防止在Nginx中遍历Kubernetes中的入口

分享于 

2分钟阅读

互联网

  繁體

问题:

我定义了以下入口:


---


apiVersion: extensions/v1beta1


kind: Ingress


metadata:


 name: someName


 namespace: test


 annotations:


 kubernetes.io/ingress.class: "ingress-public"


 nginx.ingress.kubernetes.io/affinity: "cookie"


 nginx.ingress.kubernetes.io/session-cookie-name: "JSESSIONID"


 nginx.ingress.kubernetes.io/connection-proxy-header: "keep-alive"


 nginx.ingress.kubernetes.io/server-snippet: |


 # block if not / or /test or /something


 if ($request_uri !~* "(^/(?:(?:test|something)(?:/|$)|$))") {


 return 404 ;


 break;


 }


 # redirect if proto_http


 if ($http_x_forwarded_proto = 'http') {


 return 301 https://$host$request_uri;


 break;


 }



 # hsts required header


 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;



spec:


 rules:


 - host: myhost.example.com


 http:


 paths:


 - path: /


 backend:


 serviceName: someservice


 servicePort: 80



我现在有两个问题。

  • 请求/test%2F..%2Fconfig不返回404,即使这与正规表达式不匹配
  • 请求/test/..-2Fconfig允许访问/config

是否有更好的正规表达式来覆盖这些情况,或者有办法将$request_uri转换为绝对uri,以便正规表达式编码的uri能够工作?

正规表达式在这里有一些测试用例:https://regex101.com/r/Msu402/1


答案1:


location ~* ^/(?!test|something) {


 return 404;


}





PRE  DIR  Nginx  Kubernetes  Traversal  Ingres  
相关文章