
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/sysctl/" title="Sysctl tuning" class="md-nav__link">
Sysctl tuning
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../examples/docker-registry/" title="Docker registry" class="md-nav__link">
Docker registry
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/grpc/" title="gRPC" class="md-nav__link">
gRPC
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/multi-tls/" title="Multi TLS certificate termination" class="md-nav__link">
Multi TLS certificate termination
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/rewrite/" title="Rewrite" class="md-nav__link">
Rewrite
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/static-ip/" title="Static IPs" class="md-nav__link">
Static IPs
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/tls-termination/" title="TLS termination" class="md-nav__link">
TLS termination
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/psp/" title="Pod Security Policy (PSP)" class="md-nav__link">
Pod Security Policy (PSP)
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="toc">
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="#overview" class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item">
<a href="#configuration-guide" class="md-nav__link">
Configuration Guide
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content">
<article class="md-content__inner md-typeset">
<a href="https://github.com/kubernetes/ingress-nginx/edit/master/docs/deploy/hardening-guide.md" title="Edit this page" class="md-content__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20.71 7.04c.39-.39.39-1.04 0-1.41l-2.34-2.34c-.37-.39-1.02-.39-1.41 0l-1.84 1.83 3.75 3.75M3 17.25V21h3.75L17.81 9.93l-3.75-3.75L3 17.25z"/></svg>
</a>
<h1 id="hardening-guide">Hardening Guide<a class="headerlink" href="#hardening-guide" title="Permanent link"></a></h1>
<h2 id="overview">Overview<a class="headerlink" href="#overview" title="Permanent link"></a></h2>
<p>There are several ways to do hardening and securing of nginx. In this documentation two guides are used, the guides are
overlapping in some points:</p>
<ul>
<li><a href="https://www.cisecurity.org/benchmark/nginx/">nginx CIS Benchmark</a></li>
<li><a href="https://cipherlist.eu/">cipherlist.eu</a> (one of many forks of the now dead project cipherli.st)</li>
</ul>
<p>This guide describes, what of the different configurations described in those guides is already implemented as default
in the nginx implementation of kubernetes ingress, what needs to be configured, what is obsolete due to the fact that
the nginx is running as container (the CIS benchmark relates to a non-containerized installation) and what is difficult
or not possible.</p>
<p>Be aware that this is only a guide and you are responsible for your own implementation. Some of the configurations may
lead to have specific clients unable to reach your site or similar consequences.</p>
<p>This guide refers to chapters in the CIS Benchmark. For full explanation you should refer to the benchmark document itself</p>
<h2 id="configuration-guide">Configuration Guide<a class="headerlink" href="#configuration-guide" title="Permanent link"></a></h2>
<table>
<thead>
<tr>
<th align="left">Chapter in CIS benchmark</th>
<th align="left">Status</th>
<th align="left">Default</th>
<th align="left">Action to do if not default</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left"><strong>1 Initial Setup</strong></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><strong>1.1 Installation</strong></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left">1.1.1 Ensure NGINX is installed (Scored)</td>
<td align="left">OK</td>
<td align="left">done through helm charts / following documentation to deploy nginx ingress</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">1.1.2 Ensure NGINX is installed from source (Not Scored)</td>
<td align="left">OK</td>
<td align="left">done through helm charts / following documentation to deploy nginx ingress</td>
<td align="left"></td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><strong>1.2 Configure Software Updates</strong></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left">1.2.1 Ensure package manager repositories are properly configured (Not Scored)</td>
<td align="left">OK</td>
<td align="left">done via helm, nginx version could be overwritten, however compability is not ensured then</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">1.2.2 Ensure the latest software package is installed (Not Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">done via helm, nginx version could be overwritten, however compability is not ensured then</td>
<td align="left">Plan for periodic updates</td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><strong>2 Basic Configuration</strong></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><strong>2.1 Minimize NGINX Modules</strong></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left">2.1.1 Ensure only required modules are installed (Not Scored)</td>
<td align="left">OK</td>
<td align="left">Already only needed modules are installed, however proposals for further reduction are welcome</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">2.1.2 Ensure HTTP WebDAV module is not installed (Scored)</td>
<td align="left">OK</td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left">2.1.3 Ensure modules with gzip functionality are disabled (Scored)</td>
<td align="left">OK</td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left">2.1.4 Ensure the autoindex module is disabled (Scored)</td>
<td align="left">OK</td>
<td align="left">No autoindex configs so far in ingress defaults</td>
