DevFW-CICD/ingress-nginx-helm
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Deploy GitHub Pages

Browse source
This commit is contained in:
Travis Bot 2018-09-04 23:47:40 +00:00
parent b479f09b97
commit a03213218f
58 changed files with 2308 additions and 376 deletions
Download patch file Download diff file Expand all files Collapse all files

12
user-guide/cli-arguments/index.html
View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)

12
user-guide/custom-errors/index.html
View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)

12
user-guide/default-backend/index.html
View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)

13
user-guide/exposing-tcp-udp-services/index.html
View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1062,7 +1074,6 @@ Adding <code class="codehilite">PROXY</code> in either or both of the two last f
<span class="l l-Scalar l-Scalar-Plain">9000</span><span class="p p-Indicator">:</span> <span class="s">&quot;default/example-go:8080&quot;</span>
</pre></div>
<p>Since 1.9.13 NGINX provides <a href="https://www.nginx.com/blog/announcing-udp-load-balancing/">UDP Load Balancing</a>.
The next example shows how to expose the service <code class="codehilite">kube-dns</code> running in the namespace <code class="codehilite">kube-system</code> in the port <code class="codehilite">53</code> using the port <code class="codehilite">53</code></p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">apiVersion</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">v1</span>

12
user-guide/external-articles/index.html
View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)

12
user-guide/miscellaneous/index.html
View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)

19
user-guide/monitoring/index.html
View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1163,7 +1175,6 @@
<span class="go">configmap &quot;prometheus-configuration&quot; created</span>
</pre></div>
<p>Running the following command deploys prometheus in Kubernetes:</p>
<div class="codehilite"><pre><span></span><span class="go">kubectl create -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/monitoring/prometheus.yaml</span>
<span class="go">clusterrole &quot;prometheus-server&quot; created</span>
@ -1173,7 +1184,6 @@
<span class="go">service &quot;prometheus-service&quot; created</span>
</pre></div>
<h3 id="prometheus-dashboard">Prometheus Dashboard<a class="headerlink" href="#prometheus-dashboard" title="Permanent link">&para;</a></h3>
<p>Open Prometheus dashboard in a web browser:</p>
<div class="codehilite"><pre><span></span><span class="go">kubectl get svc -n ingress-nginx</span>
@ -1183,18 +1193,15 @@
<span class="go">prometheus NodePort 10.98.233.86 &lt;none&gt; 9090:32630/TCP 1m</span>
</pre></div>
<p>Obtain the IP address of the nodes in the running cluster:</p>
<div class="codehilite"><pre><span></span><span class="go">kubectl get nodes -o wide</span>
</pre></div>
<p>In some cases where the node only have internal IP adresses we need to execute:</p>
<div class="codehilite"><pre><span></span><span class="go">kubectl get nodes --selector=kubernetes.io/role!=master -o jsonpath={.items[*].status.addresses[?\(@.type==\&quot;InternalIP\&quot;\)].address}</span>
<span class="go">10.192.0.2 10.192.0.3 10.192.0.4</span>
</pre></div>
<p>Open your browser and visit the following URL: <em>http://{node IP address}:{prometheus-svc-nodeport}</em> to load the Prometheus Dashboard.</p>
<p>According to the above example, this URL will be http://10.192.0.3:32630</p>
<p><img alt="Dashboard" src="../../images/prometheus-dashboard.png" /></p>
@ -1202,7 +1209,6 @@
<div class="codehilite"><pre><span></span><span class="go">kubectl create -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/monitoring/grafana.yaml</span>
</pre></div>
<div class="codehilite"><pre><span></span><span class="go">kubectl get svc -n ingress-nginx</span>
<span class="go">NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE</span>
<span class="go">default-http-backend ClusterIP 10.103.59.201 &lt;none&gt; 80/TCP 3d</span>
@ -1211,7 +1217,6 @@
<span class="go">grafana NodePort 10.98.233.86 &lt;none&gt; 9090:31086/TCP 10m</span>
</pre></div>
<p>Open your browser and visit the following URL: <em>http://{node IP address}:{grafana-svc-nodeport}</em> to load the Grafana Dashboard.
According to the above example, this URL will be http://10.192.0.3:31086</p>
<p>The username and password is <code class="codehilite">admin</code></p>

