Description
[SIG-Network] Ingress NGINX Bi-Weekly Meeting for 20211026
A
Hello folks, today is October 26, 2021, and this is the Kubernetes ingress-nginx sub network meeting. So remember, this is a CNCF project. This is a community meeting and we ask that you comply with the code of conduct, which is basically be excellent with each other. If there are any violations, they should be reported to the SIG chairs or the one running the meeting. So that's myself or Ricardo.
A
Thank you. All right, going to scroll down to today's topic, so we'll go ahead and we generally start with welcoming new members. So if there's anybody on the line, I know there is a lot of folks here today to discuss the CVE. So if you are interested in introducing yourself, how you're using the project and what you'd like to see discussed or worked on in the future for the project, go ahead and go off mute and give yourself an introduction.
D
D
D
I found the cloud native technology a little curious, so I ended in the Kubernetes community. From the technology I am trained in, and development means tag, development and little basic knowledge of machine learning using Python and an Oracle Java certification.
E
Hey, hi, so I'm Akash Chadhari. So this is my first lecture, frankly speaking, and sorry, not first lecture. So this is my first day I joined the call. So I am from India and I have experience on Docker, how to make Dockerfiles, little bit on Kubernetes also. So I have done the whole course from Udemy, Muhammad's one, and yeah, and I want to contribute, and I also know Python, good, good level Python.
E
B
All right, I'll just jump in. I'm Per Hayes, I'm not developer. We use NGINX extensively throughout our Kubernetes infrastructure, as well as on virtual machines, etc. Here to talk or hopefully talk about, maybe, a bug that I submitted as well as the triage which is related to the bug. So thank you all for your continued work, love the product and, I think, you're doing a great job. Thank you.
C
Hi, I'm Mary, I'm here with Kurt. We're on essentially sister teams, just here to, because our use case for NGINX is exactly that, multi-tenancy situation. Nice to meet everybody.
F
Hey everyone, my name is David Workingtile, I'm already on the list over there. I'm from, we, I work in a company, we're developing right now Kubescape, I don't know if some of you are familiar with that. We scan, we scan Kubernetes clusters for vulnerabilities and we the minutes. We saw this, this vulnerability. We, we went ahead and developed a control testing it, and it's very interesting to, to hear about this, more about this vulnerability.
A
That's very interesting, David, so thank you guys, for your, your company for developing that. That's something that's definitely going to be helpful for people to see if they're vulnerable to this one. So thank you. Up more folks? If not, we can go ahead and get started.
A
No? Okay, awesome! Oh, with that, I posted the link to our meeting notes into the Zoom chat, so you folks can see that. It should be linked into the both of the ingress channels. So if not, we try to keep track of everything that's happening, what we're working on, through here. So all right, with that we're going to go ahead and skip over the issue triage to give a little bit more precedence to Ricardo and his presentation.
A
G
Away, yeah, yeah, I would. I would ask you just to allow me to share my screen, so I can at least show in the code what's going on, and while I get this permission, I would like to thank you, everybody, for attending and also feel free to join us on other meetings. We need people using, providing us some feedbacks and as well contributing with us, like in coding, documentation and etc., and proposing security improvements as well. So this is a meeting approach.
G
G
Probably you can see my, my, my screen, right? And okay, cool, so I will just try to, to explain to you what happens first and then we can discuss about how to, how to implement countermeasures for, for that. Okay, so probably you all know that in ingress-nginx we rely on actually three, three kind of softwares, right? So we have the ingress controller, which is basically written in Golang, and its function is actually to get the objects from the Kubernetes cluster and reconcile those objects into an NGINX configuration.
G
We have the NGINX by itself, which is the data plane. That's the part that gets configured and, and receives all of the requests, and then we have another part of the code which is written in a language called Lua, right? So we rely on, on NGINX and Lua for the dynamic reload stuff. So back in past, for those that been using, like, ingress-nginx since version 0.20, as I was in china, ingress-nginx didn't have hot reloads.
G
So when you create something new, when you add a new certificate or when you just change some path into your ingress object, the whole NGINX software needed to be reloaded, which was bad for, for scenarios like WebSockets and some other users with slow connections.
