【问题标题】:How do I set custom headers using Google Kubernetes Engine?如何使用 Google Kubernetes Engine 设置自定义标头?
【发布时间】:2021-10-02 15:01:50
【问题描述】:

我了解 NGINX Ingress 控制器允许 custom header creation 使用 ConfigMap。有没有:

  1. 一种将 NGINX 用于 GKE 或
  2. 的方法
  3. 直接在networking.gke.io中指定自定义头 命名空间?

我对设置 HTTPS Strict Transport SecurityUpgrade Insecure RequestsContent Security Policy 标头特别感兴趣。我觉得redirectToHttp功能默认没有启用这些功能是一个小小的奖励,所以我迫切需要任何想法。

【问题讨论】:

    标签: kubernetes http-headers google-kubernetes-engine kubernetes-ingress nginx-ingress


    【解决方案1】:

    取自我的 Nginx 入口配置值之一:

    HSTS - 在 controller.config 下:

      hsts: "True" # default is "False". Enables HTTP Strict Transport Security (HSTS): the HSTS header is added to the responses from backends. See https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
      hsts-max-age: "31536000" # default is 2592000 (1 month).
      hsts-include-subdomains: "True" # default is "False".
    

    重定向到 HTTPS - 在注释下:

    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    

    CORS - 在注释下:

    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-origin: "http://localhost:8888/"
    nginx.ingress.kubernetes.io/cors-max-age: "3600"
    nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,apikey,x-apikey,Accept-Language,impersonated,source"
    nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, PATCH, OPTIONS"
    

    因此,示例如下所示:

    ❯ kubectl get configmaps -n ingress nginx-ingress-0-24-controller -o yaml

    apiVersion: v1
    data:
      Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none';
        style-src 'self' 'unsafe-inline'; frame-src 'self'
      Referrer-Policy: 'Referrer-Policy: strict-origin-when-cross-origin'
      X-API-Token: x
      X-Content-Type-Options: nosniff
      X-Frame-Options: SAMEORIGIN
      X-Using-Nginx-Controller: "true"
      X-XSS-Protection: 1; mode=block
      client_body_buffer_size: 128k
      client_max_body_size: 24M
      enable-vts-status: "true"
      hsts: "True"
      hsts-include-subdomains: "True"
      hsts-max-age: "31536000"
      http-snippet: |
        more_clear_headers 'Server';
      log-format-upstream: '{"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr",
        "x-forward-for": "$proxy_add_x_forwarded_for", "request_id": "$request_id", "remote_user":
        "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status":
        $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri",
        "request_query": "$args", "request_length": $request_length, "duration": $request_time,
        "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent":
        "$http_user_agent"}'
      proxy-hide-headers: Server, server, Access-Control-Allow-Origin, X-Using-Nginx-Controller
      proxy-set-headers: ingress/nginx-ingress-0-24-custom-headers
      server-tokens: "False"
      ssl-ciphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
      ssl-protocols: TLSv1.2
      use-http2: "true"
    kind: ConfigMap
    metadata:
      creationTimestamp: "2020-08-20T08:46:22Z"
      labels:
        app: nginx-ingress
        chart: nginx-ingress-1.8.2
        component: controller
        heritage: Tiller
        release: nginx-ingress-0-24
      name: nginx-ingress-0-24-controller
      namespace: ingress
      resourceVersion: "205918413"
      selfLink: /api/v1/namespaces/ingress/configmaps/nginx-ingress-0-24-controller
      uid: 9fc20850-e2c1-11ea-87b8-42010af00186
    

    虽然注释进入入口 yaml:

    ❯ kubectl get ingresses -n system nginx-ingress-ingress-config protect-private -o yaml

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      annotations:
        kubernetes.io/ingress.class: nginx-0-24
        nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
      creationTimestamp: "2021-03-05T13:03:49Z"
    (...)
    

    【讨论】:

    • 谢谢。您是否将这些放入 Ingress 的注释中?
    • 在这种情况下,我使用的是 terraform 和 locals 文件,但最后只不过是带有配置的 yaml 文件,让我删除所有敏感数据并在我的答案中发布一个示例,因此它清除
    • 太棒了。这看起来很有希望!我对 ConfigMaps 不太熟悉,所以“CORS - Under annotations:”会进入入口注释还是控制器?
    • 我已经在我为此控制器设置的每个入口的注释中设置了它们。
    猜你喜欢
    • 2021-08-12
    • 2014-02-21
    • 2016-08-28
    • 1970-01-01
    • 1970-01-01
    • 2019-05-26
    • 2012-01-18
    • 1970-01-01
    • 2021-12-26
    相关资源
    最近更新 更多