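{{/* Aliases for the render context used throughout this template. */}}
{{/* $cfg is the controller-level configuration (the "configuration configmap" referenced below); */}}
{{/* $servers/$backends are the Ingress-derived server and upstream lists; $addHeaders and */}}
{{/* $proxyHeaders are operator-supplied header maps that are interpolated verbatim further down. */}}
{{ $all := . }}
{{ $servers := .Servers }}
{{ $cfg := .Cfg }}
{{ $IsIPV6Enabled := .IsIPV6Enabled }}
{{ $healthzURI := .HealthzURI }}
{{ $backends := .Backends }}
{{ $proxyHeaders := .ProxySetHeaders }}
{{ $addHeaders := .AddHeaders }}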
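# setup custom paths that do not require root access
# NOTE(review): /tmp is a world-writable location; acceptable inside a
# dedicated container, confirm nothing else shares this filesystem.
pid /tmp/nginx.pid;

{{ if $cfg.EnableModsecurity }}
load_module /etc/nginx/modules/ngx_http_modsecurity_module.so;
{{ end }}

{{ buildOpentracingLoad $cfg }}

daemon off;

worker_processes {{ $cfg.WorkerProcesses }};
{{ if gt (len $cfg.WorkerCpuAffinity) 0 }}
worker_cpu_affinity {{ $cfg.WorkerCpuAffinity }};
{{ end }}

{{ if ne .MaxOpenFiles 0 }}
worker_rlimit_nofile {{ .MaxOpenFiles }};
{{ end }}

{{/* http://nginx.org/en/docs/ngx_core_module.html#worker_shutdown_timeout */}}
{{/* avoid waiting too long during a reload */}}
worker_shutdown_timeout {{ $cfg.WorkerShutdownTimeout }};

events {
    multi_accept        on;
    worker_connections  {{ $cfg.MaxWorkerConnections }};
    use                 epoll;
}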
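http {
    {{ if not $all.DisableLua }}
    lua_package_cpath "/usr/local/lib/lua/?.so;/usr/lib/lua-platform-path/lua/5.1/?.so;;";
    lua_package_path "/etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/?.lua;/usr/local/lib/lua/?.lua;;";

    {{ buildLuaSharedDictionaries $servers $all.DynamicConfigurationEnabled $all.Cfg.DisableLuaRestyWAF }}

    init_by_lua_block {
        require("resty.core")
        collectgarbage("collect")

        -- NOTE(review): lua-resty-waf is initialized unconditionally here, while
        -- DisableLuaRestyWAF above only affects the shared dictionaries; confirm
        -- whether this init should be gated by the same flag.
        local lua_resty_waf = require("resty.waf")
        lua_resty_waf.init()

        -- Declared once, outside the conditional section, so the "monitor"
        -- require below never falls back to assigning globals when dynamic
        -- configuration is disabled.
        local ok, res
        {{ if $all.DynamicConfigurationEnabled }}
        -- init modules
        -- configuration/balancer are intentionally global: they are referenced
        -- from the *_by_lua blocks further down in this file.
        ok, res = pcall(require, "configuration")
        if not ok then
          error("require failed: " .. tostring(res))
        else
          configuration = res
        end

        ok, res = pcall(require, "balancer")
        if not ok then
          error("require failed: " .. tostring(res))
        else
          balancer = res
        end
        {{ end }}

        ok, res = pcall(require, "monitor")
        if not ok then
          error("require failed: " .. tostring(res))
        else
          monitor = res
        end
    }

    {{ if $all.DynamicConfigurationEnabled }}
    init_worker_by_lua_block {
        balancer.init_worker()
    }
    {{ end }}
    {{ end }}

    {{/* we use the value of the header X-Forwarded-For to be able to use the geo_ip module */}}
    # Client-address trust boundary. For connections arriving from any CIDR in
    # ProxyRealIPCIDR, $remote_addr is replaced by the address taken from the
    # forwarded-for header (or the PROXY protocol). Every IP-based decision
    # below (whitelist geo maps, rate-limit whitelists, allow/deny on the
    # status server) relies on this rewrite, so these CIDRs must cover only
    # proxies that overwrite the header themselves.
    {{ if $cfg.UseProxyProtocol }}
    real_ip_header      proxy_protocol;
    {{ else }}
    real_ip_header      {{ $cfg.ForwardedForHeader }};
    {{ end }}

    real_ip_recursive   on;
    {{ range $trusted_ip := $cfg.ProxyRealIPCIDR }}
    set_real_ip_from    {{ $trusted_ip }};
    {{ end }}

    {{ if $cfg.UseGeoIP }}
    {{/* databases used to determine the country depending on the client IP address */}}
    {{/* http://nginx.org/en/docs/http/ngx_http_geoip_module.html */}}
    {{/* this is required to calculate traffic for individual countries using GeoIP in the status page */}}
    geoip_country       /etc/nginx/geoip/GeoIP.dat;
    geoip_city          /etc/nginx/geoip/GeoLiteCity.dat;
    geoip_org           /etc/nginx/geoip/GeoIPASNum.dat;
    geoip_proxy_recursive on;
    {{ end }}

    {{ if $cfg.EnableVtsStatus }}
    vhost_traffic_status_zone shared:vhost_traffic_status:{{ $cfg.VtsStatusZoneSize }};
    vhost_traffic_status_filter_by_set_key {{ $cfg.VtsDefaultFilterKey }};
    {{ end }}

    aio                 threads;
    aio_write           on;

    tcp_nopush          on;
    tcp_nodelay         on;

    log_subrequest      on;

    reset_timedout_connection on;

    keepalive_timeout   {{ $cfg.KeepAlive }}s;
    keepalive_requests  {{ $cfg.KeepAliveRequests }};

    client_body_temp_path           /tmp/client-body;
    fastcgi_temp_path               /tmp/fastcgi-temp;
    proxy_temp_path                 /tmp/proxy-temp;

    # Request-size and slow-client limits; all of these are operator-tunable.
    client_header_buffer_size       {{ $cfg.ClientHeaderBufferSize }};
    client_header_timeout           {{ $cfg.ClientHeaderTimeout }}s;
    large_client_header_buffers     {{ $cfg.LargeClientHeaderBuffers }};
    client_body_buffer_size         {{ $cfg.ClientBodyBufferSize }};
    client_body_timeout             {{ $cfg.ClientBodyTimeout }}s;

    http2_max_field_size            {{ $cfg.HTTP2MaxFieldSize }};
    http2_max_header_size           {{ $cfg.HTTP2MaxHeaderSize }};

    types_hash_max_size             2048;
    server_names_hash_max_size      {{ $cfg.ServerNameHashMaxSize }};
    server_names_hash_bucket_size   {{ $cfg.ServerNameHashBucketSize }};
    map_hash_bucket_size            {{ $cfg.MapHashBucketSize }};

    proxy_headers_hash_max_size     {{ $cfg.ProxyHeadersHashMaxSize }};
    proxy_headers_hash_bucket_size  {{ $cfg.ProxyHeadersHashBucketSize }};

    variables_hash_bucket_size      {{ $cfg.VariablesHashBucketSize }};
    variables_hash_max_size         {{ $cfg.VariablesHashMaxSize }};

    underscores_in_headers          {{ if $cfg.EnableUnderscoresInHeaders }}on{{ else }}off{{ end }};
    ignore_invalid_headers          {{ if $cfg.IgnoreInvalidHeaders }}on{{ else }}off{{ end }};

    limit_req_status                {{ $cfg.LimitReqStatusCode }};

    {{ if $cfg.EnableOpentracing }}
    opentracing on;
    {{ end }}

    {{ buildOpentracing $cfg }}

    include /etc/nginx/mime.types;
    default_type text/html;

    {{ if $cfg.EnableBrotli }}
    brotli on;
    brotli_comp_level {{ $cfg.BrotliLevel }};
    brotli_types {{ $cfg.BrotliTypes }};
    {{ end }}

    {{ if $cfg.UseGzip }}
    # NOTE(review): response compression is applied to every proxied response
    # of the listed types (gzip_proxied any). Where a backend embeds secrets
    # next to attacker-reflected input, compression enables BREACH-style
    # attacks; gzip_types is the operator's control for that.
    gzip on;
    gzip_comp_level 5;
    gzip_http_version 1.1;
    gzip_min_length 256;
    gzip_types {{ $cfg.GzipTypes }};
    gzip_proxied any;
    gzip_vary on;
    {{ end }}

    # Custom headers for response
    # Values are interpolated verbatim inside double quotes; a value containing
    # a double quote or semicolon would change the directive structure.
    # NOTE(review): assumed validated by the controller before rendering - confirm.
    # nginx inheritance rule: these add_header directives are only inherited by
    # a server/location that defines no add_header of its own.
    {{ range $k, $v := $addHeaders }}
    add_header {{ $k }}            "{{ $v }}";
    {{ end }}

    # Hide the nginx version, and the Server header entirely when tokens are off.
    server_tokens {{ if $cfg.ShowServerTokens }}on{{ else }}off{{ end }};
    {{ if not $cfg.ShowServerTokens }}
    more_set_headers "Server: ";
    {{ end }}

    # disable warnings
    # (also silences typos in variables referenced from custom snippets)
    uninitialized_variable_warn off;

    # Additional available variables:
    # $namespace
    # $ingress_name
    # $service_name
    # $service_port
    log_format upstreaminfo {{ if $cfg.LogFormatEscapeJSON }}escape=json {{ end }}'{{ buildLogFormatUpstream $cfg }}';

    {{/* map urls that should not appear in access.log */}}
    {{/* http://nginx.org/en/docs/http/ngx_http_log_module.html#access_log */}}
    map $request_uri $loggable {
        {{ range $reqUri := $cfg.SkipAccessLogURLs }}
        {{ $reqUri }} 0;{{ end }}
        default 1;
    }

    {{ if $cfg.DisableAccessLog }}
    access_log off;
    {{ else }}
    {{ if $cfg.EnableSyslog }}
    # syslog "server=" without a transport prefix is plain UDP: log lines leave
    # the pod unencrypted and unacknowledged.
    access_log syslog:server={{ $cfg.SyslogHost }}:{{ $cfg.SyslogPort }} upstreaminfo if=$loggable;
    {{ else }}
    access_log {{ $cfg.AccessLogPath }} upstreaminfo if=$loggable;
    {{ end }}
    {{ end }}

    {{ if $cfg.EnableSyslog }}
    error_log syslog:server={{ $cfg.SyslogHost }}:{{ $cfg.SyslogPort }} {{ $cfg.ErrorLogLevel }};
    {{ else }}
    error_log  {{ $cfg.ErrorLogPath }} {{ $cfg.ErrorLogLevel }};
    {{ end }}

    {{ buildResolvers $cfg.Resolver $cfg.DisableIpv6DNS }}

    {{/* Whenever nginx proxies a request without a "Connection" header, the "Connection" header is set to "close" */}}
    {{/* when making the target request.  This means that you cannot simply use */}}
    {{/* "proxy_set_header Connection $http_connection" for WebSocket support because in this case, the */}}
    {{/* "Connection" header would be set to "" whenever the original request did not have a "Connection" header, */}}
    {{/* which would mean no "Connection" header would be in the target request.  Since this would deviate from */}}
    {{/* normal nginx behavior we have to use this approach. */}}
    # Retain the default nginx handling of requests without a "Connection" header
    map $http_upgrade $connection_upgrade {
        default          upgrade;
        ''               close;
    }

    # $the_real_ip is the address used for whitelisting and rate-limit
    # exemptions below. Only a default branch exists, so it is always
    # $remote_addr (after the realip rewrite above) or the PROXY protocol
    # address; the forwarded-for header itself is never used directly here.
    map {{ buildForwardedFor $cfg.ForwardedForHeader }} $the_real_ip {
    {{ if $cfg.UseProxyProtocol }}
        # Get IP address from Proxy Protocol
        default          $proxy_protocol_addr;
    {{ else }}
        default          $remote_addr;
    {{ end }}
    }

    # trust http_x_forwarded_proto headers correctly indicate ssl offloading
    # NOTE(review): the header is accepted from any client, not only from the
    # trusted proxies above. A plain-HTTP client that sends
    # "X-Forwarded-Proto: https" yields "http:https" below and therefore skips
    # the HTTPS redirect; strip the header at the edge if that matters.
    map $http_x_forwarded_proto $pass_access_scheme {
        default          $http_x_forwarded_proto;
        ''               $scheme;
    }

    # validate $pass_access_scheme and $scheme are http to force a redirect
    map "$scheme:$pass_access_scheme" $redirect_to_https {
        default          0;
        "http:http"      1;
        "https:http"     1;
    }

    map $http_x_forwarded_port $pass_server_port {
        default           $http_x_forwarded_port;
        ''                $server_port;
    }

    {{ if $all.IsSSLPassthroughEnabled }}
    # map port {{ $all.ListenPorts.SSLProxy }} to 443 for header X-Forwarded-Port
    map $pass_server_port $pass_port {
        {{ $all.ListenPorts.SSLProxy }}              443;
        default          $pass_server_port;
    }
    {{ else }}
    map $pass_server_port $pass_port {
        {{ $all.ListenPorts.HTTPS }}              443;
        default          $pass_server_port;
    }
    {{ end }}

    # Obtain best http host
    map $http_host $this_host {
        default          $http_host;
        ''               $host;
    }

    # X-Forwarded-Host is client-controlled unless the edge proxy overwrites
    # it; anything built from $best_http_host (redirect targets, auth
    # callbacks) must treat it as untrusted input.
    map $http_x_forwarded_host $best_http_host {
        default          $http_x_forwarded_host;
        ''               $this_host;
    }

    # Reverse proxies can detect if a client provides a X-Request-ID header, and pass it on to the backend server.
    # If no such header is provided, it can provide a random value.
    # The client-supplied value is passed through unvalidated; consumers
    # (logs, backends) must not assume it is unique or well-formed.
    map $http_x_request_id $req_id {
        default   $http_x_request_id;
        {{ if $cfg.GenerateRequestId }}
        ""        $request_id;
        {{ end }}
    }

    {{ if $cfg.ComputeFullForwardedFor }}
    # We can't use $proxy_add_x_forwarded_for because the realip module
    # replaces the remote_addr too soon
    map $http_x_forwarded_for $full_x_forwarded_for {
        {{ if $all.Cfg.UseProxyProtocol }}
        default          "$http_x_forwarded_for, $proxy_protocol_addr";
        ''               "$proxy_protocol_addr";
        {{ else }}
        default          "$http_x_forwarded_for, $realip_remote_addr";
        ''               "$realip_remote_addr";
        {{ end }}
    }
    {{ end }}

    server_name_in_redirect off;
    port_in_redirect        off;

    ssl_protocols {{ $cfg.SSLProtocols }};

    # turn on session caching to drastically improve performance
    # NOTE(review): the nginx docs caution that the builtin (OpenSSL) cache can
    # cause memory fragmentation; shared alone is the recommended form.
    {{ if $cfg.SSLSessionCache }}
    ssl_session_cache builtin:1000 shared:SSL:{{ $cfg.SSLSessionCacheSize }};
    ssl_session_timeout {{ $cfg.SSLSessionTimeout }};
    {{ end }}

    # allow configuring ssl session tickets
    ssl_session_tickets {{ if $cfg.SSLSessionTickets }}on{{ else }}off{{ end }};

    {{ if not (empty $cfg.SSLSessionTicketKey) }}
    # A static ticket key lets anyone holding the file decrypt resumed
    # sessions; it undermines forward secrecy unless rotated regularly.
    ssl_session_ticket_key /etc/nginx/tickets.key;
    {{ end }}

    # slightly reduce the time-to-first-byte
    ssl_buffer_size {{ $cfg.SSLBufferSize }};

    {{ if not (empty $cfg.SSLCiphers) }}
    # allow configuring custom ssl ciphers
    # (server preference is only enforced when a custom list is supplied)
    ssl_ciphers '{{ $cfg.SSLCiphers }}';
    ssl_prefer_server_ciphers on;
    {{ end }}

    {{ if not (empty $cfg.SSLDHParam) }}
    # allow custom DH file http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
    ssl_dhparam {{ $cfg.SSLDHParam }};
    {{ end }}

    {{ if not $cfg.EnableDynamicTLSRecords }}
    ssl_dyn_rec_size_lo 0;
    {{ end }}

    ssl_ecdh_curve {{ $cfg.SSLECDHCurve }};

    {{ if .CustomErrors }}
    # Custom error pages
    proxy_intercept_errors on;
    {{ end }}

    {{ range $errCode := $cfg.CustomHTTPErrors }}
    error_page {{ $errCode }} = @custom_{{ $errCode }};{{ end }}

    proxy_ssl_session_reuse on;

    {{ if $cfg.AllowBackendServerHeader }}
    proxy_pass_header Server;
    {{ end }}

    {{ range $header := $cfg.HideHeaders }}proxy_hide_header {{ $header }};
    {{ end }}

    {{ if not (empty $cfg.HTTPSnippet) }}
    # Custom code snippet configured in the configuration configmap
    # Raw nginx configuration: whoever can write the configmap controls
    # this process. It is trusted-administrator input, not tenant input.
    {{ $cfg.HTTPSnippet }}
    {{ end }}

    {{ if not $all.DynamicConfigurationEnabled }}
    {{ range $name, $upstream := $backends }}
    {{ if eq $upstream.SessionAffinity.AffinityType "cookie" }}
    upstream sticky-{{ $upstream.Name }} {
        # NOTE(review): only the httponly flag is set on the affinity cookie;
        # no secure flag is emitted here - confirm whether the sticky module
        # build in use supports one for TLS-only ingresses.
        sticky hash={{ $upstream.SessionAffinity.CookieSessionAffinity.Hash }} name={{ $upstream.SessionAffinity.CookieSessionAffinity.Name }}  httponly;
        {{ if (gt $cfg.UpstreamKeepaliveConnections 0) }}
        keepalive {{ $cfg.UpstreamKeepaliveConnections }};
        {{ end }}
        {{ range $server := $upstream.Endpoints }}server {{ $server.Address | formatIP }}:{{ $server.Port }} max_fails={{ $server.MaxFails }} fail_timeout={{ $server.FailTimeout }};
        {{ end }}
    }
    {{ end }}

    upstream {{ $upstream.Name }} {
        {{ buildLoadBalancingConfig $upstream $cfg.LoadBalanceAlgorithm }}
        {{ if (gt $cfg.UpstreamKeepaliveConnections 0) }}
        keepalive {{ $cfg.UpstreamKeepaliveConnections }};
        {{ end }}
        {{ range $server := $upstream.Endpoints }}server {{ $server.Address | formatIP }}:{{ $server.Port }} max_fails={{ $server.MaxFails }} fail_timeout={{ $server.FailTimeout }};
        {{ end }}
    }
    {{ end }}
    {{ end }}

    {{ if $all.DynamicConfigurationEnabled }}
    upstream upstream_balancer {
        server 0.0.0.1; # placeholder

        balancer_by_lua_block {
          balancer.balance()
        }

        {{ if (gt $cfg.UpstreamKeepaliveConnections 0) }}
        keepalive {{ $cfg.UpstreamKeepaliveConnections }};
        {{ end }}
    }
    {{ end }}

    {{/* build the maps that will be used to validate the Whitelist */}}
    {{/* each map yields 1 (deny) unless $the_real_ip falls inside an allowed CIDR */}}
    {{ range $index, $server := $servers }}
    {{ range $location := $server.Locations }}
    {{ $path := buildLocation $location }}

    {{ if isLocationAllowed $location }}
    {{ if gt (len $location.Whitelist.CIDR) 0 }}

    # Deny for {{ print $server.Hostname $path }}
    geo $the_real_ip {{ buildDenyVariable (print $server.Hostname "_" $path) }} {
        default 1;

        {{ range $ip := $location.Whitelist.CIDR }}
        {{ $ip }} 0;{{ end }}
    }
    {{ end }}
    {{ end }}
    {{ end }}
    {{ end }}

    {{ range $rl := (filterRateLimits $servers) }}
    # Ratelimit {{ $rl.Name }}
    geo $the_real_ip $whitelist_{{ $rl.ID }} {
        default 0;
        {{ range $ip := $rl.Whitelist }}
        {{ $ip }} 1;{{ end }}
    }

    # Ratelimit {{ $rl.Name }}
    # an empty key exempts whitelisted addresses from the limit zone
    map $whitelist_{{ $rl.ID }} $limit_{{ $rl.ID }} {
        0 {{ $cfg.LimitConnZoneVariable }};
        1 "";
    }
    {{ end }}

    {{/* build all the required rate limit zones. Each annotation requires a dedicated zone */}}
    {{/* 1MB -> 16 thousand 64-byte states or about 8 thousand 128-byte states */}}
    {{ range $zone := (buildRateLimitZones $servers) }}
    {{ $zone }}
    {{ end }}

    {{/* Build server redirects (from/to www) */}}
    {{ range $hostname, $to := .RedirectServers }}
    server {
        {{ range $address := $all.Cfg.BindAddressIpv4 }}
        listen {{ $address }}:{{ $all.ListenPorts.HTTP }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }};
        listen {{ $address }}:{{ if $all.IsSSLPassthroughEnabled }}{{ $all.ListenPorts.SSLProxy }} proxy_protocol{{ else }}{{ $all.ListenPorts.HTTPS }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ end }} ssl;
        {{ else }}
        listen {{ $all.ListenPorts.HTTP }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }};
        listen {{ if $all.IsSSLPassthroughEnabled }}{{ $all.ListenPorts.SSLProxy }} proxy_protocol{{ else }}{{ $all.ListenPorts.HTTPS }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ end }} ssl;
        {{ end }}
        {{ if $IsIPV6Enabled }}
        # NOTE(review): unlike the IPv4 listens above, the IPv6 HTTPS listen
        # carries no ssl flag; it only serves TLS if another server block on
        # the same [::]:port declares ssl - confirm.
        {{ range $address := $all.Cfg.BindAddressIpv6 }}
        listen {{ $address }}:{{ $all.ListenPorts.HTTP }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }};
        listen {{ $address }}:{{ if $all.IsSSLPassthroughEnabled }}{{ $all.ListenPorts.SSLProxy }} proxy_protocol{{ else }}{{ $all.ListenPorts.HTTPS }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ end }};
        {{ else }}
        listen [::]:{{ $all.ListenPorts.HTTP }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }};
        listen [::]:{{ if $all.IsSSLPassthroughEnabled }}{{ $all.ListenPorts.SSLProxy }} proxy_protocol{{ else }}{{ $all.ListenPorts.HTTPS }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ end }};
        {{ end }}
        {{ end }}
        server_name {{ $hostname }};
        {{ if ne $all.ListenPorts.HTTPS 443 }}
        {{ $redirect_port := (printf ":%v" $all.ListenPorts.HTTPS) }}
        return {{ $all.Cfg.HTTPRedirectCode }} $scheme://{{ $to }}{{ $redirect_port }}$request_uri;
        {{ else }}
        return {{ $all.Cfg.HTTPRedirectCode }} $scheme://{{ $to }}$request_uri;
        {{ end }}
    }
    {{ end }}

    {{ range $index, $server := $servers }}
    ## start server {{ $server.Hostname }}
    server {
        server_name {{ $server.Hostname }} {{ $server.Alias }};
        {{ template "SERVER" serverConfig $all $server }}

        {{ if not (empty $cfg.ServerSnippet) }}
        # Custom code snippet configured in the configuration configmap
        # Raw nginx configuration injected into every server block; trusted-
        # administrator input only.
        {{ $cfg.ServerSnippet }}
        {{ end }}

        {{ template "CUSTOM_ERRORS" $all }}
    }
    ## end server {{ $server.Hostname }}
    {{ end }}

    # default server, used for NGINX healthcheck and access to nginx stats
    server {
        # Use the port {{ $all.ListenPorts.Status }} (random value just to avoid known ports) as default port for nginx.
        # Changing this value requires a change in:
        # https://github.com/kubernetes/ingress-nginx/blob/master/controllers/nginx/pkg/cmd/controller/nginx.go
        # NOTE(review): no bind address is given, so this server listens on
        # every interface; /nginx_status and /configuration are reachable by
        # any peer that can reach this port. Network policy has to keep it
        # cluster-internal.
        listen {{ $all.ListenPorts.Status }} default_server {{ if $all.Cfg.ReusePort }}reuseport{{ end }} backlog={{ $all.BacklogSize }};
        {{ if $IsIPV6Enabled }}listen [::]:{{ $all.ListenPorts.Status }} default_server {{ if $all.Cfg.ReusePort }}reuseport{{ end }} backlog={{ $all.BacklogSize }};{{ end }}
        set $proxy_upstream_name "-";

        location {{ $healthzURI }} {
            {{ if $cfg.EnableOpentracing }}
            opentracing off;
            {{ end }}
            access_log off;
            return 200;
        }

        {{ if not $all.DisableLua }}
        location /is-dynamic-lb-initialized {
            {{ if $cfg.EnableOpentracing }}
            opentracing off;
            {{ end }}
            access_log off;

            content_by_lua_block {
                local configuration = require("configuration")
                local backend_data = configuration.get_backends_data()
                if not backend_data then
                    ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
                    return
                end

                ngx.say("OK")
                ngx.exit(ngx.HTTP_OK)
            }
        }
        {{ end }}

        location /nginx_status {
            set $proxy_upstream_name "internal";
            {{ if $cfg.EnableOpentracing }}
            opentracing off;
            {{ end }}

            {{ if $cfg.EnableVtsStatus }}
            vhost_traffic_status_display;
            vhost_traffic_status_display_format html;
            vhost_traffic_status_display_sum_key {{ $cfg.VtsSumKey }};
            {{ else }}
            access_log off;
            stub_status on;
            {{ end }}
        }

        {{ if $all.DynamicConfigurationEnabled }}
        location /configuration {
            access_log off;
            {{ if $cfg.EnableOpentracing }}
            opentracing off;
            {{ end }}

            # Only loopback (the controller process) may push backend data.
            # NOTE(review): allow/deny evaluates $remote_addr, which the realip
            # directives at the top of this block rewrite from the forwarded
            # header for peers inside ProxyRealIPCIDR; keep those CIDRs limited
            # to real proxies or this gate can be satisfied with a forged header.
            allow 127.0.0.1;
            {{ if $IsIPV6Enabled }}
            allow ::1;
            {{ end }}
            deny all;

            # this should equal the size of the configuration_data dict
            client_max_body_size "10m";
            proxy_buffering off;

            content_by_lua_block {
              configuration.call()
            }
        }
        {{ end }}

        location / {
            {{ if .CustomErrors }}
            proxy_set_header    X-Code      404;
            {{ end }}
            set $proxy_upstream_name "upstream-default-backend";
            {{ if $all.DynamicConfigurationEnabled }}
            proxy_pass          http://upstream_balancer;
            {{ else }}
            proxy_pass          http://upstream-default-backend;
            {{ end }}
        }

        {{ template "CUSTOM_ERRORS" $all }}
    }
}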
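stream {
    log_format log_stream {{ $cfg.LogFormatStream }};

    # Same logging policy as the http block: honour DisableAccessLog and
    # EnableSyslog here too, so TCP/UDP traffic is not silently logged to
    # files when the operator configured syslog.
    {{ if $cfg.DisableAccessLog }}
    access_log off;
    {{ else }}
    {{ if $cfg.EnableSyslog }}
    access_log syslog:server={{ $cfg.SyslogHost }}:{{ $cfg.SyslogPort }} log_stream;
    {{ else }}
    access_log {{ $cfg.AccessLogPath }} log_stream;
    {{ end }}
    {{ end }}

    {{ if $cfg.EnableSyslog }}
    error_log syslog:server={{ $cfg.SyslogHost }}:{{ $cfg.SyslogPort }};
    {{ else }}
    error_log  {{ $cfg.ErrorLogPath }};
    {{ end }}

    # TCP services
    # These listeners have no source restriction of their own (no allow/deny,
    # no whitelist). When ProxyProtocol.Decode is on, PROXY headers are
    # accepted from any peer, so the client address is spoofable unless the
    # port is reachable only from the load balancer.
    {{ range $i, $tcpServer := .TCPBackends }}
    upstream tcp-{{ $tcpServer.Port }}-{{ $tcpServer.Backend.Namespace }}-{{ $tcpServer.Backend.Name }}-{{ $tcpServer.Backend.Port }} {
        {{ range $j, $endpoint := $tcpServer.Endpoints }}
        # formatIP brackets IPv6 endpoints, as the http upstreams already do
        server                  {{ $endpoint.Address | formatIP }}:{{ $endpoint.Port }};
        {{ end }}
    }
    server {
        {{ range $address := $all.Cfg.BindAddressIpv4 }}
        listen                  {{ $address }}:{{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }};
        {{ else }}
        listen                  {{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }};
        {{ end }}
        {{ if $IsIPV6Enabled }}
        {{ range $address := $all.Cfg.BindAddressIpv6 }}
        listen                  {{ $address }}:{{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }};
        {{ else }}
        listen                  [::]:{{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }};
        {{ end }}
        {{ end }}
        proxy_timeout           {{ $cfg.ProxyStreamTimeout }};
        proxy_pass              tcp-{{ $tcpServer.Port }}-{{ $tcpServer.Backend.Namespace }}-{{ $tcpServer.Backend.Name }}-{{ $tcpServer.Backend.Port }};
        {{ if $tcpServer.Backend.ProxyProtocol.Encode }}
        proxy_protocol          on;
        {{ end }}
    }
    {{ end }}

    # UDP services
    {{ range $i, $udpServer := .UDPBackends }}
    upstream udp-{{ $udpServer.Port }}-{{ $udpServer.Backend.Namespace }}-{{ $udpServer.Backend.Name }}-{{ $udpServer.Backend.Port }} {
        {{ range $j, $endpoint := $udpServer.Endpoints }}
        server                  {{ $endpoint.Address | formatIP }}:{{ $endpoint.Port }};
        {{ end }}
    }

    server {
        {{ range $address := $all.Cfg.BindAddressIpv4 }}
        listen                  {{ $address }}:{{ $udpServer.Port }} udp;
        {{ else }}
        listen                  {{ $udpServer.Port }} udp;
        {{ end }}
        {{ if $IsIPV6Enabled }}
        {{ range $address := $all.Cfg.BindAddressIpv6 }}
        listen                  {{ $address }}:{{ $udpServer.Port }} udp;
        {{ else }}
        listen                  [::]:{{ $udpServer.Port }} udp;
        {{ end }}
        {{ end }}
        proxy_responses         {{ $cfg.ProxyStreamResponses }};
        proxy_timeout           {{ $cfg.ProxyStreamTimeout }};
        proxy_pass              udp-{{ $udpServer.Port }}-{{ $udpServer.Backend.Namespace }}-{{ $udpServer.Backend.Name }}-{{ $udpServer.Backend.Port }};
    }
    {{ end }}
}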
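{{/* definition of templates to avoid repetitions */}}
{{/* CUSTOM_ERRORS: one internal named location per configured error code. */}}
{{/* "internal" keeps clients from requesting these locations directly; the */}}
{{/* X-* headers describe the failed request to the default backend, which */}}
{{/* must treat X-Format (from Accept) and X-Original-URI as untrusted input. */}}
{{ define "CUSTOM_ERRORS" }}
        {{ $dynamicConfig := .DynamicConfigurationEnabled }}
        {{ range $errCode := .Cfg.CustomHTTPErrors }}
        location @custom_{{ $errCode }} {
            internal;

            # never recurse into another custom error page from here
            proxy_intercept_errors off;

            proxy_set_header       X-Code             {{ $errCode }};
            proxy_set_header       X-Format           $http_accept;
            proxy_set_header       X-Original-URI     $request_uri;
            proxy_set_header       X-Namespace        $namespace;
            proxy_set_header       X-Ingress-Name     $ingress_name;
            proxy_set_header       X-Service-Name     $service_name;
            proxy_set_header       X-Service-Port     $service_port;

            # the error backend always receives "/"; the original path only
            # travels in X-Original-URI
            rewrite                (.*) / break;

            {{ if $dynamicConfig }}
            proxy_pass            http://upstream_balancer;
            {{ else }}
            proxy_pass            http://upstream-default-backend;
            {{ end }}
        }
        {{ end }}
{{ end }}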
2016-09-22 15:00:09 -03:00
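{{/* CORS support from https://michielkalkman.com/snippets/nginx-cors-open-configuration.html */}}
{{/* The allowed origin is a fixed, annotation-supplied value; it is echoed on every */}}
{{/* response and is never reflected from the request's Origin header. more_set_headers is */}}
{{/* used instead of add_header so the headers are also present on non-2xx/3xx responses. */}}
{{/* NOTE(review): values are interpolated inside single quotes and are assumed to be */}}
{{/* validated by the controller; an origin of "*" combined with Allow-Credentials is */}}
{{/* rejected by browsers for credentialed requests - confirm that combination is refused. */}}
{{ define "CORS" }}
     {{ $cors := .CorsConfig }}
     # Cors Preflight methods needs additional options and different Return Code
     if ($request_method = 'OPTIONS') {
        more_set_headers 'Access-Control-Allow-Origin: {{ $cors.CorsAllowOrigin }}';
        {{ if $cors.CorsAllowCredentials }} more_set_headers 'Access-Control-Allow-Credentials: {{ $cors.CorsAllowCredentials }}'; {{ end }}
        more_set_headers 'Access-Control-Allow-Methods: {{ $cors.CorsAllowMethods }}';
        more_set_headers 'Access-Control-Allow-Headers: {{ $cors.CorsAllowHeaders }}';
        more_set_headers 'Access-Control-Max-Age: {{ $cors.CorsMaxAge }}';
        # media type and charset parameter must be separated by ";"
        more_set_headers 'Content-Type: text/plain; charset=UTF-8';
        more_set_headers 'Content-Length: 0';
        return 204;
     }

     more_set_headers 'Access-Control-Allow-Origin: {{ $cors.CorsAllowOrigin }}';
     {{ if $cors.CorsAllowCredentials }} more_set_headers 'Access-Control-Allow-Credentials: {{ $cors.CorsAllowCredentials }}'; {{ end }}
     more_set_headers 'Access-Control-Allow-Methods: {{ $cors.CorsAllowMethods }}';
     more_set_headers 'Access-Control-Allow-Headers: {{ $cors.CorsAllowHeaders }}';
{{ end }}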
{{/* definition of server-template to avoid repetitions with server-alias */}}
{{ define "SERVER" }}
{{ $ all := .First }}
{{ $ server := .Second }}
{{ range $ address := $ all . Cfg . BindAddressIpv4 }}
listen {{ $ address }}:{{ $ all . ListenPorts . HTTP }}{{ if $ all . Cfg . UseProxyProtocol }} proxy_protocol{{ end }}{{ if eq $ server . Hostname "_"}} default_server {{ if $ all . Cfg . ReusePort }}reuseport{{ end }} backlog={{ $ all . BacklogSize }}{{end}};
{{ else }}
listen {{ $ all . ListenPorts . HTTP }}{{ if $ all . Cfg . UseProxyProtocol }} proxy_protocol{{ end }}{{ if eq $ server . Hostname "_"}} default_server {{ if $ all . Cfg . ReusePort }}reuseport{{ end }} backlog={{ $ all . BacklogSize }}{{end}};
{{ end }}
{{ if $ all . IsIPV6Enabled }}
{{ range $ address := $ all . Cfg . BindAddressIpv6 }}
listen {{ $ address }}:{{ $ all . ListenPorts . HTTP }}{{ if $ all . Cfg . UseProxyProtocol }} proxy_protocol{{ end }}{{ if eq $ server . Hostname "_"}} default_server {{ if $ all . Cfg . ReusePort }}reuseport{{ end }} backlog={{ $ all . BacklogSize }}{{ end }};
{{ else }}
listen [::]:{{ $ all . ListenPorts . HTTP }}{{ if $ all . Cfg . UseProxyProtocol }} proxy_protocol{{ end }}{{ if eq $ server . Hostname "_"}} default_server {{ if $ all . Cfg . ReusePort }}reuseport{{ end }} backlog={{ $ all . BacklogSize }}{{ end }};
{{ end }}
{{ end }}
set $ proxy_upstream_name "-";
{{/* Listen on {{ $ all . ListenPorts . SSLProxy }} because port {{ $ all . ListenPorts . HTTPS }} is used in the TLS sni server */}}
{{/* This listener must always have proxy_protocol enabled, because the SNI listener forwards on source IP info in it. */}}
{{ if not (empty $ server . SSLCertificate ) }}
{{/* TLS listeners, only emitted when the server has a certificate. With SSL
passthrough enabled nginx listens on the SSLProxy port with proxy_protocol
always on, because the controller's own SNI listener fronts it and forwards
the client address in the PROXY header (see the comment above). proxy_protocol
trusts that header for the client address, so this port must not be reachable
directly from untrusted networks — verify the Service does not expose it.
Without passthrough the HTTPS port is used and proxy_protocol follows the
global setting. The range/else idiom falls back to all addresses when no
bind address is configured. */}}
{{ range $ address := $ all . Cfg . BindAddressIpv4 }}
listen {{ $ address }}:{{ if $ all . IsSSLPassthroughEnabled }}{{ $ all . ListenPorts . SSLProxy }} proxy_protocol {{ else }}{{ $ all . ListenPorts . HTTPS }}{{ if $ all . Cfg . UseProxyProtocol }} proxy_protocol{{ end }}{{ end }} {{ if eq $ server . Hostname "_"}} default_server {{ if $ all . Cfg . ReusePort }}reuseport{{ end }} backlog={{ $ all . BacklogSize }}{{end}} ssl {{ if $ all . Cfg . UseHTTP2 }}http2{{ end }};
{{ else }}
listen {{ if $ all . IsSSLPassthroughEnabled }}{{ $ all . ListenPorts . SSLProxy }} proxy_protocol {{ else }}{{ $ all . ListenPorts . HTTPS }}{{ if $ all . Cfg . UseProxyProtocol }} proxy_protocol{{ end }}{{ end }} {{ if eq $ server . Hostname "_"}} default_server {{ if $ all . Cfg . ReusePort }}reuseport{{ end }} backlog={{ $ all . BacklogSize }}{{end}} ssl {{ if $ all . Cfg . UseHTTP2 }}http2{{ end }};
{{ end }}
{{ if $ all . IsIPV6Enabled }}
{{/* NOTE(review): the inner SSLCertificate check on the IPv6 lines is
redundant (this whole block is already inside the same condition) and its
closing action sits before the default_server/ssl tail, so were it ever false
the tail would be emitted without a listen keyword — harmless today only
because the outer condition guarantees it is true. */}}
{{ range $ address := $ all . Cfg . BindAddressIpv6 }}
{{ if not (empty $ server . SSLCertificate ) }}listen {{ $ address }}:{{ if $ all . IsSSLPassthroughEnabled }}{{ $ all . ListenPorts . SSLProxy }} proxy_protocol{{ else }}{{ $ all . ListenPorts . HTTPS }}{{ if $ all . Cfg . UseProxyProtocol }} proxy_protocol{{ end }}{{ end }}{{ end }} {{ if eq $ server . Hostname "_"}} default_server {{ if $ all . Cfg . ReusePort }}reuseport{{ end }} backlog={{ $ all . BacklogSize }}{{end}} ssl {{ if $ all . Cfg . UseHTTP2 }}http2{{ end }};
{{ else }}
{{ if not (empty $ server . SSLCertificate ) }}listen [::]:{{ if $ all . IsSSLPassthroughEnabled }}{{ $ all . ListenPorts . SSLProxy }} proxy_protocol{{ else }}{{ $ all . ListenPorts . HTTPS }}{{ if $ all . Cfg . UseProxyProtocol }} proxy_protocol{{ end }}{{ end }}{{ end }} {{ if eq $ server . Hostname "_"}} default_server {{ if $ all . Cfg . ReusePort }}reuseport{{ end }} backlog={{ $ all . BacklogSize }}{{end}} ssl {{ if $ all . Cfg . UseHTTP2 }}http2{{ end }};
{{ end }}
{{ end }}
{{/* The PEM checksum comment is required to detect changes in the generated configuration and force a reload */}}
# PEM sha: {{ $ server . SSLPemChecksum }}
{{/* Certificate and private key are read from the same PEM file, so that file
holds the key material: it is written by the controller (path not chosen here)
and must stay readable only by the nginx user. */}}
ssl_certificate {{ $ server . SSLCertificate }};
ssl_certificate_key {{ $ server . SSLCertificate }};
{{ if not (empty $ server . SSLFullChainCertificate )}}
{{/* OCSP stapling is only enabled when the full chain is available, because
ssl_stapling_verify validates the stapled OCSP response against
ssl_trusted_certificate. */}}
ssl_trusted_certificate {{ $ server . SSLFullChainCertificate }};
ssl_stapling on;
ssl_stapling_verify on;
{{ end }}
{{ end }}
{{ if not (empty $ server . AuthTLSError ) }}
# {{ $ server . AuthTLSError }}
return 403;
{{ else }}
{{ if not (empty $ server . CertificateAuth . CAFileName ) }}
{{/* Mutual TLS: clients are verified against the CA bundle from the auth-tls
annotation. The PEM sha comment forces a reload when the CA changes. */}}
# PEM sha: {{ $ server . CertificateAuth . PemSHA }}
ssl_client_certificate {{ $ server . CertificateAuth . CAFileName }};
{{/* VerifyClient is the annotation value. Unless it is "on", a request
without a valid client certificate still reaches the locations (nginx's
optional modes), and the backend must enforce the outcome itself using the
ssl-client-verify header forwarded further down. Which values the annotation
accepts is decided by its parser, not visible here. */}}
ssl_verify_client {{ $ server . CertificateAuth . VerifyClient }};
{{/* Maximum accepted chain length; deeper chains fail verification. */}}
ssl_verify_depth {{ $ server . CertificateAuth . ValidationDepth }};
{{ if not (empty $ server . CertificateAuth . ErrorPage )}}
{{/* nginx-specific codes: 495 = client certificate failed verification,
496 = no client certificate presented. */}}
error_page 495 496 = {{ $ server . CertificateAuth . ErrorPage }};
{{ end }}
{{ end }}
{{ if not (empty $ server . SSLCiphers ) }}
{{/* Per-server cipher override from the annotation; it replaces the global
cipher list for this host, so a weaker list here is the Ingress owner's
choice and should be audited. */}}
ssl_ciphers {{ $ server . SSLCiphers }};
{{ end }}
{{ if not (empty $ server . ServerSnippet ) }}
{{/* Raw, unescaped annotation text inserted in server context. Anyone allowed
to create or edit Ingress objects can add arbitrary nginx directives here
(the same applies to the location-level snippets further down); nothing is
validated at this point, so restrict write access to Ingress resources. */}}
{{ $ server . ServerSnippet }}
{{ end }}
{{ range $ location := $ server . Locations }}
{{ $ path := buildLocation $ location }}
{{ $ proxySetHeader := proxySetHeader $ location }}
{{ $ authPath := buildAuthLocation $ location }}
{{ if not (empty $ location . Rewrite . AppRoot )}}
{{/* app-root annotation: requests for "/" are redirected (302) to the
configured root. The target is the raw annotation value; whatever validation
applies lives in the annotation parser, not here. */}}
if ( $ uri = /) {
return 302 {{ $ location . Rewrite . AppRoot }};
}
{{ end }}
{{ if $ authPath }}
location = {{ $ authPath }} {
{{/* auth_request subrequest target for the external authentication
annotation. Everything nginx sends to the auth service is configured here. */}}
{{/* internal: not addressable by clients, only used as the auth_request
subrequest of the serving location below. */}}
internal;
# The ngx_auth_request module overrides variables in the parent request, so
# this variable has to be set again explicitly: when the parent request
# resumes it must hold the right value for Lua to pick the backend.
set $ proxy_upstream_name "{{ buildUpstreamName $ server . Hostname $ all . Backends $ location $ all . DynamicConfigurationEnabled }}";
{{/* The request body is never forwarded to the auth service; only headers. */}}
proxy_pass_request_body off;
proxy_set_header Content-Length "";
{{ if $ location . ExternalAuth . Method }}
proxy_method {{ $ location . ExternalAuth . Method }};
{{/* NOTE(review): X-Original-URI and X-Scheme are only sent when a custom
auth method is configured; without one the auth service gets X-Original-URL
but not these two. Looks unintentional — confirm. */}}
proxy_set_header X-Original-URI $ request_uri ;
proxy_set_header X-Scheme $ pass_access_scheme ;
{{ end }}
{{/* Host is the auth service's host from the annotation. X-Original-URL is
built from the client-supplied Host header ($http_host) and request URI, so
the auth service must not trust it blindly, e.g. as a post-login redirect
target. */}}
proxy_set_header Host {{ $ location . ExternalAuth . Host }};
proxy_set_header X-Original-URL $ scheme :// $ http_host $ request_uri ;
proxy_set_header X-Original-Method $ request_method ;
proxy_set_header X-Sent-From "nginx-ingress-controller";
{{/* Where the auth service should send the user back; defaults to the
client-controlled request URI. */}}
{{ if $ location . ExternalAuth . RequestRedirect }}
proxy_set_header X-Auth-Request-Redirect {{ $ location . ExternalAuth . RequestRedirect }};
{{ else }}
proxy_set_header X-Auth-Request-Redirect $ request_uri ;
{{ end }}
{{/* Buffering settings mirror the parent location's proxy annotations. */}}
proxy_buffering "{{ $ location . Proxy . ProxyBuffering }}";
proxy_buffer_size "{{ $ location . Proxy . BufferSize }}";
proxy_buffers 4 "{{ $ location . Proxy . BufferSize }}";
proxy_request_buffering "{{ $ location . Proxy . RequestBuffering }}";
proxy_http_version 1.1;
{{/* SNI is sent to an https auth URL. NOTE(review): no proxy_ssl_verify /
proxy_ssl_trusted_certificate directive is set in this block, so with nginx's
default the auth service's certificate is not validated unless configured
elsewhere (e.g. via a snippet) — confirm, since credentials flow to it. */}}
proxy_ssl_server_name on;
{{/* All client request headers (Cookie, Authorization, ...) are forwarded to
the auth service, which is what lets it authenticate the request; the auth
URL is therefore a trust boundary for those credentials. */}}
proxy_pass_request_headers on;
client_max_body_size "{{ $ location . Proxy . BodySize }}";
{{ if isValidClientBodyBufferSize $ location . ClientBodyBufferSize }}
client_body_buffer_size {{ $ location . ClientBodyBufferSize }};
{{ end }}
# Pass the extracted client certificate to the auth provider
{{/* Only emitted with the auth-tls annotation. The certificate itself is sent
only when PassCertToUpstream is set; the verification result and DNs are
always sent. proxy_set_header replaces any incoming header of the same name,
so a client cannot spoof these when mTLS is configured; when it is not, nothing
strips client-sent ssl-client-* headers, so the auth service must only trust
them on servers that have mTLS enabled. */}}
{{ if not (empty $ server . CertificateAuth . CAFileName ) }}
{{ if $ server . CertificateAuth . PassCertToUpstream }}
proxy_set_header ssl-client-cert $ ssl_client_escaped_cert ;
{{ end }}
proxy_set_header ssl-client-verify $ ssl_client_verify ;
proxy_set_header ssl-client-subject-dn $ ssl_client_s_dn ;
proxy_set_header ssl-client-issuer-dn $ ssl_client_i_dn ;
{{ end }}
{{/* Using a variable in proxy_pass makes nginx resolve the auth host at
request time through the configured resolver (defined elsewhere). */}}
set $ target {{ $ location . ExternalAuth . URL }};
proxy_pass $ target ;
}
{{ end }}
location {{ $ path }} {
{{ $ ing := (getIngressInformation $ location . Ingress $ location . Path ) }}
set $ namespace "{{ $ ing . Namespace }}";
set $ ingress_name "{{ $ ing . Rule }}";
set $ service_name "{{ $ ing . Service }}";
set $ service_port "{{ $ location . Port }}";
set $ location_path "{{ $ location . Path }}";
{{ if not $ all . DisableLua }}
rewrite_by_lua_block {
{{ if $ all . DynamicConfigurationEnabled }}
-- dynamic configuration: the Lua balancer (defined outside this file)
-- prepares backend selection in the rewrite phase
balancer.rewrite()
{{ end }}
}
{{ if shouldConfigureLuaRestyWAF $ all . Cfg . DisableLuaRestyWAF $ location . LuaRestyWAF . Mode }}
{{/* lua-resty-waf for this location, driven by the lua-resty-waf annotations.
It runs in the access phase: rewrite-phase return directives in this location
(the HTTPS redirect, the CORS OPTIONS short-circuit) answer before the WAF
sees the request. */}}
access_by_lua_block {
local lua_resty_waf = require("resty.waf")
local waf = lua_resty_waf:new()
-- mode comes from the annotation and is interpolated inside a Lua string
-- literal; it is assumed to be validated upstream so it cannot contain a
-- quote (shouldConfigureLuaRestyWAF / annotation parser, not visible here)
waf:set_option("mode", "{{ $ location . LuaRestyWAF . Mode }}")
waf:set_option("storage_zone", "waf_storage")
-- only bodies of these content types are inspected by the WAF
waf:set_option("allowed_content_types", { "text/html", "text/json", "application/json" })
waf:set_option("event_log_level", ngx.WARN)
{{ if $ location . LuaRestyWAF . Debug }}
-- DEBUG: logs request arguments, body and headers to the nginx error log.
-- That captures credentials, tokens and personal data; treat it as a
-- short-lived diagnostic, never a steady state.
waf:set_option("debug", true)
waf:set_option("event_log_request_arguments", true)
waf:set_option("event_log_request_body", true)
waf:set_option("event_log_request_headers", true)
waf:set_option("req_tid_header", true)
waf:set_option("res_tid_header", true)
{{ end }}
{{ range $ ruleset := $ location . LuaRestyWAF . IgnoredRuleSets }}
waf:set_option("ignore_ruleset", "{{ $ ruleset }}")
{{ end }}
{{ if gt (len $ location . LuaRestyWAF . ExtraRulesetString ) 0 }}
-- the extra ruleset is inserted raw as a Lua expression (no quoting), so it
-- must already be a valid Lua literal; this is the same trust boundary as the
-- snippet annotations. Confirm it is validated before reaching the template.
waf:set_option("add_ruleset_string", "10000_extra_rules", {{ $ location . LuaRestyWAF . ExtraRulesetString }})
{{ end }}
waf:exec()
}
{{/* Response-side rules: the WAF also runs in the header and body filter phases. */}}
header_filter_by_lua_block {
local lua_resty_waf = require "resty.waf"
local waf = lua_resty_waf:new()
waf:exec()
}
body_filter_by_lua_block {
local lua_resty_waf = require "resty.waf"
local waf = lua_resty_waf:new()
waf:exec()
}
{{ end }}
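{{/* Per-request log phase: runs after the response has been sent, so nothing
here can change what the client got. Only monitor.call is wrapped in pcall;
errors raised by waf:exec() or balancer.log() are not trapped. */}}
log_by_lua_block {
{{ if shouldConfigureLuaRestyWAF $ all . Cfg . DisableLuaRestyWAF $ location . LuaRestyWAF . Mode }}
-- let lua-resty-waf flush its per-request event log
local lua_resty_waf = require "resty.waf"
local waf = lua_resty_waf:new()
waf:exec()
{{ end }}
{{ if $ all . DynamicConfigurationEnabled }}
-- report the upstream outcome to the Lua balancer (dynamic mode only)
balancer.log()
{{ end }}
-- ok/res are declared local: the previous bare assignment wrote two globals
-- into the worker's shared Lua VM on every request (OpenResty warns about
-- per-request global writes). monitor.call is defined outside this file;
-- the pcall keeps a failure in it from aborting the log phase.
local ok, res = pcall(monitor.call)
if not ok then
ngx.log(ngx.ERR, "request_id failed: " .. tostring(res))
end
}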
{{ end }}
{{ if (and (not (empty $ server . SSLCertificate )) $ all . Cfg . HSTS ) }}
{{/* HSTS, only for servers with a certificate and only on TLS responses.
NOTE(review): the guard tests $scheme, i.e. the scheme of the connection to
this nginx; elsewhere the template uses $pass_access_scheme for the
client-facing scheme. If TLS is terminated in front of the controller,
$scheme is http here and the header is never sent — confirm which is intended.
The preload token requests inclusion in browser preload lists, which is hard
to reverse; enable it deliberately. */}}
if ( $ scheme = https) {
more_set_headers "Strict-Transport-Security: max-age={{ $ all . Cfg . HSTSMaxAge }}{{ if $ all . Cfg . HSTSIncludeSubdomains }}; includeSubDomains{{ end }}{{ if $ all . Cfg . HSTSPreload }}; preload{{ end }}";
}
{{ end }}
{{ if not $ location . Logs . Access }}
{{/* Disabling the access log for a location removes its per-request audit
trail: log-based detection and incident forensics are blind to this path.
Prefer selective logging over turning it off entirely. */}}
access_log off;
{{ end }}
{{ if $ location . Logs . Rewrite }}
{{/* Logs rewrite-module decisions to the error log at notice level; a
verbose debugging aid. */}}
rewrite_log on;
{{ end }}
{{/* Whether nginx-generated redirects include the listening port. */}}
port_in_redirect {{ if $ location . UsePortInRedirects }}on{{ else }}off{{ end }};
{{ if $ all . Cfg . EnableVtsStatus }}{{ if $ location . VtsFilterKey }} vhost_traffic_status_filter_by_set_key {{ $ location . VtsFilterKey }};{{ end }}{{ end }}
{{/* Upstream identity for this location; consumed by the Lua balancer in
dynamic mode and by buildProxyPass. The external auth subrequest location
re-sets it because auth_request clobbers parent-request variables. */}}
set $ proxy_upstream_name "{{ buildUpstreamName $ server . Hostname $ all . Backends $ location $ all . DynamicConfigurationEnabled }}";
{{/* redirect to HTTPS: triggered by forcing the redirect (force-ssl-redirect) or by the server having a certificate together with ssl-redirect */}}
{{ if (or $ location . Rewrite . ForceSSLRedirect (and (not (empty $ server . SSLCertificate )) $ location . Rewrite . SSLRedirect )) }}
{{ if not (isLocationInLocationList $ location $ all . Cfg . NoTLSRedirectLocations ) }}
# enforce ssl on server side
{{/* $redirect_to_https is computed outside this section (presumably a map on
the access scheme, not visible here). Paths listed in no-tls-redirect-locations
are exempt. The redirect target host is taken from the request ($host /
$best_http_host). If $best_http_host (defined elsewhere) honours a forwarded
Host header, a client-supplied header chooses the redirect target — confirm
and make sure untrusted edges cannot inject it. */}}
if ( $ redirect_to_https ) {
{{ if $ location . UsePortInRedirects }}
# using custom ports requires a different rewrite directive
{{/* A synthetic 497 is mapped to the redirect via error_page so the custom
HTTPS port is included. NOTE(review): this branch uses $host while the default
branch below uses $best_http_host. */}}
{{ $ redirect_port := (printf ":%v" $ all . ListenPorts . HTTPS ) }}
error_page 497 ={{ $ all . Cfg . HTTPRedirectCode }} https:// $ host {{ $ redirect_port }} $ request_uri ;
return 497;
{{ else }}
return {{ $ all . Cfg . HTTPRedirectCode }} https:// $ best_http_host $ request_uri ;
{{ end }}
}
{{ end }}
{{ end }}
{{ if $ all . Cfg . EnableModsecurity }}
{{/* ModSecurity is a global switch (ConfigMap), enabled in every location.
Whether it blocks or only detects is decided inside modsecurity.conf
(presumably its SecRuleEngine setting — not visible here); the OWASP CRS is
only loaded when enable-owasp-modsecurity-crs is set. */}}
modsecurity on;
modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;
{{ if $ all . Cfg . EnableOWASPCoreRules }}
modsecurity_rules_file /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf;
{{ end }}
{{ end }}
{{ if isLocationAllowed $ location }}
{{ if gt (len $ location . Whitelist . CIDR ) 0 }}
{{/* Source-IP allow-list (whitelist-source-range). buildDenyVariable
presumably expands to a variable fed by a geo block emitted elsewhere (not
visible here). Evaluated in the rewrite phase, i.e. before authentication,
and also for the locations exempted from auth below. It is only as good as
the client address nginx sees: behind a load balancer without
proxy_protocol / real-IP handling it matches the balancer's address instead. */}}
if ({{ buildDenyVariable (print $ server . Hostname "_" $ path ) }}) {
return 403;
}
{{ end }}
{{/* Authentication is skipped entirely for paths in no-auth-locations; the
IP allow-list above still applies to them. */}}
{{ if not (isLocationInLocationList $ location $ all . Cfg . NoAuthLocations ) }}
{{ if $ authPath }}
# this location requires authentication
{{/* External auth via subrequest to the internal location above. nginx
allows the request on a 2xx from the auth service, returns 401/403 as-is,
and turns any other status into a 500. */}}
auth_request {{ $ authPath }};
{{/* Copy the auth service's Set-Cookie onto the client response.
$upstream_http_* exposes only the first header of a repeated name, so a
single cookie is propagated. nginx emits add_header on 2xx/3xx responses
only, and declaring add_header in this location stops it from inheriting
add_header directives from outer scopes. */}}
auth_request_set $ auth_cookie $ upstream_http_set_cookie ;
add_header Set-Cookie $ auth_cookie ;
{{- range $ idx , $ line := buildAuthResponseHeaders $ location }}
{{ $ line }}
{{- end }}
{{ end }}
{{ if $ location . ExternalAuth . SigninURL }}
{{/* Unauthenticated requests are redirected to the sign-in page.
buildAuthSignURL presumably attaches the original URL so the user is sent
back afterwards; validating that parameter against open redirects is the
sign-in service's job. */}}
error_page 401 = {{ buildAuthSignURL $ location . ExternalAuth . SigninURL }};
{{ end }}
{{ if $ location . BasicDigestAuth . Secured }}
{{/* Basic/digest auth checked by nginx against the user file referenced by
the annotation. auth_digest is a third-party module; it is assumed to be
built into this nginx. */}}
{{ if eq $ location . BasicDigestAuth . Type "basic" }}
auth_basic "{{ $ location . BasicDigestAuth . Realm }}";
auth_basic_user_file {{ $ location . BasicDigestAuth . File }};
{{ else }}
auth_digest "{{ $ location . BasicDigestAuth . Realm }}";
auth_digest_user_file {{ $ location . BasicDigestAuth . File }};
{{ end }}
{{/* Strip the credentials nginx just validated so the backend never receives
the proxy-level password. */}}
proxy_set_header Authorization "";
{{ end }}
{{ end }}
{{/* if the location contains a rate limit annotation, emit the generated limit directives */}}
{{ $ limits := buildRateLimit $ location }}
{{ range $ limit := $ limits }}
{{ $ limit }}{{ end }}
{{ if $ location . CorsConfig . CorsEnabled }}
{{ template "CORS" $ location }}
2017-08-31 14:58:01 +08:00
{{ end }}
{{ buildInfluxDB $ location . InfluxDB }}
{{ if not (empty $ location . Redirect . URL ) }}
{{/* permanent-redirect / temporal-redirect annotations. NOTE(review): $path
is interpolated into a case-insensitive regex without escaping, so regex
metacharacters in the location path are interpreted rather than matched
literally; the redirect target is the raw annotation value. */}}
if ( $ uri ~* {{ $ path }}) {
return {{ $ location . Redirect . Code }} {{ $ location . Redirect . URL }};
}
{{ end }}
client_max_body_size "{{ $ location . Proxy . BodySize }}";
{{ if isValidClientBodyBufferSize $ location . ClientBodyBufferSize }}
client_body_buffer_size {{ $ location . ClientBodyBufferSize }};
{{ end }}
{{/* Request headers sent to the backend. proxy_set_header replaces any
client-supplied header of the same name, so the backend can trust the values
set here (X-Real-IP, X-Forwarded-Proto, ...) as nginx's view; headers that
are not set here pass through from the client unchanged. */}}
{{/* By default use vhost as Host to upstream, but allow overrides (upstream-vhost annotation) */}}
{{ if not (empty $ location . UpstreamVhost ) }}
{{ $ proxySetHeader }} Host "{{ $ location . UpstreamVhost }}";
{{ else }}
{{ $ proxySetHeader }} Host $ best_http_host ;
{{ end }}
# Pass the extracted client certificate to the backend
{{/* Only emitted when mutual TLS is configured for this server. When it is
not, nothing strips client-sent ssl-client-* headers, so a backend must only
trust them on servers that have the auth-tls annotation. */}}
{{ if not (empty $ server . CertificateAuth . CAFileName ) }}
{{ if $ server . CertificateAuth . PassCertToUpstream }}
{{ $ proxySetHeader }} ssl-client-cert $ ssl_client_escaped_cert ;
{{ end }}
{{ $ proxySetHeader }} ssl-client-verify $ ssl_client_verify ;
{{ $ proxySetHeader }} ssl-client-subject-dn $ ssl_client_s_dn ;
{{ $ proxySetHeader }} ssl-client-issuer-dn $ ssl_client_i_dn ;
{{ end }}
# Allow websocket connections
{{ $ proxySetHeader }} Upgrade $ http_upgrade ;
{{ if $ location . Connection . Enabled }}
{{ $ proxySetHeader }} Connection {{ $ location . Connection . Header }};
{{ else }}
{{ $ proxySetHeader }} Connection $ connection_upgrade ;
{{ end }}
{{/* $req_id and $the_real_ip are defined outside this section. */}}
{{ $ proxySetHeader }} X-Request-ID $ req_id ;
{{ $ proxySetHeader }} X-Real-IP $ the_real_ip ;
{{/* compute-full-forwarded-for: the full chain presumably includes the
client-supplied X-Forwarded-For, so only the entry appended by this proxy is
trustworthy; the default sends just the address nginx determined. */}}
{{ if $ all . Cfg . ComputeFullForwardedFor }}
{{ $ proxySetHeader }} X-Forwarded-For $ full_x_forwarded_for ;
{{ else }}
{{ $ proxySetHeader }} X-Forwarded-For $ the_real_ip ;
{{ end }}
{{ $ proxySetHeader }} X-Forwarded-Host $ best_http_host ;
{{ $ proxySetHeader }} X-Forwarded-Port $ pass_port ;
{{ $ proxySetHeader }} X-Forwarded-Proto $ pass_access_scheme ;
{{ if $ all . Cfg . ProxyAddOriginalUriHeader }}
{{ $ proxySetHeader }} X-Original-URI $ request_uri ;
{{ end }}
{{ $ proxySetHeader }} X-Scheme $ pass_access_scheme ;
# Pass the original X-Forwarded-For
{{/* The client-supplied forwarded-for header as received; untrusted input. */}}
{{ $ proxySetHeader }} X-Original-Forwarded-For {{ buildForwardedFor $ all . Cfg . ForwardedForHeader }};
# mitigate HTTPoxy Vulnerability
# https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
{{/* A client-sent Proxy header would become HTTP_PROXY in CGI-style backends
and hijack their outbound HTTP; clearing it here blocks that. */}}
{{ $ proxySetHeader }} Proxy "";
# Custom headers to proxied server
{{/* ConfigMap-defined headers; values are quoted but otherwise inserted raw. */}}
{{ range $k, $v := $ all . ProxySetHeaders }}
{{ $ proxySetHeader }} {{ $k }} "{{ $v }}";
{{ end }}
{{/* Upstream timeouts from the proxy-* annotations, in seconds. */}}
proxy_connect_timeout {{ $ location . Proxy . ConnectTimeout }}s;
proxy_send_timeout {{ $ location . Proxy . SendTimeout }}s;
proxy_read_timeout {{ $ location . Proxy . ReadTimeout }}s;
{{/* Response/request buffering; client_max_body_size is set earlier in the location. */}}
proxy_buffering "{{ $ location . Proxy . ProxyBuffering }}";
proxy_buffer_size "{{ $ location . Proxy . BufferSize }}";
proxy_buffers 4 "{{ $ location . Proxy . BufferSize }}";
proxy_request_buffering "{{ $ location . Proxy . RequestBuffering }}";
{{/* HTTP/1.1 to the backend (required for keep-alive and WebSocket upgrades). */}}
proxy_http_version 1.1;
proxy_cookie_domain {{ $ location . Proxy . CookieDomain }};
proxy_cookie_path {{ $ location . Proxy . CookiePath }};
# In case of errors try the next upstream server before returning an error
{{/* buildNextUpstream presumably adds nginx's non_idempotent flag when
retry-non-idempotent is set: POST/PATCH-style requests may then be replayed
against another endpoint after a failure, which can duplicate side effects.
Keep it off unless the backends are idempotent. */}}
proxy_next_upstream {{ buildNextUpstream $ location . Proxy . NextUpstream $ all . Cfg . RetryNonIdempotent }};
proxy_next_upstream_tries {{ $ location . Proxy . NextUpstreamTries }};
{{/* rewrite only works if the content is not compressed: asking the backend
for an uncompressed body also means no compression between nginx and backend */}}
{{ if $ location . Rewrite . AddBaseURL }}
{{ $ proxySetHeader }} Accept-Encoding "";
{{ end }}
{{/* Add any additional configuration defined: raw, unescaped text from the
configuration-snippet annotation. Whoever can edit the Ingress can add
arbitrary nginx directives in this location — same trust boundary as the
server snippet. */}}
{{ $ location . ConfigurationSnippet }}
{{ if not (empty $ all . Cfg . LocationSnippet ) }}
# Custom code snippet configured in the configuration configmap
{{/* Cluster-wide snippet from the ConfigMap, inserted raw into every location. */}}
{{ $ all . Cfg . LocationSnippet }}
{{ end }}
{{/* if we are sending the request to a custom default backend, we add the required headers */}}
{{/* Same context headers as the CUSTOM_ERRORS locations, with a fixed code
of 503. X-Format is the client's Accept header — untrusted input for the
backend. NOTE(review): these use a literal proxy_set_header while the rest of
the location goes through $proxySetHeader; if that helper ever emits a
different directive for this backend type the two will diverge — confirm. */}}
{{ if (hasPrefix $ location . Backend "custom-default-backend-") }}
proxy_set_header X-Code 503;
proxy_set_header X-Format $ http_accept ;
proxy_set_header X-Namespace $ namespace ;
proxy_set_header X-Ingress-Name $ ingress_name ;
proxy_set_header X-Service-Name $ service_name ;
proxy_set_header X-Service-Port $ service_port ;
{{ end }}
{{ if not (empty $ location . Backend ) }}
{{/* buildProxyPass (not visible here) emits the proxy_pass / rewrite
directives for this backend. proxy_redirect rewrites Location/Refresh headers
from the backend according to the proxy-redirect-from/to annotations. */}}
{{ buildProxyPass $ server . Hostname $ all . Backends $ location $ all . DynamicConfigurationEnabled }}
{{ if (or (eq $ location . Proxy . ProxyRedirectFrom "default") (eq $ location . Proxy . ProxyRedirectFrom "off")) }}
proxy_redirect {{ $ location . Proxy . ProxyRedirectFrom }};
{{ else if not (eq $ location . Proxy . ProxyRedirectTo "off") }}
proxy_redirect {{ $ location . Proxy . ProxyRedirectFrom }} {{ $ location . Proxy . ProxyRedirectTo }};
{{ end }}
{{ else }}
# No endpoints available for the request
{{/* A location whose backend has no endpoints fails closed with 503. */}}
return 503;
{{ end }}
{{ else }}
2017-08-31 14:58:01 +08:00
# Location denied. Reason: {{ $ location . Denied }}
return 503;
{{ end }}
}
{{ end }}
{{ end }}
{{ if eq $ server . Hostname "_" }}
{{/* Operational endpoints, only on the catch-all server. */}}
# health checks in cloud providers require the use of port {{ $ all . ListenPorts . HTTP }}
{{/* Liveness endpoint: unconditional 200 with no body, so it only proves that
this nginx accepts and answers requests, not that any backend is healthy.
Not logged, not traced. */}}
location {{ $ all . HealthzURI }} {
{{ if $ all . Cfg . EnableOpentracing }}
opentracing off;
{{ end }}
access_log off;
return 200;
}
# this is required to avoid error if nginx is being monitored
# with an external software (like sysdig)
{{/* stub_status exposes connection and request counters only, but it is
still reachable on the public HTTP port of the catch-all server, so it is
gated by the nginx-status allow-list with deny all as the default. allow/deny
match the address nginx attributes to the client; behind a load balancer that
does not preserve the source address (no proxy_protocol / real-IP setup,
defined elsewhere) the allow-list is effectively compared against the
balancer. */}}
location /nginx_status {
{{ if $ all . Cfg . EnableOpentracing }}
opentracing off;
{{ end }}
{{ range $v := $ all . NginxStatusIpv4Whitelist }}
allow {{ $v }};
{{ end }}
{{ if $ all . IsIPV6Enabled -}}
{{ range $v := $ all . NginxStatusIpv6Whitelist }}
allow {{ $v }};
{{ end }}
{{ end -}}
deny all;
access_log off;
stub_status on;
}
{{ end }}
{{ end }}