sassoftware / viya4-deployment

This project contains Ansible code that creates a baseline in an existing Kubernetes environment for use with the SAS Viya Platform, generates the manifest for an order, and then can also deploy that order into the Kubernetes environment specified.
Apache License 2.0

feat: (IAC-298) Security update - `use-forwarded-headers` set to false for ingress-nginx #428

Closed riragh closed 1 year ago

riragh commented 1 year ago

Changes:

Previously the default value for `use-forwarded-headers` was set to true. This raised a security concern, as it allows spoofing of the source IP via the X-Forwarded-For header.

The NGINX Ingress Controller documents `use-forwarded-headers` as follows:

If true, NGINX passes the incoming X-Forwarded-* headers to upstream. Use this option when NGINX is behind another L7 proxy / load balancer that is setting these headers.

If false, NGINX ignores incoming X-Forwarded-* headers, filling them with the request information it sees. Use this option if NGINX is exposed directly to the internet, or it's behind a L3/packet-based load balancer that doesn't alter the source IP in the packets.

As NGINX is not behind another L7 proxy / load balancer, this PR sets `use-forwarded-headers` to false by default. Instructions have been added to the troubleshooting guide for users who wish to enable this setting.

Tests:

Verified on the following scenarios: the deployment stabilized and applications were accessible with the change `use-forwarded-headers = false`. See additional details and tests in internal ticket:

| Scenario | Task | Provider | Cadence |
| --- | --- | --- | --- |
| 1 | OOTB | Azure | fast:2020 |
| 2 | OOTB | AWS | fast:2020 |
| 3 | OOTB | GCP | fast:2020 |
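To make the two documented behaviours concrete, here is an added Python model (not this project's code and not ingress-nginx's) of which address the upstream application ends up treating as the client. The IPs and header values are constructed samples, and the L7 load balancer is assumed to overwrite X-Forwarded-For with the peer it actually observed, as the quoted documentation describes.

```python
# Added model of client-IP resolution under the two use-forwarded-headers
# settings. Constructed illustration; not ingress-nginx's own code.
from dataclasses import dataclass, field
from typing import Dict

XFF = "X-Forwarded-For"


@dataclass
class Request:
    peer_ip: str                                   # source IP of the TCP connection
    headers: Dict[str, str] = field(default_factory=dict)


def client_ip(req: Request, use_forwarded_headers: bool) -> str:
    """Address the upstream application will treat as the client's.

    true:  the incoming X-Forwarded-For is trusted; its first entry wins.
    false: the incoming header is ignored; the TCP peer address is used.
    """
    xff = req.headers.get(XFF, "")
    if use_forwarded_headers and xff:
        return xff.split(",")[0].strip()
    return req.peer_ip


def through_l7_proxy(req: Request, proxy_ip: str) -> Request:
    """A trusted L7 load balancer in front of ingress: it terminates the
    connection and sets X-Forwarded-For to the peer it actually observed,
    discarding any value the client supplied (assumed behaviour)."""
    hdrs = {k: v for k, v in req.headers.items() if k != XFF}
    hdrs[XFF] = req.peer_ip
    return Request(peer_ip=proxy_ip, headers=hdrs)


# Constructed sample: a client at 203.0.113.7 sends a forged header.
DIRECT = Request("203.0.113.7", {XFF: "10.0.0.1"})          # ingress exposed directly
VIA_LB = through_l7_proxy(DIRECT, proxy_ip="192.0.2.1")     # same client, behind an L7 LB


def scenarios() -> Dict[str, str]:
    """Client IP seen by the application for each (topology, setting) pair."""
    return {
        "direct/true":  client_ip(DIRECT, True),    # "10.0.0.1"    <- forged value accepted
        "direct/false": client_ip(DIRECT, False),   # "203.0.113.7" <- real peer (this PR's default)
        "lb/true":      client_ip(VIA_LB, True),    # "203.0.113.7" <- header set by trusted LB
        "lb/false":     client_ip(VIA_LB, False),   # "192.0.2.1"   <- only the LB address is visible
    }


if __name__ == "__main__":
    for name, ip in scenarios().items():
        print(f"{name:13s} -> {ip}")
```

The "direct/true" row is the spoofing concern the PR addresses; the "lb/false" row is why the troubleshooting guide keeps a way to re-enable the setting when an L7 proxy really is in front of ingress.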
riragh commented 1 year ago

I am ok with this as long as we tested the SAS code and verified that the systems still work without this item.

Yes, this change was verified on all the cloud providers; SAS Viya Platform deployments were successful and applications were accessible.