15
user-guide/multiple-ingress/index.html
View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1102,7 +1114,6 @@ you need to specify the annotation <code class="codehilite">kubernetes.io/ingres
<span class="l l-Scalar l-Scalar-Plain">kubernetes.io/ingress.class</span><span class="p p-Indicator">:</span> <span class="s">&quot;gce&quot;</span>
</pre></div>
<p>will target the GCE controller, forcing the nginx controller to ignore it, while an annotation like</p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">metadata</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">name</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">foo</span>
@ -1110,7 +1121,6 @@ you need to specify the annotation <code class="codehilite">kubernetes.io/ingres
<span class="l l-Scalar l-Scalar-Plain">kubernetes.io/ingress.class</span><span class="p p-Indicator">:</span> <span class="s">&quot;nginx&quot;</span>
</pre></div>
<p>will target the nginx controller, forcing the GCE controller to ignore it.</p>
<p>To reiterate, setting the annotation to any value which does not match a valid ingress class will force the NGINX Ingress controller to ignore your Ingress.
If you are only running a single NGINX ingress controller, this can be achieved by setting the annotation to any value except "nginx" or an empty string.</p>
@ -1132,7 +1142,6 @@ Here is a partial example:</p>
<span class="p p-Indicator">-</span> <span class="s">&#39;--configmap=ingress/nginx-ingress-internal-controller&#39;</span>
</pre></div>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>Deploying multiple Ingress controllers, of different types (e.g., <code class="codehilite">ingress-nginx</code> &amp; <code class="codehilite">gce</code>), and not specifying a class annotation will

