Merge branch 'master' of https://github.com/kubernetes/ingress-nginx into proxyssl

docs/user-guide/nginx-configuration/annotations.md

@@ -112,6 +112,8 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz
 |[nginx.ingress.kubernetes.io/enable-owasp-core-rules](#modsecurity)|bool|
 |[nginx.ingress.kubernetes.io/modsecurity-transaction-id](#modsecurity)|string|
 |[nginx.ingress.kubernetes.io/modsecurity-snippet](#modsecurity)|string|
+|[nginx.ingress.kubernetes.io/mirror-uri](#mirror)|string|
+|[nginx.ingress.kubernetes.io/mirror-request-body](#mirror)|string|
 
 ### Canary
 
@@ -817,3 +819,34 @@ By default, a request would need to satisfy all authentication requirements in o
 ```yaml
 nginx.ingress.kubernetes.io/satisfy: "any"
 ```
+
+### Mirror
+
+Enables a request to be mirrored to a mirror backend. Responses by mirror backends are ignored. This feature is useful, to see how requests will react in "test" backends.
+
+You can mirror a request to the `/mirror` path on your ingress, by applying the below:
+
+```yaml
+nginx.ingress.kubernetes.io/mirror-uri: "/mirror"
+```
+
+The mirror path can be defined as a separate ingress resource:
+
+```
+location = /mirror {
+    internal;
+    proxy_pass http://test_backend;
+}
+```
+
+By default the request-body is sent to the mirror backend, but can be turned off by applying:
+
+```yaml
+nginx.ingress.kubernetes.io/mirror-request-body: "off"
+```
+
+**Note:** The mirror directive will be applied to all paths within the ingress resource.
+
+The request sent to the mirror is linked to the orignial request. If you have a slow mirror backend, then the orignial request will throttle.
+
+For more information on the mirror module see https://nginx.org/en/docs/http/ngx_http_mirror_module.html

docs/user-guide/nginx-configuration/configmap.md

@@ -34,7 +34,6 @@ The following table shows a configuration option's name, type, and the default v
 |[access-log-path](#access-log-path)|string|"/var/log/nginx/access.log"|
 |[enable-access-log-for-default-backend](#enable-access-log-for-default-backend)|bool|"false"|
 |[error-log-path](#error-log-path)|string|"/var/log/nginx/error.log"|
-|[enable-dynamic-tls-records](#enable-dynamic-tls-records)|bool|"true"|
 |[enable-modsecurity](#enable-modsecurity)|bool|"false"|
 |[enable-owasp-modsecurity-crs](#enable-owasp-modsecurity-crs)|bool|"false"|
 |[client-header-buffer-size](#client-header-buffer-size)|string|"1k"|
@@ -149,6 +148,7 @@ The following table shows a configuration option's name, type, and the default v
 |[skip-access-log-urls](#skip-access-log-urls)|[]string|[]string{}|
 |[limit-rate](#limit-rate)|int|0|
 |[limit-rate-after](#limit-rate-after)|int|0|
+|[lua-shared-dicts](#lua-shared-dicts)|string|""|
 |[http-redirect-code](#http-redirect-code)|int|308|
 |[proxy-buffering](#proxy-buffering)|string|"off"|
 |[limit-req-status-code](#limit-req-status-code)|int|503|
@@ -209,13 +209,6 @@ __Note:__ the file `/var/log/nginx/error.log` is a symlink to `/dev/stderr`
 _References:_
 [http://nginx.org/en/docs/ngx_core_module.html#error_log](http://nginx.org/en/docs/ngx_core_module.html#error_log)
 
-## enable-dynamic-tls-records
-
-Enables dynamically sized TLS records to improve time-to-first-byte. _**default:**_ is enabled
-
-_References:_
-[https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency](https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency)
-
 ## enable-modsecurity
 
 Enables the modsecurity module for NGINX. _**default:**_ is disabled
@@ -488,6 +481,14 @@ Sets the [SSL protocols](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#
 
 Please check the result of the configuration using `https://ssllabs.com/ssltest/analyze.html` or `https://testssl.sh`.
 