<td align="left"></td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><strong>2.2 Account Security</strong></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left">2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account (Not Scored)</td>
<td align="left">OK</td>
<td align="left">Pod configured as user www-data: <a href="https://github.com/kubernetes/ingress-nginx/blob/0cbe783f43a9313c9c26136e888324b1ee91a72f/charts/ingress-nginx/values.yaml#L10">See this line in helm chart values</a>. Compiled with user www-data: <a href="https://github.com/kubernetes/ingress-nginx/blob/5d67794f4fbf38ec6575476de46201b068eabf87/images/nginx/rootfs/build.sh#L529">See this line in build script</a></td>
<td align="left"></td>
</tr>
<tr>
<td align="left">2.2.2 Ensure the NGINX service account is locked (Scored)</td>
<td align="left">OK</td>
<td align="left">Docker design ensures this</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">2.2.3 Ensure the NGINX service account has an invalid shell (Scored)</td>
<td align="left">OK</td>
<td align="left">Shell is nologin: <a href="https://github.com/kubernetes/ingress-nginx/blob/5d67794f4fbf38ec6575476de46201b068eabf87/images/nginx/rootfs/build.sh#L613">see this line in build script</a></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><strong>2.3 Permissions and Ownership</strong></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left">2.3.1 Ensure NGINX directories and files are owned by root (Scored)</td>
<td align="left">OK</td>
<td align="left">Obsolete through docker-design and ingress controller needs to update the configs dynamically</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">2.3.2 Ensure access to NGINX directories and files is restricted (Scored)</td>
<td align="left">OK</td>
<td align="left">See previous answer</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">2.3.3 Ensure the NGINX process ID (PID) file is secured (Scored)</td>
<td align="left">OK</td>
<td align="left">No PID-File due to docker design</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">2.3.4 Ensure the core dump directory is secured (Not Scored)</td>
<td align="left">OK</td>
<td align="left">No working_directory configured by default</td>
<td align="left"></td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><strong>2.4 Network Configuration</strong></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left">2.4.1 Ensure NGINX only listens for network connections on authorized ports (Not Scored)</td>
<td align="left">OK</td>
<td align="left">Ensured by automatic nginx.conf configuration</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">2.4.2 Ensure requests for unknown host names are rejected (Not Scored)</td>
<td align="left">OK</td>
<td align="left">They are not rejected but send to the "default backend" delivering approriate errors (mostly 404)</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">2.4.3 Ensure keepalive_timeout is 10 seconds or less, but not 0 (Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">Default is 75s</td>
<td align="left">configure keep-alive to 10 seconds <a href="https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#keep-alive">according to this documentation</a></td>
</tr>
<tr>
<td align="left">2.4.4 Ensure send_timeout is set to 10 seconds or less, but not 0 (Scored)</td>
<td align="left">RISK TO BE ACCEPTED</td>
<td align="left">Not configured, however the nginx default is 60s</td>
<td align="left">Not configurable</td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><strong>2.5 Information Disclosure</strong></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left">2.5.1 Ensure server_tokens directive is set to <code>off</code> (Scored)</td>
<td align="left">OK</td>
<td align="left">server_tokens is configured to off by default</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">2.5.2 Ensure default error and index.html pages do not reference NGINX (Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">404 shows no version at all, 503 and 403 show "nginx", which is hardcoded <a href="https://github.com/nginx/nginx/blob/master/src/http/ngx_http_special_response.c#L36">see this line in nginx source code</a></td>
<td align="left">configure custom error pages at least for 403, 404 and 503 and 500</td>
</tr>
<tr>
<td align="left">2.5.3 Ensure hidden file serving is disabled (Not Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">config not set</td>
<td align="left">configure a config.server-snippet Snippet, but beware of .well-known challenges or similar. Refer to the benchmark here please</td>
</tr>
<tr>
<td align="left">2.5.4 Ensure the NGINX reverse proxy does not enable information disclosure (Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">hide not configured</td>
<td align="left">configure hide-headers with array of "X-Powered-By" and "Server": <a href="https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#hide-headers">according to this documentation</a></td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><strong>3 Logging</strong></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left">3.1 Ensure detailed logging is enabled (Not Scored)</td>
<td align="left">OK</td>
<td align="left">nginx ingress has a very detailed log format by default</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">3.2 Ensure access logging is enabled (Scored)</td>
<td align="left">OK</td>
<td align="left">Access log is enabled by default</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">3.3 Ensure error logging is enabled and set to the info logging level (Scored)</td>
<td align="left">OK</td>
<td align="left">Error log is configured by default. The log level does not matter, because it is all sent to STDOUT anyway</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">3.4 Ensure log files are rotated (Scored)</td>
<td align="left">OBSOLETE</td>
