Deploy GitHub Pages

This commit is contained in:
Travis Bot 2020-02-09 23:53:05 +00:00
parent ec2af1dbc3
commit 006cda8fee
62 changed files with 1885 additions and 1843 deletions


@ -34,7 +34,7 @@
<meta name="lang:search.tokenizer" content="[\s\-]+">
<link rel="shortcut icon" href="../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.0.4, mkdocs-material-4.4.3">
<meta name="generator" content="mkdocs-1.0.4, mkdocs-material-4.6.2">
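Review bot: the generator meta tag in this hunk moves from mkdocs-material-4.4.3 to mkdocs-material-4.6.2 inside a bot-authored deploy commit, so the theme upgrade shows up only as a side effect in generated HTML. If the bump was not deliberate, pin the mkdocs-material version in the docs build and raise it in a reviewed source change, so that deploy commits carry content changes only and a regression in the rendered output can be traced to a specific upgrade.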
@ -42,7 +42,7 @@
<link rel="stylesheet" href="../../assets/stylesheets/application.30686662.css">
<link rel="stylesheet" href="../../assets/stylesheets/application.adb8469c.css">
<link rel="stylesheet" href="../../assets/stylesheets/application-palette.a8b3c06d.css">
@ -53,12 +53,12 @@
<script src="../../assets/javascripts/modernizr.74668098.js"></script>
<script src="../../assets/javascripts/modernizr.86422ebf.js"></script>
<link href="https://fonts.gstatic.com" rel="preconnect" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700|Roboto+Mono&display=fallback">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback">
<style>body,input{font-family:"Roboto","Helvetica Neue",Helvetica,Arial,sans-serif}code,kbd,pre{font-family:"Roboto Mono","Courier New",Courier,monospace}</style>
@ -114,7 +114,7 @@
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" data-md-component="overlay" for="__drawer"></label>
<a href="#miscellaneous" tabindex="1" class="md-skip">
<a href="#miscellaneous" tabindex="0" class="md-skip">
Skip to content
</a>
@ -123,7 +123,7 @@
<nav class="md-header-nav md-grid">
<div class="md-flex">
<div class="md-flex__cell md-flex__cell--shrink">
<a href="https://kubernetes.github.io/ingress-nginx" title="NGINX Ingress Controller" class="md-header-nav__button md-logo">
<a href="https://kubernetes.github.io/ingress-nginx" title="NGINX Ingress Controller" aria-label="NGINX Ingress Controller" class="md-header-nav__button md-logo">
<i class="md-icon">public</i>
@ -154,7 +154,7 @@
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="query" data-md-state="active">
<input type="text" class="md-search__input" aria-label="search" name="query" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="query" data-md-state="active">
<label class="md-icon md-search__icon" for="__search"></label>
<button type="reset" class="md-icon md-search__icon" data-md-component="reset" tabindex="-1">
&#xE5CD;
@ -1279,38 +1279,39 @@
<h1 id="miscellaneous">Miscellaneous<a class="headerlink" href="#miscellaneous" title="Permanent link"></a></h1>
<h2 id="source-ip-address">Source IP address<a class="headerlink" href="#source-ip-address" title="Permanent link"></a></h2>
<p>By default NGINX uses the content of the header <code class="codehilite">X-Forwarded-For</code> as the source of truth to get information about the client IP address. This works without issues in L7 <strong>if we configure the setting <code class="codehilite">proxy-real-ip-cidr</code></strong> with the correct information of the IP/network address of trusted external load balancer.</p>
<p>By default NGINX uses the content of the header <code class="codehilite"><span class="err">X-Forwarded-For</span></code> as the source of truth to get information about the client IP address. This works without issues in L7 <strong>if we configure the setting <code class="codehilite"><span class="err">proxy-real-ip-cidr</span></code></strong> with the correct information of the IP/network address of trusted external load balancer.</p>
<p>If the ingress controller is running in AWS we need to use the VPC IPv4 CIDR.</p>
<p>Another option is to enable proxy protocol using <code class="codehilite">use-proxy-protocol: &quot;true&quot;</code>.</p>
<p>Another option is to enable proxy protocol using <code class="codehilite"><span class="c">use-proxy-protocol: &quot;true&quot;</span></code>.</p>
<p>In this mode NGINX does not use the content of the header to get the source IP address of the connection.</p>
<h2 id="proxy-protocol">Proxy Protocol<a class="headerlink" href="#proxy-protocol" title="Permanent link"></a></h2>
<p>If you are using a L4 proxy to forward the traffic to the NGINX pods and terminate HTTP/HTTPS there, you will lose the remote endpoint's IP address. To prevent this you could use the <a href="http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt">Proxy Protocol</a> for forwarding traffic, this will send the connection details before forwarding the actual TCP connection itself.</p>
<p>Amongst others <a href="http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-proxy-protocol.html">ELBs in AWS</a> and <a href="http://www.haproxy.org/">HAProxy</a> support Proxy Protocol.</p>
<h2 id="websockets">Websockets<a class="headerlink" href="#websockets" title="Permanent link"></a></h2>
<p>Support for websockets is provided by NGINX out of the box. No special configuration required.</p>
<p>The only requirement to avoid the close of connections is the increase of the values of <code class="codehilite">proxy-read-timeout</code> and <code class="codehilite">proxy-send-timeout</code>.</p>
<p>The default value of this settings is <code class="codehilite">60 seconds</code>.</p>
<p>A more adequate value to support websockets is a value higher than one hour (<code class="codehilite">3600</code>).</p>
<p>The only requirement to avoid the close of connections is the increase of the values of <code class="codehilite"><span class="err">proxy-read-timeout</span></code> and <code class="codehilite"><span class="err">proxy-send-timeout</span></code>.</p>
<p>The default value of this settings is <code class="codehilite"><span class="err">60 seconds</span></code>.</p>
<p>A more adequate value to support websockets is a value higher than one hour (<code class="codehilite"><span class="err">3600</span></code>).</p>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>If the NGINX ingress controller is exposed with a service <code class="codehilite">type=LoadBalancer</code> make sure the protocol between the loadbalancer and NGINX is TCP.</p>
<p>If the NGINX ingress controller is exposed with a service <code class="codehilite"><span class="err">type=LoadBalancer</span></code> make sure the protocol between the loadbalancer and NGINX is TCP.</p>
</div>
<h2 id="optimizing-tls-time-to-first-byte-tttfb">Optimizing TLS Time To First Byte (TTTFB)<a class="headerlink" href="#optimizing-tls-time-to-first-byte-tttfb" title="Permanent link"></a></h2>
<p>NGINX provides the configuration option <a href="http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size">ssl_buffer_size</a> to allow the optimization of the TLS record size.</p>
<p>This improves the <a href="https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/">TLS Time To First Byte</a> (TTTFB).
The default value in the Ingress controller is <code class="codehilite">4k</code> (NGINX default is <code class="codehilite">16k</code>).</p>
The default value in the Ingress controller is <code class="codehilite"><span class="err">4k</span></code> (NGINX default is <code class="codehilite"><span class="err">16k</span></code>).</p>
<h2 id="retries-in-non-idempotent-methods">Retries in non-idempotent methods<a class="headerlink" href="#retries-in-non-idempotent-methods" title="Permanent link"></a></h2>
<p>Since 1.9.13 NGINX will not retry non-idempotent requests (POST, LOCK, PATCH) in case of an error.
The previous behavior can be restored using <code class="codehilite">retry-non-idempotent=true</code> in the configuration ConfigMap.</p>
The previous behavior can be restored using <code class="codehilite"><span class="err">retry-non-idempotent=true</span></code> in the configuration ConfigMap.</p>
<h2 id="limitations">Limitations<a class="headerlink" href="#limitations" title="Permanent link"></a></h2>
<ul>
<li>Ingress rules for TLS require the definition of the field <code class="codehilite">host</code></li>
<li>Ingress rules for TLS require the definition of the field <code class="codehilite"><span class="err">host</span></code></li>
</ul>
<h2 id="why-endpoints-and-not-services">Why endpoints and not services<a class="headerlink" href="#why-endpoints-and-not-services" title="Permanent link"></a></h2>
<p>The NGINX ingress controller does not use <a href="http://kubernetes.io/docs/user-guide/services">Services</a> to route traffic to the pods. Instead it uses the Endpoints API in order to bypass <a href="http://kubernetes.io/docs/admin/kube-proxy/">kube-proxy</a> to allow NGINX features like session affinity and custom load balancing algorithms. It also removes some overhead, such as conntrack entries for iptables DNAT.</p>
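Review bot: every inline code span on the new side of this hunk wraps its text in <span class="err">, and the use-proxy-protocol: "true" span gets <span class="c">. These are the syntax highlighter's error and comment token classes, so setting names such as proxy-real-ip-cidr, proxy-read-timeout and retry-non-idempotent=true are being passed through a lexer and will pick up error styling wherever the stylesheet defines it. The prose itself is unchanged, which points to a side effect of the generator update rather than an intended edit. Suggest configuring the Markdown highlighting extension so that plain inline code is emitted without token spans, then regenerating the pages before this deploy is accepted.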
@ -1365,9 +1366,9 @@ The previous behavior can be restored using <code class="codehilite">retry-non-i
<div class="md-footer-copyright">
powered by
<a href="https://www.mkdocs.org">MkDocs</a>
<a href="https://www.mkdocs.org" target="_blank" rel="noopener">MkDocs</a>
and
<a href="https://squidfunk.github.io/mkdocs-material/">
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs</a>
</div>
@ -1377,7 +1378,7 @@ The previous behavior can be restored using <code class="codehilite">retry-non-i
</div>
<script src="../../assets/javascripts/application.ac79c3b0.js"></script>
<script src="../../assets/javascripts/application.c33a9706.js"></script>
<script>app.initialize({version:"1.0.4",url:{base:"../.."}})</script>