G
So some folks from the community, the community, like Elvin, Alejandro and others, they, they have decided to implement some sort of hot reload mechanism based on Lua, right? So now we have not only the Golang program and the NGINX by itself, but NGINX calls a bunch of scripts in Lua which are responsible for, for this hot reload, for adding some servers into the backend and to somehow building the configuration, but not expecting reloads in, in, in NGINX, right?
G
So, if you come here to ttc engine x gameplay, you are going to see a bunch of directives call it. This is the template that Go, the Go file renders, and you're gonna see a bunch of things like by_lua, by_lua, right? So, every time we have this by_lua or something, you are calling actually a program in Lua which is going to return something for NGINX, right? So you may have, like, a different certificate being returned.
G
You may have a different balancer being returned, so it's pretty interesting and I recommend you all, if you are curious, about reading about OpenResty, which is the engine behind this work. So here, instead of getting a hard-coded certificates in our file systems, we have a program that returns the certificate config for, for the, the host that's been called, and same thing happens for, like, balancers and other stuff.
G
Okay, so what's, what happens here is actually Lua is a dynamic language. So it's a scripting language, you can put whatever you want in Lua, like you can say: okay, you can say hello world. You can say something, whatever you want, and Lua is going, it's gonna return.
G
Lua is gonna, he's gonna return whatever you put on those screens, right? And this means that, as the Lua directives, they are not restricted.
G
Someone can, for example, add a custom snippet or a, some custom configuration part and call, for example, a Lua script, right? And this is the base of the CVE. So you can, for example, say: hey, when I call this location,
G
I want this snippet that does a cat something and exposes any file in the file system from, from the NGINX container. And because we have the ingress controller running there to get all of the ingresses and the, the certificates and etc. to reconcile that, our, in our account, our service account for ingress-nginx, it's pretty permissive inside the cluster, so you can, inside, inside that container,
G
You have mounted the service account, the token that you can query the Kubernetes cluster, and that, that, that specific service account can do a lot of stuff, including extracting certificates, extracting namespaces and, and, and other stuffs, right? So this is basically what happens into this vulnerability. So when, when we say actually about the multi-tenancy and the custom snippet, and being really, really clear with you folks, because we need some, some ideas as well.
G
In my opinion, every, every ingress controller, in china executive, proxy, Contour, whatever, they, they need to be made to operate both in a single tenancy and in a multi-tenancy. Because sometimes you are just a cloud provider and you want to scale your ingress for the amount of users that you, that you have, and sometimes you have a specific user that want to pay for their own ingress controller, right?
G
So when you allow your users to write something arbitrary as the NGINX configuration, which is just head, which is, is what happens when you allow the custom snippets, you are allowing them to, to actually execute any code in your, in your NGINX, in your NGINX, not even on the controller, but on the d, right? So the controller doesn't sanitize those strings.
G
And if you put something like, in, in your snippet, like contain Lua, by_lua, and write a script that, that allows you to read the, the, the certificates, the secrets from Kubernetes, you are going to have those credentials.
G
So the first approach when, when we received this, this CVE by Mitch, which we are really thanks for reporting, for, for doing a responsible reporting and reporting to security here at kubernetes.io, we, we started to discuss how we could add some sort of workaround for the cluster admins to disable that behavior and not impact on current using clusters. So we know that it's hard just to say: hey, now we don't allow custom snippets from users anymore, and users, legitimate users.
G
But we are still discussing some other approaches here, because we need to actually to sanitize all of our users' inputs, not only on, on the custom snippets but other directives, right? So some, someone may try to put some random stuff and, and like escape some, some specific, like, custom header directive or some annotation, some, some cookie affinity direct, directive. So the discussion that, that we've been doing right now is actually if we can start sanitizing those inputs and saying: hey,
G
If someone adds something like _by_lua, or if someone adds like some, some, some dangerous character like quotes or something like that, we are just going to drop that annotation, right, and say: hey, this annotation is not valid, we are not going to add it here. In a way that we are still allowing the cluster admins to add snippets and whatever, without validation, into the ConfigMap from NGINX, but your users is going to be,
G
They are going to have some hard time actually trying to, to, to fix that, to, to add some, some malicious scope. Does this solve all of the problems? No, I, I don't think so. In my opinion, security will be also someone trying to break and someone trying to fix, someone trying to break and someone trying to fix. But this is something that we, we've seen that we need to improve in our, in our software, right? So we need to sanitize user's input.