<td align="left">Log file handling is not part of the nginx ingress and should be handled separatly</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">3.5 Ensure error logs are sent to a remote syslog server (Not Scored)</td>
<td align="left">OBSOLETE</td>
<td align="left">See previous answer</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">3.6 Ensure access logs are sent to a remote syslog server (Not Scored)</td>
<td align="left">OBSOLETE</td>
<td align="left">See previous answer</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">3.7 Ensure proxies pass source IP information (Scored)</td>
<td align="left">OK</td>
<td align="left">Headers are set by default</td>
<td align="left"></td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><strong>4 Encryption</strong></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><strong>4.1 TLS / SSL Configuration</strong></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left">4.1.1 Ensure HTTP is redirected to HTTPS (Scored)</td>
<td align="left">OK</td>
<td align="left">Redirect to TLS is default</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">4.1.2 Ensure a trusted certificate and trust chain is installed (Not Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">For installing certs there are enough manuals in the web. A good way is to use lets encrypt through cert-manager</td>
<td align="left">Install proper certificates or use lets encrypt with cert-manager</td>
</tr>
<tr>
<td align="left">4.1.3 Ensure private key permissions are restricted (Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">See previous answer</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">4.1.4 Ensure only modern TLS protocols are used (Scored)</td>
<td align="left">OK/ACTION NEEDED</td>
<td align="left">Default is TLS 1.2 + 1.3, while this is okay for CIS Benchmark, cipherlist.eu only recommends 1.3. This may cut off old OS's</td>
<td align="left">Set controller.config.ssl-protocols to "TLSv1.3"</td>
</tr>
<tr>
<td align="left">4.1.5 Disable weak ciphers (Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">Default ciphers are already good, but cipherlist.eu recommends even stronger ciphers</td>
<td align="left">Set controller.config.ssl-ciphers to "EECDH+AESGCM:EDH+AESGCM"</td>
</tr>
<tr>
<td align="left">4.1.6 Ensure custom Diffie-Hellman parameters are used (Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">No custom DH parameters are generated</td>
<td align="left">Generate dh parameters for each ingress deployment you use - <a href="https://kubernetes.github.io/ingress-nginx/examples/customization/ssl-dh-param/">see here for a how to</a></td>
</tr>
<tr>
<td align="left">4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled (Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">Not enabled</td>
<td align="left">set via <a href="https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#enable-ocsp">this configuration parameter</a></td>
</tr>
<tr>
<td align="left">4.1.8 Ensure HTTP Strict Transport Security (HSTS) is enabled (Scored)</td>
<td align="left">OK</td>
<td align="left">HSTS is enabled by default</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">4.1.9 Ensure HTTP Public Key Pinning is enabled (Not Scored)</td>
<td align="left">ACTION NEEDED / RISK TO BE ACCEPTED</td>
<td align="left">HKPK not enabled by default</td>
<td align="left">If lets encrypt is not used, set correct HPKP header. There are several ways to implement this - with the helm charts it works via controller.add-headers. If lets encrypt is used, this is complicated, a solution here is yet unknown</td>
</tr>
<tr>
<td align="left">4.1.10 Ensure upstream server traffic is authenticated with a client certificate (Scored)</td>
<td align="left">DEPENDS ON BACKEND</td>
<td align="left">Highly dependend on backends, not every backend allows configuring this, can also be mitigated via a service mesh</td>
<td align="left">If backend allows it, <a href="https://kubernetes.github.io/ingress-nginx/examples/auth/client-certs/">manual is here</a></td>
</tr>
<tr>
<td align="left">4.1.11 Ensure the upstream traffic server certificate is trusted (Not Scored)</td>
<td align="left">DEPENDS ON BACKEND</td>
<td align="left">Highly dependend on backends, not every backend allows configuring this, can also be mitigated via a service mesh</td>
<td align="left">If backend allows it, <a href="https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md#backend-certificate-authentication">see configuration here</a></td>
</tr>
<tr>
<td align="left">4.1.12 Ensure your domain is preloaded (Not Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">Preload is not active by default</td>
<td align="left">Set controller.config.hsts-preload to true</td>
</tr>
<tr>
<td align="left">4.1.13 Ensure session resumption is disabled to enable perfect forward security (Scored)</td>
<td align="left">OK</td>
<td align="left">Session tickets are disabled by default</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">4.1.14 Ensure HTTP/2.0 is used (Not Scored)</td>
<td align="left">OK</td>
<td align="left">http2 is set by default</td>
<td align="left"></td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><strong>5 Request Filtering and Restrictions</strong></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><strong>5.1 Access Control</strong></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left">5.1.1 Ensure allow and deny filters limit access to specific IP addresses (Not Scored)</td>
<td align="left">OK/ACTION NEEDED</td>
<td align="left">Depends on use case, geo ip module is compiled into nginx ingress controller, there are several ways to use it</td>
<td align="left">If needed set IP restrictions via annotations or work with config snippets (be careful with lets-encrypt-http-challenge!)</td>
</tr>
<tr>
