</code></pre></div><divclass="admonition important"><pclass=admonition-title>Important</p><p>The key and values in a ConfigMap can only be strings. This means that we want a value with boolean values we need to quote the values, like "true" or "false". Same for numbers, like "100".</p><p>"Slice" types (defined below as <code>[]string</code> or <code>[]int</code>) can be provided as a comma-delimited string.</p></div><h2id=configuration-options>Configuration options<aclass=headerlinkhref=#configuration-optionstitle="Permanent link"> ¶</a></h2><p>The following table shows a configuration option's name, type, and the default value:</p><table><thead><tr><thstyle="text-align: left;">name</th><thstyle="text-align: left;">type</th><thstyle="text-align: left;">default</th><thstyle="text-align: left;">notes</th></tr></thead><tbody><tr><tdstyle="text-align: left;"><ahref=#add-headers>add-headers</a></td><tdstyle="text-align: left;">string</td><tdstyle="text-align: left;">""</td><tdstyle="text-align: left;"></td></tr><tr><tdstyle="text-align: left;"><ahref=#allow-backend-server-header>allow-backend-server-header</a></td><tdstyle="text-align: left;">bool</td><tdstyle="text-align: left;">"false"</td><tdstyle="text-align: left;"></td></tr><tr><tdstyle="text-align: left;"><ahref=#allow-cross-namespace-resources>allow-cross-namespace-resources</a></td><tdstyle="text-align: left;">bool</td><tdstyle="text-align: left;">"false"</td><tdstyle="text-align: left;"></td></tr><tr><tdstyle="text-align: left;"><ahref=#allow-snippet-annotations>allow-snippet-annotations</a></td><tdstyle="text-align: left;">bool</td><tdstyle="text-align: left;">"false"</td><tdstyle="text-align: left;"></td></tr><tr><tdstyle="text-align: left;"><ahref=#annotations-risk-level>annotations-risk-level</a></td><tdstyle="text-align: left;">string</td><tdstyle="text-align: left;">High</td><tdstyle="text-align: left;"></td></tr><tr><tdstyle="text-align: left;"><ahref=#annotation-value-word-blocklist>annotation-value-word-blocklist</a></td><tdstyle="text-align: left;">string array</td><tdstyle="text-align: left;">""</td><tdstyle="text-align: left;"></td></tr><tr><tdstyle="text-align: left;"><ahref=#hide-headers>hide-headers</a></td><tdstyle="text-align: left;">string array</td><tdstyle="text-align: left;">empty</td><tdstyle="text-align: left;"></td></tr><tr><tdstyle="text-align: left;"><ahref=#access-log-params>access-log-params</a></td><tdstyle="text-align: left;">string</td><tdstyle="text-align: left;">""</td><tdstyle="text-align: left;"></td></tr><tr><tdstyle="text-align: left;"><ahref=#access-log-path>access-log-path</a></td><tdstyle="text-align: left;">string</td><tdstyle="text-align: left;">"/var/log/nginx/access.log"</td><tdstyle="text-align: left;"></td></tr><tr><tdstyle="text-align: left;"><ahref=#http-access-log-path>http-access-log-path</a></td><tdstyle="text-align: left;">string</td><tdstyle="text-align: left;">""</td><tdstyle="text-align: left;"></td></tr><tr><tdstyle="text-align: left;"><ahref=#stream-access-log-path>stream-access-log-path</a></td><tdstyle="text-align: left;">string</td><tdstyle="text-align: left;">""</td><tdstyle="text-align: left;"></td></tr><tr><tdstyle="text-align: left;"><ahref=#enable-access-log-for-default-backend>enable-access-log-for-default-backend</a></td><tdstyle="text-align: left;">bool</td><tdstyle="text-align: left;">"false"</td><tdstyle="text-align: left;"></td></tr><tr><tdstyle="text-align: left;"><ahref=#error-log-path>error-log-path</a></td><tdstyle="text-align: left;">string</td><tdstyle="text-align: left;">"/var/log/nginx/error.log"</td><tdstyle="text-align: left;"></td></tr><tr><tdstyle="text-align: left;"><ahref=#enable-modsecurity>enable-modsecurity</a></td><tdstyle="text-align: left;">bool</td><tdstyle="text-align: left;">"false"</td><tdstyle="text-align: left;"></td></tr><tr><tdstyle="text-align: left;"><ahref=#modsecurity-snippet>modse
