
Added SNI support for JWT secrets retrieved from HTTPS URL #7500


Open
wants to merge 10 commits into
base: main
32 changes: 32 additions & 0 deletions charts/tests/__snapshots__/helmunit_test.snap
Expand Up @@ -442,6 +442,8 @@ spec:
- -ssl-dynamic-reload=true
- -enable-telemetry-reporting=true
- -weight-changes-dynamic-reload=false

minReadySeconds: 0
/-/-/-/
# Source: nginx-ingress/templates/controller-ingress-class.yaml
apiVersion: networking.k8s.io/v1
Expand Down Expand Up @@ -909,6 +911,8 @@ spec:
- -ssl-dynamic-reload=true
- -enable-telemetry-reporting=true
- -weight-changes-dynamic-reload=false

minReadySeconds: 0
/-/-/-/
# Source: nginx-ingress/templates/controller-ingress-class.yaml
apiVersion: networking.k8s.io/v1
Expand Down Expand Up @@ -1445,6 +1449,8 @@ spec:
- -weight-changes-dynamic-reload=false
- -agent=true
- -agent-instance-group=app-protect-waf-agentv2-nginx-ingress-controller

minReadySeconds: 0
/-/-/-/
# Source: nginx-ingress/templates/controller-ingress-class.yaml
apiVersion: networking.k8s.io/v1
Expand Down Expand Up @@ -1959,6 +1965,7 @@ spec:
mountPath: /opt/app_protect/config
- name: app-protect-bundles
mountPath: /etc/app_protect/bundles
minReadySeconds: 0
/-/-/-/
# Source: nginx-ingress/templates/controller-ingress-class.yaml
apiVersion: networking.k8s.io/v1
Expand Down Expand Up @@ -2540,6 +2547,7 @@ spec:
mountPath: /opt/app_protect/config
- name: app-protect-bundles
mountPath: /etc/app_protect/bundles
minReadySeconds: 0
/-/-/-/
# Source: nginx-ingress/templates/controller-ingress-class.yaml
apiVersion: networking.k8s.io/v1
Expand Down Expand Up @@ -2953,6 +2961,8 @@ spec:
- -ssl-dynamic-reload=true
- -enable-telemetry-reporting=true
- -weight-changes-dynamic-reload=false

minReadySeconds: 0
/-/-/-/
# Source: nginx-ingress/templates/controller-ingress-class.yaml
apiVersion: networking.k8s.io/v1
Expand Down Expand Up @@ -3396,6 +3406,8 @@ spec:
- -ssl-dynamic-reload=true
- -enable-telemetry-reporting=true
- -weight-changes-dynamic-reload=false

minReadySeconds: 0
/-/-/-/
# Source: nginx-ingress/templates/controller-ingress-class.yaml
apiVersion: networking.k8s.io/v1
Expand Down Expand Up @@ -3839,6 +3851,8 @@ spec:
- -ssl-dynamic-reload=true
- -enable-telemetry-reporting=true
- -weight-changes-dynamic-reload=false

minReadySeconds: 0
/-/-/-/
# Source: nginx-ingress/templates/controller-ingress-class.yaml
apiVersion: networking.k8s.io/v1
Expand Down Expand Up @@ -4283,6 +4297,8 @@ spec:
- -ssl-dynamic-reload=true
- -enable-telemetry-reporting=true
- -weight-changes-dynamic-reload=false

minReadySeconds: 0
/-/-/-/
# Source: nginx-ingress/templates/controller-ingress-class.yaml
apiVersion: networking.k8s.io/v1
Expand Down Expand Up @@ -4747,6 +4763,8 @@ spec:
- -ssl-dynamic-reload=true
- -enable-telemetry-reporting=true
- -weight-changes-dynamic-reload=false

minReadySeconds: 0
/-/-/-/
# Source: nginx-ingress/templates/controller-ingress-class.yaml
apiVersion: networking.k8s.io/v1
Expand Down Expand Up @@ -5192,6 +5210,8 @@ spec:
- -ssl-dynamic-reload=true
- -enable-telemetry-reporting=true
- -weight-changes-dynamic-reload=false

minReadySeconds: 0
/-/-/-/
# Source: nginx-ingress/templates/controller-ingress-class.yaml
apiVersion: networking.k8s.io/v1
Expand Down Expand Up @@ -5652,6 +5672,8 @@ spec:
- -ssl-dynamic-reload=true
- -enable-telemetry-reporting=true
- -weight-changes-dynamic-reload=false

minReadySeconds: 0
/-/-/-/
# Source: nginx-ingress/templates/controller-ingress-class.yaml
apiVersion: networking.k8s.io/v1
Expand Down Expand Up @@ -6119,6 +6141,8 @@ spec:
- -ssl-dynamic-reload=true
- -enable-telemetry-reporting=true
- -weight-changes-dynamic-reload=false

minReadySeconds: 0
/-/-/-/
# Source: nginx-ingress/templates/controller-ingress-class.yaml
apiVersion: networking.k8s.io/v1
Expand Down Expand Up @@ -6596,6 +6620,8 @@ spec:
- -ssl-dynamic-reload=true
- -enable-telemetry-reporting=true
- -weight-changes-dynamic-reload=false

minReadySeconds: 0
/-/-/-/
# Source: nginx-ingress/templates/controller-ingress-class.yaml
apiVersion: networking.k8s.io/v1
Expand Down Expand Up @@ -7054,6 +7080,8 @@ spec:
- -ssl-dynamic-reload=true
- -enable-telemetry-reporting=true
- -weight-changes-dynamic-reload=false

minReadySeconds: 0
/-/-/-/
# Source: nginx-ingress/templates/controller-ingress-class.yaml
apiVersion: networking.k8s.io/v1
Expand Down Expand Up @@ -7512,6 +7540,8 @@ spec:
- -ssl-dynamic-reload=true
- -enable-telemetry-reporting=true
- -weight-changes-dynamic-reload=false

minReadySeconds: 0
/-/-/-/
# Source: nginx-ingress/templates/controller-ingress-class.yaml
apiVersion: networking.k8s.io/v1
Expand Down Expand Up @@ -7980,6 +8010,8 @@ spec:
- -ssl-dynamic-reload=true
- -enable-telemetry-reporting=true
- -weight-changes-dynamic-reload=false

minReadySeconds: 0
/-/-/-/
# Source: nginx-ingress/templates/controller-ingress-class.yaml
apiVersion: networking.k8s.io/v1
8 changes: 8 additions & 0 deletions internal/configs/version2/__snapshots__/templates_test.snap
Expand Up @@ -1115,6 +1115,8 @@ server {
proxy_cache jwks_uri_cafe;
proxy_cache_valid 200 12h;
proxy_set_header Host idp.spec.example.com;
proxy_ssl_name idp.spec.example.com;
proxy_ssl_server_name on;
set $idp_backend idp.spec.example.com;
proxy_pass https://$idp_backend:443/spec-keys;
}
Expand All @@ -1125,6 +1127,8 @@ server {
proxy_cache jwks_uri_cafe;
proxy_cache_valid 200 12h;
proxy_set_header Host idp.route.example.com;
proxy_ssl_name idp.route.example.com;
proxy_ssl_server_name on;
set $idp_backend idp.route.example.com;
proxy_pass http://$idp_backend:80/route-keys;
}
Expand Down Expand Up @@ -1235,6 +1239,8 @@ server {
proxy_cache jwks_uri_cafe;
proxy_cache_valid 200 12h;
proxy_set_header Host idp.spec.example.com;
proxy_ssl_name idp.spec.example.com;
proxy_ssl_server_name on;
set $idp_backend idp.spec.example.com;
proxy_pass https://$idp_backend:443/spec-keys;
}
Expand All @@ -1245,6 +1251,8 @@ server {
proxy_cache jwks_uri_cafe;
proxy_cache_valid 200 12h;
proxy_set_header Host idp.route.example.com;
proxy_ssl_name idp.route.example.com;
proxy_ssl_server_name on;
set $idp_backend idp.route.example.com;
proxy_pass http://$idp_backend:80/route-keys;
}
2 changes: 2 additions & 0 deletions internal/configs/version2/nginx-plus.virtualserver.tmpl
Expand Up @@ -226,6 +226,8 @@ server {
{{- end }}
{{- with .JwksURI }}
proxy_set_header Host {{ .JwksHost }};
proxy_ssl_name {{ .JwksHost }};
proxy_ssl_server_name on;
set $idp_backend {{ .JwksHost }};
proxy_pass {{ .JwksScheme}}://$idp_backend{{ if .JwksPort }}:{{ .JwksPort }}{{ end }}{{ .JwksPath }};
{{- end }}
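Review bot: The two new directives give the IdP the right SNI, but nothing in this hunk enables certificate verification for the JWKS fetch, so unless `proxy_ssl_verify on;` and a `proxy_ssl_trusted_certificate` are set elsewhere in the template (outside this hunk) the key material used to validate JWTs is still accepted from whoever answers for `$idp_backend` — the very host the SNI now names. If verification is already configured out of view, a comment next to `proxy_ssl_server_name on;` pointing to it would save the next reader the search; if it is not, either add `proxy_ssl_verify on;` with a trusted CA path or document the trust assumption in the policy docs. Separately, the directives are emitted unconditionally, so the `http://` case (visible in the updated snapshot) carries dead TLS directives; wrapping them as `{{ if eq .JwksScheme "https" }}proxy_ssl_name {{ .JwksHost }}; proxy_ssl_server_name on;{{ end }}` keeps the generated config honest. The enclosing `server` block starts and ends outside the hunk.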