custom-error-pages example image fails to return the correct Content-Type header in its response #4039
juliohm1978 changed the title "custom-error-pages example image fails to return the correct Content-Type header its response" (Apr 25, 2019)
PR is very simple and is on the way
juliohm1978 changed the title from "custom-error-pages example image fails to return the correct Content-Type header its response" to "custom-error-pages example image fails to return the correct Content-Type header in its response" (Apr 25, 2019)
schaze pushed a commit to schaze/ingress-nginx that referenced this issue (May 30, 2019)
This should fix issue [4039](kubernetes#4039). This default backend fails to send the correct `Content-Type` header when it fails to decode the `Accept` request header. This patch simply forces `text/html` in that specific scenario.
morganwu277 added a commit to morganwu277/ingress-nginx that referenced this issue (Jun 20, 2019)
* update GKE header to match link in contents * extract common logic into a helper * do not repeat cert verification against root ca * clean up certificate processing * adjust unit tests * bugfix: when secret includes ca.crt store it on disk even in dynamic cert mode * fix function comment * Allow the use of a secret located in a different namespace * Refactor status update * Fix status tests * Add promehteus metric about leader election status * Use full election leader ID * Fix documentation * Remove useless nodeip call and deprecate --force-namespace-isolation * Improve text, error level, tests... * Only the leader updates metrics for SSL certificate expiration * Force travis rebuild * Improve kubectl plugin * Separate out annotation assignment logic * Make sure cli-arguments doc is in alphabetical order * Remove sort-backends flag from cli docs * Correctly format ipv6 resolver config for lua Fixes kubernetes#3881 * enable dynamic SSL mode by default * Improve "Sticky sessions" documentation page * Remove unnecessary copy of GeoIP databases * Update nginx image * Migrate e2e cluster to kind * Add support for IPV6 resolvers * Set `X-Request-ID` for the `default-backend`, too. 
* Aligned to `golint` * Add lint subcommand * Update apiVersion to apps/v1, drop duplicate line * Update nginx to 1.15.10 * Update nginx image * Fix dynamic SSL certificate for aliases and redirect-from-to-www * Update dependencies client-go to release-11.0 and kubernetes-1.14.0 * Update go dependencies * fix typo: delete '`' fix typo: delete '`' * Adds a log warning when falling back to default fake cert * Simplify x-forwarded-prefix annotation * Fix e2e-tests * Add plugin lint for this change * replace some of the Nginx configuration to Lua code * properly parse x-forwarded-host * Fix load-balance configmap value * Plugin select deployment using replicaset name * Fix segfault on reference to nonexistent configmap * Refactor equals * lua plugin system * Proper use of quotes for running the command $1 on a shell has a special meaning and inside of double quotes (") it will be expaned to an empty string. Using single quotes fixes the issue. * Update nginx image (kubernetes#3968) * Update nginx image to 0.84 (kubernetes#3969) * Release 0.24.0 * Update yaml files to 0.24.0 [skip-ci] (kubernetes#3975) * Fix CA certificate example docs * Refactor isIterable * Add missing PR in changelog [skip ci] (kubernetes#3981) * Add kubectl plugin docs * Link to kubectl plugin docs in nav * fix custom default backend test title * regression test for dynamic cert related default-certificate issue * fix dynamic cert bug * Update README.md * Remove valgrind * better logging in certificate.lua * properly handle default and custom default certs in dynamic ssl mode * handle default certificate correctly in Lua * better certificate lua unit tests * adjust default ssl cert e2e test * fix luacheck warning * do not create empty access_by_lua_block * make sure unit test create fakecertificate * Release 0.24.1 * refactor GetFakeSSLCert * Switch to go modules * Support proxy_next_upstream_timeout * Add homepage and .exe to plugin * Update nginx to 1.15.12 * Update nginx image and Go to 1.12.4 
(kubernetes#4010) * add e2e coverage for multi auth * Implement a validation webhook In case some ingress have a syntax error in the snippet configuration, the freshly generated configuration will not be reloaded to prevent tearing down existing rules. Although, once inserted, this configuration is preventing from any other valid configuration to be inserted as it remains in the ingresses of the cluster. To solve this problem, implement an optional validation webhook that simulates the addition of the ingress to be added together with the rest of ingresses. In case the generated configuration is not validated by nginx, deny the insertion of the ingress. In case certificates are mounted using kubernetes secrets, when those changes, keys are automatically updated in the container volume, and the controller reloads it using the filewatcher. Related changes: - Update vendors - Extract useful functions to check configuration with an additional ingress - Update documentation for validating webhook - Add validating webhook examples - Add a metric for each syntax check success and errors - Add more certificate generation examples * 🔧 fix navigation error in file baremetal.md Signed-off-by: William Zhang <zhang.wanmin@zte.com.cn> * Docs have incorrect command in baremetal.md The output shown is for `kubectl get node` and not `kubectl describe node`. I've updated the docs to use the correct command. * [doc] fixing regex in example of rewrite avoids /somethingfoo to be matched by regex Signed-off-by: Marcos Estevez <marcos.stvz@gmail.com> * Fix default Content-Type for custom-error-pages example This should fix issue [4039](kubernetes#4039). This default backend fails to send the correct `Content-Type` header when it fails to decode the `Accept` request header. This patch simply forces `text/html` in that specific scenario. * Release custom error pages image v0.4 [skip-ci] (kubernetes#4042) * Added Global External Authentication settings to configmap parameters incl. 
addons * Fixed typos * Update go to 1.12.5, kubectl to 1.14.1 and kind to 0.2.1 (kubernetes#4064) * Trim spaces from annotations that can contain multiple lines * fix e2e-test make target - explicitly wait for api token - only use posix shell conditionals * fix typo: deployement->deployment * Don't try to create e2e runner rbac resources twice * load modsecurity.conf on ModSecurity.Enable * Explain references in custom-headers documentation Augment description of custom-headers behavior. Explain the purpose of the two configmaps, making explicit that one cites the other by `namespace/name`. Link the two example yaml files, so they're more easily navigated to from a browser looking at https://kubernetes.github.io/ingress-nginx/examples/customization/custom-headers/ Campfire: grammar, standard installation is in the `ingress-nginx` namespace. * Add image for prow jobs * Run tests with only one worker * Add option to run scripts in debug mode * Refactor scripts to run e2e tests * Update generated code * Add dependencies for code generator * Docs: configmap: use-gzip Move the "gzip-types" value default from the "use-gzip" to the "gzip-types" heading, and link to it from use-gzip. Document that the "use-gzip" default is "true", matching the style of other configmap items. * Cleanup * Add binaries required by kubernetes-sigs/testing_frameworks * Allow to use a custom k8s version in e2e tests * Update configmap about adding custom locations * Remove stop controller endpoint * Docs - Update capture group `placeholder` The current ingress example uses the `$2` capture group placeholder, however the description refers to the `$1` placeholder (this was previously correct, but was not updated when the ingress example changed from $1 to $2). 
* reduce memory footprint and cpu usage when modsecurity and owasp rules are enabled globally * Rearrange deployment files into kustomizations * UPT: Add variable to define custom sampler host and port, add commituser * UPT: Modify configmap to include jaeger sampler host and jaeger sampler port * UPT: Opentracing configmap documentation * Clear up some inconsistent / unclear wording IPv6 enabled/disabled working was confusing or contradicting itself. This updates the wording to what is expected, based on the default values in the table above, and the behaviour that I could find in code. * Refactor ListIngresses to add filters * Use a real apiserver to test the store * Update go dependencies * Add retry to LookupHost used to check the content of ExternalName * Update e2e images (kubernetes#4110) * Force GOOS to linux * log info when endpoints change for a balancer * updated nginx and some other modules * Update nginx image to 0.86 * use nkeys for counting lua table elements * Refactor whitelist from map to standard allow directives * Added support for annotation `session-cookie-change-on-failure` 1. Session cookie is updated on previous attempt failure when `session-cookie-change-on-failure = true` (default value is `false`). 2. Added tests to check both cases. 3. Updated docs. Co-Authored-By: Vladimir Grishin <yadolov@users.noreply.github.com> * Refactor e2e test * feature(collectors): Added services to collectorLabels and requests Countervec to capture the name of the kubernetes service used to serve the client request. * Update README.md for external-auth Test 4 Title for Test 4 should be `secure service with valid auth header`. The current one is the same as Test 3. * Use apps/v1 api group in e2e tests * Run PodSecurityPolicy E2E test in parallel Previously, this test modified a ClusterRole used by _every_ test. It had to be run serially, with a special teardown function that restored the state of the ClusterRole for any other serial tests. 
Now every test gets its own cluster role, which means this test can be safely run in parallel with all the others, without any special teardown. * update modsecurity to latest, libmodsecurity to v3.0.3 and owasp-scrs to v3.1.0 (kubernetes#4140) * Update nginx (kubernetes#4150) * Update nginx image * Fix IPV6 test issues in Prow * Add clarification on how to enable path matching The fact that you need to explicitly add the annotation is easy to miss. This makes this more explicit, while leaving the finer details to the linked annotations document. * Partially revert usage of kustomize for installation (kubernetes#4159) * SSL expiration metrics cannot be tied to dynamic updates * fix source file mods * Session Affinity ChangeOnFailure should be boolean * Add "text/javascript" to compressible MIME types Based on the HTML Standard, https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages, servers _should_ use `text/javascript`. * simplify sticky balancer * bugfix: check all previously failing upstreams, not just the last one * Add unit test case for balancer.route_to_alternative_balancer() * Add unit test case for canary by weight * Add unit test case for canary by cookie * Add unit test case for canary by header * Only load modsecurity_module when ModSec is active * increase lua_shared_dict config data * Fix: fillout missing health check timeout on health check. * Migrate to new networking.k8s.io/v1beta1 package * Update go dependencies * Add e2e test for service type=ExternalName
For anyone else finding this from Google, custom-error-pages-amd64 with tag 0.4 [1] has this update.

[1] https://quay.io/repository/kubernetes-ingress-controller/custom-error-pages-amd64?tab=tags
brianredbeard pushed a commit to brianredbeard/penalty-flag that referenced this issue (Feb 21, 2020)
This should fix issue [4039](kubernetes/ingress-nginx#4039). This default backend fails to send the correct `Content-Type` header when it fails to decode the `Accept` request header. This patch simply forces `text/html` in that specific scenario.
This refers to the example provided in custom-error-pages.

The code should return a default content-type header `text/html`, but when it fails to decode the `Accept` header, it simply mirrors whatever came from the request into the response. Please refer to lines 108 and 114 from the original source code.

The general behavior for most browsers is to include several mime types in the `Accept` header. When it's unable to decode it, this default backend simply copies the contents of `Accept` into the response's `Content-Type`. This results in browsers not being able to decode the `Content-Type` in the response.

Examples:

Firefox sends `Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8` and when it receives the same string back from the server, it fails to recognize the content as a simple `text/html`.

A worse scenario now appears in Google Chrome, starting with version 73. It now sends this type of header `Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3`, which includes a new Google Chrome feature called Signed HTTP Exchanges. Upon receiving a signed exchange response header, the browser will try to validate a signature that should be included in the response content.

Users are faced with the error message: `ERR_INVALID_SIGNED_EXCHANGE`.

The expected behavior, in this case, is for the default backend to use `Content-Type: text/html` when it fails to decode the `Accept` header.
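The behaviour reported in this issue, sketched in Go next to a stricter alternative. This is an added example, not the project's code or the patch referenced in this thread, and it goes beyond that patch (which only forces `text/html`) by negotiating against an allowlist. The names `mirrorAccept`, `negotiate` and the `supported` list are hypothetical.

```go
package main

import (
	"fmt"
	"mime"
	"strconv"
	"strings"
)

// fallbackType is the default the issue asks for when Accept cannot be used.
const fallbackType = "text/html"

// Constructed sample: the Chrome 73 Accept header quoted in the issue.
const chromeAccept = "text/html,application/xhtml+xml,application/xml;q=0.9," +
	"image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3"

// mirrorAccept models the reported behaviour: the request's Accept value is
// reflected unchanged into the response Content-Type.
func mirrorAccept(accept string) string { return accept }

// negotiate returns the supported type with the highest q-value in accept.
// Only values from the supported allowlist are ever returned, so request
// data never reaches the response header.
func negotiate(accept string, supported []string) string {
	best, bestQ := fallbackType, 0.0
	for _, part := range strings.Split(accept, ",") {
		mt, params, err := mime.ParseMediaType(strings.TrimSpace(part))
		if err != nil {
			continue // undecodable element: ignore it
		}
		q := 1.0
		if s, ok := params["q"]; ok {
			if q, err = strconv.ParseFloat(s, 64); err != nil || q > 1 {
				continue
			}
		}
		for _, s := range supported {
			if (mt == s || mt == "*/*") && q > bestQ {
				best, bestQ = s, q
			}
		}
	}
	return best
}

func main() {
	supported := []string{"text/html", "application/json"} // assumed formats
	fmt.Println("mirrored:  ", mirrorAccept(chromeAccept))
	fmt.Println("negotiated:", negotiate(chromeAccept, supported))
}
```

Because `negotiate` only ever returns an entry from the allowlist or the fallback, a malformed or hostile `Accept` value cannot influence the response header beyond selecting among formats the backend already serves.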