Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Turn off server_tokens for nginx http->https redirect vhost #18314

Closed
wants to merge 3 commits into from
Closed

Turn off server_tokens for nginx http->https redirect vhost #18314

wants to merge 3 commits into from

Conversation

sizowie
Copy link

@sizowie sizowie commented Mar 7, 2023
edited
Loading

This change turns off server_tokens (NGINX version in the HTTP response header) for the http->https redirect vhost in the NGINX configuration template.

Why?

NGINX "security" options like server_tokens should be the same in the http redirect vhost as for the https vhost, otherwise hiding the NGINX release in https vhost wouldn't make sense.

http

# curl -v http://localhost        
....     
< Server: nginx/1.22.0

https

# curl -v https://localhost
...      
< Server: nginx

Please indicate you've done the following:

  • Well Written Title and Summary of the PR
  • Label the PR as needed. "release-note/ignore-for-release, release-note/new-feature, release-note/update, release-note/enhancement, release-note/community, release-note/breaking-change, release-note/docs, release-note/infra, release-note/deprecation"
  • Accepted the DCO. Commits without the DCO will delay acceptance.
  • Made sure tests are passing and test coverage is added if needed.
  • Considered the docs impact and opened a new docs issue or PR with docs changes if needed in website repository.

@sizowie sizowie requested a review from a team as a code owner March 7, 2023 09:26
@Vad1mo Vad1mo added the release-note/update Update or Fix label Mar 8, 2023
@Vad1mo
Copy link
Member

Vad1mo commented Mar 8, 2023

@sizowie can you indicate, in your PR the benefits for Harbor and their users?

@codecov
Copy link

codecov bot commented Mar 8, 2023
edited
Loading

Codecov Report

Merging #18314 (aca5b91) into main (c8120d5) will increase coverage by 0.16%.
Report is 103 commits behind head on main.
The diff coverage is n/a.

Impacted file tree graph

@@            Coverage Diff             @@
##             main   #18314      +/-   ##
==========================================
+ Coverage   67.38%   67.54%   +0.16%     
==========================================
  Files         981      999      +18     
  Lines      107194   111450    +4256     
  Branches     2698     2973     +275     
==========================================
+ Hits        72228    75282    +3054     
- Misses      31085    31941     +856     
- Partials     3881     4227     +346
Flag Coverage Δ
unittests 67.52% <ø> (+0.14%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

see 92 files with indirect coverage changes

@sizowie
Copy link
Author

sizowie commented Mar 8, 2023

@sizowie can you indicate, in your PR the benefits for Harbor and their users?

sure, description updated.

@wy65701436 wy65701436 assigned zyyw and unassigned stonezdj, wy65701436 and chlins Mar 20, 2023
@Vad1mo
Copy link
Member

Vad1mo commented Apr 12, 2023

Makes sense, it is common practice and security advice to not print tokens

@wy65701436
Copy link
Contributor

hi @sizowie would you mind to provide some references for this change?

And the similar comments with this change,

Harbor provides a default configuration for Nginx, but users can enable or disable any configurations based on their specific requirements. However, this default configuration is only applicable for online/offline installations. What if a user installs Harbor on Kubernetes and prefers to use Contour as the proxy?

@wy65701436 wy65701436 added the more-info-needed The issue author need to provide more details and context to the issue label May 30, 2023
@sizowie
Copy link
Author

sizowie commented Jul 5, 2023

hi @sizowie would you mind to provide some references for this change?

And the similar comments with this change,

Harbor provides a default configuration for Nginx, but users can enable or disable any configurations based on their specific requirements. However, this default configuration is only applicable for online/offline installations. What if a user installs Harbor on Kubernetes and prefers to use Contour as the proxy?

http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
Enables or disables emitting nginx version on error pages and in the “Server” response header field.

This change only applies to users that are using the nginx container from the harbor online/offline-installer to ensure a minimum default hardened reverse proxy.

@github-actions
Copy link

github-actions bot commented Sep 4, 2023

This PR is being marked stale due to a period of inactivty. If this PR is still relevant, please comment or remove the stale label. Otherwise, this PR will close in 30 days.

@github-actions github-actions bot added the Stale label Sep 4, 2023
@github-actions
Copy link

github-actions bot commented Oct 5, 2023

This PR was closed because it has been stalled for 30 days with no activity. If this PR is still relevant, please re-open a new PR against main.

@github-actions github-actions bot closed this Oct 5, 2023
@Vad1mo Vad1mo removed the Stale label Oct 5, 2023
@Vad1mo Vad1mo reopened this Oct 5, 2023
@Vad1mo
Copy link
Member

Vad1mo commented Oct 5, 2023

Hey @goharbor/maintainers can we get this merged? this is a sensible basic configuration setting for Harbor.

@Vad1mo Vad1mo enabled auto-merge (squash) October 5, 2023 21:37
@github-actions GitHub Actions
Copy link

github-actions bot commented Dec 5, 2023

This PR is being marked stale due to a period of inactivty. If this PR is still relevant, please comment or remove the stale label. Otherwise, this PR will close in 30 days.

@github-actions github-actions bot added the Stale label Dec 5, 2023
@github-actions GitHub Actions
Copy link

github-actions bot commented Jan 5, 2024

This PR was closed because it has been stalled for 30 days with no activity. If this PR is still relevant, please re-open a new PR against main.

@github-actions github-actions bot closed this Jan 5, 2024
auto-merge was automatically disabled January 5, 2024 09:03

Pull request was closed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Vad1mo Vad1mo Vad1mo approved these changes

Assignees

@stonezdj stonezdj

@wy65701436 wy65701436

@zyyw zyyw

@MinerYang MinerYang

Labels
more-info-needed The issue author need to provide more details and context to the issue release-note/update Update or Fix Stale
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@sizowie @Vad1mo @wy65701436 @stonezdj @zyyw @chlins @MinerYang