How do I set custom headers using Google Kubernetes Engine?

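I understand that the NGINX Ingress controller allows custom header creation using a ConfigMap. Is there either:

  1. a way to use NGINX with GKE, or
  2. a way to specify custom headers directly in the networking.gke.io namespace?

I'm particularly interested in setting the HTTPS Strict Transport Security, Upgrade Insecure Requests and Content Security Policy headers. I found that the redirectToHttp feature doesn't enable these by default, so I'd be curious to hear any ideas.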

Taken from one of my Nginx ingress config values:

HSTS - under controller.config:

  hsts: "True" # default is "False". Enables HTTP Strict Transport Security (HSTS): the HSTS header is added to the responses from backends. See https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
  hsts-max-age: "31536000" # default is 2592000 (1 month).
  hsts-include-subdomains: "True" # default is "False".

Redirect to HTTPS - under annotations:

nginx.ingress.kubernetes.io/force-ssl-redirect: "true"

CORS - under annotations:

nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-origin: "http://localhost:8888/"
nginx.ingress.kubernetes.io/cors-max-age: "3600"
nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,apikey,x-apikey,Accept-Language,impersonated,source"
nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, PATCH, OPTIONS"

So, an example looks like this:

❯ kubectl get configmaps -n ingress nginx-ingress-0-24-controller -o yaml

apiVersion: v1
data:
  Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none';
    style-src 'self' 'unsafe-inline'; frame-src 'self'
  Referrer-Policy: 'Referrer-Policy: strict-origin-when-cross-origin'
  X-API-Token: x
  X-Content-Type-Options: nosniff
  X-Frame-Options: SAMEORIGIN
  X-Using-Nginx-Controller: "true"
  X-XSS-Protection: 1; mode=block
  client_body_buffer_size: 128k
  client_max_body_size: 24M
  enable-vts-status: "true"
  hsts: "True"
  hsts-include-subdomains: "True"
  hsts-max-age: "31536000"
  http-snippet: |
    more_clear_headers 'Server';
  log-format-upstream: '{"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr",
    "x-forward-for": "$proxy_add_x_forwarded_for", "request_id": "$request_id", "remote_user":
    "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status":
    $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri",
    "request_query": "$args", "request_length": $request_length, "duration": $request_time,
    "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent":
    "$http_user_agent"}'
  proxy-hide-headers: Server, server, Access-Control-Allow-Origin, X-Using-Nginx-Controller
  proxy-set-headers: ingress/nginx-ingress-0-24-custom-headers
  server-tokens: "False"
  ssl-ciphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
  ssl-protocols: TLSv1.2
  use-http2: "true"
kind: ConfigMap
metadata:
  creationTimestamp: "2020-08-20T08:46:22Z"
  labels:
    app: nginx-ingress
    chart: nginx-ingress-1.8.2
    component: controller
    heritage: Tiller
    release: nginx-ingress-0-24
  name: nginx-ingress-0-24-controller
  namespace: ingress
  resourceVersion: "205918413"
  selfLink: /api/v1/namespaces/ingress/configmaps/nginx-ingress-0-24-controller
  uid: 9fc20850-e2c1-11ea-87b8-42010af00186

While the annotations go into the ingress yaml:

❯ kubectl get ingresses -n system nginx-ingress-ingress-config protect-private -o yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx-0-24
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
  creationTimestamp: "2021-03-05T13:03:49Z"
(...)
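
A client-side check that settings like the ones above actually reach responses, added here as an example that is not part of the original answer: it parses a saved response head (for instance `curl -sI` output) and compares it with the HSTS, CSP, nosniff and Server-header values from the ConfigMap. The function names and both sample responses are constructed for illustration.

```python
import re

# Expected values mirror the controller settings quoted on this page.
MIN_HSTS_MAX_AGE = 31536000                      # hsts-max-age
REQUIRED_CSP = {"default-src": "'self'", "object-src": "'none'"}

def parse_headers(raw):
    """Raw response head -> {lower-cased name: value}; a repeat keeps its last value."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:    # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_csp(value):
    """Split a CSP value into {directive: source list}; first occurrence wins."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), " ".join(tokens[1:]))
    return directives

def audit(raw):
    """Return a list of findings; an empty list means the response matches."""
    h, findings = parse_headers(raw), []
    hsts = h.get("strict-transport-security", "")
    m = re.search(r'max-age\s*=\s*"?(\d+)', hsts, re.I)
    if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append("HSTS missing or max-age below 31536000")
    if "includesubdomains" not in hsts.lower():
        findings.append("HSTS lacks includeSubDomains")
    csp = parse_csp(h.get("content-security-policy", ""))
    for name, want in REQUIRED_CSP.items():
        if csp.get(name) != want:
            findings.append(f"CSP {name} is not {want}")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if "server" in h:                            # more_clear_headers 'Server'
        findings.append("Server header still exposed")
    return findings

# Constructed sample responses (not captured from a real cluster).
GOOD = """HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains
content-security-policy: default-src 'self'; script-src 'self'; object-src 'none'
x-content-type-options: nosniff"""
BAD = "HTTP/1.1 200 OK\nServer: nginx\nStrict-Transport-Security: max-age=2592000"
```

Calling `audit()` on a response fetched through the ingress returns an empty list when every expected header is present, and one finding per header that is missing or weaker than configured.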