Merge branch 'master' into nginx/extauth_headers
commit
c8eda8f17f
89 changed files with 3309 additions and 379 deletions
|
|
@ -12,7 +12,7 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
FROM gcr.io/google_containers/nginx-slim:0.13
|
||||
FROM gcr.io/google_containers/nginx-slim:0.14
|
||||
|
||||
RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y \
|
||||
diffutils \
|
||||
|
|
|
|||
|
|
@ -8,17 +8,17 @@ local get_upstreams = upstream.get_upstreams
|
|||
local random = math.random
|
||||
local us = get_upstreams()
|
||||
|
||||
function openURL(status)
|
||||
function openURL(original_headers, status)
|
||||
local httpc = http.new()
|
||||
|
||||
original_headers["X-Code"] = status or "404"
|
||||
original_headers["X-Format"] = original_headers["Accept"] or "text/html"
|
||||
|
||||
local random_backend = get_destination()
|
||||
local res, err = httpc:request_uri(random_backend, {
|
||||
path = "/",
|
||||
method = "GET",
|
||||
headers = {
|
||||
["X-Code"] = status or "404",
|
||||
["X-Format"] = ngx.var.httpAccept or "html",
|
||||
}
|
||||
headers = original_headers,
|
||||
})
|
||||
|
||||
if not res then
|
||||
|
|
@ -26,8 +26,8 @@ function openURL(status)
|
|||
ngx.exit(500)
|
||||
end
|
||||
|
||||
if ngx.var.http_cookie then
|
||||
ngx.header["Cookie"] = ngx.var.http_cookie
|
||||
for k,v in pairs(res.headers) do
|
||||
ngx.header[k] = v
|
||||
end
|
||||
|
||||
ngx.status = tonumber(status)
|
||||
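Review bot: The loop `for k,v in pairs(res.headers) do ngx.header[k] = v end` in the second hunk (`@ -26,8 +26,8`) relays every response header from the error backend to the client, including framing and hop-by-hop headers such as `Content-Length`, `Transfer-Encoding` and `Connection`, which nginx derives itself for a Lua-generated body; copying them may yield an inconsistent response, and it also lets the default backend set any cookie or security header on the ingress's behalf. Restrict the copy to what should be relayed, e.g. `local skip = { connection = true, ["transfer-encoding"] = true, ["content-length"] = true }` before the loop and `if not skip[k:lower()] then ngx.header[k] = v end` inside it. On the request side, `original_headers` is the full table from `ngx.req.get_headers(0)` at the call sites, so the default backend now receives the client's `Cookie`, `Authorization` and `Host` as well; if that is intended, a comment above the `httpc:request_uri` call such as `-- all client request headers are forwarded; the default backend must treat them as untrusted` makes the trust boundary explicit. openURL's body continues past the end of the second hunk.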
|
|
|
|||
|
|
@ -1,4 +1,8 @@
|
|||
{{ $cfg := .Cfg }}{{ $healthzURI := .HealthzURI }}{{ $backends := .Backends }}
|
||||
{{ $cfg := .Cfg }}
|
||||
{{ $healthzURI := .HealthzURI }}
|
||||
{{ $backends := .Backends }}
|
||||
{{ $proxyHeaders := .ProxySetHeaders }}
|
||||
{{ $passthroughBackends := .PassthroughBackends }}
|
||||
daemon off;
|
||||
|
||||
worker_processes {{ $cfg.WorkerProcesses }};
|
||||
|
|
@ -81,13 +85,17 @@ http {
|
|||
|
||||
{{/* map urls that should not appear in access.log */}}
|
||||
{{/* http://nginx.org/en/docs/http/ngx_http_log_module.html#access_log */}}
|
||||
map $request $loggable {
|
||||
map $request_uri $loggable {
|
||||
{{ range $reqUri := $cfg.SkipAccessLogURLs }}
|
||||
{{ $reqUri }} 0;{{ end }}
|
||||
default 1;
|
||||
}
|
||||
|
||||
{{ if $cfg.DisableAccessLog }}
|
||||
access_log off;
|
||||
{{ else }}
|
||||
access_log /var/log/nginx/access.log upstreaminfo if=$loggable;
|
||||
{{ end }}
|
||||
error_log /var/log/nginx/error.log {{ $cfg.ErrorLogLevel }};
|
||||
|
||||
{{ buildResolvers $cfg.Resolver }}
|
||||
|
|
@ -181,8 +189,8 @@ http {
|
|||
|
||||
{{range $name, $upstream := $backends}}
|
||||
upstream {{$upstream.Name}} {
|
||||
{{ if $cfg.EnableStickySessions }}
|
||||
sticky hash=sha1 httponly;
|
||||
{{ if eq $upstream.SessionAffinity.AffinityType "cookie" }}
|
||||
sticky hash={{$upstream.SessionAffinity.CookieSessionAffinity.Hash}} name={{$upstream.SessionAffinity.CookieSessionAffinity.Name}} httponly;
|
||||
{{ else }}
|
||||
least_conn;
|
||||
{{ end }}
|
||||
|
|
@ -204,7 +212,7 @@ http {
|
|||
listen [::]:80{{ if $cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ if eq $index 0 }} ipv6only=off{{end}}{{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $backlogSize }}{{end}};
|
||||
{{/* Listen on 442 because port 443 is used in the stream section */}}
|
||||
{{/* This listen cannot contains proxy_protocol directive because port 443 is in charge of decoding the protocol */}}
|
||||
{{ if not (empty $server.SSLCertificate) }}listen 442 {{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $backlogSize }}{{end}} ssl {{ if $cfg.UseHTTP2 }}http2{{ end }};
|
||||
{{ if not (empty $server.SSLCertificate) }}listen {{ if gt (len $passthroughBackends) 0 }}442{{ else }}[::]:443 {{ end }}{{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $backlogSize }}{{end}} ssl {{ if $cfg.UseHTTP2 }}http2{{ end }};
|
||||
{{/* comment PEM sha is required to detect changes in the generated configuration and force a reload */}}
|
||||
# PEM sha: {{ $server.SSLPemChecksum }}
|
||||
ssl_certificate {{ $server.SSLCertificate }};
|
||||
|
|
@ -221,10 +229,11 @@ http {
|
|||
{{ $path := buildLocation $location }}
|
||||
{{ $authPath := buildAuthLocation $location }}
|
||||
|
||||
{{ if not (empty $location.CertificateAuth.CertFileName) }}
|
||||
# PEM sha: {{ $location.CertificateAuth.PemSHA }}
|
||||
ssl_client_certificate {{ $location.CertificateAuth.CAFileName }};
|
||||
{{ if not (empty $location.CertificateAuth.AuthSSLCert.CAFileName) }}
|
||||
# PEM sha: {{ $location.CertificateAuth.AuthSSLCert.PemSHA }}
|
||||
ssl_client_certificate {{ $location.CertificateAuth.AuthSSLCert.CAFileName }};
|
||||
ssl_verify_client on;
|
||||
ssl_verify_depth {{ $location.CertificateAuth.ValidationDepth }};
|
||||
{{ end }}
|
||||
|
||||
{{ if not (empty $authPath) }}
|
||||
|
|
@ -294,6 +303,11 @@ http {
|
|||
|
||||
proxy_set_header Host $host;
|
||||
|
||||
# Pass the extracted client certificate to the backend
|
||||
{{ if not (empty $location.CertificateAuth.AuthSSLCert.CAFileName) }}
|
||||
proxy_set_header ssl-client-cert $ssl_client_cert;
|
||||
{{ end }}
|
||||
|
||||
# Pass Real IP
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
|
||||
|
|
@ -310,6 +324,11 @@ http {
|
|||
# https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
|
||||
proxy_set_header Proxy "";
|
||||
|
||||
# Custom headers
|
||||
{{ range $k, $v := $proxyHeaders }}
|
||||
proxy_set_header {{ $k }} "{{ $v }}";
|
||||
{{ end }}
|
||||
|
||||
proxy_connect_timeout {{ $location.Proxy.ConnectTimeout }}s;
|
||||
proxy_send_timeout {{ $location.Proxy.SendTimeout }}s;
|
||||
proxy_read_timeout {{ $location.Proxy.ReadTimeout }}s;
|
||||
|
|
@ -320,11 +339,17 @@ http {
|
|||
|
||||
proxy_http_version 1.1;
|
||||
|
||||
proxy_cookie_domain {{ $location.Proxy.CookieDomain }};
|
||||
proxy_cookie_path {{ $location.Proxy.CookiePath }};
|
||||
|
||||
{{/* rewrite only works if the content is not compressed */}}
|
||||
{{ if $location.Redirect.AddBaseURL }}
|
||||
proxy_set_header Accept-Encoding "";
|
||||
{{ end }}
|
||||
|
||||
{{/* Add any additional configuration defined */}}
|
||||
{{ $location.ConfigurationSnippet }}
|
||||
|
||||
{{ buildProxyPass $backends $location }}
|
||||
{{ else }}
|
||||
#{{ $location.Denied }}
|
||||
|
|
@ -406,7 +431,7 @@ http {
|
|||
location / {
|
||||
{{ if .CustomErrors }}
|
||||
content_by_lua_block {
|
||||
openURL(503)
|
||||
openURL(ngx.req.get_headers(0), 503)
|
||||
}
|
||||
{{ else }}
|
||||
return 503;
|
||||
|
|
@ -416,6 +441,7 @@ http {
|
|||
}
|
||||
|
||||
stream {
|
||||
{{ if gt (len $passthroughBackends) 0 }}
|
||||
# map FQDN that requires SSL passthrough
|
||||
map $ssl_preread_server_name $stream_upstream {
|
||||
{{ range $i, $passthrough := .PassthroughBackends }}
|
||||
|
|
@ -427,7 +453,12 @@ stream {
|
|||
|
||||
log_format log_stream '$remote_addr [$time_local] $protocol [$ssl_preread_server_name] [$stream_upstream] $status $bytes_sent $bytes_received $session_time';
|
||||
|
||||
{{ if $cfg.DisableAccessLog }}
|
||||
access_log off;
|
||||
{{ else }}
|
||||
access_log /var/log/nginx/access.log log_stream;
|
||||
{{ end }}
|
||||
|
||||
error_log /var/log/nginx/error.log;
|
||||
|
||||
# configure default backend for SSL
|
||||
|
|
@ -435,33 +466,42 @@ stream {
|
|||
server 127.0.0.1:442;
|
||||
}
|
||||
|
||||
{{ buildSSPassthroughUpstreams $backends .PassthroughBackends }}
|
||||
{{ buildSSLPassthroughUpstreams $backends .PassthroughBackends }}
|
||||
|
||||
server {
|
||||
listen [::]:443 ipv6only=off{{ if $cfg.UseProxyProtocol }} proxy_protocol{{ end }};
|
||||
proxy_pass $stream_upstream;
|
||||
ssl_preread on;
|
||||
}
|
||||
{{ end }}
|
||||
|
||||
{{ buildStreamUpstreams "tcp" $backends .TCPBackends }}
|
||||
|
||||
{{ buildStreamUpstreams "udp" $backends .UDPBackends }}
|
||||
|
||||
# TCP services
|
||||
{{ range $i, $tcpServer := .TCPBackends }}
|
||||
server {
|
||||
listen {{ $tcpServer.Path }};
|
||||
proxy_pass tcp-{{ $tcpServer.Backend }};
|
||||
}
|
||||
upstream {{ $tcpServer.Backend.Namespace }}-{{ $tcpServer.Backend.Name }}-{{ $tcpServer.Backend.Port }} {
|
||||
{{ range $j, $endpoint := $tcpServer.Endpoints }}
|
||||
server {{ $endpoint.Address }}:{{ $endpoint.Port }};
|
||||
{{ end }}
|
||||
}
|
||||
|
||||
server {
|
||||
listen {{ $tcpServer.Port }};
|
||||
proxy_pass {{ $tcpServer.Backend.Namespace }}-{{ $tcpServer.Backend.Name }}-{{ $tcpServer.Backend.Port }};
|
||||
}
|
||||
{{ end }}
|
||||
|
||||
# UDP services
|
||||
{{ range $i, $udpServer := .UDPBackends }}
|
||||
server {
|
||||
listen {{ $udpServer.Path }} udp;
|
||||
proxy_responses 1;
|
||||
proxy_pass udp-{{ $udpServer.Backend }};
|
||||
}
|
||||
# UDP services
|
||||
{{ range $i, $udpServer := .UDPBackends }}
|
||||
upstream {{ $udpServer.Backend.Namespace }}-{{ $udpServer.Backend.Name }}-{{ $udpServer.Backend.Port }} {
|
||||
{{ range $j, $endpoint := $udpServer.Endpoints }}
|
||||
server {{ $endpoint.Address }}:{{ $endpoint.Port }};
|
||||
{{ end }}
|
||||
}
|
||||
|
||||
server {
|
||||
listen {{ $udpServer.Port }};
|
||||
proxy_responses 1;
|
||||
proxy_pass {{ $udpServer.Backend.Namespace }}-{{ $udpServer.Backend.Name }}-{{ $udpServer.Backend.Port }};
|
||||
}
|
||||
{{ end }}
|
||||
}
|
||||
|
||||
|
|
@ -471,7 +511,7 @@ stream {
|
|||
location @custom_{{ $errCode }} {
|
||||
internal;
|
||||
content_by_lua_block {
|
||||
openURL({{ $errCode }})
|
||||
openURL(ngx.req.get_headers(0), {{ $errCode }})
|
||||
}
|
||||
}
|
||||
{{ end }}
|
||||
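Review bot: In the `@ -310,6 +324,11` hunk, `proxy_set_header {{ $k }} "{{ $v }}";` interpolates the ConfigMap-supplied name and value straight into the nginx configuration; a value containing `"`, `;` or a newline ends the quoted string and the directive, and whatever follows is parsed as further configuration, while an invalid name breaks the reload for every ingress. The template has no escaping function in scope, so validate the pairs where `.ProxySetHeaders` is built (header-name token characters only; reject values containing quotes, semicolons or newlines) and record that contract here, e.g. `{{/* keys and values are validated by the controller before templating; nginx offers no escaping inside quoted strings */}}`. Related, in the `@ -294,6 +303,11` hunk `proxy_set_header ssl-client-cert $ssl_client_cert;` is only emitted when a CA is configured, so in other locations a client-supplied `ssl-client-cert` request header presumably reaches the backend unchanged; emitting `proxy_set_header ssl-client-cert "";` in an `{{ else }}` branch keeps backends from trusting a spoofed value.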
|
|
|
|||