</code></pre></div><p><em>References:</em><ahref=https://nginx.org/en/CHANGES>nginx change log</a><ahref=https://trac.nginx.org/nginx/ticket/2155>nginx issue tracker</a><ahref=https://mailman.nginx.org/pipermail/nginx/2021-May/060697.html>nginx mailing list</a></p><h2id=keep-alive-requests>keep-alive-requests<aclass=headerlinkhref=#keep-alive-requeststitle="Permanent link"> ¶</a></h2><p>Sets the maximum number of requests that can be served through one keep-alive connection.</p><p><em>References:</em><ahref=https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_requests>https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_requests</a></p><h2id=large-client-header-buffers>large-client-header-buffers<aclass=headerlinkhref=#large-client-header-bufferstitle="Permanent link"> ¶</a></h2><p>Sets the maximum number and size of buffers used for reading large client request header. <em><strong>default:</strong></em> 4 8k</p><p><em>References:</em><ahref=https://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers>https://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers</a></p><h2id=log-format-escape-none>log-format-escape-none<aclass=headerlinkhref=#log-format-escape-nonetitle="Permanent link"> ¶</a></h2><p>Sets if the escape parameter is disabled entirely for character escaping in variables ("true") or controlled by log-format-escape-json ("false") Sets the nginx <ahref=https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format>log format</a>.</p><h2id=log-format-escape-json>log-format-escape-json<aclass=headerlinkhref=#log-format-escape-jsontitle="Permanent link"> ¶</a></h2><p>Sets if the escape parameter allows JSON ("true") or default characters escaping in variables ("false") Sets the nginx <ahref=https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format>log format</a>.</p><h2id=log-format-upstream>log-format-upstream<aclass=headerlinkhref=#log-format-upstreamtitle="Permanent link"> ¶</a></h2><p>Sets the nginx <ahref=https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format>log format</a>. Example for json output:</p><divclass=highlight><pre><span></span><code><spanclass=err>log</span><spanclass=mi>-</span><spanclass=kc>f</span><spanclass=err>orma</span><spanclass=kc>t</span><spanclass=mi>-</span><spanclass=err>ups</span><spanclass=kc>trea</span><spanclass=err>m</span><spanclass=p>:</span><spanclass=w></span><spanclass=err>'</span><spanclass=p>{</span><spanclass=nt>"time"</span><spanclass=p>:</span><spanclass=w></span><spanclass=s2>"$time_iso8601"</span><spanclass=p>,</span><spanclass=w></span><spanclass=nt>"remote_addr"</span><spanclass=p>:</span><spanclass=w></span><spanclass=s2>"$proxy_protocol_addr"</span><spanclass=p>,</span><spanclass=w></span><spanclass=nt>"x_forwarded_for"</span><spanclass=p>:</span><spanclass=w></span><spanclass=s2>"$proxy_add_x_forwarded_for"</span><spanclass=p>,</span><spanclass=w></span><spanclass=nt>"request_id"</span><spanclass=p>:</span><spanclass=w></span><spanclass=s2>"$req_id"</span><spanclass=p>,</span>
</code></pre></div><p>Please check the <ahref=../log-format/>log-format</a> for definition of each field.</p><h2id=log-format-stream>log-format-stream<aclass=headerlinkhref=#log-format-streamtitle="Permanent link"> ¶</a></h2><p>Sets the nginx <ahref=https://nginx.org/en/docs/stream/ngx_stream_log_module.html#log_format>stream format</a>.</p><h2id=enable-multi-accept>enable-multi-accept<aclass=headerlinkhref=#enable-multi-accepttitle="Permanent link"> ¶</a></h2><p>If disabled, a worker process will accept one new connection at a time. Otherwise, a worker process will accept all new connections at a time. <em><strong>default:</strong></em> true</p><p><em>References:</em><ahref=https://nginx.org/en/docs/ngx_core_module.html#multi_accept>https://nginx.org/en/docs/ngx_core_module.html#multi_accept</a></p><h2id=max-worker-connections>max-worker-connections<aclass=headerlinkhref=#max-worker-connectionstitle="Permanent link"> ¶</a></h2><p>Sets the <ahref=https://nginx.org/en/docs/ngx_core_module.html#worker_connections>maximum number of simultaneous connections</a> that can be opened by each worker process. 