82
user-guide/nginx-configuration/annotations/index.html
View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -2003,22 +2015,18 @@ So, at reload, if upstream servers have changed, index values are not guaranteed
<p>In NGINX this feature is implemented by the third party module <a href="https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng">nginx-sticky-module-ng</a>. The workflow used to define which upstream server will be used is explained <a href="https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng/raw/08a395c66e425540982c00482f55034e1fee67b6/docs/sticky.pdf">here</a></p>
<h3 id="authentication">Authentication<a class="headerlink" href="#authentication" title="Permanent link">&para;</a></h3>
<p>Is possible to add authentication adding additional annotations in the Ingress rule. The source of the authentication is a secret that contains usernames and passwords inside the key <code class="codehilite">auth</code>.</p>
<p>The annotations are:</p>
<p>The annotations are:
<div class="codehilite"><pre><span></span>nginx.ingress.kubernetes.io/auth-type: [basic|digest]
</pre></div>
</pre></div></p>
<p>Indicates the <a href="https://tools.ietf.org/html/rfc2617">HTTP Authentication Type: Basic or Digest Access Authentication</a>.</p>
<div class="codehilite"><pre><span></span>nginx.ingress.kubernetes.io/auth-secret: secretName
</pre></div>
<p>The name of the Secret that contains the usernames and passwords which are granted access to the <code class="codehilite">path</code>s defined in the Ingress rules.
This annotation also accepts the alternative form "namespace/secretName", in which case the Secret lookup is performed in the referenced namespace instead of the Ingress namespace.</p>
<div class="codehilite"><pre><span></span>nginx.ingress.kubernetes.io/auth-realm: &quot;realm string&quot;
</pre></div>
<div class="admonition example">
<p class="admonition-title">Example</p>
<p>Please check the <a href="../../../examples/auth/basic/README/">auth</a> example.</p>
@ -2085,49 +2093,59 @@ Only one of the Ingress rules should define annotations to configure the upstrea
<span class="no">more_set_headers &quot;Request-Id: $req_id&quot;;</span>
</pre></div>
<h3 id="default-backend">Default Backend<a class="headerlink" href="#default-backend" title="Permanent link">&para;</a></h3>
<p>The ingress controller requires a <a href="../../default-backend/">default backend</a>.
This service handles the response when the service in the Ingress rule does not have endpoints.
This is a global configuration for the ingress controller. In some cases could be required to return a custom content or format. In this scenario we can use the annotation <code class="codehilite">nginx.ingress.kubernetes.io/default-backend: &lt;svc name&gt;</code> to specify a custom default backend.</p>
<h3 id="enable-cors">Enable CORS<a class="headerlink" href="#enable-cors" title="Permanent link">&para;</a></h3>
<p>To enable Cross-Origin Resource Sharing (CORS) in an Ingress rule,
add the annotation <code class="codehilite">nginx.ingress.kubernetes.io/enable-cors: &quot;true&quot;</code>.
This will add a section in the server location enabling this functionality.</p>
<p>To enable Cross-Origin Resource Sharing (CORS) in an Ingress rule, add the annotation
<code class="codehilite">nginx.ingress.kubernetes.io/enable-cors: &quot;true&quot;</code>. This will add a section in the server
location enabling this functionality.</p>
<p>CORS can be controlled with the following annotations:</p>
<ul>
<li><code class="codehilite">nginx.ingress.kubernetes.io/cors-allow-methods</code>
controls which methods are accepted. This is a multi-valued field, separated by ',' and
accepts only letters (upper and lower case).</li>
<li>Default: <code class="codehilite">GET, PUT, POST, DELETE, PATCH, OPTIONS</code></li>
<li>
<p><code class="codehilite">nginx.ingress.kubernetes.io/cors-allow-methods</code>
controls which methods are accepted.
This is a multi-valued field, separated by ',' and accepts only letters (upper and lower case).
Example: <code class="codehilite">nginx.ingress.kubernetes.io/cors-allow-methods: &quot;PUT, GET, POST, OPTIONS&quot;</code></p>
<p>Example: <code class="codehilite">nginx.ingress.kubernetes.io/cors-allow-methods: &quot;PUT, GET, POST, OPTIONS&quot;</code></p>
</li>
<li>
<p><code class="codehilite">nginx.ingress.kubernetes.io/cors-allow-headers</code>
controls which headers are accepted.
This is a multi-valued field, separated by ',' and accepts letters, numbers, _ and -.
Example: <code class="codehilite">nginx.ingress.kubernetes.io/cors-allow-headers: &quot;X-Forwarded-For, X-app123-XPTO&quot;</code></p>
controls which headers are accepted. This is a multi-valued field, separated by ',' and accepts letters,
numbers, _ and -.</p>
</li>
<li>Default: <code class="codehilite">DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization</code></li>
<li>
<p>Example: <code class="codehilite">nginx.ingress.kubernetes.io/cors-allow-headers: &quot;X-Forwarded-For, X-app123-XPTO&quot;</code></p>
</li>
<li>
<p><code class="codehilite">nginx.ingress.kubernetes.io/cors-allow-origin</code>
controls what's the accepted Origin for CORS and defaults to '*'.
This is a single field value, with the following format: <code class="codehilite">http(s)://origin-site.com</code> or <code class="codehilite">http(s)://origin-site.com:port</code>
Example: <code class="codehilite">nginx.ingress.kubernetes.io/cors-allow-origin: &quot;https://origin-site.com:4443&quot;</code></p>
controls what's the accepted Origin for CORS.
This is a single field value, with the following format: <code class="codehilite">http(s)://origin-site.com</code> or <code class="codehilite">http(s)://origin-site.com:port</code></p>
</li>
<li>Default: <code class="codehilite">*</code></li>
<li>
<p>Example: <code class="codehilite">nginx.ingress.kubernetes.io/cors-allow-origin: &quot;https://origin-site.com:4443&quot;</code></p>
