Hello,
I've set up several ingress routes as follows:
```yaml
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: >-
        Host(`myhost1.domain.com`)
      middlewares:
        - name: authentication-service
      services:
        - kind: Service
          name: myservice
          port: 80
    - kind: Rule
      match: >-
        Host(`myotherhost2.domain.com`)
      middlewares:
        - name: second-authentication-service
      services:
        - kind: Service
          name: myotherservice
          port: 80
```
Since the Host-Match predicate reads the host header of the request, the whole ingress route is susceptible to host header injection, meaning the client can just set the host header independently of the actual host in the request URL.
Is there a way to get the actual request host and set up the ingress routes accordingly so that a client-side host header is overridden or never even considered?
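
The mismatch described in the question can be checked wherever TLS is terminated by comparing the Host header with the server name from the TLS handshake (SNI). The following is an added example, not part of the original post and not Traefik's own code; it assumes a Go `net/http` server that terminates TLS itself, and `hostOnly`, `RequireHostMatchesSNI` and `Probe` are hypothetical names.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// hostOnly lower-cases a Host header value and strips an optional port and trailing dot.
func hostOnly(hostport string) string {
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		hostport = h
	}
	return strings.ToLower(strings.TrimSuffix(hostport, "."))
}

// RequireHostMatchesSNI rejects requests whose Host header names a different
// host than the one the client sent as SNI (assumes TLS terminates here).
func RequireHostMatchesSNI(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil || r.TLS.ServerName == "" ||
			hostOnly(r.Host) != strings.ToLower(r.TLS.ServerName) {
			http.Error(w, "misdirected request", http.StatusMisdirectedRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends one constructed request through the check and returns the status code.
func Probe(sni, hostHeader string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Host = hostHeader // client-controlled, independent of the handshake
	req.TLS = &tls.ConnectionState{ServerName: sni}
	rec := httptest.NewRecorder()
	RequireHostMatchesSNI(ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(Probe("myhost1.domain.com", "myhost1.domain.com"))
	fmt.Println(Probe("myhost1.domain.com", "myotherhost2.domain.com"))
}
```

An HTTP/2 client that reuses one connection for a second host covered by the same certificate also receives the 421 and is expected to retry on a new connection.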