nginxinc/nginx-ingress-helm-operator

Option for enabling only TLSv1.2 and TLSv1.3 and strong ciphers and HSTS

pomland-94 opened this issue · 10 comments

Hey,
I ran an instance of this operator on my OpenShift cluster, but the rating on SSL Labs is the worst because by default TLSv1.0 and weak ciphers are enabled. Is there an option to change this?
(two screenshots attached, 2022-11-14)

HSTS and protocols are here: https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/#auth-and-ssltls
They are both global settings; they can be overridden for a specific hostname with snippets.
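The ConfigMap keys from the linked docs applied to this thread's setup, as an added example that is not from the thread or the project: a standalone ConfigMap, and the same entries placed under `spec.controller.config.entries` of the NginxIngress resource, which is the chart value the operator renders into the controller's ConfigMap. The namespace, the cipher list and the one-year max-age are this example's own choices.

```yaml
# Standalone ConfigMap (the controller only reads the ConfigMap it was pointed at,
# e.g. via customConfigMap); namespace is assumed for this example
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-config
  namespace: nginx-ingress
data:
  # Drop TLSv1 and TLSv1.1; offer only TLS 1.2 and 1.3
  ssl-protocols: "TLSv1.2 TLSv1.3"
  # Forward-secret AEAD suites only; this list governs TLS 1.2
  # (TLS 1.3 suites are selected by the TLS library, not by ssl_ciphers)
  ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"
  ssl-prefer-server-ciphers: "True"
  # HSTS for one year, including subdomains
  # (set hsts-behind-proxy as well if TLS is terminated in front of NGINX)
  hsts: "True"
  hsts-max-age: "31536000"
  hsts-include-subdomains: "True"
---
# The same entries in the operator's NginxIngress resource,
# under controller.config.entries (the chart's ConfigMap entries value)
apiVersion: charts.nginx.org/v1alpha1
kind: NginxIngress
metadata:
  name: nginx
  namespace: nginx-ingress
spec:
  controller:
    ingressClass: nginx
    config:
      entries:
        ssl-protocols: "TLSv1.2 TLSv1.3"
        ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"
        ssl-prefer-server-ciphers: "True"
        hsts: "True"
        hsts-max-age: "31536000"
        hsts-include-subdomains: "True"
```

After the controller reloads, `nginx -T` inside the pod should show `ssl_protocols TLSv1.2 TLSv1.3;` in the generated config, and `openssl s_client -connect <host>:443 -tls1_1` should fail to negotiate.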

The operator doesn't save my config flags. I installed the operator inside my OpenShift and created an Ingress Controller with the following config, but my data attributes get ignored:

apiVersion: charts.nginx.org/v1alpha1
kind: NginxIngress
metadata:
  name: nginx
  namespace: nginx-ingress
spec:
  controller:
    logLevel: 1
    nodeSelector: {}
    customPorts: []
    extraContainers: []
    initContainers: []
    config:
      annotations: {}
      entries: {}
    ingressClass: nginx
    includeYear: false
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
    pod:
      annotations: {}
      extraLabels: {}
    enableCertManager: false
    hostNetwork: false
    affinity: {}
    enableLatencyMetrics: false
    setAsDefaultIngress: false
    customConfigMap: ''
    terminationGracePeriodSeconds: 30
    lifecycle: {}
    nginxStatus:
      allowCidrs: 127.0.0.1
      enable: true
      port: 8080
    watchNamespace: ''
    nginxReloadTimeout: 60000
    healthStatus: false
    appprotect:
      enable: false
    enableCustomResources: true
    globalConfiguration:
      create: false
      spec: {}
    reportIngressStatus:
      annotations: {}
      enable: true
      enableLeaderElection: true
      ingressLink: ''
    nginxplus: false
    volumeMounts: []
    kind: deployment
    enablePreviewPolicies: false
    service:
      externalIPs: []
      customPorts: []
      loadBalancerIP: ''
      annotations: {}
      externalTrafficPolicy: Local
      httpPort:
        enable: true
        nodePort: ''
        port: 80
        targetPort: 80
      httpsPort:
        enable: true
        nodePort: ''
        port: 443
        targetPort: 443
      loadBalancerSourceRanges: []
      extraLabels: {}
      type: NodePort
      create: true
    readyStatus:
      enable: true
      port: 8081
    replicaCount: 2
    serviceAccount:
      imagePullSecretName: ''
    volumes: []
    enableSnippets: false
    nginxDebug: false
    appprotectdos:
      debug: false
      enable: false
      maxDaemons: 0
      maxWorkers: 0
      memory: 0
    defaultTLS: {}
    image:
      pullPolicy: IfNotPresent
      repository: nginx/nginx-ingress
      tag: 2.4.0-ubi
    enableTLSPassthrough: true
    tolerations: []
    enableOIDC: false
    healthStatusURI: /nginx-health
    disableIPV6: false
    nginxServiceMesh:
      enable: false
      enableEgress: false
  prometheus:
    create: true
    port: 9113
    scheme: http
    secret: ''
  rbac:
    create: true
  data:
    ssl-protocols: "TLSv1.2"

I created a ConfigMap with these values:

kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-config
data:
  ssl-protocols: "TLSv1.2 TLSv1.3"
  http2: "True"
  proxy-protocol: "True"

But this also didn't get applied.

Was there any log output related to the pod?
Such as some error after it caught the resource change?

No, nothing.

I applied the ConfigMap, but nothing happened; nothing appeared in the pod logs either. When I create a controller inside the operator and place key/value pairs inside the data: attribute, they get ignored and don't show up in the deployment YAML.

@pomland-94 are you able to provide the output of nginx -T and copy it into this thread?
Are you using our CRDs or the standard Ingress resource?

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 10 days.

This issue was closed because it has been stalled for 10 days with no activity.