</li>
<li>
<p><code class="codehilite">nginx.ingress.kubernetes.io/cors-allow-credentials</code>
controls if credentials can be passed during CORS operations.
Example: <code class="codehilite">nginx.ingress.kubernetes.io/cors-allow-credentials: &quot;true&quot;</code></p>
controls if credentials can be passed during CORS operations.</p>
</li>
<li>Default: <code class="codehilite">true</code></li>
<li>
<p>Example: <code class="codehilite">nginx.ingress.kubernetes.io/cors-allow-credentials: &quot;false&quot;</code></p>
</li>
<li>
<p><code class="codehilite">nginx.ingress.kubernetes.io/cors-max-age</code>
controls how long preflight requests can be cached.
Default: <code class="codehilite">1728000</code>
Example: <code class="codehilite">nginx.ingress.kubernetes.io/cors-max-age: 600</code></p>
</li>
</ul>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>For more information please see <a href="https://enable-cors.org/server_nginx.html">https://enable-cors.org</a></p>
<p>For more information please see <a href="https://enable-cors.org/server_nginx.html">https://enable-cors.org</a> </p>
</div>
<h3 id="server-alias">Server Alias<a class="headerlink" href="#server-alias" title="Permanent link">&para;</a></h3>
<p>To add Server Aliases to an Ingress rule add the annotation <code class="codehilite">nginx.ingress.kubernetes.io/server-alias: &quot;&lt;alias&gt;&quot;</code>.
@ -2157,7 +2175,6 @@ the new server configuration will take place over the alias configuration.</p>
<span class="err">}</span>
</pre></div>
<div class="admonition attention">
<p class="admonition-title">Attention</p>
<p>This annotation can be used only once per host.</p>
@ -2187,7 +2204,6 @@ applied to each location provided in the ingress rule.</p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/auth-url</span><span class="p p-Indicator">:</span> <span class="s">&quot;URL</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">authentication</span><span class="nv"> </span><span class="s">service&quot;</span>
</pre></div>
<p>Additionally it is possible to set:</p>
<ul>
<li><code class="codehilite">nginx.ingress.kubernetes.io/auth-method</code>:
@ -2299,7 +2315,6 @@ To use custom values in an Ingress rule define these annotation:</p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/proxy-body-size</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">8m</span>
</pre></div>
<h3 id="proxy-cookie-domain">Proxy cookie domain<a class="headerlink" href="#proxy-cookie-domain" title="Permanent link">&para;</a></h3>
<p>Sets a text that <a href="http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_domain">should be changed in the domain attribute</a> of the "Set-Cookie" header fields of a proxied server response.</p>
<p>To configure this setting globally for all Ingress rules, the <code class="codehilite">proxy-cookie-domain</code> value may be set in the <a href="../configmap/">NGINX ConfigMap</a>.</p>
@ -2311,43 +2326,36 @@ To use custom values in an Ingress rule define these annotation:</p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/proxy-buffering</span><span class="p p-Indicator">:</span> <span class="s">&quot;on&quot;</span>
</pre></div>
<h3 id="proxy-buffer-size">Proxy buffer size<a class="headerlink" href="#proxy-buffer-size" title="Permanent link">&para;</a></h3>
<p>Sets the size of the buffer <a href="http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size"><code class="codehilite">proxy_buffer_size</code></a> used for reading the first part of the response received from the proxied server.
By default proxy buffer size is set as "4k"</p>
<p>To configure this setting globally, set <code class="codehilite">proxy-buffer-size</code> in <a href="../configmap/">NGINX ConfigMap</a>. To use custom values in an Ingress rule, define this annotation:</p>
<p>To configure this setting globally, set <code class="codehilite">proxy-buffer-size</code> in <a href="../configmap/">NGINX ConfigMap</a>. To use custom values in an Ingress rule, define this annotation:
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/proxy-buffer-size</span><span class="p p-Indicator">:</span> <span class="s">&quot;8k&quot;</span>
</pre></div>
</pre></div></p>
<h3 id="ssl-ciphers">SSL ciphers<a class="headerlink" href="#ssl-ciphers" title="Permanent link">&para;</a></h3>
<p>Specifies the <a href="http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers">enabled ciphers</a>.</p>
<p>Using this annotation will set the <code class="codehilite">ssl_ciphers</code> directive at the server level. This configuration is active for all the paths in the host.</p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/ssl-ciphers</span><span class="p p-Indicator">:</span> <span class="s">&quot;ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP&quot;</span>
</pre></div>
<h3 id="connection-proxy-header">Connection proxy header<a class="headerlink" href="#connection-proxy-header" title="Permanent link">&para;</a></h3>
<p>Using this annotation will override the default connection header set by NGINX.
To use custom values in an Ingress rule, define the annotation:</p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/connection-proxy-header</span><span class="p p-Indicator">:</span> <span class="s">&quot;keep-alive&quot;</span>
</pre></div>
<h3 id="enable-access-log">Enable Access Log<a class="headerlink" href="#enable-access-log" title="Permanent link">&para;</a></h3>
<p>Access logs are enabled by default, but in some scenarios access logs might be required to be disabled for a given
ingress. To do this, use the annotation:</p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/enable-access-log</span><span class="p p-Indicator">:</span> <span class="s">&quot;false&quot;</span>
</pre></div>
<h3 id="enable-rewrite-log">Enable Rewrite Log<a class="headerlink" href="#enable-rewrite-log" title="Permanent link">&para;</a></h3>