G
We need to make some proper strings escapes and, and maybe, we've been also discussing about splitting the controller from the data plane, from NGINX, which I thought was going to be easy. But it's really, really, really hard to do that.
G
Then I will open some thread on our Slack channel later, getting some ideas on how having ingress controller in one container, and that ingress controller having all of the accounts mounted at, and just having NGINX on another container as a data plane, and just having the NGINX config and NGINX software, and nothing else inside that, that's it. So we have right now a workaround that can be applied.
G
We are ongoing on some string sanitization process which may lead to some impact for some of you, maybe doing some valid usage of custom snippets and adding by_lua, Lua directives, or maybe using some, some specific escape character for some valid use case, and we need your feedback on that as well. One suggestion that was made by one of the developers, one of the maintainers, which is here, was that we should probably do that validation as well on admission webhook.
G
But, to be honest, and this is my, my own position, I don't think that everybody have admission webhook deployed, right? A lot.
G
It, yeah, so we can, we can't just rely and say: hey, I know that people, they have Gatekeeper, or people, they have an admission controller deployed, because sometimes people, they just follow some tutorial on the internet and they just deploy and say: hey, okay, I am, I will expose my blog or something like that, and they, they may end being vulnerable if they share their cluster with other folks, right?
G
So let's say our plan is actually to start, to start adding some validation, some sanitizations, and we need some feedbacks from the community as well.
G
So please keep bringing the feedbacks. Just please do that in a responsible way: if you find some vulnerability or something like that, let us know on a private way, like sending to security at kubernetes or reaching me or James in Slack, because sometimes, if you find a vulnerability and you expose that, you may be putting some other companies in danger before we have some time to fix that, right? So this is, that's a, this is our plan right now, so we want to improve all of the validations.
G
We are going to disable a lot of directives from being values, valid values in, in custom snippets and location snippets. So if something breaks for you, and we recommend that you test before, let us know, because sometimes we need a better fix. We can do, we always can do better, but we need, we need your feedback on that.
G
So who, so I will open. I have, I have some, I have 10, 15 more minutes before I need to jump to another meeting.
G
I will be still there, but I guess, as this is like the, the topic of this meeting today, I would like to ask people what questions you have, what suggestions you have and what do you want to discuss with me, James, Jintao and the other maintainers, so we can actually take notes and think better about that for the next releases. Probably you, you have figured out, you all have figured out that we have sort of slowed down a bit all of the features since we have started to work on the v1 release, and this was because we figured out that we had a lot of bugs that we needed to fix before just adding, just adding new features.
G
So we've been planning to add new features right now on the next releases, but still we are gonna probably just take some time, fix all of the bugs, try to take a look into the security perspective, the thing paid generation and other stuff and then move forward. So bringing on all of the questions, folks, please, and, and, and suggestions as well. Thank you.
F
H
G
Pcb is actually a priority for us. So, to be honest, I have received this, was on a Friday night, I guess, right, James? Yeah. It was.
I
G
G
So my company, for example, may use ingress-nginx in some parts or not, right? But we, we, we need a plan not for only a short path fix, because, as you, as you all have said, like, disabling snippet may not be the best approach for all of the users. So we have discussed: hey,
H
Yeah, okay, good to know, because, for example, in our case, we, we do rely on, on the custom snippets and it's simply not a solution to disable, right? Yeah.
H
Now, in, in actually scanning what people are putting there, so we can prevent any malicious interest, potentially.
G
So the first thing that I would ask for you, folks, but just offline, is that you provide for us the way that you use session snippets, because this is going to help us guide how and what we are going to disable, do, do, during this sanitization, right? So I think that having users, allowing users to use any by_lua directive for the OpenResty is really, really, really dangerous, because you are allowing your users to run any script in your engine accent.
