导语:ingress增加了Content-Security-Policy安全规则后前端报csp问题,部分图片没发访问
故障时增加的相关ingress配置如下
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /$1
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/proxy-body-size: 5000M
nginx.ingress.kubernetes.io/proxy-read-timeout: "21600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "21600"
nginx.ingress.kubernetes.io/server-snippet: |-
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
add_header Access-Control-Allow-Headers *;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1";
add_header X-Download-Options "noopen" always;
add_header X-Permitted-Cross-Domain-Policies value;
add_header Set-Cookie "/; httponly; secure; SameSite=Lax";
add_header Content-Security-Policy "default-src *;style-src 'self' 'unsafe-inline';script-src 'self' 'unsafe-inline' 'unsafe-eval';img-src * data:;worker-src * blob:;font-src 'self' data:;";
name: xx-ingress
namespace: xx
...
修改Content-Security-Policy成如下之后恢复正常
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /$1
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/proxy-body-size: 5000M
nginx.ingress.kubernetes.io/proxy-read-timeout: "21600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "21600"
nginx.ingress.kubernetes.io/server-snippet: |-
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
add_header Access-Control-Allow-Headers *;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1";
add_header X-Download-Options "noopen" always;
add_header X-Permitted-Cross-Domain-Policies value;
add_header Set-Cookie "/; httponly; secure; SameSite=Lax";
add_header Content-Security-Policy "default-src 'self' * 'unsafe-inline' 'unsafe-eval' blob: data: ;";
name: xx-ingress
namespace: xx
...
参考
https://juejin.cn/s/content-security-policy%20nginx%20ingress%20controller
https://cloud.tencent.com/developer/article/2281491?areaSource=102001.4&traceId=DzSiIvF7_rpdvmyBYKvUU