<p>Rewrite logs are not enabled by default. In some scenarios it could be required to enable NGINX rewrite logs.
Note that rewrite logs are sent to the error_log file at the notice level. To enable this feature use the annotation:</p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/enable-rewrite-log</span><span class="p p-Indicator">:</span> <span class="s">&quot;true&quot;</span>
</pre></div>
<h3 id="lua-resty-waf">Lua Resty WAF<a class="headerlink" href="#lua-resty-waf" title="Permanent link">&para;</a></h3>
<p>Using <code class="codehilite">lua-resty-waf-*</code> annotations we can enable and control the <a href="https://github.com/p0pr0ck5/lua-resty-waf">lua-resty-waf</a>
Web Application Firewall per location.</p>
@ -2355,7 +2363,6 @@ Web Application Firewall per location.</p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/lua-resty-waf</span><span class="p p-Indicator">:</span> <span class="s">&quot;active&quot;</span>
</pre></div>
<p>In order to run it in debugging mode you can set <code class="codehilite">nginx.ingress.kubernetes.io/lua-resty-waf-debug</code> to <code class="codehilite">&quot;true&quot;</code> in addition to the above configuration.
The other possible values for <code class="codehilite">nginx.ingress.kubernetes.io/lua-resty-waf</code> are <code class="codehilite">inactive</code> and <code class="codehilite">simulate</code>.
In <code class="codehilite">inactive</code> mode WAF won't do anything, whereas in <code class="codehilite">simulate</code> mode it will log a warning message if there's a matching WAF rule for given request. This is useful to debug a rule and eliminate possible false positives before fully deploying it.</p>
@ -2364,13 +2371,11 @@ You can use <code class="codehilite">nginx.ingress.kubernetes.io/lua-resty-waf-i
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/lua-resty-waf-ignore-rulesets</span><span class="p p-Indicator">:</span> <span class="s">&quot;41000_sqli,</span><span class="nv"> </span><span class="s">42000_xss&quot;</span>
</pre></div>
<p>will ignore the two mentioned rulesets.</p>
<p>It is also possible to configure custom WAF rules per ingress using the <code class="codehilite">nginx.ingress.kubernetes.io/lua-resty-waf-extra-rules</code> annotation. For an example the following snippet will configure a WAF rule to deny requests with query string value that contains word <code class="codehilite">foo</code>:</p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/lua-resty-waf-extra-rules</span><span class="p p-Indicator">:</span> <span class="s">&#39;[=[</span><span class="nv"> </span><span class="s">{</span><span class="nv"> </span><span class="s">&quot;access&quot;:</span><span class="nv"> </span><span class="s">[</span><span class="nv"> </span><span class="s">{</span><span class="nv"> </span><span class="s">&quot;actions&quot;:</span><span class="nv"> </span><span class="s">{</span><span class="nv"> </span><span class="s">&quot;disrupt&quot;</span><span class="nv"> </span><span class="s">:</span><span class="nv"> </span><span class="s">&quot;DENY&quot;</span><span class="nv"> </span><span class="s">},</span><span class="nv"> </span><span class="s">&quot;id&quot;:</span><span class="nv"> </span><span class="s">10001,</span><span class="nv"> </span><span class="s">&quot;msg&quot;:</span><span class="nv"> </span><span class="s">&quot;my</span><span class="nv"> </span><span class="s">custom</span><span class="nv"> </span><span class="s">rule&quot;,</span><span class="nv"> </span><span class="s">&quot;operator&quot;:</span><span class="nv"> </span><span class="s">&quot;STR_CONTAINS&quot;,</span><span class="nv"> </span><span class="s">&quot;pattern&quot;:</span><span class="nv"> </span><span class="s">&quot;foo&quot;,</span><span class="nv"> </span><span class="s">&quot;vars&quot;:</span><span class="nv"> </span><span class="s">[</span><span class="nv"> </span><span class="s">{</span><span class="nv"> </span><span class="s">&quot;parse&quot;:</span><span class="nv"> </span><span class="s">[</span><span class="nv"> </span><span class="s">&quot;values&quot;,</span><span class="nv"> </span><span class="s">1</span><span class="nv"> </span><span class="s">],</span><span class="nv"> </span><span class="s">&quot;type&quot;:</span><span class="nv"> </span><span class="s">&quot;REQUEST_ARGS&quot;</span><span class="nv"> </span><span class="s">}</span><span class="nv"> </span><span class="s">]</span><span class="nv"> </span><span class="s">}</span><span class="nv"> </span><span class="s">],</span><span class="nv"> </span><span class="s">&quot;body_filter&quot;:</span><span class="nv"> </span><span class="s">[],</span><span class="nv"> </span><span class="s">&quot;header_filter&quot;:[]</span><span class="nv"> </span><span class="s">}</span><span class="nv"> </span><span class="s">]=]&#39;</span>
</pre></div>
<p>For details on how to write WAF rules, please refer to <a href="https://github.com/p0pr0ck5/lua-resty-waf">https://github.com/p0pr0ck5/lua-resty-waf</a>.</p>
<h3 id="grpc-backend-deprecated-since-0180">gRPC backend DEPRECATED (since 0.18.0)<a class="headerlink" href="#grpc-backend-deprecated-since-0180" title="Permanent link">&para;</a></h3>
<p>Please use <code class="codehilite">nginx.ingress.kubernetes.io/backend-protocol: &quot;GRPC&quot;</code> or <code class="codehilite">nginx.ingress.kubernetes.io/backend-protocol: &quot;GRPCS&quot;</code></p>
@ -2392,7 +2397,6 @@ using the <a href="https://github.com/influxdata/nginx-influxdb-module/">nginx-i
<span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/influxdb-server-name</span><span class="p p-Indicator">:</span> <span class="s">&quot;nginx-ingress&quot;</span>
</pre></div>
<p>For the <code class="codehilite">influxdb-host</code> parameter you have two options:</p>
<ul>
<li>Use an InfluxDB server configured with the <a href="https://docs.influxdata.com/influxdb/v1.5/supported_protocols/udp/">UDP protocol</a> enabled. </li>

