ingress-nginx

Action: SanitiseRequestHeader is not yet supported

Open danfinn opened this issue 2 years ago • 9 comments

What happened:

We noticed recently that we have sensitive information being exposed in the logs coming from ingress-nginx. It appears modsecurity has a way to scrub these but I get the following error when trying to enable it:

nginx: [emerg] "modsecurity_rules" directive Rules error. File: <<reference missing or not informed>>. Line: 4. Column: 33. Action: SanitiseRequestHeader is not yet supported.  in /tmp/nginx-cfg1187505633:585
nginx: configuration file /tmp/nginx-cfg1187505633 test failed

What you expected to happen:

Ideally modsecurity would scrub the sensitive data.

NGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.):

NGINX Ingress controller
  Release: v1.1.2
  Build: bab0fbab0c1a7c3641bd379f27857113d574d904
  Repository: https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.19.9


Kubernetes version (use kubectl version): Server Version: version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.6", GitCommit:"7ffcdf755d47c73903854cc5955afcdcd8c95225", GitTreeState:"clean", BuildDate:"2023-10-09T14:43:34Z", GoVersion:"go1.19.10", Compiler:"gc", Platform:"linux/amd64"}

Environment:

  • Cloud provider or hardware configuration: Azure AKS

  • OS (e.g. from /etc/os-release):

  • Kernel (e.g. uname -a):

  • Install tools:

    • Azure AKS
  • Basic cluster related info:

    • Server Version: version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.6", GitCommit:"7ffcdf755d47c73903854cc5955afcdcd8c95225", GitTreeState:"clean", BuildDate:"2023-10-09T14:43:34Z", GoVersion:"go1.19.10", Compiler:"gc", Platform:"linux/amd64"}
    • kubectl get nodes -o wide
  • How was the ingress-nginx-controller installed:

    • nginx-hl-idx-14 pw-hl-idx-14-1001389117 1 2023-10-31 17:11:04.439548761 +0000 UTC deployed ingress-nginx-4.0.18 1.1.2
  • Current State of the controller:

    • Name: nginx-hl-idx-14-ingressclass
      Labels: app.kubernetes.io/component=controller
              app.kubernetes.io/instance=nginx-hl-idx-14
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=ingress-nginx
              app.kubernetes.io/part-of=ingress-nginx
              app.kubernetes.io/version=1.1.2
              helm.sh/chart=ingress-nginx-4.0.18
      Annotations: meta.helm.sh/release-name: nginx-hl-idx-14
                   meta.helm.sh/release-namespace: pw-hl-idx-14-1001389117
      Controller: hl-idx-14.io/nginx-hl-idx-14-ingressclass
      Events: <none>
  • Current state of ingress object, if applicable: N/A

  • Others: N/A

How to reproduce this issue: Try to apply scrubbing with the following setting:

SecAction "phase:5,nolog,pass,\
sanitiseRequestHeader:Authorization"

danfinn, Oct 31 '23 17:10
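
An added example, not part of the issue or of the ingress-nginx project: a filter that masks the `Authorization` header value in log lines after they leave the controller, for setups where `sanitiseRequestHeader` is rejected as in the error above. It assumes each log line is either a JSON object that carries headers under a `headers` key or a plain `Name: value` header line; the function names and the sample lines are constructed for illustration.

```python
import json
import re

# Header named in the issue; extending the set is the operator's choice (assumption).
SENSITIVE = {"authorization"}
MASK = "[REDACTED]"

# Native-format audit logs print request headers as "Name: value" lines.
_RAW_HEADER = re.compile(r"^(\s*)([A-Za-z0-9-]+)(\s*:\s*)(.*)$")

def _mask_headers(node, sensitive):
    """Recursively mask sensitive keys inside any 'headers' object."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "headers" and isinstance(value, dict):
                for name in value:
                    if name.lower() in sensitive:  # header names are case-insensitive
                        value[name] = MASK
            else:
                _mask_headers(value, sensitive)
    elif isinstance(node, list):
        for item in node:
            _mask_headers(item, sensitive)

def scrub_line(line, sensitive=SENSITIVE):
    """Return one log line (without its newline) with sensitive header values masked."""
    line = line.rstrip("\r\n")
    if line.lstrip().startswith("{"):
        try:
            record = json.loads(line)
        except ValueError:
            record = None  # not valid JSON: fall through to text handling
        if isinstance(record, dict):
            _mask_headers(record, sensitive)
            return json.dumps(record, separators=(",", ":"))
    match = _RAW_HEADER.match(line)
    if match and match.group(2).lower() in sensitive:
        return f"{match.group(1)}{match.group(2)}{match.group(3)}{MASK}"
    return line  # anything else passes through unchanged

# Constructed sample lines, not taken from the issue.
SAMPLE = [
    '{"transaction":{"request":{"method":"GET","uri":"/api","headers":'
    '{"Host":"example.test","authorization":"Bearer abc.def.ghi"}}}}',
    "Authorization: Basic dXNlcjpwYXNz",
    "GET /api HTTP/1.1",
]
```

Run it as a stage between the controller's log output and the log shipper, for example by mapping `scrub_line` over standard input.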