G
This is how this vulnerability is arriving, but someone may say: hey, I need that and I trust my users. So can you please leave some, some, some way? Can you just leave that a way to enable that and put a directive like: hey, I really, really, really know what I am doing? And this is the feedback that we need, right, because this is going to be the effort to develop. So I can just disable all of that or I can say: hey,
H
Yeah, so, so sorry, for, for our use case, for example, more annotations that do stuff that we are currently putting as a custom snippets would help. I'll just give you a basic example, is server_tokens off, so you don't actually see the version of NGINX when you access any web page. They're just a basic example, so one annotations that do one specific thing would be already upgrading, right? Depending, of course, of what you want to do.
H
G
G
So please add all of the suggestions in some document that I can read later, me, James and others, because I am like really bad at memory and putting them on chat here, I'm gonna probably lose all of them and I don't know.
A
I'll make sure that we take the notes from the Slack, from, from this messaging, that it's also copied into the doc, but everyone should have access to the, the ingress meeting notes. So if you want, just, if you're not comfortable talking right now, go ahead and just put the notes in there and then we can correlate them all, yeah.
A
I think it's going to have to be a multi-pronged approach, bro, both from our perspective as maintainers of being able to disable this, but also putting in, just like any time there's any kind of vulnerability, putting in an alerts, something like Gatekeeper, and being able to alert when this does happen, even if it isn't caught. So, if you're using older versions, you can at least mitigate this before you can do upgrades, because we know that upgrades take a while in any environment, so being able to be alerted and know that you're having this issue.
A
G
Yeah, so folks, you are just suggesting some directives like location and root, and I really, I am really loving all of your feedback. So what I am going to do right now, I am going to put for you, I think that's, that's okay, right, James? You put the, the PR that we are just working for the sanitization right now.
G
And maybe, maybe I'm gonna open the PR and, based on that PR, we, you can just provide me some feedbacks about, like, bad words that you would add into that. So let me just send to you this. Just don't use that for the evil, please.
A
I think, to answer your question a little more directly, is probably be looking at the NGINX logs and seeing, and the, the ingress objects that are being deployed. So if you see folks deploying ingress objects with custom Lua snippets, then I would be inspecting those a lot more. So even at the CI/CD level, when deploying these, or deploy times, you should probably be having people review what folks are deploying into the environments.
B
Yeah, well, I guess specifically, my question is, is, you know, is, is there something I can search for in my logs? You know, like, you know, someone thought that, you know, if the token was in there, then we, you know, we would see, you know, it attempted to be used, or, you know, what.
B
Yeah, because, obviously, like, like many other people, we're a little, you know, we have, we have some business functionality we're dependent upon for those snippets, so disabling it is a challenge, but if we have to, to shut this down, we're just gonna have to do it. So.
G
G
I like it, but it is actually enabled by default, but sometimes people, they don't.
G
They may just disable that because they think that validation webhook had some performance issues, and it does. We've, we, we are actually taking a look into that as well, but validation webhooks takes all of the objects and tries to check if you have conflicts, and so if you have something like 600 or 700 ingress objects, you may have some performance issues, and this is why sometimes people, they disable. And so we shall ask if there are a full list of keywords that can be avoided.
G
I, I have, I've put my PR that I've been working right now and I will keep updating on that, but maybe we may have, if, if you folks think that's possible, I would love to have some, somehow of documentation improvement as well. So: hey,
G
There is a way to protect your ingress, which is using Gatekeeper, and like adding that as a tutorial in our documentation. It would be really amazing, and saying: this is what we recommend to you to have, like, a high security validation, at least. So please feel free, and I am not just my best, and that is, that's just, I have,
G
I don't have enough time to write that and add that on our documentations, I am really, really sorry about that, but I know that other folks that are on this, this meeting, they, they may receive that, and probably, most probably also reveal that.