0 will use the value of <ahref=#max-worker-open-files>max-worker-open-files</a>. <em><strong>default:</strong></em> 16384</p><divclass="admonition tip"><pclass=admonition-title>Tip</p><p>Using 0 in scenarios of high load improves performance at the cost of increasing RAM utilization (even on idle).</p></div><h2id=max-worker-open-files>max-worker-open-files<aclass=headerlinkhref=#max-worker-open-filestitle="Permanent link"> ¶</a></h2><p>Sets the <ahref=https://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile>maximum number of files</a> that can be opened by each worker process. The default of 0 means "max open files (system's limit) - 1024". <em><strong>default:</strong></em> 0</p><h2id=map-hash-bucket-size>map-hash-bucket-size<aclass=headerlinkhref=#map-hash-bucket-sizetitle="Permanent link"> ¶</a></h2><p>Sets the bucket size for the <ahref=https://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_bucket_size>map variables hash tables</a>. The details of setting up hash tables are provided in a separate <ahref=https://nginx.org/en/docs/hash.html>document</a>.</p><h2id=proxy-real-ip-cidr>proxy-real-ip-cidr<aclass=headerlinkhref=#proxy-real-ip-cidrtitle="Permanent link"> ¶</a></h2><p>If <code>use-forwarded-headers</code> or <code>use-proxy-protocol</code> is enabled, <code>proxy-real-ip-cidr</code> defines the default IP/network address of your external load balancer. Can be a comma-separated list of CIDR blocks. <em><strong>default:</strong></em> "0.0.0.0/0"</p><h2id=proxy-set-headers>proxy-set-headers<aclass=headerlinkhref=#proxy-set-headerstitle="Permanent link"> ¶</a></h2><p>Sets custom headers from named configmap before sending traffic to backends. The value format is namespace/name. See <ahref=https://kubernetes.github.io/ingress-nginx/examples/customization/custom-headers/>example</a></p><h2id=server-name-hash-max-size>server-name-hash-max-size<aclass=headerlinkhref=#server-name-hash-max-sizetitle="Permanent link"> ¶</a></h2><p>Sets the maximum size of the <ahref=https://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_max_size>server names hash tables</a> used in server names,map directive’s values, MIME types, names of request header strings, etc.</p><p><em>References:</em><ahref=https://nginx.org/en/docs/hash.html>https://nginx.org/en/docs/hash.html</a></p><h2id=server-name-hash-bucket-size>server-name-hash-bucket-size<aclass=headerlinkhref=#server-name-hash-bucket-sizetitle="Permanent link"> ¶</a></h2><p>Sets the size of the bucket for the server names hash tables.</p><p><em>References:</em></p><ul><li><ahref=https://nginx.org/en/docs/hash.html>https://nginx.org/en/docs/hash.html</a></li><li><ahref=https://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_bucket_size>https://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_bucket_size</a></li></ul><h
</code></pre></div><p>For example following will set default <code>certificate_data</code> dictionary to <code>100M</code> and will introduce a new dictionary called <code>my_custom_plugin</code>:</p><divclass=highlight><pre><span></span><code>lua-shared-dicts: "certificate_data: 100, my_custom_plugin: 5"
</code></pre></div><p>You can optionally set a size unit to allow for kilobyte-granularity. Allowed units are 'm' or 'k' (case-insensitive), and it defaults to MB if no unit is provided. Here is a similar example, but the <code>my_custom_plugin</code> dict is only 512KB.</p><divclass=highlight><pre><span></span><code>lua-shared-dicts: "certificate_data: 100, my_custom_plugin: 512k"
