Add public ingress config docs #401

Merged
merged 2 commits into from
Oct 9, 2024
2 changes: 1 addition & 1 deletion public-site/README.md
Expand Up @@ -45,7 +45,7 @@ NGINX configuration:

- `/proxy/server.conf`: Configuration used for production. Serves the statically built files.
- `/proxy/server.dev.conf`: Configuration used for development. Proxies requests to docusaurus backend.
- `/proxy/securityheaders`: Contains security related headers for the HTTP response. Included in both production and development configurations.
- `/proxy/securityheaders`: Contains security related headers for the HTTP response. Included in both production and development configurations. The `Content-Security-Profile` value for `script-src` includes two sha256 values (`$script_src_dev_sha` when running in dev mode, and `$script_src_prod_sha` for production build) for inline javascript generated by docusaurs. These scripts can change when packages are updated, which will cause the sha256 values to be invalid, causing the web page to fail. In this happens the values for both variables must be updated. Chrome (and chromium based browsers) will print the expected value in `Developer Tools` > `Console`. Run `make dev-up` to get the value for `$script_src_dev_sha`, and `make prod-up` for `$script_src_prod_sha`. Update both variables with the new corresponding values and test that both dev and prod builds works by running `dev-up` and then `prod-up`.

## docusaurus

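Review bot: The header name in the new README sentence is wrong: it reads `Content-Security-Profile`, but the directive being described is `Content-Security-Policy` (the `add_header Content-Security-Policy ...` line in `public-site/proxy/securityheaders`), so please correct it or readers searching the proxy config will not find the line. The same paragraph has typos worth fixing before merge: "docusaurs" should be "docusaurus", "In this happens" should be "If this happens", and "test that both dev and prod builds works" should be "build works". It would also help to state the failure mode plainly: when the hash no longer matches, the browser refuses to execute the inline script and the console message shows the hash it computed, which is the value to paste into the corresponding variable.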
19 changes: 17 additions & 2 deletions public-site/docs/radix-config/index.md
Expand Up @@ -1166,28 +1166,43 @@ spec:
network:
ingress:
public:
proxyBodySize: 500m
proxyReadTimeout: 5
proxySendTimeout: 10
allow:
- 100.1.1.1
- 110.1.1.1/30
environmentConfig:
- environment: dev
network:
ingress:
proxyBodySize: 20m
proxyReadTimeout: 30
proxySendTimeout: 30
public:
allow: []
- environment: qa
network:
ingress:
public:
proxyBodySize: 100m
allow:
- 200.1.1.1
- 200.10.1.1
- environment: prod
```

The `network.ingress.public.allow` property defines a list of public IP addresses or CIDRs allowed to access the component's public endpoints. The `allow` list can be configured on the component level and/or in `environmentConfig` for a specific environment. `environmentConfig` takes precedence over component level configuration. Setting `allow` to an empty list allows access from all public IP addresses.
`network.ingress.public` contains settings used to control the behavior of [public endpoints](../docs/topic-domain-names/). These settings can be configured on the component level and/or in `environmentConfig` for a specific environment. `environmentConfig` takes precedence over component level configuration.

In the example, `allow` is configured on the component level with two IP address ranges. This configuration will apply to all environments, unless `allow` is configured in `environmentConfig`. For environment `dev`, `allow` to en empty list, which will allow all public IP addresses to access the component. In the `qa` environment, `allow` is configured with a new list if IP addresses. These will be used instead of the IP addresses configured on the component level. The `environmentConfig` for `prod` does not specify `allow`, which means that the configuration from the component level will be used.
- `allow`: Defines a list of public IP addresses or CIDRs allowed to access the component's public endpoints. Setting `allow` to an empty list allows access from all public IP addresses.
**Note**: When `allow` is configured in `environmentConfig`, it will _overwrite_ any values defined on component level.
- `proxyBodySize`: Sets the maximum allowed size of the client request body. Sizes can be specified in bytes, kilobytes (suffixes k and K), megabytes (suffixes m and M), or gigabytes (suffixes g and G), for example "1024", "64k", "32m" or "2g". If the size in a request exceeds the configured value, the 413 (Request Entity Too Large) error is returned to the client. Setting this value to "0" disables checking of client request body size. The default is 100m.
- `proxyReadTimeout`: Defines a timeout, in seconds, for reading a response from the proxied server. The timeout is set only between two successive read operations, not for the transmission of the whole response. If the proxied server does not transmit anything within this time, the connection is closed. The default is 60 seconds.
- `proxySendTimeout`: Defines a timeout, in seconds, for transmitting a request to the proxied server. The timeout is set only between two successive write operations, not for the transmission of the whole request. If the proxied server does not receive anything within this time, the connection is closed. The default is 60 seconds.

:::warning Caution
Setting `proxyBodySize` to "0", or an unneccessary high value, can lead to instability/denial of service or increased cost, depending on how the request body is processed by the backend, e.g. when buffering to memory or storing the content to disk, either locally or remotly. Never set the value to "0" unless the backend component is configured to enforce a limit.
:::

## `jobs`

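Review bot: The `dev` entry in the example YAML nests `proxyBodySize`, `proxyReadTimeout` and `proxySendTimeout` directly under `ingress:`, while the component-level block, the `qa` entry and the new prose all place them under `network.ingress.public`; unless the `dev` placement is intentional, move those three keys under `public:` so the example matches the documented schema. Two spelling fixes in the caution block: "unneccessary high value" should read "unnecessarily high value" and "remotly" should be "remotely". Also consider stating explicitly in the `allow` bullet that an empty list removes the IP restriction rather than blocking everyone, since `allow: []` in the `dev` example is the opposite of what a reader might expect from an allow list; the current "allows access from all public IP addresses" wording is correct but easy to skim past.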
6 changes: 5 additions & 1 deletion public-site/proxy/securityheaders
@@ -1,7 +1,11 @@
set $script_src_dev_sha "'sha256-PE/7QjqXXKVhTWba7f6GhIv05JWyUEggAwueH3hMSXI='";
set $script_src_prod_sha "'sha256-pBkmluod9Ko4GzDfbWgKM/wxzujFXUdGVOePkwOQT+c='";
set $script_src_sha "$script_src_dev_sha $script_src_prod_sha";

add_header X-Frame-Options deny always;
add_header X-Content-Type-Options nosniff always;
add_header X-Permitted-Cross-Domain-Policies none always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; object-src 'none'; img-src 'self' data:; style-src 'self' 'unsafe-inline' https://cdn.eds.equinor.com/font/; font-src 'self' https://cdn.eds.equinor.com/font/; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval' $script_src_sha; object-src 'none'; img-src 'self' data:; style-src 'self' 'unsafe-inline' https://cdn.eds.equinor.com/font/; font-src 'self' https://cdn.eds.equinor.com/font/; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content" always;
add_header Cross-Origin-Resource-Policy same-origin always;
add_header Permissions-Policy "camera=(),display-capture=(),fullscreen=(),geolocation=(),microphone=()" always;
add_header Referrer-Policy no-referrer always;
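Review bot: Replacing `'unsafe-inline'` with the two sha256 sources is a real tightening of `script-src`, but `'unsafe-eval'` is still in the directive, so any script that does run can still reach `eval` and the `Function` constructor; if Docusaurus needs it only in dev mode, consider moving it so the production policy does without it, and otherwise leave a comment in this file recording why it is required. A second point on the hash variables: `$script_src_sha` concatenates both the dev and prod hashes, so each build also accepts the other mode's inline script; that is harmless for the hashes themselves but deserves a one-line comment so a future reader does not assume the values are mode-specific. Finally, `block-all-mixed-content` is deprecated in CSP3 and superseded by `upgrade-insecure-requests`, which is already present; dropping it is optional cleanup.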