Separate third party NGINX configuration (#10470)

* Document container separation

* Separate configurations
Ricardo Katz 2023-11-03 10:46:32 -03:00 committed by GitHub
parent d6a0f46c32
commit 9ed0d7f7af
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
19 changed files with 158 additions and 36 deletions


@ -49,9 +49,10 @@ COPY --chown=www-data:www-data bin/${TARGETARCH}/wait-shutdown /
# with volumes (custom templates)
RUN bash -xeu -c ' \
writeDirs=( \
/etc/ingress-controller \
/etc/ingress-controller/ssl \
/etc/ingress-controller/auth \
/etc/ingress-controller/geoip \
/etc/ingress-controller/telemetry \
/var/log \
/var/log/nginx \
/tmp/nginx \
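Review bot: The `/etc/ingress-controller/geoip` entry added to `writeDirs` carries no comment on why the GeoIP databases moved out of `/etc/nginx/geoip` (the nginx.tmpl hunks in this commit now load them from this path), so a reader of this list cannot tell which component owns the directory. A one-line note would make the split explicit, e.g. `# geoip: controller-managed tree, not /etc/nginx; nginx.tmpl loads the databases from here`. The chroot script in this commit adds the same two entries but lists `telemetry` before `geoip`; ordering both lists identically keeps them easy to compare. The `RUN bash -xeu -c` block that holds this array continues past the end of the hunk.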


@ -21,6 +21,8 @@ writeDirs=( \
/chroot/etc/ingress-controller \
/chroot/etc/ingress-controller/ssl \
/chroot/etc/ingress-controller/auth \
/chroot/etc/ingress-controller/telemetry \
/chroot/etc/ingress-controller/geoip \
/chroot/opt/modsecurity/var/log \
/chroot/opt/modsecurity/var/upload \
/chroot/opt/modsecurity/var/audit \
@ -41,7 +43,8 @@ for dir in "${writeDirs[@]}"; do
done
mkdir -p /chroot/lib /chroot/proc /chroot/usr /chroot/bin /chroot/dev /chroot/run
cp /etc/passwd /etc/group /chroot/etc/
cp /etc/passwd /etc/group /etc/hosts /chroot/etc/
cp -a /usr/* /chroot/usr/
cp -a /etc/nginx/* /chroot/etc/nginx/
cp -a /etc/ingress-controller/* /chroot/etc/ingress-controller/
cp /lib/ld-musl-* /lib/libcrypto* /lib/libssl* /lib/libz* /chroot/lib/
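Review bot: `/etc/hosts` is now copied into `/chroot/etc/` at image-build time, so processes inside the chroot see the build container's hosts file rather than the one the runtime injects at `/etc/hosts`; unless a startup step refreshes `/chroot/etc/hosts` (none is visible in this hunk), lookups that depend on hosts entries will use stale content. A comment stating which it is would stop the next reader from treating it as the live file, e.g. `# build-time snapshot of /etc/hosts; refresh at startup if lookups must match the pod`. The added `cp -a /etc/ingress-controller/* /chroot/etc/ingress-controller/` also overlaps the `writeDirs` loop above, which already creates the same directories under `/chroot`; a short note naming what the copy is expected to carry beyond empty directories would clarify its purpose. The script continues outside this hunk.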


@ -175,7 +175,7 @@ http {
{{ range $index, $file := $all.MaxmindEditionFiles }}
{{ if eq $file "GeoLite2-Country.mmdb" }}
geoip2 /etc/nginx/geoip/GeoLite2-Country.mmdb {
geoip2 /etc/ingress-controller/geoip/GeoLite2-Country.mmdb {
$geoip2_country_code source=$remote_addr country iso_code;
$geoip2_country_name source=$remote_addr country names en;
$geoip2_country_geoname_id source=$remote_addr country geoname_id;
@ -186,7 +186,7 @@ http {
{{ end }}
{{ if eq $file "GeoIP2-Country.mmdb" }}
geoip2 /etc/nginx/geoip/GeoIP2-Country.mmdb {
geoip2 /etc/ingress-controller/geoip/GeoIP2-Country.mmdb {
$geoip2_country_code source=$remote_addr country iso_code;
$geoip2_country_name source=$remote_addr country names en;
$geoip2_country_geoname_id source=$remote_addr country geoname_id;
@ -197,7 +197,7 @@ http {
{{ end }}
{{ if eq $file "GeoLite2-City.mmdb" }}
geoip2 /etc/nginx/geoip/GeoLite2-City.mmdb {
geoip2 /etc/ingress-controller/geoip/GeoLite2-City.mmdb {
$geoip2_city_country_code source=$remote_addr country iso_code;
$geoip2_city_country_name source=$remote_addr country names en;
$geoip2_city_country_geoname_id source=$remote_addr country geoname_id;
@ -220,7 +220,7 @@ http {
{{ end }}
{{ if eq $file "GeoIP2-City.mmdb" }}
geoip2 /etc/nginx/geoip/GeoIP2-City.mmdb {
geoip2 /etc/ingress-controller/geoip/GeoIP2-City.mmdb {
$geoip2_city_country_code source=$remote_addr country iso_code;
$geoip2_city_country_name source=$remote_addr country names en;
$geoip2_city_country_geoname_id source=$remote_addr country geoname_id;
@ -243,21 +243,21 @@ http {
{{ end }}
{{ if eq $file "GeoLite2-ASN.mmdb" }}
geoip2 /etc/nginx/geoip/GeoLite2-ASN.mmdb {
geoip2 /etc/ingress-controller/geoip/GeoLite2-ASN.mmdb {
$geoip2_asn source=$remote_addr autonomous_system_number;
$geoip2_org source=$remote_addr autonomous_system_organization;
}
{{ end }}
{{ if eq $file "GeoIP2-ASN.mmdb" }}
geoip2 /etc/nginx/geoip/GeoIP2-ASN.mmdb {
geoip2 /etc/ingress-controller/geoip/GeoIP2-ASN.mmdb {
$geoip2_asn source=$remote_addr autonomous_system_number;
$geoip2_org source=$remote_addr autonomous_system_organization;
}
{{ end }}
{{ if eq $file "GeoIP2-ISP.mmdb" }}
geoip2 /etc/nginx/geoip/GeoIP2-ISP.mmdb {
geoip2 /etc/ingress-controller/geoip/GeoIP2-ISP.mmdb {
$geoip2_isp source=$remote_addr isp;
$geoip2_isp_org source=$remote_addr organization;
$geoip2_asn source=$remote_addr default=0 autonomous_system_number;
@ -265,13 +265,13 @@ http {
{{ end }}
{{ if eq $file "GeoIP2-Connection-Type.mmdb" }}
geoip2 /etc/nginx/geoip/GeoIP2-Connection-Type.mmdb {
geoip2 /etc/ingress-controller/geoip/GeoIP2-Connection-Type.mmdb {
$geoip2_connection_type connection_type;
}
{{ end }}
{{ if eq $file "GeoIP2-Anonymous-IP.mmdb" }}
geoip2 /etc/nginx/geoip/GeoIP2-Anonymous-IP.mmdb {
geoip2 /etc/ingress-controller/geoip/GeoIP2-Anonymous-IP.mmdb {
$geoip2_is_anon source=$remote_addr is_anonymous;
$geoip2_is_anonymous source=$remote_addr default=0 is_anonymous;
$geoip2_is_anonymous_vpn source=$remote_addr default=0 is_anonymous_vpn;
@ -469,7 +469,7 @@ http {
ssl_session_tickets {{ if $cfg.SSLSessionTickets }}on{{ else }}off{{ end }};
{{ if not (empty $cfg.SSLSessionTicketKey ) }}
ssl_session_ticket_key /etc/nginx/tickets.key;
ssl_session_ticket_key /etc/ingress-controller/tickets.key;
{{ end }}
# slightly reduce the time-to-first-byte