G
So I will do some review on that, James as well, along as well. So, but we need some contributions on that. And okay, some suggestions about disabled, disabling root and location and using headers for e3, OpenTracing. Okay, cool, all right, all right, all right, all right, so adding some headers as well.
G
Maybe, maybe we should have some new, I, I'm, I'm gonna say, probably I'm gonna have some regrets out of that, because that's gonna be something that I wanted to implement, but some directive that allows you to add some more headers, like: hey, I want this header 1, header 2 or header 3, instead of relying on custom snippets, like a common header for all of the ingresses. But right now, I'm not thinking about that.
G
Okay, and there is some case where location and php php and namespace owner can set that. So I have no, no good suggestion for that for nema, and if it's the namespace owner that adds that, probably it would demand some more work, because we are already blocking location and also the open brackets and close brackets as some sort of approach, right? So probably we need to think better about that.
G
Okay, Piping asked me how this affects Kong.
G
To be honest, I don't know. I am not aware of how Kong code base works, so I would probably go directly to them and ask, because I'm not even sure they use ingress-nginx as a base for Kong, but they may have, I don't think so, but they may have this vulnerability if they have custom snippets as well into Kong implementation.
G
Okay, okay, Kurt! I need to check that things to start up, even if they have it in the last configuration annotation. Okay, oh, all right, yeah, can, probably we need to sync that offline. So, if you can call me on, go ahead and.
A
G
I'll go find it, put in chat. All right. Thank you. Yeah, so folks, I, I will keep here on this meeting, but I need to jump to another one, so I'll be on both of them and I won't be paying attention to the last of the meeting. For you that are joining, joining us for today, we just saved some time to discuss about the CVE, but we have another, another things in the meeting and those meetings.
G
Usually, we discuss also the roadmap of ingress-nginx, some bugs that are stuck and etc., so just feel free to keep here and listen and maybe to contribute with us, because we need people contributing, and not just only with coding, but with documentation, with ideas, feedbacks and helping other users as well. Okay, and thank you all for attending today, and I'm gonna return the control to James, so go ahead, James.
A
Awesome, thanks for that, Ricardo. As, as he said, if you have any suggestions, any other issues, go ahead, please open up an issue and make sure to comment on that. The, you think it's related to the CVE or the upgrade, and let us know either in the nginx users or the nginx dev channel.
A
So we can track these and make sure that we're looking into these as much as possible. And with that, we're going to go ahead and go into one of the issues that are open. Actually, Brian, I was going to put you on the spot and ask if you've got any of the NGINX engineers on, because we wanted to talk about this app redirect with the HTTPS issue.
A
I did a little bit of research. I know Ricardo's asked, but wanted to see if we could have that conversation and work through that issue. I, I don't have anybody specifically on the call with me today. If we, if we need, if we need to get somebody, then, what issue is this? 6340.
A
Well, it looks like what we were previously, we were doing the redirect properly, so there's an HTTPS upgrade in a redirect and we were doing the redirect before we do the SSL upgrade, and so now someone's opened an issue with it. It looks like it's been open for a little while and we have, we're trying to ascertain what we should be doing from that respect.
A
Okay, so we can, we can follow up and probably do this on a separate session. Then we can get Ricardo's attention, maybe coordinate something with you, Brian.
G
A
G
Yeah, but this is like something I want some, some of Jintao and Alvin view. What happens here, I try to explain really fast here, is that we have the Lua block and we have the return block and we have the, the other, the app-root block, and they bypass one or the other, right? So, on the past, the directives, they were read by the order they were written, but as soon as that was migrated to, to Lua, some parts were migrated to Lua,
G
We don't have that ordering control anymore. So what, what I was questioning Alvin and, and Jintao is if and what's the impact of migrating that block of the code to Lua, or at least checking why we use that as Lua or something like that.
G
A
Okay, well, I don't think Jintao's on, because I know it's a little late there for him, and we haven't heard back from Alvin. So, okay, I'll go ahead and move on. We can just work through the, the triaging, but I don't care now. I'm going to.