36
user-guide/nginx-configuration/configmap/index.html
View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -632,6 +644,13 @@
http2-max-header-size
</a>
</li>
<li class="md-nav__item">
<a href="#http2-max-requests" title="http2-max-requests" class="md-nav__link">
http2-max-requests
</a>
</li>
<li class="md-nav__item">
@ -2018,6 +2037,13 @@
http2-max-header-size
</a>
</li>
<li class="md-nav__item">
<a href="#http2-max-requests" title="http2-max-requests" class="md-nav__link">
http2-max-requests
</a>
</li>
<li class="md-nav__item">
@ -2701,7 +2727,6 @@ you can add key-value pairs to the data section of the config-map. For Example:<
<span class="l l-Scalar l-Scalar-Plain">ssl-protocols</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">SSLv2</span>
</pre></div>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>The key and values in a ConfigMap can only be strings.
@ -2826,6 +2851,11 @@ Same for numbers, like "100".</p>
<td align="left">"16k"</td>
</tr>
<tr>
<td align="left"><a href="#http2-max-requests">http2-max-requests</a></td>
<td align="left">int</td>
<td align="left">1000</td>
</tr>
<tr>
<td align="left"><a href="#hsts">hsts</a></td>
<td align="left">bool</td>
<td align="left">"true"</td>
@ -3370,6 +3400,10 @@ Same for numbers, like "100".</p>
<p>Limits the maximum size of the entire request header list after HPACK decompression.</p>
<p><em>References:</em>
<a href="https://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_header_size">https://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_header_size</a></p>
<h2 id="http2-max-requests">http2-max-requests<a class="headerlink" href="#http2-max-requests" title="Permanent link">&para;</a></h2>
<p>Sets the maximum number of requests (including push requests) that can be served through one HTTP/2 connection, after which the next client request will lead to connection closing and the need of establishing a new connection.</p>
<p><em>References:</em>
<a href="http://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_requests">http://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_requests</a></p>
<h2 id="hsts">hsts<a class="headerlink" href="#hsts" title="Permanent link">&para;</a></h2>
<p>Enables or disables the header HSTS in servers running SSL.
HTTP Strict Transport Security (often abbreviated as HSTS) is a security feature (HTTP header) that tell browsers that it should only be communicated with using HTTPS, instead of using HTTP. It provides protection against protocol downgrade attacks and cookie theft.</p>