<td align="left">5.1.2 Ensure only whitelisted HTTP methods are allowed (Not Scored)</td>
<td align="left">OK/ACTION NEEDED</td>
<td align="left">Depends on use case</td>
<td align="left">If required it can be set via config snippet</td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><strong>5.2 Request Limits</strong></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left">5.2.1 Ensure timeout values for reading the client header and body are set correctly (Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">Default timeout is 60s</td>
<td align="left">Set via <a href="https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#client-header-timeout">this configuration parameter</a> and respective body aequivalent</td>
</tr>
<tr>
<td align="left">5.2.2 Ensure the maximum request body size is set correctly (Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">Default is 1m</td>
<td align="left">set via <a href="https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#proxy-body-size">this configuration parameter</a></td>
</tr>
<tr>
<td align="left">5.2.3 Ensure the maximum buffer size for URIs is defined (Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">Default is 4 8k</td>
<td align="left">Set via <a href="https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#large-client-header-buffers">this configuration parameter</a></td>
</tr>
<tr>
<td align="left">5.2.4 Ensure the number of connections per IP address is limited (Not Scored)</td>
<td align="left">OK/ACTION NEEDED</td>
<td align="left">No limit set</td>
<td align="left">Depends on use case, limit can be set via <a href="https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#rate-limiting">these annotations</a></td>
</tr>
<tr>
<td align="left">5.2.5 Ensure rate limits by IP address are set (Not Scored)</td>
<td align="left">OK/ACTION NEEDED</td>
<td align="left">No limit set</td>
<td align="left">Depends on use case, limit can be set via <a href="https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#rate-limiting">these annotations</a></td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><strong>5.3 Browser Security</strong></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left">5.3.1 Ensure X-Frame-Options header is configured and enabled (Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">Header not set by default</td>
<td align="left">Several ways to implement this - with the helm charts it works via controller.add-headers</td>
</tr>
<tr>
<td align="left">5.3.2 Ensure X-Content-Type-Options header is configured and enabled (Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">See previous answer</td>
<td align="left">See previous answer</td>
</tr>
<tr>
<td align="left">5.3.3 Ensure the X-XSS-Protection Header is enabled and configured properly (Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">See previous answer</td>
<td align="left">See previous answer</td>
</tr>
<tr>
<td align="left">5.3.4 Ensure that Content Security Policy (CSP) is enabled and configured properly (Not Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">See previous answer</td>
<td align="left">See previous answer</td>
</tr>
<tr>
<td align="left">5.3.5 Ensure the Referrer Policy is enabled and configured properly (Not Scored)</td>
<td align="left">ACTION NEEDED</td>
<td align="left">Depends on application. It should be handled in the applications webserver itself, not in the load balancing ingress</td>
<td align="left">check backend webserver</td>
</tr>
<tr>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><strong>6 Mandatory Access Control</strong></td>
<td align="left">n/a</td>
<td align="left">too high level, depends on backends</td>
<td align="left"></td>
</tr>
</tbody>
</table>
<style type="text/css" rel="stylesheet">
@media only screen and (min-width: 768px) {
td:nth-child(1){
white-space:normal !important;
}
.md-typeset table:not([class]) td {
padding: .2rem .3rem;
}
}
</style>
</article>
</div>
</div>
</main>
<footer class="md-footer">
<div class="md-footer-nav">
<nav class="md-footer-nav__inner md-grid" aria-label="Footer">
<a href="../upgrade/" title="Upgrade" class="md-footer-nav__link md-footer-nav__link--prev" rel="prev">
<div class="md-footer-nav__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
</div>
<div class="md-footer-nav__title">
<div class="md-ellipsis">
<span class="md-footer-nav__direction">
Previous
</span>
Upgrade
</div>
</div>
</a>
<a href="../../user-guide/nginx-configuration/" title="Introduction" class="md-footer-nav__link md-footer-nav__link--next" rel="next">
<div class="md-footer-nav__title">
<div class="md-ellipsis">
<span class="md-footer-nav__direction">
Next
</span>
Introduction
</div>
</div>
<div class="md-footer-nav__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4z"/></svg>
</div>
</a>
</nav>
</div>
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-footer-copyright">
Made with
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs
</a>
</div>
</div>
</div>
</footer>
</div>
<script src="../../assets/javascripts/vendor.3636a4ec.min.js"></script>
<script src="../../assets/javascripts/bundle.e9fe3281.min.js"></script><script id="__lang" type="application/json">{"clipboard.copy": "Copy to clipboard", "clipboard.copied": "Copied to clipboard", "search.config.lang": "en", "search.config.pipeline": "trimmer, stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.result.placeholder": "Type to start searching", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents"}</script>
<script>
app = initialize({
base: "../..",
features: ["tabs", "instant"],
search: Object.assign({
worker: "../../assets/javascripts/worker/search.5eca75d3.min.js"
}, typeof search !== "undefined" && search)
})
</script>
</body>
</html>
Reference in a new issue View git blame Copy permalink