A
A
Now, I haven't had a chance to read these. This one's actually relatively new, because we're sorting from the top. Path matching, projects, whatever. If there are any issues or anything that specifically that folks want make sure that we bring up that are on the call, go ahead and drop those and we can pull those up as well. As of right now we're just working through the issue triaging, so one of the things that we work to help make things a little bit more clear on is how we are looking at issues, how we're going to try to work and triage them and get them prioritized.
J
Hi, yeah, so this one about the CORS. I don't know if we concluded on that, but I think even there Ricardo has been commenting, but that seems like a lot of updates are coming in. But it's not, we're not, we're not concluding on that. On which one? I'll give you the number, just search for CORS.
A
J
About, and it also looks like there are two of them, not just one, so I didn't review what, if they are the same, if it is the same issue they're talking about or is it two different issues that happened.
J
Yeah, so the last comment I read on this was that when one user is saying it's working, the new PR commits are as per the spec, and the other user is probably hinting that not exactly as per spec. So I think there's some confusion there. So I think Ricardo needs to, Ricardo also has been commenting here, but this needs to conclude, because I think this is important in the sense that there is no very clear, authoritative answer or comment on whether or not the changes being suggested are secure or not secure.
A
J
I think it's available, will not search be easy. The whole problem, I think, I think the whole problem I am seeing is that there is no authoritative comment on the comments.
J
Yeah, yeah, and that's, that's, once we, once we know that, I think we can deal with it, but there is no authority to comment there. I think, Brian, if you have any thoughts on this, it would help a lot.
J
H
J
Across traffic, for only one, but I think the user has a use case where he says his application, you know, run, actually asks for more than one and returns and the.
J
Making you say: okay, he's going to change the controller in such a way that he can query, make him make a request. Multiple domains can ask for it, but then only the valid return will be returned. But that's where the confusion is. I mean, I think he knows what he's talking about. I'm not a developer. I don't know what I, you know, how to, but my assessment right now is, there is no authoritative comment coming on this.
A
I
I
You get requests like that all the time, I'm assuming? Yeah, this is, this is something we're, we're looking at our, ourselves with, with our, with our own project right now, so there are legitimate cases where customers have multiple domains.
I
Right, I mean, that's, a lot of this comes in with, with legitimate ad serving cases and, and whatnot. Traditionally, historically, we've kind of taken the aspect that the customer can dictate the domain, and that's, and that's kind of, and that's kind of in their control, so they have to set up the, say, they have to set up the safety net that way, or domain and path.
I
But as far as what the, what the project wants to reinforce, that's a, that's a, that's usually a different situation that we went into, but we usually follow, what we generally do is we'll implement the standard first and then we'll get into the cases of where that deviates.
I
A
J
Well, again, I've just to comment on that spot. I, it's not, we have a trash enough to know if it is just this one user who's been making these requests and comments, or is it a lot of users who require this functionality? We don't know that yet.
A
A
I have no other way for us to gauge interest in a feature request other than that, so I, I would say that they're definitely asking for it.
I
It kind of comes to where customers are with implementations right now and how far they're, how far they're kind of shifting what they would normally do at the edge kind of left, left, and trying to shift that into ingress is general, is generally what we're getting into here, and that's, that's, that's where, that's where the pattern's coming from, is they would, most customers would implement something like this is the edge for the safety net. Now a lot of people are trying to shift that.
I
A
Gotcha, okay, all right! Oh, okay, Long, that's a little loud there! You go, sorry about that, Long! That was a little loud, okay! Well, I, I know Ricardo's busy and we've, I know he's got questions for us, wants to talk that, so I'll make sure that we just follow up on a separate, separate call with Ricardo, so we can have his full focus.
A
Really, I guess, from the issue. True, I've protected. You guys probably don't want to sit and watch us just record and triage the rest of the issues.
A
So I'm going to go ahead and collect all of the notes from the chat, make sure that they're in the ingress meeting notes and, of course, if you have any issues with the disabling snippets or if there are snippets that we, any other suggestions from the snippet CVE, just let us know either in the channels or individually. And of course, if you think that you've been exploited by the vulnerability, please let the security teams know. With that, I don't think I have anything else for us to discuss, so we can go ahead and break, everyone.