13
user-guide/nginx-configuration/custom-template/index.html
View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1066,7 +1078,6 @@ This includes using a <a href="https://kubernetes.io/docs/concepts/storage/volum
<span class="l l-Scalar l-Scalar-Plain">path</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">nginx.tmpl</span>
</pre></div>
<p><strong>Please note the template is tied to the Go code. Do not change names in the variable <code class="codehilite">$cfg</code>.</strong></p>
<p>For more information about the template syntax please check the <a href="https://golang.org/pkg/text/template/">Go template package</a>.
In addition to the built-in functions provided by the Go package the following functions are also available:</p>

12
user-guide/nginx-configuration/index.html
View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)

13
user-guide/nginx-configuration/log-format/index.html
View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1059,7 +1071,6 @@
<span class="x"> &#39;$upstream_response_length $upstream_response_time $upstream_status&#39;;</span>
</pre></div>
<table>
<thead>
<tr>

12
user-guide/third-party-addons/modsecurity/index.html
View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)

130
user-guide/third-party-addons/opentracing/index.html
View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1153,21 +1165,18 @@
<p>Using the third party module <a href="https://github.com/opentracing-contrib/nginx-opentracing">opentracing-contrib/nginx-opentracing</a> the NGINX ingress controller can configure NGINX to enable <a href="http://opentracing.io">OpenTracing</a> instrumentation.
By default this feature is disabled.</p>
<h2 id="usage">Usage<a class="headerlink" href="#usage" title="Permanent link">&para;</a></h2>
<p>To enable the instrumentation we must enable opentracing in the configuration configmap:</p>
<p>To enable the instrumentation we must enable opentracing in the configuration configmap:
<div class="codehilite"><pre><span></span><span class="n">data</span><span class="o">:</span>
<span class="n">enable</span><span class="o">-</span><span class="n">opentracing</span><span class="o">:</span> <span class="s2">&quot;true&quot;</span>
</pre></div>
</pre></div></p>
<p>We must also set the host to use when uploading traces:</p>
<div class="codehilite"><pre><span></span>zipkin-collector-host: zipkin.default.svc.cluster.local
jaeger-collector-host: jaeger-collector.default.svc.cluster.local
</pre></div>
<p>Next you will need to deploy a distributed tracing system which uses OpenTracing. Both <a href="https://github.com/openzipkin/zipkin">Zipkin</a> and
<a href="https://github.com/jaegertracing/jaeger">Jaeger</a> have been tested.</p>
<p>Other optional configuration options:</p>
<p>Other optional configuration options:
<div class="codehilite"><pre><span></span># specifies the port to use when uploading traces
zipkin-collector-port
@ -1189,9 +1198,7 @@ jaeger-sampler-type
# specifies the argument to be passed to the sampler constructor, Default: 1
jaeger-sampler-param
</pre></div>
</pre></div></p>
<h2 id="examples">Examples<a class="headerlink" href="#examples" title="Permanent link">&para;</a></h2>
<p>The following examples show how to deploy and test different distributed tracing systems. These example can be performed
using Minikube.</p>
@ -1202,7 +1209,6 @@ github repository is an example of a dockerized date service. To install the exa
kubectl create -f https://raw.githubusercontent.com/rnburn/zipkin-date-server/master/kubernetes/deployment.yaml
</pre></div>
<p>Also we need to configure the NGINX controller configmap with the required values:</p>
<div class="codehilite"><pre><span></span>$ <span class="nb">echo</span> <span class="s1">&#39;</span>
<span class="s1">apiVersion: v1</span>
@ -1216,28 +1222,30 @@ kubectl create -f https://raw.githubusercontent.com/rnburn/zipkin-date-server/ma
<span class="s1">&#39;</span> <span class="p">|</span> kubectl replace -f -
</pre></div>
<p>In the zipkin interface we can see the details:
<img alt="zipkin screenshot" src="../../../images/zipkin-demo.png" title="zipkin collector screenshot" /></p>
<h3 id="jaeger">Jaeger<a class="headerlink" href="#jaeger" title="Permanent link">&para;</a></h3>
<ol>
<li>
<p>Enable Ingress addon in minikube:
<code class="codehilite">$ minikube addons <span class="nb">enable</span> ingress</code></p>
<div class="codehilite"><pre><span></span>$ minikube addons <span class="nb">enable</span> ingress
</pre></div></p>
</li>
<li>
<p>Add minikube IP to /etc/hosts:
<code class="codehilite">$ <span class="nb">echo</span> <span class="s2">&quot;</span><span class="k">$(</span>minikube ip<span class="k">)</span><span class="s2"> example.com&quot;</span> <span class="p">|</span> sudo tee -a /etc/hosts</code></p>
<div class="codehilite"><pre><span></span>$ <span class="nb">echo</span> <span class="s2">&quot;</span><span class="k">$(</span>minikube ip<span class="k">)</span><span class="s2"> example.com&quot;</span> <span class="p">|</span> sudo tee -a /etc/hosts
</pre></div></p>
</li>
<li>
<p>Apply a Basic Service and Ingress Resource:
```
# Create Echoheaders Deployment
$ kubectl run echoheaders --image=k8s.gcr.io/echoserver:1.4 --replicas=1 --port=8080</p>
<h1 id="expose-as-a-cluster-ip">Expose as a Cluster-IP<a class="headerlink" href="#expose-as-a-cluster-ip" title="Permanent link">&para;</a></h1>
<p>$ kubectl expose deployment echoheaders --port=80 --target-port=8080 --name=echoheaders-x</p>
<h1 id="apply-the-ingress-resource">Apply the Ingress Resource<a class="headerlink" href="#apply-the-ingress-resource" title="Permanent link">&para;</a></h1>
<p>$ echo '
<div class="codehilite"><pre><span></span># Create Echoheaders Deployment
$ kubectl run echoheaders --image=k8s.gcr.io/echoserver:1.4 --replicas=1 --port=8080
# Expose as a Cluster-IP
$ kubectl expose deployment echoheaders --port=80 --target-port=8080 --name=echoheaders-x
# Apply the Ingress Resource
$ echo &#39;
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
@ -1251,54 +1259,68 @@ kubectl create -f https://raw.githubusercontent.com/rnburn/zipkin-date-server/ma
serviceName: echoheaders-x
servicePort: 80
path: /echo
' | kubectl apply -f -
```</p>
&#39; | kubectl apply -f -
</pre></div></p>
</li>
<li>
<p>Enable OpenTracing and set the zipkin-collector-host:
<code class="codehilite">$ <span class="nb">echo</span> <span class="s1">&#39;</span><span class="s1"> apiVersion: v1</span><span class="s1"> kind: ConfigMap</span><span class="s1"> data:</span><span class="s1"> enable-opentracing: &quot;true&quot;</span><span class="s1"> zipkin-collector-host: zipkin.default.svc.cluster.local</span><span class="s1"> jaeger-collector-host: jaeger-collector.default.svc.cluster.local</span><span class="s1"> metadata:</span><span class="s1"> name: nginx-load-balancer-conf</span><span class="s1"> namespace: kube-system</span><span class="s1"> &#39;</span> <span class="p">|</span> kubectl replace -f -</code></p>
<div class="codehilite"><pre><span></span>$ <span class="nb">echo</span> <span class="s1">&#39;</span>
<span class="s1"> apiVersion: v1</span>
<span class="s1"> kind: ConfigMap</span>
<span class="s1"> data:</span>
<span class="s1"> enable-opentracing: &quot;true&quot;</span>
<span class="s1"> zipkin-collector-host: zipkin.default.svc.cluster.local</span>
<span class="s1"> jaeger-collector-host: jaeger-collector.default.svc.cluster.local</span>
<span class="s1"> metadata:</span>
<span class="s1"> name: nginx-load-balancer-conf</span>
<span class="s1"> namespace: kube-system</span>
<span class="s1"> &#39;</span> <span class="p">|</span> kubectl replace -f -
</pre></div></p>
</li>
<li>
<p>Apply the Jaeger All-In-One Template:
<code class="codehilite">$ kubectl apply -f https://raw.githubusercontent.com/jaegertracing/jaeger-kubernetes/master/all-in-one/jaeger-all-in-one-template.yml</code></p>
<div class="codehilite"><pre><span></span>$ kubectl apply -f https://raw.githubusercontent.com/jaegertracing/jaeger-kubernetes/master/all-in-one/jaeger-all-in-one-template.yml
</pre></div></p>
</li>
<li>
<p>Make a few requests to the Service:
```
$ curl example.com/echo -d "meow"</p>
<p>CLIENT VALUES:
client_address=172.17.0.5
command=POST
real path=/echo
query=nil
request_version=1.1
request_uri=http://example.com:8080/echo</p>
<p>SERVER VALUES:
server_version=nginx: 1.10.0 - lua: 10001</p>
<p>HEADERS RECEIVED:
accept=<em>/</em>
connection=close
content-length=4
content-type=application/x-www-form-urlencoded
host=example.com
user-agent=curl/7.54.0
x-forwarded-for=192.168.99.1
x-forwarded-host=example.com
x-forwarded-port=80
x-forwarded-proto=http
x-original-uri=/echo
x-real-ip=192.168.99.1
x-scheme=http
<div class="codehilite"><pre><span></span>$ curl example.com/echo -d <span class="s2">&quot;meow&quot;</span>
CLIENT VALUES:
<span class="nv">client_address</span><span class="o">=</span><span class="m">172</span>.17.0.5
<span class="nv">command</span><span class="o">=</span>POST
real <span class="nv">path</span><span class="o">=</span>/echo
<span class="nv">query</span><span class="o">=</span>nil
<span class="nv">request_version</span><span class="o">=</span><span class="m">1</span>.1
<span class="nv">request_uri</span><span class="o">=</span>http://example.com:8080/echo
SERVER VALUES:
<span class="nv">server_version</span><span class="o">=</span>nginx: <span class="m">1</span>.10.0 - lua: <span class="m">10001</span>
HEADERS RECEIVED:
<span class="nv">accept</span><span class="o">=</span>*/*
<span class="nv">connection</span><span class="o">=</span>close
content-length<span class="o">=</span><span class="m">4</span>
content-type<span class="o">=</span>application/x-www-form-urlencoded
<span class="nv">host</span><span class="o">=</span>example.com
user-agent<span class="o">=</span>curl/7.54.0
x-forwarded-for<span class="o">=</span><span class="m">192</span>.168.99.1
x-forwarded-host<span class="o">=</span>example.com
x-forwarded-port<span class="o">=</span><span class="m">80</span>
x-forwarded-proto<span class="o">=</span>http
x-original-uri<span class="o">=</span>/echo
x-real-ip<span class="o">=</span><span class="m">192</span>.168.99.1
x-scheme<span class="o">=</span>http
BODY:
meow
```</p>
</pre></div></p>
</li>
<li>
<p>View the Jaeger UI:
```
$ minikube service jaeger-query --url</p>
<p>http://192.168.99.100:30183
```</p>
<div class="codehilite"><pre><span></span>$ minikube service jaeger-query --url
http://192.168.99.100:30183
</pre></div></p>
<p>In the jaeger interface we can see the details:
<img alt="jaeger screenshot" src="../../../images/jaeger-demo.png" title="jaeger collector screenshot" /></p>
</li>