</code></pre></div><h2id=http-redirect-code>http-redirect-code<aclass=headerlinkhref=#http-redirect-codetitle="Permanent link"> ¶</a></h2><p>Sets the HTTP status code to be used in redirects. Supported codes are <ahref=https://developer.mozilla.org/docs/Web/HTTP/Status/301>301</a>,<ahref=https://developer.mozilla.org/docs/Web/HTTP/Status/302>302</a>,<ahref=https://developer.mozilla.org/docs/Web/HTTP/Status/307>307</a> and <ahref=https://developer.mozilla.org/docs/Web/HTTP/Status/308>308</a><em><strong>default:</strong></em> 308</p><blockquote><p><strong>Why the default code is 308?</strong></p><p><ahref=https://tools.ietf.org/html/rfc7238>RFC 7238</a> was created to define the 308 (Permanent Redirect) status code that is similar to 301 (Moved Permanently) but it keeps the payload in the redirect. This is important if we send a redirect in methods like POST.</p></blockquote><h2id=proxy-buffering>proxy-buffering<aclass=headerlinkhref=#proxy-bufferingtitle="Permanent link"> ¶</a></h2><p>Enables or disables <ahref=https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffering>buffering of responses from the proxied server</a>.</p><h2id=limit-req-status-code>limit-req-status-code<aclass=headerlinkhref=#limit-req-status-codetitle="Permanent link"> ¶</a></h2><p>Sets the <ahref=https://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_status>status code to return in response to rejected requests</a>. <em><strong>default:</strong></em> 503</p><h2id=limit-conn-status-code>limit-conn-status-code<aclass=headerlinkhref=#limit-conn-status-codetitle="Permanent link"> ¶</a></h2><p>Sets the <ahref=https://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn_status>status code to return in response to rejected connections</a>. <em><strong>default:</strong></em> 503</p><h2id=enable-syslog>enable-syslog<aclass=headerlinkhref=#enable-syslogtitle="Permanent link"> ¶</a></h2><p>Enable <ahref=https://nginx.org/en/docs/syslog.html>syslog</a> feature for access log and error log. <em><strong>default:</strong></em> false</p><h2id=syslog-host>syslog-host<aclass=headerlinkhref=#syslog-hosttitle="Permanent link"> ¶</a></h2><p>Sets the address of syslog server. The address can be specified as a domain name or IP address.</p><h2id=syslog-port>syslog-port<aclass=headerlinkhref=#syslog-porttitle="Permanent link"> ¶</a></h2><p>Sets the port of syslog server. <em><strong>default:</strong></em> 514</p><h2id=no-tls-redirect-locations>no-tls-redirect-locations<aclass=headerlinkhref=#no-tls-redirect-locationstitle="Permanent link"> ¶</a></h2><p>A comma-separated list of locations on which http requests will never get redirected to their https counterpart. <em><strong>default:</strong></em> "/.well-known/acme-challenge"</p><h2id=global-allowed-response-headers>global-allowed-response-headers<aclass=headerlinkhref=#global-allowed-response-headerstitle="Permanent link"> ¶</a></h2><p>A comma-separated list of allowed response headers inside the <ahref=https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#custom-headers>custom headers annotations</a></p><h2id=global-auth-url>global-auth-url<aclass=headerlinkhref=#global-auth-urltitle="Permanent link"> ¶</a></h2><p>A url to an existing service that provides authentication for all the locations. Similar to the Ingress rule annotation <code>nginx.ingress.kubernetes.io/auth-url</code>. Locations that should not get authenticated can be listed using <code>no-auth-locations</code> See <ahref=#no-auth-locations>no-auth-locations</a>. In addition, each service can be excluded from authentication via annotation <code>enable-global-auth</code> set to "false". <em><strong>default:</strong></em> ""</p><p><em>References:</em><ahref=https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#external-authentication>https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annot
