
Even though I have checked the docs and GitHub issues, I cannot set HSTS headers properly in ingress configuration files via annotations. It duplicates the header.

My ingress annotations part looks like this:

  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-production"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.org/websocket-services: web-page
    nginx.ingress.kubernetes.io/websocket-services: web-page
    nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
    nginx.ingress.kubernetes.io/proxy-body-size: 20m
    nginx.ingress.kubernetes.io/client-max-body-size: 20m
    nginx.ingress.kubernetes.io/server-snippet: |
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

But the response headers in the browser show this (screenshot): Duplicated HSTS headers

Why is that? Where is the other header set?

Murakami
  • Which version of Kubernetes did you use and how did you set up the cluster? Did you use bare metal installation or some cloud provider? – kkopczak Feb 09 '22 at 19:52
  • Hi, my k8s is 1.22.4 and it is set on Azure AKS – Murakami Feb 09 '22 at 23:53
  • Which version of Ingress did you use? How did you deploy it? Did you use any guide/tutorial or is it your own configuration? Is it possible to provide some logs? Could you provide some scenario for replication? Did it happen since the configuration was applied or did it work fine until something happened? Does the same behavior occur in a different browser? – kkopczak Feb 11 '22 at 15:58

1 Answer

I had a similar issue with a duplicated strict-transport-security response header with the Kubernetes community NGINX Ingress (ingress-nginx). The issue was that there were duplicate Ingress definitions defined (conflicting on the same wildcard domain / host). There appears to be an issue with OpenResty Lua where the logic fails to replace (as intended) the strict-transport-security response header when there are these conflicting Ingress objects defined.

Solution: Check all the Ingresses defined on the cluster with kubectl get ingress -A and ensure there are not multiple Ingress objects defined for the same hosts.

You can disable this functionality (globally on the cluster) in the ingress controller via ConfigMap, see: https://kubernetes.github.io/ingress-nginx/user-guide/tls/#http-strict-transport-security

By default, the ingress controller replaces any existing strict-transport-security response header with: strict-transport-security: max-age=15724800; includeSubDomains. The other (duplicate) header you see is coming from your application, and I surmise it is not being replaced by the ingress because of a conflict in your Ingress definitions (two or more ingress definitions for the same host).

BCG
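The two checks the answer recommends, as an added example that is not part of the original post or of ingress-nginx: finding hosts claimed by more than one Ingress in the output of `kubectl get ingress -A -o json`, and spotting a response header that is sent twice. The Ingress list and the raw headers below are constructed sample data, not taken from a real cluster.

```python
import json
from collections import defaultdict

# Constructed sample of `kubectl get ingress -A -o json` output (not real cluster data):
# two Ingress objects in different namespaces both claim web.example.com.
SAMPLE_INGRESS_LIST = json.dumps({
    "items": [
        {"metadata": {"namespace": "prod", "name": "web-page"},
         "spec": {"rules": [{"host": "web.example.com"}, {"host": "api.example.com"}]}},
        {"metadata": {"namespace": "legacy", "name": "web-old"},
         "spec": {"rules": [{"host": "web.example.com"}]}},
        {"metadata": {"namespace": "prod", "name": "docs"},
         "spec": {"rules": [{"host": "docs.example.com"}]}},
    ]
})

# Constructed raw response headers as a browser or `curl -sI` would show them: HSTS appears twice,
# once with the ingress-nginx default value and once with the value from the server-snippet.
SAMPLE_HEADERS = """HTTP/2 200
content-type: text/html
strict-transport-security: max-age=15724800; includeSubDomains
strict-transport-security: max-age=31536000; includeSubDomains; preload
"""

def duplicate_hosts(ingress_list_json: str) -> dict:
    """Map each host claimed by more than one Ingress to the sorted 'namespace/name' list claiming it."""
    claimed = defaultdict(list)
    for item in json.loads(ingress_list_json)["items"]:
        meta = item["metadata"]
        for rule in item.get("spec", {}).get("rules", []):
            host = rule.get("host", "*")  # a rule without a host matches every host
            claimed[host].append(f"{meta['namespace']}/{meta['name']}")
    return {h: sorted(owners) for h, owners in claimed.items() if len(owners) > 1}

def duplicate_headers(raw_headers: str) -> dict:
    """Header names (lower-cased) that appear more than once, with their values in arrival order."""
    seen = defaultdict(list)
    for line in raw_headers.splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        seen[name.strip().lower()].append(value.strip())
    return {n: v for n, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for host, owners in duplicate_hosts(SAMPLE_INGRESS_LIST).items():
        print(f"host {host} is claimed by: {', '.join(owners)}")
    for name, values in duplicate_headers(SAMPLE_HEADERS).items():
        print(f"header {name} sent {len(values)} times: {values}")
```

Against a live cluster, pipe `kubectl get ingress -A -o json` into `duplicate_hosts` and the output of `curl -sI https://<your-host>/` into `duplicate_headers`.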