diff --git a/controllers/nginx/configuration.md b/controllers/nginx/configuration.md index e4a1147d4a..861f956fda 100644 --- a/controllers/nginx/configuration.md +++ b/controllers/nginx/configuration.md @@ -262,6 +262,7 @@ Example usage: `custom-http-errors: 404,415` **enable-sticky-sessions:** Enables sticky sessions using cookies. This is provided by [nginx-sticky-module-ng](https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng) module. +**enable-underscores-in-headers:** Enables underscores in header names. This is disabled by default. **enable-vts-status:** Allows the replacement of the default status page with a third party module named [nginx-module-vts](https://github.com/vozlt/nginx-module-vts). @@ -287,6 +288,8 @@ https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http- **hsts-preload:** Enables or disables the preload attribute in the HSTS feature (if is enabled) +**ignore-invalid-headers:** set if header fields with invalid names should be ignored. This is 'true' by default. + **keep-alive:** Sets the time during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections. http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout @@ -415,6 +418,7 @@ The following table shows the options, the default value and a description. |custom-http-errors|" "| |enable-dynamic-tls-records|"true"| |enable-sticky-sessions|"false"| +|enable-underscores-in-headers|"false"| |enable-vts-status|"false"| |error-log-level|notice| |gzip-types|see use-gzip description above| @@ -422,6 +426,7 @@ The following table shows the options, the default value and a description. |hsts-include-subdomains|"true"| |hsts-max-age|"15724800"| |hsts-preload|"false"| +|ignore-invalid-headers|"true"| |keep-alive|"75"| |map-hash-bucket-size|"64"| |max-worker-connections|"16384"| 
diff --git a/controllers/nginx/pkg/config/config.go b/controllers/nginx/pkg/config/config.go index 3b22c10ba6..92f512b9ed 100644 --- a/controllers/nginx/pkg/config/config.go +++ b/controllers/nginx/pkg/config/config.go @@ -101,6 +101,16 @@ type Configuration struct { // DisableIpv6 disable listening on ipv6 address DisableIpv6 bool `json:"disable-ipv6,omitempty"` + // EnableUnderscoresInHeaders enables underscores in header names + // http://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers + // By default this is disabled + EnableUnderscoresInHeaders bool `json:"enable-underscores-in-headers"` + + // IgnoreInvalidHeaders set if header fields with invalid names should be ignored + // http://nginx.org/en/docs/http/ngx_http_core_module.html#ignore_invalid_headers + // By default this is enabled + IgnoreInvalidHeaders bool `json:"ignore-invalid-headers"` + // EnableStickySessions enabled sticky sessions using cookies // https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng // By default this is disabled @@ -266,15 +276,17 @@ type Configuration struct { // NewDefault returns the default nginx configuration func NewDefault() Configuration { cfg := Configuration{ - ClientHeaderBufferSize: "1k", - EnableDynamicTLSRecords: true, - ErrorLogLevel: errorLevel, - HTTP2MaxFieldSize: "4k", - HTTP2MaxHeaderSize: "16k", - HSTS: true, + ClientHeaderBufferSize: "1k", + EnableDynamicTLSRecords: true, + EnableUnderscoresInHeaders: false, + ErrorLogLevel: errorLevel, + HTTP2MaxFieldSize: "4k", + HTTP2MaxHeaderSize: "16k", + HSTS: true, HSTSIncludeSubdomains: true, HSTSMaxAge: hstsMaxAge, HSTSPreload: false, + IgnoreInvalidHeaders: true, GzipTypes: gzipTypes, KeepAlive: 75, LargeClientHeaderBuffers: "4 8k", diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl index e15dc1f676..32311055a8 100644 --- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl 
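Review bot: The doc comments on the two new Configuration fields state the defaults but not why they are the safe ones, and these are settings an operator may flip without knowing the consequence. I would extend them, for example `// Off by default: a backend that maps '-' and '_' to the same variable name cannot tell X_Forwarded_For from X-Forwarded-For.` on EnableUnderscoresInHeaders and `// When false, request header fields with invalid names are no longer dropped by nginx.` on IgnoreInvalidHeaders. The new tags also omit `omitempty` while the neighbouring `disable-ipv6` tag carries it; if that is deliberate, a short comment saying so would help. Both the struct and NewDefault continue outside their hunks.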
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl @@ -69,6 +69,9 @@ http { server_names_hash_bucket_size {{ $cfg.ServerNameHashBucketSize }}; map_hash_bucket_size {{ $cfg.MapHashBucketSize }}; + underscores_in_headers {{ if $cfg.IgnoreInvalidHeaders }}on{{ else }}off{{ end }}; + ignore_invalid_headers {{ if $cfg.EnableUnderscoresInHeaders }}on{{ else }}off{{ end }}; + include /etc/nginx/mime.types; default_type text/html; {{ if $cfg.UseGzip }}
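Review bot: The two added template lines have their conditions crossed: `underscores_in_headers` is switched by `$cfg.IgnoreInvalidHeaders` and `ignore_invalid_headers` by `$cfg.EnableUnderscoresInHeaders`. With the defaults this commit sets in NewDefault (IgnoreInvalidHeaders true, EnableUnderscoresInHeaders false) the rendered config is `underscores_in_headers on; ignore_invalid_headers off;`, the reverse of what configuration.md documents. Both header-name protections are therefore off by default, and each ConfigMap key changes the other directive. The lines should read `underscores_in_headers {{ if $cfg.EnableUnderscoresInHeaders }}on{{ else }}off{{ end }};` and `ignore_invalid_headers {{ if $cfg.IgnoreInvalidHeaders }}on{{ else }}off{{ end }};`. A template test that renders the default Configuration and asserts both directives would catch this kind of swap.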