Added configmap settings to support perfect forward secrecy

Nico Schieder · Nico Schieder · commit eadba666d0ab · 2016-11-30T15:55:48.000+01:00
diff --git a/nginx-controller/controller/controller.go b/nginx-controller/controller/controller.go
@@ -364,6 +364,29 @@ func (lbc *LoadBalancerController) syncCfgm(key string) {
 			}
 		}
 
+		// SSL block
+		if sslProtocols, exists := cfgm.Data["ssl-protocols"]; exists {
+			cfg.MainServerSSLProtocols = sslProtocols
+		}
+		if sslPreferServerCiphers, exists, err := nginx.GetMapKeyAsBool(cfgm.Data, "ssl-prefer-server-ciphers", cfgm); exists {
+			if err != nil {
+				glog.Error(err)
+			} else {
+				cfg.MainServerSSLPreferServerCiphers = sslPreferServerCiphers
+			}
+		}
+		if sslCiphers, exists := cfgm.Data["ssl-ciphers"]; exists {
+			cfg.MainServerSSLCiphers = strings.Trim(sslCiphers, "\n")
+		}
+		if sslDHParamFile, exists := cfgm.Data["ssl-dhparam-file"]; exists {
+			sslDHParamFile = strings.Trim(sslDHParamFile, "\n")
+			fileName, err := lbc.cnf.AddOrUpdateDHParam(sslDHParamFile)
+			if err != nil {
+				glog.Errorf("Configmap %s/%s: Could not update dhparams: %v", cfgm.GetNamespace(), cfgm.GetName(), err)
+			}
+			cfg.MainServerSSLDHParam = fileName
+		}
+
 		if logFormat, exists := cfgm.Data["log-format"]; exists {
 			cfg.MainLogFormat = logFormat
 		}
@@ -467,7 +490,7 @@ func (lbc *LoadBalancerController) createIngress(ing *extensions.Ingress) nginx.
 			glog.Warningf("Error retrieving secret %v for Ingress %v: %v", secretName, ing.Name, err)
 			continue
 		}
-		ingEx.Secrets[secretName] = secret
+		ingEx.Secrets[fmt.Sprintf("%s-%s", ing.GetNamespace(), secretName)] = secret
 	}
 
 	ingEx.Endpoints = make(map[string][]string)
diff --git a/nginx-controller/nginx/config.go b/nginx-controller/nginx/config.go
@@ -16,6 +16,11 @@ type Config struct {
 	HSTS                          bool
 	HSTSMaxAge                    int64
 	HSTSIncludeSubdomains         bool
+	// http://nginx.org/en/docs/http/ngx_http_ssl_module.html
+	MainServerSSLProtocols           string
+	MainServerSSLPreferServerCiphers bool
+	MainServerSSLCiphers             string
+	MainServerSSLDHParam             string
 }
 
 // NewDefaultConfig creates a Config with default values
diff --git a/nginx-controller/nginx/configurator.go b/nginx-controller/nginx/configurator.go
@@ -29,6 +29,10 @@ func NewConfigurator(nginx *NginxController, config *Config) *Configurator {
 	return &cnf
 }
 
+func (cnf *Configurator) AddOrUpdateDHParam(content string) (string, error) {
+	return cnf.nginx.AddOrUpdateDHParam(content)
+}
+
 // AddOrUpdateIngress adds or updates NGINX configuration for an Ingress resource
 func (cnf *Configurator) AddOrUpdateIngress(name string, ingEx *IngressEx) {
 	cnf.lock.Lock()
@@ -387,6 +391,10 @@ func (cnf *Configurator) UpdateConfig(config *Config) {
 		ServerNamesHashBucketSize: config.MainServerNamesHashBucketSize,
 		ServerNamesHashMaxSize:    config.MainServerNamesHashMaxSize,
 		LogFormat:                 config.MainLogFormat,
+		SSLProtocols:              config.MainServerSSLProtocols,
+		SSLCiphers:                config.MainServerSSLCiphers,
+		SSLDHParam:                config.MainServerSSLDHParam,
+		SSLPreferServerCiphers:    config.MainServerSSLPreferServerCiphers,
 	}
 
