From 12d4aadf7448e71fd2747f4402859343c9e24d11 Mon Sep 17 00:00:00 2001
From: Manuel de Brito Fontes <aledbf@gmail.com>
Date: Thu, 20 Apr 2017 18:12:16 -0300
Subject: [PATCH] Allow configuration of features underscores_in_headers and
 ignore_invalid_headers

---
 controllers/nginx/configuration.md            |  5 ++++
 controllers/nginx/pkg/config/config.go        | 24 ++++++++++++++-----
 .../rootfs/etc/nginx/template/nginx.tmpl      |  3 +++
 3 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/controllers/nginx/configuration.md b/controllers/nginx/configuration.md
index e4a1147d4a..861f956fda 100644
--- a/controllers/nginx/configuration.md
+++ b/controllers/nginx/configuration.md
@@ -262,6 +262,7 @@ Example usage: `custom-http-errors: 404,415`
 
 **enable-sticky-sessions:**  Enables sticky sessions using cookies. This is provided by [nginx-sticky-module-ng](https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng) module.
 
+**enable-underscores-in-headers:** Enables underscores in header names. This is disabled by default.
 
 **enable-vts-status:** Allows the replacement of the default status page with a third party module named [nginx-module-vts](https://github.com/vozlt/nginx-module-vts).
 
@@ -287,6 +288,8 @@ https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-
 
 **hsts-preload:** Enables or disables the preload attribute in the HSTS feature (if is enabled)
 
+**ignore-invalid-headers:** set if header fields with invalid names should be ignored. This is 'true' by default.
+
 **keep-alive:** Sets the time during which a keep-alive client connection will stay open on the server side.
 The zero value disables keep-alive client connections.
 http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
@@ -415,6 +418,7 @@ The following table shows the options, the default value and a description.
 |custom-http-errors|" "|
 |enable-dynamic-tls-records|"true"|
 |enable-sticky-sessions|"false"|
+|enable-underscores-in-headers|"false"|
 |enable-vts-status|"false"|
 |error-log-level|notice|
 |gzip-types|see use-gzip description above|
@@ -422,6 +426,7 @@ The following table shows the options, the default value and a description.
 |hsts-include-subdomains|"true"|
 |hsts-max-age|"15724800"|
 |hsts-preload|"false"|
+|ignore-invalid-headers|"true"|
 |keep-alive|"75"|
 |map-hash-bucket-size|"64"|
 |max-worker-connections|"16384"|
diff --git a/controllers/nginx/pkg/config/config.go b/controllers/nginx/pkg/config/config.go
index 3b22c10ba6..92f512b9ed 100644
--- a/controllers/nginx/pkg/config/config.go
+++ b/controllers/nginx/pkg/config/config.go
@@ -101,6 +101,16 @@ type Configuration struct {
 	// DisableIpv6 disable listening on ipv6 address
 	DisableIpv6 bool `json:"disable-ipv6,omitempty"`
 
+	// EnableUnderscoresInHeaders enables underscores in header names
+	// http://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers
+	// By default this is disabled
+	EnableUnderscoresInHeaders bool `json:"enable-underscores-in-headers"`
+
+	// IgnoreInvalidHeaders set if header fields with invalid names should be ignored
+	// http://nginx.org/en/docs/http/ngx_http_core_module.html#ignore_invalid_headers
+	// By default this is enabled
+	IgnoreInvalidHeaders bool `json:"ignore-invalid-headers"`
+
 	// EnableStickySessions enabled sticky sessions using cookies
 	// https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng
 	// By default this is disabled
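Review bot: The comments on the two new fields, EnableUnderscoresInHeaders and IgnoreInvalidHeaders, do not say how the settings interact or why the defaults are the conservative choice. Per the nginx documentation linked in those comments, when underscores are disabled a header whose name contains an underscore is marked invalid and is then handled by ignore_invalid_headers, so turning IgnoreInvalidHeaders off also changes what happens to those headers. I would add to EnableUnderscoresInHeaders a line such as `// When disabled, header names containing underscores are treated as invalid and handled per IgnoreInvalidHeaders.` A second line could note that backends which map '-' and '_' to the same variable name cannot tell such headers apart once underscores are allowed. The Configuration struct starts and ends outside this hunk.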
@@ -266,15 +276,17 @@ type Configuration struct {
 // NewDefault returns the default nginx configuration
 func NewDefault() Configuration {
 	cfg := Configuration{
-		ClientHeaderBufferSize:  "1k",
-		EnableDynamicTLSRecords: true,
-		ErrorLogLevel:           errorLevel,
-		HTTP2MaxFieldSize:       "4k",
-		HTTP2MaxHeaderSize:      "16k",
-		HSTS:                    true,
+		ClientHeaderBufferSize:     "1k",
+		EnableDynamicTLSRecords:    true,
+		EnableUnderscoresInHeaders: false,
+		ErrorLogLevel:              errorLevel,
+		HTTP2MaxFieldSize:          "4k",
+		HTTP2MaxHeaderSize:         "16k",
+		HSTS:                       true,
 		HSTSIncludeSubdomains:    true,
 		HSTSMaxAge:               hstsMaxAge,
 		HSTSPreload:              false,
+		IgnoreInvalidHeaders:     true,
 		GzipTypes:                gzipTypes,
 		KeepAlive:                75,
 		LargeClientHeaderBuffers: "4 8k",
diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
index e15dc1f676..32311055a8 100644
--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@@ -69,6 +69,9 @@ http {
     server_names_hash_bucket_size   {{ $cfg.ServerNameHashBucketSize }};
     map_hash_bucket_size            {{ $cfg.MapHashBucketSize }};
 
+    underscores_in_headers          {{ if $cfg.IgnoreInvalidHeaders }}on{{ else }}off{{ end }};
+    ignore_invalid_headers          {{ if $cfg.EnableUnderscoresInHeaders }}on{{ else }}off{{ end }};
+
     include /etc/nginx/mime.types;
     default_type text/html;
     {{ if $cfg.UseGzip }}
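Review bot: The two added directives read each other's setting: `underscores_in_headers` is driven by `$cfg.IgnoreInvalidHeaders` and `ignore_invalid_headers` by `$cfg.EnableUnderscoresInHeaders`. With the defaults set in NewDefault (IgnoreInvalidHeaders true, EnableUnderscoresInHeaders false), the template renders `underscores_in_headers on;` and `ignore_invalid_headers off;`. That is the opposite of what configuration.md documents, so nginx no longer drops header names that contain underscores or are otherwise invalid. Swap the conditions: `underscores_in_headers {{ if $cfg.EnableUnderscoresInHeaders }}on{{ else }}off{{ end }};` and `ignore_invalid_headers {{ if $cfg.IgnoreInvalidHeaders }}on{{ else }}off{{ end }};`. A template-rendering test that asserts both directives for the default Configuration would catch this kind of mix-up; the `http` block continues outside the hunk.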