URL rewrite spoofable

Çağlar Arlı

I am considering using URL rewrites in a Kubernetes nginx proxy to publish selected context paths in microservices which are run in a cluster running internal services. For example:

https://public.mycompany.com/microserviceone/api/v4/resource1

would be rewritten and routed to

http://microserviceone/public/api/v4/resource1

inside the k8s cluster. Web services are generally REST based, accepting GET requests and POST requests with application/json payloads.

This is the hypothetical ingress configuration in this case:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: microserviceone-public-ingress
  namespace: default
  labels:
    app: microserviceone
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /public/
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  rules:
    - host: public.mycompany.com
      http:
        paths:
          - path: /microserviceone
            backend:
              serviceName: microserviceone-service
              servicePort: 80
  tls:
    - hosts:
        - public.mycompany.com
      secretName: microserviceone-cert

My question is this: Assuming that all resources within the /public/ URL context on a service are secure using appropriate methods such as certificates, API tokens or user authentication tokens, is there a known way for an attacker to circumvent the URL rewrite and request resources outside the /public/ context path?
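
One way to test the property the question asks about, as an added example that is not part of the original post: model the prefix replacement described above and confirm, in the backend or in a test suite, that every rewritten path is still under /public/ once percent-escapes and dot-segments are resolved. The function names and sample paths are hypothetical, and the prefix-replacement semantics are an assumption taken from the post's description; actual ingress-nginx rewrite behaviour depends on the controller version.

```python
import posixpath
from urllib.parse import unquote

# Values taken from the post's Ingress; the semantics below are an assumption.
EXTERNAL_PREFIX = "/microserviceone"
UPSTREAM_ROOT = "/public"


def rewrite(external_path: str) -> str:
    """Assumed behaviour: the matched prefix is replaced by /public."""
    if external_path != EXTERNAL_PREFIX and not external_path.startswith(EXTERNAL_PREFIX + "/"):
        raise ValueError("path is not routed by this Ingress rule")
    return UPSTREAM_ROOT + external_path[len(EXTERNAL_PREFIX):]


def canonical(path: str, max_rounds: int = 3) -> str:
    """Decode percent-escapes until stable, then collapse dot-segments."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        raise ValueError("too many layers of percent-encoding")
    if "\\" in path or "\x00" in path:
        raise ValueError("unexpected separator or NUL byte")
    # lstrip first: normpath would otherwise keep a leading "//" as-is.
    return posixpath.normpath("/" + path.lstrip("/"))


def stays_public(external_path: str) -> bool:
    """True only if the rewritten path is still under /public once canonical."""
    try:
        upstream = canonical(rewrite(external_path))
    except ValueError:
        return False
    return upstream == UPSTREAM_ROOT or upstream.startswith(UPSTREAM_ROOT + "/")


# Constructed sample paths (not from the post).
SAMPLES = [
    "/microserviceone/api/v4/resource1",
    "/microserviceone/api/../v4/resource1",
    "/microserviceone/../internal/api",
    "/microserviceone/%2e%2e/internal/api",
    "/microserviceonex/api",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:45} -> {'allow' if stays_public(p) else 'reject'}")
```

Running the same containment check inside the service keeps the /public/ boundary enforced even if the proxy's own normalization differs from what the backend framework applies.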