 	cnf.nginx.UpdateMainConfigFile(mainCfg)
diff --git a/nginx-controller/nginx/nginx.conf.tmpl b/nginx-controller/nginx/nginx.conf.tmpl
@@ -38,6 +38,10 @@ http {
         default upgrade;
         ''      close;
     }
+    {{if .SSLProtocols}}ssl_protocols {{.SSLProtocols}};{{end}}
+    {{if .SSLCiphers}}ssl_ciphers "{{.SSLCiphers}}";{{end}}
+    {{if .SSLPreferServerCiphers}}ssl_prefer_server_ciphers on;{{end}}
+    {{if .SSLDHParam}}ssl_dhparam {{.SSLDHParam}};{{end}}
 
     include /etc/nginx/conf.d/*.conf;
 }
diff --git a/nginx-controller/nginx/nginx.go b/nginx-controller/nginx/nginx.go
@@ -11,6 +11,8 @@ import (
 	"github.com/golang/glog"
 )
 
+const dhparamFilename = "dhparam.pem"
+
 // NginxController Updates NGINX configuration, starts and reloads NGINX
 type NginxController struct {
 	nginxConfdPath string
@@ -70,6 +72,11 @@ type NginxMainConfig struct {
 	ServerNamesHashBucketSize string
 	ServerNamesHashMaxSize    string
 	LogFormat                 string
+	// http://nginx.org/en/docs/http/ngx_http_ssl_module.html
+	SSLProtocols           string
+	SSLPreferServerCiphers bool
+	SSLCiphers             string
+	SSLDHParam             string
 }
 
 // NewUpstreamWithDefaultServer creates an upstream with the default server.
@@ -91,7 +98,7 @@ func NewNginxController(nginxConfPath string, local bool) (*NginxController, err
 	}
 
 	if !local {
-		ngxc.createCertsDir()
+		createDir(ngxc.nginxCertsPath)
 	}
 
 	cfg := &NginxMainConfig{ServerNamesHashMaxSize: NewDefaultConfig().MainServerNamesHashMaxSize}
@@ -121,6 +128,24 @@ func (nginx *NginxController) AddOrUpdateIngress(name string, config IngressNgin
 	nginx.templateIt(config, filename)
 }
 
+// AddOrUpdateDHParam creates the servers dhparam.pem file
+func (nginx *NginxController) AddOrUpdateDHParam(dhparam string) (string, error) {
+	fileName := nginx.nginxCertsPath + "/" + dhparamFilename
+	if !nginx.local {
+		pem, err := os.Create(fileName)
+		if err != nil {
+			return fileName, fmt.Errorf("Couldn't create file %v: %v", fileName, err)
+		}
+		defer pem.Close()
+
+		_, err = pem.WriteString(dhparam)
+		if err != nil {
+			return fileName, fmt.Errorf("Couldn't write to pem file %v: %v", fileName, err)
+		}
+	}
+	return fileName, nil
+}
+
 // AddOrUpdateCertAndKey creates a .pem file wth the cert and the key with the
 // specified name
 func (nginx *NginxController) AddOrUpdateCertAndKey(name string, cert string, key string) string {
@@ -211,9 +236,9 @@ func (nginx *NginxController) Start() {
 	}
 }
 
-func (nginx *NginxController) createCertsDir() {
-	if err := os.Mkdir(nginx.nginxCertsPath, os.ModeDir); err != nil {
-		glog.Fatalf("Couldn't create directory %v: %v", nginx.nginxCertsPath, err)
+func createDir(path string) {
+	if err := os.Mkdir(path, os.ModeDir); err != nil {
+		glog.Fatalf("Couldn't create directory %v: %v", path, err)
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,10 @@ http {`
`38`	`38`	`default upgrade;`
`39`	`39`	`'' close;`
`40`	`40`	`}`
	`41`	`+ {{if .SSLProtocols}}ssl_protocols {{.SSLProtocols}};{{end}}`
	`42`	`+ {{if .SSLCiphers}}ssl_ciphers "{{.SSLCiphers}}";{{end}}`
	`43`	`+ {{if .SSLPreferServerCiphers}}ssl_prefer_server_ciphers on;{{end}}`
	`44`	`+ {{if .SSLDHParam}}ssl_dhparam {{.SSLDHParam}};{{end}}`
`41`	`45`
`42`	`46`	`include /etc/nginx/conf.d/*.conf;`
`43`	`47`	`}`