+## ssl-early-data
+
+Enables or disables TLS 1.3 [early data](https://tools.ietf.org/html/rfc8446#section-2.3)
+
+This requires `ssl-protocols` to have `TLSv1.3` enabled.
+
+[ssl_early_data](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data). The default is: `false`.
+
 ## ssl-session-cache
 
 Enables or disables the use of shared [SSL cache](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache) among worker processes.
@@ -855,6 +856,21 @@ _References:_
 
 Sets the initial amount after which the further transmission of a response to a client will be rate limited.
 
+## lua-shared-dicts
+
+Customize default Lua shared dictionaries or define more. You can use the following syntax to do so:
+
+```
+lua-shared-dicts: "<my dict name>: <my dict size>, [<my dict name>: <my dict size>], ..."
+```
+
+For example following will set default `certificate_data` dictionary to `100M` and will introduce a new dictionary called
+`my_custom_plugin`:
+
+```
+lua-shared-dicts: "certificate_data: 100, my_custom_plugin: 5"
+```
+
 _References:_
 [http://nginx.org/en/docs/http/ngx_http_core_module.html#limit_rate_after](http://nginx.org/en/docs/http/ngx_http_core_module.html#limit_rate_after)
 

docs/user-guide/nginx-configuration/custom-template.md

@@ -30,6 +30,7 @@ In addition to the built-in functions provided by the Go package the following f
 - hasSuffix: [strings.HasSuffix](https://golang.org/pkg/strings/#HasSuffix)
 - toUpper: [strings.ToUpper](https://golang.org/pkg/strings/#ToUpper)
 - toLower: [strings.ToLower](https://golang.org/pkg/strings/#ToLower)
+- quote: wraps a string in double quotes
 - buildLocation: helps to build the NGINX Location section in each server
 - buildProxyPass: builds the reverse proxy configuration
 - buildRateLimit: helps to build a limit zone inside a location if contains a rate limit annotation

docs/user-guide/nginx-configuration/log-format.md

@@ -7,7 +7,7 @@ log_format upstreaminfo
     '{{ if $cfg.useProxyProtocol }}$proxy_protocol_addr{{ else }}$remote_addr{{ end }} - '
     '[$the_real_ip] - $remote_user [$time_local] "$request" '
     '$status $body_bytes_sent "$http_referer" "$http_user_agent" '
-    '$request_length $request_time [$proxy_upstream_name] $upstream_addr '
+    '$request_length $request_time [$proxy_upstream_name] [$proxy_alternative_upstream_name] $upstream_addr '
     '$upstream_response_length $upstream_response_time $upstream_status $req_id';
 ```
 
@@ -26,6 +26,7 @@ log_format upstreaminfo
 | `$request_length` | request length (including request line, header, and request body) |
 | `$request_time` | time elapsed since the first bytes were read from the client |
 | `$proxy_upstream_name` | name of the upstream. The format is `upstream-<namespace>-<service name>-<service port>` |
+| `$proxy_alternative_upstream_name` | name of the alternative upstream. The format is `upstream-<namespace>-<service name>-<service port>` |
 | `$upstream_addr` | the IP address and port (or the path to the domain socket) of the upstream server. If several servers were contacted during request processing, their addresses are separated by commas. |
 | `$upstream_response_length` | the length of the response obtained from the upstream server |
 | `$upstream_response_time` | time spent on receiving the response from the upstream server as seconds with millisecond resolution |
@@ -45,4 +46,4 @@ Additional available variables:
 Sources:
 
 - [Upstream variables](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#variables)
-- [Embedded variables](http://nginx.org/en/docs/http/ngx_http_core_module.html#variables)
+- [Embedded variables](http://nginx.org/en/docs/http/ngx_http_core_module.html#variables)