Configure the front-end server to exclusively use HTTP/2 to communicate to back-end systems #4602

Closed
vadlakiran opened this issue Nov 2, 2023 · 9 comments
Assignees
Labels
waiting for response Waiting for author's response

Comments

@vadlakiran

WebInspect has detected the application to be vulnerable to an HTTP Request Smuggling attack.
How do I apply the fix below? I did not understand the HTTP/2 fix.

Configure the front-end server to exclusively use HTTP/2 to communicate to back-end systems.
Disable back-end connection reuse.

Your environment
Version of the Ingress Controller - release version or a specific commit: v1.10.1
Version of Kubernetes: v1.21.5
Kubernetes platform (e.g. Minikube or GCP): on-premises k8s cluster
Using NGINX or NGINX Plus: NGINX as DaemonSet
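The remediation quoted in the report is about leaving the front end and the back end no room to disagree on where a request ends. As an added example, not part of this issue or of the NGINX Ingress Controller, the check below inspects raw HTTP/1.1 request headers for the framing conflicts that request smuggling depends on; all sample requests are constructed.

```python
"""Reject HTTP/1.1 requests whose body framing is ambiguous.

Smuggling needs a front end and a back end to disagree on where a request ends
(Content-Length vs. Transfer-Encoding). Refusing such messages at the front end,
or speaking HTTP/2 to the back end so lengths are explicit in the framing,
removes the disagreement. Enabling HTTP/2 on the client-facing listener alone
changes only the client side of that picture. Sample requests are constructed.
"""
import re

# RFC 7230 token characters; a header name with a space ("Transfer-Encoding :")
# is invalid and is handled differently by different servers.
_TOKEN_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Split the header block of a raw HTTP/1.x request into (name, value) pairs."""
    head = raw.partition(b"\r\n\r\n")[0]
    headers = []
    for line in head.split(b"\r\n")[1:]:          # [0] is the request line
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.decode("latin-1"), value.decode("latin-1").strip()))
    return headers


def framing_problems(raw: bytes) -> list[str]:
    """Return the reasons a request's framing is ambiguous (empty list = accept)."""
    headers = parse_headers(raw)
    problems = []
    cl = [v for n, v in headers if n.lower() == "content-length"]
    te = [v for n, v in headers if n.lower() == "transfer-encoding"]
    if cl and te:          # RFC 7230 3.3.3: TE takes precedence, but reject outright
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:   # two parsers may each trust a different value
        problems.append(f"conflicting Content-Length values {cl}")
    problems += [f"non-numeric Content-Length {v!r}" for v in cl if not v.isdigit()]
    # Anything but the bare 'chunked' token (e.g. 'xchunked', 'chunked\t') is a
    # value one parser honours and another ignores.
    problems += [f"unusual Transfer-Encoding {v!r}" for v in te if v != "chunked"]
    problems += [f"invalid header name {n!r}" for n, _ in headers if not _TOKEN_RE.match(n)]
    return problems


# Constructed samples: a clean request and one carrying both length headers.
CLEAN = b"POST / HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\n\r\nhello"
AMBIGUOUS = (b"POST / HTTP/1.1\r\nHost: app\r\nContent-Length: 4\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    print(framing_problems(CLEAN))       # []
    print(framing_problems(AMBIGUOUS))   # ['both Content-Length and Transfer-Encoding present']
```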

github-actions bot commented Nov 2, 2023

Hi @vadlakiran thanks for reporting!

Be sure to check out the docs and the Contributing Guidelines while you wait for a human to take a look at this 🙂

Cheers!

@brianehlert
Collaborator

brianehlert commented Nov 2, 2023

Thanks for the issue @vadlakiran
I need to check though: are you using this project or are you using ingress-nginx?
Considering the version of the ingress controller that you are reporting, I am speculating you are using the community-maintained ingress-nginx project.

That said, any additional information that you could provide would be useful.
I am not fully clear on what you mean by "Configure the front-end server to exclusively use HTTP/2 to communicate to back-end systems". If you could explain further, that would be useful.

@vadlakiran
Author

vadlakiran commented Nov 2, 2023

@brianehlert Yes, we are using this project only (nginxinc). We have deployed it as a DaemonSet, as nginx-ingress and VS.
We have a vulnerability and need to enable the HTTP/2 protocol; below is the ConfigMap.

{{- if .Values.global.setuptypeipv4 }}
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-config
  namespace: "{{ .Values.global.namespace }}"
data:
  server-tokens: "false"
  client-max-body-size: "0"
  proxy-max-temp-file-size: "0"
  worker-connections: "30000"
  proxy-body-size: "0"
  proxy-read-timeout: "600"
  proxy-send-timeout: "600"
  ssl-ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!NULL:!RC4:!RC2:!DES:!3DES:!SHA:!SHA256:!SHA384:!MD5+HIGH:+MEDIUM
  ssl-protocols: TLSv1.2
  {{- if .Values.global.nglog_integration }}
  http-snippets: |
    add_header X-Frame-Options SAMEORIGIN always;
    # "$http_X_FORWADED_For" in the original was a misspelling and never matches
    # the X-Forwarded-For header; the variable is $http_x_forwarded_for.
    log_format customformat '$http_x_forwarded_for-$remote_addr $remote_user [$time_local] "$request" '
                            '$status $body_bytes_sent' '"$http_referer"' '"$http_user_agent"'
                            '"$upstream_addr" "$request_time" "$upstream_response_time" "$pipe"';
    access_log syslog:server={{ .Values.global.ng_syslog_server }}:{{ .Values.global.ng_syslog_port }},facility=local7,tag=RMSLog_Origin_nginx,severity=info customformat;
  {{- else }}
  http-snippets: |
    add_header X-Frame-Options SAMEORIGIN always;
  {{- end }}
  log-format-upstream: |
    '$http_x_forwarded_for-$remote_addr $remote_user [$time_local] "$request" '
    '$status $body_bytes_sent' '"$http_referer"' '"$http_user_agent"'
    '"$upstream_addr" "$request_time" "$upstream_response_time" "$pipe"'
{{- end }}

@shaun-nx
Contributor

shaun-nx commented Nov 3, 2023

Hi @vadlakiran

Let me see if I understand the issue correctly.

  1. You are running release v1.10.1 of the NGINX Ingress Controller
  2. WebInspect has detected that your deployment of the NGINX Ingress Controller is vulnerable to an HTTP Request Smuggling attack
  3. You have enabled HTTP/2 using a ConfigMap
  4. After enabling HTTP/2, WebInspect is still detecting the vulnerability in your deployment

Is what I said correct?

@vadlakiran
Author

@shaun-nx The 1st and 2nd points are correct. To avoid the 2nd point I want to enable HTTP/2.
How do I do that?

@shaun-nx
Contributor

shaun-nx commented Nov 3, 2023

Ah, I see! @vadlakiran
The documentation here explains how to configure HTTP/2 with a ConfigMap.

Here is an example ConfigMap:

kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-config
  namespace: nginx-ingress
data:
  http2: "True"

@shaun-nx
Contributor

shaun-nx commented Nov 6, 2023

Hi @vadlakiran just checking in. Did the ConfigMap I provided work for you?

@shaun-nx shaun-nx added the waiting for response Waiting for author's response label Nov 6, 2023
@shaun-nx shaun-nx self-assigned this Nov 9, 2023
@shaun-nx
Contributor

shaun-nx commented Nov 9, 2023

Hi @vadlakiran we'd love to hear back to know if the provided ConfigMap has worked for your issue.

@j1m-ryan

j1m-ryan commented Feb 8, 2024

Closing this issue due to 3 months of inactivity, but please feel free to open another if you have further updates.

@j1m-ryan j1m-ryan closed this as completed Feb 8, 2024