mirror of https://github.com/linkerd/linkerd2.git
* DNS rebinding protection for the dashboard

Fixes #3083 and is a replacement for #3629.

This adds a new parameter to the `linkerd-web` container, `enforcedHost`, that establishes the regexp that the Host header must enforce; otherwise it returns an error. This parameter will be hard-coded for now, in `linkerd-web`'s deployment yaml.

Note this also protects the dashboard because that's proxied from `linkerd-web`. Also note this means the usage of `linkerd dashboard --address` will require the user to change that parameter in the deployment yaml (or have Kustomize do it).

How to test:

- Run `linkerd dashboard`
- Go to http://rebind.it:8080/manager.html and change the target port to 50750
- Click on "Start Attack" and wait for a minute.
- The response from the dashboard will be returned, showing an 'Invalid Host header' message returned by the dashboard. If the attack had succeeded, the dashboard's html would be shown instead.

Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
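The Host-header check the commit describes, as an added example in Go that is not linkerd's own code: a middleware wrapping the dashboard handler rejects any request whose Host does not match a configured regexp, which is what makes a rebound DNS name useless even though the browser still reaches the local port. The regexp, the `enforceHost`/`serve` names and the 404 status for rejected requests are assumptions for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// enforceHost is a hypothetical stand-in for the enforcedHost parameter: the request's
// Host header must match pattern, otherwise the request never reaches the dashboard.
func enforceHost(pattern string, next http.Handler) (http.Handler, error) {
	re, err := regexp.Compile(pattern) // a bad pattern should fail at startup, not at request time
	if err != nil {
		return nil, err
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !re.MatchString(r.Host) {
			// Status code is an assumption; the message mirrors the one in the commit text.
			http.Error(w, "Invalid Host header", http.StatusNotFound)
			return
		}
		next.ServeHTTP(w, r)
	}), nil
}

// serve pushes one request with the given Host header through the handler and returns
// the status code, so the check can be exercised without opening a real listener.
func serve(h http.Handler, host string) int {
	req := httptest.NewRequest(http.MethodGet, "http://placeholder/", nil)
	req.Host = host // override the Host that NewRequest derived from the URL
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	dashboard := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "<html>dashboard</html>")
	})
	// Constructed pattern: loopback names only, any port, as a local `linkerd dashboard` would use.
	h, err := enforceHost(`^(localhost|127\.0\.0\.1)(:\d+)?$`, dashboard)
	if err != nil {
		panic(err)
	}
	for _, host := range []string{"localhost:50750", "127.0.0.1:50750", "rebound.example:50750"} {
		fmt.Printf("%-22s -> %d\n", host, serve(h, host)) // 200, 200, 404
	}
}
```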