15
user-guide/tls/index.html
View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1209,12 +1221,10 @@
<div class="codehilite"><pre><span></span>$ openssl req -x509 -nodes -days <span class="m">365</span> -newkey rsa:2048 -keyout <span class="si">${</span><span class="nv">KEY_FILE</span><span class="si">}</span> -out <span class="si">${</span><span class="nv">CERT_FILE</span><span class="si">}</span> -subj <span class="s2">&quot;/CN=</span><span class="si">${</span><span class="nv">HOST</span><span class="si">}</span><span class="s2">/O=</span><span class="si">${</span><span class="nv">HOST</span><span class="si">}</span><span class="s2">&quot;</span><span class="sb">`</span>
</pre></div>
<p>Then create the secret in the cluster via:</p>
<div class="codehilite"><pre><span></span>kubectl create secret tls <span class="si">${</span><span class="nv">CERT_NAME</span><span class="si">}</span> --key <span class="si">${</span><span class="nv">KEY_FILE</span><span class="si">}</span> --cert <span class="si">${</span><span class="nv">CERT_FILE</span><span class="si">}</span>
</pre></div>
<p>The resulting secret will be of type <code class="codehilite">kubernetes.io/tls</code>.</p>
<h2 id="default-ssl-certificate">Default SSL Certificate<a class="headerlink" href="#default-ssl-certificate" title="Permanent link">&para;</a></h2>
<p>NGINX provides the option to configure a server as a catch-all with
@ -1265,7 +1275,6 @@ by monitoring ingress resources and their referenced secrets.</p>
<div class="codehilite"><pre><span></span><span class="go">kubectl annotate ing ingress-demo kubernetes.io/tls-acme=&quot;true&quot;</span>
</pre></div>
<p>To setup Kube-Lego you can take a look at this <a href="https://github.com/jetstack/kube-lego/tree/master/examples">full example</a>.
The first version to fully support Kube-Lego is Nginx Ingress controller 0.8.</p>
<h2 id="default-tls-version-and-ciphers">Default TLS Version and Ciphers<a class="headerlink" href="#default-tls-version-and-ciphers" title="Permanent link">&para;</a></h2>