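{{/* Template-scoped aliases for the render context. $backends and $proxyHeaders
     are not referenced in the visible part of this file. */}}
{{ $all := . }}
{{ $servers := .Servers }}
{{ $cfg := .Cfg }}
{{ $IsIPV6Enabled := .IsIPV6Enabled }}
{{ $healthzURI := .HealthzURI }}
{{ $backends := .Backends }}
{{ $proxyHeaders := .ProxySetHeaders }}
{{ $addHeaders := .AddHeaders }}

# Configuration checksum: {{ $all.Cfg.Checksum }}

# setup custom paths that do not require root access
pid {{ .PID }};

{{/* Dynamic modules are only loaded when the rendered configuration needs them,
     so a worker carries no more native code than the enabled features require. */}}
{{ if $cfg.UseGeoIP2 }}
load_module /etc/nginx/modules/ngx_http_geoip2_module.so;
{{ end }}

{{ if $cfg.EnableBrotli }}
load_module /etc/nginx/modules/ngx_http_brotli_filter_module.so;
load_module /etc/nginx/modules/ngx_http_brotli_static_module.so;
{{ end }}
{{ if (shouldLoadAuthDigestModule $servers) }}
load_module /etc/nginx/modules/ngx_http_auth_digest_module.so;
{{ end }}

{{ if (shouldLoadModSecurityModule $cfg $servers) }}
load_module /etc/nginx/modules/ngx_http_modsecurity_module.so;
{{ end }}

{{ if (shouldLoadOpentelemetryModule $cfg $servers) }}
load_module /etc/nginx/modules/otel_ngx_module.so;
{{ end }}

daemon off;

worker_processes {{ $cfg.WorkerProcesses }};
{{ if gt (len $cfg.WorkerCPUAffinity) 0 }}
worker_cpu_affinity {{ $cfg.WorkerCPUAffinity }};
{{ end }}

worker_rlimit_nofile {{ $cfg.MaxWorkerOpenFiles }};

{{/* http://nginx.org/en/docs/ngx_core_module.html#worker_shutdown_timeout */}}
{{/* avoid waiting too long during a reload */}}
worker_shutdown_timeout {{ $cfg.WorkerShutdownTimeout }} ;

{{/* MainSnippet is emitted verbatim into the main context: nothing here
     escapes or validates it, so whoever controls it controls the process. */}}
{{ if not (empty $cfg.MainSnippet) }}
{{ $cfg.MainSnippet }}
{{ end }}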
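events {
    multi_accept {{ if $cfg.EnableMultiAccept }}on{{ else }}off{{ end }};
    worker_connections {{ $cfg.MaxWorkerConnections }};
    use epoll;
    {{/* debug_connection emits debug-level logging for the listed client
         addresses only; an entry is rendered per configured address. */}}
    {{ range $index, $v := $cfg.DebugConnections }}
    debug_connection {{ $v }};
    {{ end }}
}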
http {
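{{ if (shouldLoadOpentelemetryModule $cfg $servers) }}
opentelemetry_config {{ $cfg.OpentelemetryConfig }};
{{ end }}

# Lua modules resolve from the controller's own directory; the trailing ";;"
# appends the interpreter's default search path after it.
lua_package_path "/etc/nginx/lua/?.lua;;";

{{ buildLuaSharedDictionaries $cfg $servers }}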
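init_by_lua_block {
    collectgarbage("collect")

    -- Load a module or abort start-up. The message text matches the former
    -- inline checks; level 2 attributes the error to the calling line.
    local function must_require(name)
        local ok, res = pcall(require, name)
        if not ok then
            error("require failed: " .. tostring(res), 2)
        end
        return res
    end

    -- init modules
    -- These are deliberately globals (no `local`): init_worker_by_lua_block,
    -- balancer_by_lua_block and ssl_certificate_by_lua_block below refer to
    -- them by name.
    lua_ingress = must_require("lua_ingress")
    lua_ingress.set_config({{ configForLua $all }})

    configuration = must_require("configuration")
    -- Same port the loopback status server listens on; presumably this keeps
    -- it from being addressable as a backend -- confirm in configuration.lua.
    configuration.prohibited_localhost_port = '{{ .StatusPort }}'

    balancer = must_require("balancer")

    {{ if $all.EnableMetrics }}
    monitor = must_require("monitor")
    {{ end }}

    certificate = must_require("certificate")
    certificate.is_ocsp_stapling_enabled = {{ $cfg.EnableOCSP }}
}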
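init_worker_by_lua_block {
    -- Per-worker initialisation of the globals created in init_by_lua_block;
    -- monitor only exists when metrics are enabled, mirroring the guard there.
    lua_ingress.init_worker()
    balancer.init_worker()
    {{ if $all.EnableMetrics }}
    monitor.init_worker({{ $all.MonitorMaxBatchSize }})
    {{ end }}
}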
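{{/* Enable the real_ip module only if we use either X-Forwarded headers or Proxy Protocol. */}}
{{/* we use the value of the real IP for the geo_ip module */}}
{{ if or (or $cfg.UseForwardedHeaders $cfg.UseProxyProtocol) $cfg.EnableRealIP }}
{{ if $cfg.UseProxyProtocol }}
real_ip_header proxy_protocol;
{{ else }}
# The client address comes from a request header here, so it is only as
# trustworthy as the peers listed in set_real_ip_from below.
real_ip_header {{ $cfg.ForwardedForHeader }};
{{ end }}

# Walk the header from the right past every trusted proxy; the last
# non-trusted address becomes $remote_addr.
real_ip_recursive on;
{{/* With no ProxyRealIPCIDR entries no set_real_ip_from is emitted and the
     header is never honoured, which is the safe default. */}}
{{ range $trusted_ip := $cfg.ProxyRealIPCIDR }}
set_real_ip_from {{ $trusted_ip }};
{{ end }}
{{ end }}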
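{{ if $all.Cfg.EnableModsecurity }}
modsecurity on;
{{ if (not (empty $all.Cfg.ModsecuritySnippet)) }}
# The snippet replaces the base modsecurity.conf and is inlined between
# single quotes, so a literal ' inside it ends the directive early.
modsecurity_rules '
{{ $all.Cfg.ModsecuritySnippet }}
';
{{ else }}
modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;
{{ end }}

# The CRS include is appended after the base rules/snippet above.
{{ if $all.Cfg.EnableOWASPCoreRules }}
modsecurity_rules_file /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf;
{{ end }}
{{ end }}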
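{{ if $cfg.UseGeoIP2 }}
# https://github.com/leev/ngx_http_geoip2_module#example-usage
# Lookups use source=$remote_addr, i.e. the address after any real_ip
# substitution above; with no trusted proxies configured that is the TCP peer.
# auto_reload re-reads a database that changed on disk without an nginx reload.
{{ range $index, $file := $all.MaxmindEditionFiles }}
{{ if eq $file "GeoLite2-Country.mmdb" }}
geoip2 /etc/ingress-controller/geoip/GeoLite2-Country.mmdb {
    {{ if (gt $cfg.GeoIP2AutoReloadMinutes 0) }}
    auto_reload {{ $cfg.GeoIP2AutoReloadMinutes }}m;
    {{ end }}
    $geoip2_country_code source=$remote_addr country iso_code;
    $geoip2_country_name source=$remote_addr country names en;
    $geoip2_country_geoname_id source=$remote_addr country geoname_id;
    $geoip2_continent_code source=$remote_addr continent code;
    $geoip2_continent_name source=$remote_addr continent names en;
    $geoip2_continent_geoname_id source=$remote_addr continent geoname_id;
}
{{ end }}
{{ if eq $file "GeoIP2-Country.mmdb" }}
geoip2 /etc/ingress-controller/geoip/GeoIP2-Country.mmdb {
    {{ if (gt $cfg.GeoIP2AutoReloadMinutes 0) }}
    auto_reload {{ $cfg.GeoIP2AutoReloadMinutes }}m;
    {{ end }}
    $geoip2_country_code source=$remote_addr country iso_code;
    $geoip2_country_name source=$remote_addr country names en;
    $geoip2_country_geoname_id source=$remote_addr country geoname_id;
    $geoip2_continent_code source=$remote_addr continent code;
    $geoip2_continent_name source=$remote_addr continent names en;
    $geoip2_continent_geoname_id source=$remote_addr continent geoname_id;
}
{{ end }}
{{ if eq $file "GeoLite2-City.mmdb" }}
geoip2 /etc/ingress-controller/geoip/GeoLite2-City.mmdb {
    {{ if (gt $cfg.GeoIP2AutoReloadMinutes 0) }}
    auto_reload {{ $cfg.GeoIP2AutoReloadMinutes }}m;
    {{ end }}
    $geoip2_city_country_code source=$remote_addr country iso_code;
    $geoip2_city_country_name source=$remote_addr country names en;
    $geoip2_city_country_geoname_id source=$remote_addr country geoname_id;
    $geoip2_city source=$remote_addr city names en;
    $geoip2_city_geoname_id source=$remote_addr city geoname_id;
    $geoip2_postal_code source=$remote_addr postal code;
    $geoip2_dma_code source=$remote_addr location metro_code;
    $geoip2_latitude source=$remote_addr location latitude;
    $geoip2_longitude source=$remote_addr location longitude;
    $geoip2_time_zone source=$remote_addr location time_zone;
    $geoip2_region_code source=$remote_addr subdivisions 0 iso_code;
    $geoip2_region_name source=$remote_addr subdivisions 0 names en;
    $geoip2_region_geoname_id source=$remote_addr subdivisions 0 geoname_id;
    $geoip2_subregion_code source=$remote_addr subdivisions 1 iso_code;
    $geoip2_subregion_name source=$remote_addr subdivisions 1 names en;
    $geoip2_subregion_geoname_id source=$remote_addr subdivisions 1 geoname_id;
    $geoip2_city_continent_code source=$remote_addr continent code;
    $geoip2_city_continent_name source=$remote_addr continent names en;
}
{{ end }}
{{ if eq $file "GeoIP2-City.mmdb" }}
geoip2 /etc/ingress-controller/geoip/GeoIP2-City.mmdb {
    {{ if (gt $cfg.GeoIP2AutoReloadMinutes 0) }}
    auto_reload {{ $cfg.GeoIP2AutoReloadMinutes }}m;
    {{ end }}
    $geoip2_city_country_code source=$remote_addr country iso_code;
    $geoip2_city_country_name source=$remote_addr country names en;
    $geoip2_city_country_geoname_id source=$remote_addr country geoname_id;
    $geoip2_city source=$remote_addr city names en;
    $geoip2_city_geoname_id source=$remote_addr city geoname_id;
    $geoip2_postal_code source=$remote_addr postal code;
    $geoip2_dma_code source=$remote_addr location metro_code;
    $geoip2_latitude source=$remote_addr location latitude;
    $geoip2_longitude source=$remote_addr location longitude;
    $geoip2_time_zone source=$remote_addr location time_zone;
    $geoip2_region_code source=$remote_addr subdivisions 0 iso_code;
    $geoip2_region_name source=$remote_addr subdivisions 0 names en;
    $geoip2_region_geoname_id source=$remote_addr subdivisions 0 geoname_id;
    $geoip2_subregion_code source=$remote_addr subdivisions 1 iso_code;
    $geoip2_subregion_name source=$remote_addr subdivisions 1 names en;
    $geoip2_subregion_geoname_id source=$remote_addr subdivisions 1 geoname_id;
    $geoip2_city_continent_code source=$remote_addr continent code;
    $geoip2_city_continent_name source=$remote_addr continent names en;
}
{{ end }}

{{ if eq $file "GeoLite2-ASN.mmdb" }}
geoip2 /etc/ingress-controller/geoip/GeoLite2-ASN.mmdb {
    {{ if (gt $cfg.GeoIP2AutoReloadMinutes 0) }}
    auto_reload {{ $cfg.GeoIP2AutoReloadMinutes }}m;
    {{ end }}
    $geoip2_asn source=$remote_addr autonomous_system_number;
    $geoip2_org source=$remote_addr autonomous_system_organization;
}
{{ end }}
{{ if eq $file "GeoIP2-ASN.mmdb" }}
geoip2 /etc/ingress-controller/geoip/GeoIP2-ASN.mmdb {
    {{ if (gt $cfg.GeoIP2AutoReloadMinutes 0) }}
    auto_reload {{ $cfg.GeoIP2AutoReloadMinutes }}m;
    {{ end }}
    $geoip2_asn source=$remote_addr autonomous_system_number;
    $geoip2_org source=$remote_addr autonomous_system_organization;
}
{{ end }}
{{ if eq $file "GeoIP2-ISP.mmdb" }}
geoip2 /etc/ingress-controller/geoip/GeoIP2-ISP.mmdb {
    {{ if (gt $cfg.GeoIP2AutoReloadMinutes 0) }}
    auto_reload {{ $cfg.GeoIP2AutoReloadMinutes }}m;
    {{ end }}
    $geoip2_isp source=$remote_addr isp;
    $geoip2_isp_org source=$remote_addr organization;
    # $geoip2_asn is also defined by the ASN editions above; presumably an
    # installation lists one or the other -- confirm before combining them.
    $geoip2_asn source=$remote_addr default=0 autonomous_system_number;
}
{{ end }}

{{ if eq $file "GeoIP2-Connection-Type.mmdb" }}
geoip2 /etc/ingress-controller/geoip/GeoIP2-Connection-Type.mmdb {
    # Unlike the other editions this block has no auto_reload and no
    # explicit source=; the module's default source applies.
    $geoip2_connection_type connection_type;
}
{{ end }}
{{ if eq $file "GeoIP2-Anonymous-IP.mmdb" }}
geoip2 /etc/ingress-controller/geoip/GeoIP2-Anonymous-IP.mmdb {
    {{ if (gt $cfg.GeoIP2AutoReloadMinutes 0) }}
    auto_reload {{ $cfg.GeoIP2AutoReloadMinutes }}m;
    {{ end }}
    # $geoip2_is_anon duplicates $geoip2_is_anonymous without a default;
    # presumably kept for older consumers of the variable.
    $geoip2_is_anon source=$remote_addr is_anonymous;
    # default=0 makes "not flagged" and "not in database" indistinguishable,
    # which is the fail-open choice for these booleans.
    $geoip2_is_anonymous source=$remote_addr default=0 is_anonymous;
    $geoip2_is_anonymous_vpn source=$remote_addr default=0 is_anonymous_vpn;
    $geoip2_is_hosting_provider source=$remote_addr default=0 is_hosting_provider;
    $geoip2_is_public_proxy source=$remote_addr default=0 is_public_proxy;
    $geoip2_is_tor_exit_node source=$remote_addr default=0 is_tor_exit_node;
}
{{ end }}
{{ end }}
{{ end }}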
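aio threads;
{{ if $cfg.EnableAioWrite }}
aio_write on;
{{ end }}

tcp_nopush on;
tcp_nodelay on;

log_subrequest on;
reset_timedout_connection on;

keepalive_timeout {{ $cfg.KeepAlive }}s;
keepalive_requests {{ $cfg.KeepAliveRequests }};

# Temporary files live under /tmp so the worker needs no other writable path.
client_body_temp_path /tmp/nginx/client-body;
fastcgi_temp_path /tmp/nginx/fastcgi-temp;
proxy_temp_path /tmp/nginx/proxy-temp;

# Request-parsing limits: these bound the memory and time a single slow or
# oversized client can consume before any location is selected.
client_header_buffer_size {{ $cfg.ClientHeaderBufferSize }};
client_header_timeout {{ $cfg.ClientHeaderTimeout }}s;
large_client_header_buffers {{ $cfg.LargeClientHeaderBuffers }};
client_body_buffer_size {{ $cfg.ClientBodyBufferSize }};
client_body_timeout {{ $cfg.ClientBodyTimeout }}s;

{{ if gt $cfg.GRPCBufferSizeKb 0 }}
grpc_buffer_size {{ $cfg.GRPCBufferSizeKb }}k;
{{ end }}

{{ if and (ne $cfg.HTTP2MaxHeaderSize "") (ne $cfg.HTTP2MaxFieldSize "") }}
http2_max_field_size {{ $cfg.HTTP2MaxFieldSize }};
http2_max_header_size {{ $cfg.HTTP2MaxHeaderSize }};
{{ end }}
{{ if (gt $cfg.HTTP2MaxRequests 0) }}
http2_max_requests {{ $cfg.HTTP2MaxRequests }};
{{ end }}
http2_max_concurrent_streams {{ $cfg.HTTP2MaxConcurrentStreams }};

types_hash_max_size 2048;
server_names_hash_max_size {{ $cfg.ServerNameHashMaxSize }};
server_names_hash_bucket_size {{ $cfg.ServerNameHashBucketSize }};
map_hash_bucket_size {{ $cfg.MapHashBucketSize }};

proxy_headers_hash_max_size {{ $cfg.ProxyHeadersHashMaxSize }};
proxy_headers_hash_bucket_size {{ $cfg.ProxyHeadersHashBucketSize }};

variables_hash_bucket_size {{ $cfg.VariablesHashBucketSize }};
variables_hash_max_size {{ $cfg.VariablesHashMaxSize }};

# With underscores disallowed, X_Foo is an invalid header name and
# ignore_invalid_headers decides whether such headers are dropped; allowing
# underscores lets X_Foo and X-Foo reach a backend as two distinct headers.
underscores_in_headers {{ if $cfg.EnableUnderscoresInHeaders }}on{{ else }}off{{ end }};
ignore_invalid_headers {{ if $cfg.IgnoreInvalidHeaders }}on{{ else }}off{{ end }};

limit_req_status {{ $cfg.LimitReqStatusCode }};
limit_conn_status {{ $cfg.LimitConnStatusCode }};

{{ buildOpentelemetry $cfg $servers }}

include /etc/nginx/mime.types;
default_type {{ $cfg.DefaultType }};

{{/* Compressing TLS responses that mix secrets with attacker-influenced
     content is the BREACH precondition; both compressors are gated by config
     and scoped to the listed MIME types. */}}
{{ if $cfg.EnableBrotli }}
brotli on;
brotli_comp_level {{ $cfg.BrotliLevel }};
brotli_min_length {{ $cfg.BrotliMinLength }};
brotli_types {{ $cfg.BrotliTypes }};
{{ end }}

{{ if $cfg.UseGzip }}
gzip on;
gzip_comp_level {{ $cfg.GzipLevel }};
{{- if $cfg.GzipDisable }}
gzip_disable "{{ $cfg.GzipDisable }}";
{{- end }}
gzip_http_version 1.1;
gzip_min_length {{ $cfg.GzipMinLength }};
gzip_types {{ $cfg.GzipTypes }};
gzip_proxied any;
gzip_vary on;
{{ end }}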
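# Custom headers for response
{{/* `quote` is what keeps a value containing quotes from ending the directive
     early -- verify its escaping in the template helpers if values are not
     fully controlled by the operator. */}}
{{ range $k, $v := $addHeaders }}
more_set_headers {{ printf "%s: %s" $k $v | quote }};
{{ end }}

server_tokens {{ if $cfg.ShowServerTokens }}on{{ else }}off{{ end }};
{{ if not $cfg.ShowServerTokens }}
# server_tokens off still sends "Server: nginx"; drop the header entirely.
more_clear_headers Server;
{{ end }}

# disable warnings
uninitialized_variable_warn off;

# Additional available variables:
# $namespace
# $ingress_name
# $service_name
# $service_port
{{/* escape=none writes variable values unescaped, so a client-controlled
     value (a header, the URI) can inject line breaks or fake fields into the
     access log; escape=json or the default escaping avoids that. */}}
log_format upstreaminfo {{ if $cfg.LogFormatEscapeNone }}escape=none {{ else if $cfg.LogFormatEscapeJSON }}escape=json {{ end }}'{{ $cfg.LogFormatUpstream }}';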
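{{/* map urls that should not appear in access.log */}}
{{/* http://nginx.org/en/docs/http/ngx_http_log_module.html#access_log */}}
{{/* Entries are emitted unquoted: a value starting with ~ becomes a regex
     and a value containing whitespace would split the map line. */}}
map $request_uri $loggable {
{{ range $reqUri := $cfg.SkipAccessLogURLs }}
{{ $reqUri }} 0;{{ end }}
default 1;
}

{{ if or $cfg.DisableAccessLog $cfg.DisableHTTPAccessLog }}
access_log off;
{{ else }}
{{ if $cfg.EnableSyslog }}
access_log syslog:server={{ $cfg.SyslogHost }}:{{ $cfg.SyslogPort }} upstreaminfo if=$loggable;
{{ else }}
access_log {{ or $cfg.HTTPAccessLogPath $cfg.AccessLogPath }} upstreaminfo {{ $cfg.AccessLogParams }} if=$loggable;
{{ end }}
{{ end }}
{{ if $cfg.EnableSyslog }}
error_log syslog:server={{ $cfg.SyslogHost }}:{{ $cfg.SyslogPort }} {{ $cfg.ErrorLogLevel }};
{{ else }}
error_log {{ $cfg.ErrorLogPath }} {{ $cfg.ErrorLogLevel }};
{{ end }}

{{ buildResolvers $cfg.Resolver $cfg.DisableIpv6DNS }}

# See https://www.nginx.com/blog/websocket-nginx
map $http_upgrade $connection_upgrade {
default upgrade;
{{ if (gt $cfg.UpstreamKeepaliveConnections 0) }}
# See http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
'' '';
{{ else }}
'' close;
{{ end }}
}

# Reverse proxies can detect if a client provides a X-Request-ID header, and pass it on to the backend server.
# If no such header is provided, it can provide a random value.
# $req_id is client-controlled whenever the header is present: only the empty
# case is replaced, so downstream consumers must not rely on it being unique
# or well-formed.
map $http_x_request_id $req_id {
default $http_x_request_id;
{{ if $cfg.GenerateRequestID }}
"" $request_id;
{{ end }}
}

{{ if and $cfg.UseForwardedHeaders $cfg.ComputeFullForwardedFor }}
# We can't use $proxy_add_x_forwarded_for because the realip module
# replaces the remote_addr too soon
# Only the trailing address (the actual peer) is authoritative; the
# client-supplied prefix is copied through unchanged.
map $http_x_forwarded_for $full_x_forwarded_for {
{{ if $all.Cfg.UseProxyProtocol }}
default "$http_x_forwarded_for, $proxy_protocol_addr";
'' "$proxy_protocol_addr";
{{ else }}
default "$http_x_forwarded_for, $realip_remote_addr";
'' "$realip_remote_addr";
{{ end }}
}

{{ end }}

# Create a variable that contains the literal $ character.
# This works because the geo module will not resolve variables.
geo $literal_dollar {
default "$";
}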
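server_name_in_redirect off;
port_in_redirect off;

ssl_protocols {{ $cfg.SSLProtocols }};

# TLS 1.3 0-RTT data is replayable by design; only enable it when every
# backend treats early-data requests as safe to repeat.
ssl_early_data {{ if $cfg.SSLEarlyData }}on{{ else }}off{{ end }};

# turn on session caching to drastically improve performance
{{ if $cfg.SSLSessionCache }}
ssl_session_cache shared:SSL:{{ $cfg.SSLSessionCacheSize }};
ssl_session_timeout {{ $cfg.SSLSessionTimeout }};
{{ end }}

# allow configuring ssl session tickets
ssl_session_tickets {{ if $cfg.SSLSessionTickets }}on{{ else }}off{{ end }};

{{/* A fixed ticket key is only wired in when one is configured; rotating
     that file is the operator's responsibility. */}}
{{ if not (empty $cfg.SSLSessionTicketKey) }}
ssl_session_ticket_key /etc/ingress-controller/tickets.key;
{{ end }}

# slightly reduce the time-to-first-byte
ssl_buffer_size {{ $cfg.SSLBufferSize }};

{{ if not (empty $cfg.SSLCiphers) }}
# allow configuring custom ssl ciphers
ssl_ciphers '{{ $cfg.SSLCiphers }}';
# Server-side cipher preference is only enforced together with a custom list.
ssl_prefer_server_ciphers on;
{{ end }}

{{ if not (empty $cfg.SSLDHParam) }}
# allow custom DH file http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
ssl_dhparam {{ $cfg.SSLDHParam }};
{{ end }}

ssl_ecdh_curve {{ $cfg.SSLECDHCurve }};

# PEM sha: {{ $cfg.DefaultSSLCertificate.PemSHA }}
# The same file backs both directives; presumably it holds the chain and the
# key together -- confirm with the certificate writer.
ssl_certificate {{ $cfg.DefaultSSLCertificate.PemFileName }};
ssl_certificate_key {{ $cfg.DefaultSSLCertificate.PemFileName }};

{{ if and $cfg.CustomHTTPErrors (not $cfg.DisableProxyInterceptErrors) }}
proxy_intercept_errors on;
{{ end }}

{{ range $errCode := $cfg.CustomHTTPErrors }}
error_page {{ $errCode }} = @custom_upstream-default-backend_{{ $errCode }};{{ end }}

proxy_ssl_session_reuse on;

{{ if $cfg.AllowBackendServerHeader }}
proxy_pass_header Server;
{{ end }}

{{ range $header := $cfg.HideHeaders }}proxy_hide_header {{ $header }};
{{ end }}

{{ if not (empty $cfg.HTTPSnippet) }}
# Custom code snippet configured in the configuration configmap
# Emitted verbatim into the http context without validation.
{{ $cfg.HTTPSnippet }}
{{ end }}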
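upstream upstream_balancer {
    ### Attention!!!
    #
    # We no longer create "upstream" section for every backend.
    # Backends are handled dynamically using Lua. If you would like to debug
    # and see what backends ingress-nginx has in its memory you can
    # install our kubectl plugin https://kubernetes.github.io/ingress-nginx/kubectl-plugin.
    # Once you have the plugin you can use "kubectl ingress-nginx backends" command to
    # inspect current backends.
    #
    ###
    # nginx requires at least one server entry; the Lua balancer below
    # selects the real peer per request, so this address is not expected
    # to be dialled.
    server 0.0.0.1; # placeholder
    balancer_by_lua_block {
        balancer.balance()
    }
    {{ if (gt $cfg.UpstreamKeepaliveConnections 0) }}
    keepalive {{ $cfg.UpstreamKeepaliveConnections }};
    keepalive_time {{ $cfg.UpstreamKeepaliveTime }};
    keepalive_timeout {{ $cfg.UpstreamKeepaliveTimeout }}s;
    keepalive_requests {{ $cfg.UpstreamKeepaliveRequests }};
    {{ end }}
}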
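{{ range $rl := (filterRateLimits $servers) }}
# Ratelimit {{ $rl.Name }}
# geo matches the (real_ip-adjusted) client address; an allowlisted client
# gets an empty zone key below and is therefore not counted.
geo $remote_addr $allowlist_{{ $rl.ID }} {
default 0;
{{ range $ip := $rl.Allowlist }}
{{ $ip }} 1;{{ end }}
}
# Ratelimit {{ $rl.Name }}
map $allowlist_{{ $rl.ID }} $limit_{{ $rl.ID }} {
0 {{ $cfg.LimitConnZoneVariable }};
1 "";
}
{{ end }}

{{/* build all the required rate limit zones. Each annotation requires a dedicated zone */}}
{{/* 1MB -> 16 thousand 64-byte states or about 8 thousand 128-byte states */}}
{{ range $zone := (buildRateLimitZones $servers) }}
{{ $zone }}
{{ end }}

# Cache for internal auth checks
proxy_cache_path /tmp/nginx/nginx-cache-auth levels=1:2 keys_zone=auth_cache:10m max_size=128m inactive=30m use_temp_path=off;

# Global filters
{{ range $ip := $cfg.BlockCIDRs }}deny {{ trimSpace $ip }};
{{ end }}
{{/* Map keys below are emitted unquoted and unescaped: a value containing
     whitespace splits the directive and a leading ~ turns it into a regex. */}}
{{ if gt (len $cfg.BlockUserAgents) 0 }}
map $http_user_agent $block_ua {
default 0;
{{ range $ua := $cfg.BlockUserAgents }}{{ trimSpace $ua }} 1;
{{ end }}
}
{{ end }}
{{ if gt (len $cfg.BlockReferers) 0 }}
map $http_referer $block_ref {
default 0;
{{ range $ref := $cfg.BlockReferers }}{{ trimSpace $ref }} 1;
{{ end }}
}
{{ end }}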
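{{/* Build server redirects (from/to www) */}}
{{ range $redirect := .RedirectServers }}
## start server {{ $redirect.From }}
server {
    server_name {{ $redirect.From }};

    {{ buildHTTPListener $all $redirect.From }}
    {{ buildHTTPSListener $all $redirect.From }}

    ssl_certificate_by_lua_block {
        certificate.call()
    }

    {{ if gt (len $cfg.BlockUserAgents) 0 }}
    if ($block_ua) {
        return 403;
    }
    {{ end }}
    {{ if gt (len $cfg.BlockReferers) 0 }}
    if ($block_ref) {
        return 403;
    }
    {{ end }}

    set_by_lua_block $redirect_to {
        -- $request_uri is the raw request target including the query string,
        -- so the trailing slash is only stripped when the whole value ends in "/".
        local request_uri = ngx.var.request_uri
        if string.sub(request_uri, -1) == "/" then
            request_uri = string.sub(request_uri, 1, -2)
        end

        {{ if $cfg.UseForwardedHeaders }}
        -- A client-supplied X-Forwarded-Proto is honoured only when forwarded
        -- headers are trusted (the same switch as the real_ip block above);
        -- ngx.var yields nil for an absent header, so `or` falls back to scheme.
        local redirectScheme = ngx.var.http_x_forwarded_proto or ngx.var.scheme
        {{ else }}
        local redirectScheme = ngx.var.scheme
        {{ end }}

        -- $redirect.To is spliced into a Lua string literal: a quote or backslash
        -- in it would break this block. Presumably hostnames are validated before
        -- they reach the template -- confirm at the source of RedirectServers.
        {{ if ne $all.ListenPorts.HTTPS 443 }}
        {{ $redirect_port := (printf ":%v" $all.ListenPorts.HTTPS) }}
        return string.format("%s://%s%s%s", redirectScheme, "{{ $redirect.To }}", "{{ $redirect_port }}", request_uri)
        {{ else }}
        return string.format("%s://%s%s", redirectScheme, "{{ $redirect.To }}", request_uri)
        {{ end }}
    }
    return {{ $all.Cfg.HTTPRedirectCode }} $redirect_to;
}
## end server {{ $redirect.From }}
{{ end }}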
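{{ range $server := $servers }}
{{ range $location := $server.Locations }}
{{ $applyGlobalAuth := shouldApplyGlobalAuth $location $all.Cfg.GlobalExternalAuth.URL }}
{{ $applyAuthUpstream := shouldApplyAuthUpstream $location $all.Cfg }}
{{/* A keepalive upstream is rendered only for a per-location external auth
     endpoint, never when the global auth URL applies to this location. */}}
{{ if and (eq $applyAuthUpstream true) (eq $applyGlobalAuth false) }}
## start auth upstream {{ $server.Hostname }}{{ $location.Path }}
upstream {{ buildAuthUpstreamName $location $server.Hostname }} {
{{- $externalAuth := $location.ExternalAuth }}
    server {{ extractHostPort $externalAuth.URL }};
    keepalive {{ $externalAuth.KeepaliveConnections }};
    keepalive_requests {{ $externalAuth.KeepaliveRequests }};
    keepalive_timeout {{ $externalAuth.KeepaliveTimeout }}s;
}
## end auth upstream {{ $server.Hostname }}{{ $location.Path }}
{{ end }}
{{ end }}
{{ end }}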
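{{ range $server := $servers }}
## start server {{ $server.Hostname }}
server {
    server_name {{ buildServerName $server.Hostname }} {{ range $server.Aliases }}{{ . }} {{ end }};

    {{ if $cfg.UseHTTP2 }}
    http2 on;
    {{ end }}

    # Global UA/referer blocklists run at server level, ahead of location
    # matching, so every location in this vhost inherits them.
    {{ if gt (len $cfg.BlockUserAgents) 0 }}
    if ($block_ua) {
        return 403;
    }
    {{ end }}
    {{ if gt (len $cfg.BlockReferers) 0 }}
    if ($block_ref) {
        return 403;
    }
    {{ end }}

    {{ template "SERVER" serverConfig $all $server }}

    {{ if not (empty $cfg.ServerSnippet) }}
    # Custom code snippet configured in the configuration configmap
    # Emitted verbatim into every server block without validation.
    {{ $cfg.ServerSnippet }}
    {{ end }}

    {{ template "CUSTOM_ERRORS" (buildCustomErrorDeps "upstream-default-backend" $cfg.CustomHTTPErrors $all.EnableMetrics $cfg.EnableModsecurity) }}
}
## end server {{ $server.Hostname }}
{{ end }}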
2017-03-03 01:44:45 +00:00
2018-09-25 03:33:13 +00:00
# backend for when default-backend-service is not configured or it does not have endpoints
# Catch-all (default_server) for requests whose Host matches no server_name above;
# everything gets a 404. NOTE(review): access_log is off here, so scans that hit
# this controller with an unknown or absent Host header leave no access-log
# trace - do not expect to see them in request logs.
server {
listen {{ $ all . ListenPorts . Default }} default_server {{ if $ all . Cfg . ReusePort }}reuseport{{ end }} backlog={{ $ all . BacklogSize }};
{{ if $ IsIPV6Enabled }}listen [::]:{{ $ all . ListenPorts . Default }} default_server {{ if $ all . Cfg . ReusePort }}reuseport{{ end }} backlog={{ $ all . BacklogSize }};{{ end }}
2019-01-21 14:29:36 +00:00
# Same "internal" marker the status server below uses.
set $ proxy_upstream_name "internal";
2018-09-25 03:33:13 +00:00
2019-02-19 23:02:01 +00:00
access_log off;
2018-09-25 03:33:13 +00:00
location / {
return 404;
}
}
2016-07-21 15:40:47 +00:00
# default server, used for NGINX healthcheck and access to nginx stats
# Loopback-only control/health server. None of its endpoints authenticate the
# caller; the 127.0.0.1 bind is the only access control, so anything that
# shares the pod's network namespace (a sidecar, or host processes when
# hostNetwork is used) can reach /configuration and change what the Lua
# balancer routes to. Keep that boundary in mind when adding containers.
2016-02-22 00:13:08 +00:00
server {
2023-08-14 17:35:21 +00:00
# Ensure that modsecurity will not run on an internal location as this is not accessible from outside
{{ if $ all . Cfg . EnableModsecurity }}
modsecurity off;
{{ end }}
2019-09-01 18:21:24 +00:00
listen 127.0.0.1:{{ .StatusPort }};
2019-01-21 14:29:36 +00:00
set $ proxy_upstream_name "internal";
2016-02-22 00:13:08 +00:00
2019-01-21 14:29:36 +00:00
keepalive_timeout 0;
gzip off;
access_log off;
2023-03-22 18:58:22 +00:00
{{ if $ cfg . EnableOpentelemetry }}
opentelemetry off;
{{ end }}
2016-11-16 18:24:26 +00:00
# Health probe: unconditional 200 once nginx is serving.
location {{ $ healthzURI }} {
2016-02-22 00:13:08 +00:00
return 200;
}
2018-10-09 22:36:10 +00:00
2018-04-08 18:24:37 +00:00
# Readiness of the dynamic balancer: 500 until configuration.get_backends_data()
# returns something (presumably after the first push to /configuration), then 200 "OK".
location /is-dynamic-lb-initialized {
content_by_lua_block {
local configuration = require("configuration")
local backend_data = configuration.get_backends_data()
if not backend_data then
ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
return
end
ngx.say("OK")
ngx.exit(ngx.HTTP_OK)
}
}
2018-10-09 22:36:10 +00:00
2019-01-21 14:29:36 +00:00
# Raw nginx connection/request counters (stub_status).
location {{ .StatusPath }} {
2016-02-22 00:13:08 +00:00
stub_status on;
}
2018-10-09 22:36:10 +00:00
2018-03-18 13:13:41 +00:00
# Write path into the Lua balancer. What configuration.call() accepts and
# stores is defined in the Lua module, not here. The body limits are sized
# for the full payload (luaConfigurationRequestBodySize), not for ordinary
# requests.
location /configuration {
2021-08-12 18:13:50 +00:00
client_max_body_size {{ luaConfigurationRequestBodySize $ cfg }};
client_body_buffer_size {{ luaConfigurationRequestBodySize $ cfg }};
2018-04-08 18:47:49 +00:00
proxy_buffering off;
2018-03-18 13:13:41 +00:00
content_by_lua_block {
configuration.call()
}
}
2018-10-09 22:36:10 +00:00
2016-03-16 14:12:45 +00:00
# Anything else on this port is a 404.
location / {
2019-01-21 14:29:36 +00:00
content_by_lua_block {
ngx.exit(ngx.HTTP_NOT_FOUND)
}
2016-09-29 15:02:45 +00:00
}
2016-09-29 19:01:09 +00:00
}
2016-02-22 00:13:08 +00:00
}
# L4 (TCP/UDP) proxying. Mirrors the http block: a Lua balancer fed through a
# loopback control endpoint, plus one server per exposed TCP/UDP service.
stream {
2019-12-26 01:07:03 +00:00
lua_package_path "/etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/?.lua;;";
2018-11-16 16:48:47 +00:00
# Shared memory for the TCP/UDP backend configuration (see tcp_udp_configuration.lua).
lua_shared_dict tcp_udp_configuration_data 5M;
2023-01-09 11:01:29 +00:00
{{ buildResolvers $ cfg . Resolver $ cfg . DisableIpv6DNS }}
2018-11-16 16:48:47 +00:00
init_by_lua_block {
collectgarbage("collect")
-- init modules
-- configuration / tcp_udp_configuration / tcp_udp_balancer are deliberately
-- left global: the *_by_lua_block handlers below reference them by name.
local ok, res
2019-02-17 22:12:10 +00:00
ok, res = pcall(require, "configuration")
if not ok then
error("require failed: " .. tostring(res))
else
configuration = res
end
2018-11-16 16:48:47 +00:00
ok, res = pcall(require, "tcp_udp_configuration")
if not ok then
error("require failed: " .. tostring(res))
else
tcp_udp_configuration = res
2021-04-30 03:24:28 +00:00
-- Presumably lets the Lua side refuse a TCP/UDP backend that points at the
-- http status port on loopback (home of the unauthenticated /configuration
-- endpoint) - confirm in tcp_udp_configuration.lua.
tcp_udp_configuration.prohibited_localhost_port = '{{ .StatusPort }}'
2018-11-16 16:48:47 +00:00
end
ok, res = pcall(require, "tcp_udp_balancer")
if not ok then
error("require failed: " .. tostring(res))
else
tcp_udp_balancer = res
end
}
init_worker_by_lua_block {
tcp_udp_balancer.init_worker()
}
lua_add_variable $ proxy_upstream_name ;
2019-10-10 07:27:15 +00:00
log_format log_stream '{{ $ cfg . LogFormatStream }}';
2016-11-10 22:56:29 +00:00
2020-04-11 18:35:29 +00:00
{{ if or $ cfg . DisableAccessLog $ cfg . DisableStreamAccessLog }}
2017-02-09 23:20:12 +00:00
access_log off;
{{ else }}
2020-06-04 12:56:41 +00:00
access_log {{ or $ cfg . StreamAccessLogPath $ cfg . AccessLogPath }} log_stream {{ $ cfg . AccessLogParams }};
2017-02-09 23:20:12 +00:00
{{ end }}
2022-05-19 22:27:53 +00:00
2020-11-27 05:29:43 +00:00
error_log {{ $ cfg . ErrorLogPath }} {{ $ cfg . ErrorLogLevel }};
2023-08-31 07:36:48 +00:00
# Proxies whose PROXY-protocol-supplied client address is trusted. In the
# stream module this only has an effect on listeners declared with
# proxy_protocol (see the TCP servers below) - confirm against the nginx
# stream realip docs for the version in use.
{{ if $ cfg . EnableRealIP }}
2020-08-27 13:40:10 +00:00
{{ range $ trusted_ip := $ cfg . ProxyRealIPCIDR }}
set_real_ip_from {{ $ trusted_ip }};
{{ end }}
{{ end }}
2018-11-16 16:48:47 +00:00
# The placeholder address is never dialled; balancer_by_lua_block picks the
# real peer for every connection.
upstream upstream_balancer {
server 0.0.0.1:1234; # placeholder
balancer_by_lua_block {
tcp_udp_balancer.balance()
}
}
# Unauthenticated control endpoint for the TCP/UDP service configuration,
# loopback only - same trust model as /configuration in the http block.
server {
2019-09-08 21:14:54 +00:00
listen 127.0.0.1:{{ .StreamPort }};
2018-11-16 16:48:47 +00:00
2019-07-10 17:42:13 +00:00
access_log off;
2019-08-08 19:52:56 +00:00
2018-11-16 16:48:47 +00:00
content_by_lua_block {
tcp_udp_configuration.call()
}
}
# TCP services
# One listener per exposed TCP port. With no bind-address configured (the
# range/else branches) nginx listens on all interfaces.
# ProxyProtocol.Decode adds proxy_protocol to the listener, which makes nginx
# believe the PROXY header sent by whoever connects: only enable it when a
# trusted load balancer sits in front and clients cannot reach this port
# directly, otherwise a direct client could supply its own PROXY header.
{{ range $ tcpServer := .TCPBackends }}
server {
preread_by_lua_block {
ngx.var.proxy_upstream_name="tcp-{{ $ tcpServer . Backend . Namespace }}-{{ $ tcpServer . Backend . Name }}-{{ $ tcpServer . Backend . Port }}";
}
{{ range $ address := $ all . Cfg . BindAddressIpv4 }}
listen {{ $ address }}:{{ $ tcpServer . Port }}{{ if $ tcpServer . Backend . ProxyProtocol . Decode }} proxy_protocol{{ end }};
{{ else }}
listen {{ $ tcpServer . Port }}{{ if $ tcpServer . Backend . ProxyProtocol . Decode }} proxy_protocol{{ end }};
{{ end }}
{{ if $ IsIPV6Enabled }}
{{ range $ address := $ all . Cfg . BindAddressIpv6 }}
listen {{ $ address }}:{{ $ tcpServer . Port }}{{ if $ tcpServer . Backend . ProxyProtocol . Decode }} proxy_protocol{{ end }};
{{ else }}
listen [::]:{{ $ tcpServer . Port }}{{ if $ tcpServer . Backend . ProxyProtocol . Decode }} proxy_protocol{{ end }};
{{ end }}
{{ end }}
proxy_timeout {{ $ cfg . ProxyStreamTimeout }};
2020-12-02 06:54:14 +00:00
proxy_next_upstream {{ if $ cfg . ProxyStreamNextUpstream }}on{{ else }}off{{ end }};
proxy_next_upstream_timeout {{ $ cfg . ProxyStreamNextUpstreamTimeout }};
proxy_next_upstream_tries {{ $ cfg . ProxyStreamNextUpstreamTries }};
2018-11-16 16:48:47 +00:00
proxy_pass upstream_balancer;
# ProxyProtocol.Encode: prepend a PROXY header on the connection to the backend.
{{ if $ tcpServer . Backend . ProxyProtocol . Encode }}
proxy_protocol on;
{{ end }}
}
{{ end }}
# UDP services
# Same listener layout as TCP; no PROXY protocol for UDP.
{{ range $ udpServer := .UDPBackends }}
server {
preread_by_lua_block {
ngx.var.proxy_upstream_name="udp-{{ $ udpServer . Backend . Namespace }}-{{ $ udpServer . Backend . Name }}-{{ $ udpServer . Backend . Port }}";
}
{{ range $ address := $ all . Cfg . BindAddressIpv4 }}
listen {{ $ address }}:{{ $ udpServer . Port }} udp;
{{ else }}
listen {{ $ udpServer . Port }} udp;
{{ end }}
{{ if $ IsIPV6Enabled }}
{{ range $ address := $ all . Cfg . BindAddressIpv6 }}
listen {{ $ address }}:{{ $ udpServer . Port }} udp;
{{ else }}
listen [::]:{{ $ udpServer . Port }} udp;
{{ end }}
{{ end }}
proxy_responses {{ $ cfg . ProxyStreamResponses }};
proxy_timeout {{ $ cfg . ProxyStreamTimeout }};
2020-12-02 06:54:14 +00:00
proxy_next_upstream {{ if $ cfg . ProxyStreamNextUpstream }}on{{ else }}off{{ end }};
proxy_next_upstream_timeout {{ $ cfg . ProxyStreamNextUpstreamTimeout }};
proxy_next_upstream_tries {{ $ cfg . ProxyStreamNextUpstreamTries }};
2018-11-16 16:48:47 +00:00
proxy_pass upstream_balancer;
}
{{ end }}
2021-12-23 19:46:30 +00:00
# Stream Snippets
# Raw stream-context directives injected verbatim; the same trust-boundary
# caveat as server-snippet applies.
{{ range $ snippet := .StreamSnippets }}
{{ $ snippet }}
{{ end }}
2016-02-22 00:13:08 +00:00
}
{{/* definition of templates to avoid repetitions */}}
{{ define "CUSTOM_ERRORS" }}
{{/*
Emits one named location per error code in .ErrorCodes, each proxying to
the backend .UpstreamName. These locations are only reachable through an
error_page redirect (see `internal;`), never from a client-supplied URI.
*/}}
2018-12-04 19:59:54 +00:00
{{ $ enableMetrics := .EnableMetrics }}
2022-05-04 15:29:51 +00:00
{{ $ modsecurityEnabled := .ModsecurityEnabled }}
2019-02-05 14:28:37 +00:00
{{ $ upstreamName := .UpstreamName }}
2018-10-25 16:35:48 +00:00
{{ range $ errCode := .ErrorCodes }}
2019-02-05 14:28:37 +00:00
location @custom_{{ $ upstreamName }}_{{ $ errCode }} {
2016-03-22 18:01:04 +00:00
internal;
2018-09-07 23:39:58 +00:00
2022-05-04 15:29:51 +00:00
# Ensure that modsecurity will not run on custom error pages or they might be blocked
{{ if $ modsecurityEnabled }}
modsecurity off;
{{ end }}
2017-09-28 13:07:02 +00:00
# Errors returned by the error backend itself are passed through as-is rather
# than intercepted again.
proxy_intercept_errors off;
2017-09-08 23:18:11 +00:00
# Context about the failed request for the error backend. X-Format carries the
# client's raw Accept header; X-Forwarded-For is the peer address only, not a
# client-supplied chain.
proxy_set_header X-Code {{ $ errCode }};
proxy_set_header X-Format $ http_accept ;
proxy_set_header X-Original-URI $ request_uri ;
proxy_set_header X-Namespace $ namespace ;
proxy_set_header X-Ingress-Name $ ingress_name ;
proxy_set_header X-Service-Name $ service_name ;
2018-05-09 21:59:58 +00:00
proxy_set_header X-Service-Port $ service_port ;
2019-03-22 10:33:11 +00:00
proxy_set_header X-Request-ID $ req_id ;
2022-07-28 10:23:10 +00:00
proxy_set_header X-Forwarded-For $ remote_addr ;
2018-09-09 11:39:10 +00:00
proxy_set_header Host $ best_http_host ;
2017-09-07 23:39:58 +00:00
2019-08-13 21:14:55 +00:00
set $ proxy_upstream_name {{ $ upstreamName | quote }};
2017-09-07 23:39:58 +00:00
2017-09-28 13:07:02 +00:00
# The error backend always sees "/"; the original path travels in X-Original-URI.
rewrite (.*) / break;
2018-03-18 13:13:41 +00:00
proxy_pass http://upstream_balancer;
2018-09-26 14:26:38 +00:00
log_by_lua_block {
2018-12-04 19:59:54 +00:00
{{ if $ enableMetrics }}
2018-09-26 14:26:38 +00:00
monitor.call()
2018-12-04 19:59:54 +00:00
{{ end }}
2018-09-26 14:26:38 +00:00
}
2017-03-03 01:44:45 +00:00
}
2016-05-23 23:15:13 +00:00
{{ end }}
2016-02-22 00:13:08 +00:00
{{ end }}
2016-09-22 18:00:09 +00:00
{{/* CORS support from https://michielkalkman.com/snippets/nginx-cors-open-configuration.html */}}
{{ define "CORS" }}
2017-10-19 20:03:02 +00:00
{{ $ cors := .CorsConfig }}
# CORS preflight (OPTIONS) needs the same headers plus a short-circuit 204 response.
# The nginx variable $cors is expected to be set to "true" by the
# buildCorsOriginRegex output when the request's Origin matches one of the
# configured allowed origins; "options" is appended for preflights.
# Access-Control-Allow-Origin reflects $http_origin rather than the configured
# pattern, so that origin regex is the only thing standing between an
# arbitrary Origin and an Access-Control-Allow-Credentials response - keep the
# allowed-origin list tight whenever credentials are enabled.
# NOTE(review): the reflected Origin is not paired with a `Vary: Origin`
# header here; if a response is cacheable by an intermediary, one origin's
# ACAO value may be served to another - confirm whether shared caches sit in
# front of this controller.
2021-11-02 19:31:42 +00:00
{{ if $ cors . CorsAllowOrigin }}
{{ buildCorsOriginRegex $ cors . CorsAllowOrigin }}
{{ end }}
2016-09-22 18:00:09 +00:00
if ( $ request_method = 'OPTIONS') {
2021-11-02 19:31:42 +00:00
set $ cors ${ cors } options;
}
if ( $ cors = "true") {
more_set_headers 'Access-Control-Allow-Origin: $ http_origin ';
2018-02-24 20:52:23 +00:00
{{ if $ cors . CorsAllowCredentials }} more_set_headers 'Access-Control-Allow-Credentials: {{ $ cors . CorsAllowCredentials }}'; {{ end }}
more_set_headers 'Access-Control-Allow-Methods: {{ $ cors . CorsAllowMethods }}';
more_set_headers 'Access-Control-Allow-Headers: {{ $ cors . CorsAllowHeaders }}';
2020-09-23 15:41:52 +00:00
{{ if not (empty $ cors . CorsExposeHeaders ) }} more_set_headers 'Access-Control-Expose-Headers: {{ $ cors . CorsExposeHeaders }}'; {{ end }}
2018-02-24 20:52:23 +00:00
more_set_headers 'Access-Control-Max-Age: {{ $ cors . CorsMaxAge }}';
2016-09-22 18:00:09 +00:00
}
2017-03-23 15:07:09 +00:00
2021-11-02 19:31:42 +00:00
# Preflight: same headers, empty body, 204 - the request never reaches the backend.
if ( $ cors = "trueoptions") {
more_set_headers 'Access-Control-Allow-Origin: $ http_origin ';
2018-02-24 20:52:23 +00:00
{{ if $ cors . CorsAllowCredentials }} more_set_headers 'Access-Control-Allow-Credentials: {{ $ cors . CorsAllowCredentials }}'; {{ end }}
2021-11-02 19:31:42 +00:00
more_set_headers 'Access-Control-Allow-Methods: {{ $ cors . CorsAllowMethods }}';
more_set_headers 'Access-Control-Allow-Headers: {{ $ cors . CorsAllowHeaders }}';
2020-09-23 15:41:52 +00:00
{{ if not (empty $ cors . CorsExposeHeaders ) }} more_set_headers 'Access-Control-Expose-Headers: {{ $ cors . CorsExposeHeaders }}'; {{ end }}
2021-11-02 19:31:42 +00:00
more_set_headers 'Access-Control-Max-Age: {{ $ cors . CorsMaxAge }}';
more_set_headers 'Content-Type: text/plain charset=UTF-8';
more_set_headers 'Content-Length: 0';
return 204;
}
2016-09-22 18:00:09 +00:00
{{ end }}
2017-08-15 06:23:19 +00:00
{{/* definition of server-template to avoid repetitions with server-alias */}}
{{ define "SERVER" }}
{{ $ all := .First }}
{{ $ server := .Second }}
2019-08-13 18:04:31 +00:00
{{ buildHTTPListener $ all $ server . Hostname }}
{{ buildHTTPSListener $ all $ server . Hostname }}
2017-08-15 06:23:19 +00:00
set $ proxy_upstream_name "-";
2018-06-05 13:51:22 +00:00
2022-04-15 19:59:10 +00:00
{{ if not ( empty $ server . CertificateAuth . MatchCN ) }}
2022-10-12 22:41:04 +00:00
{{ if gt (len $ server . CertificateAuth . MatchCN ) 0 }}
2024-03-09 00:06:47 +00:00
# Client-certificate subject filter: on top of chain verification (configured
# further down), reject any client whose full subject DN does not match this
# expression. Despite the name it is matched against the whole DN, not only
# the CN. A client that presented no certificate (possible when
# ssl_verify_client is optional) has an empty DN and is rejected here too.
# NOTE(review): MatchCN is interpolated unquoted into a PCRE; nothing in this
# template escapes it, so the annotation parser on the Go side must be the
# place that validates it - confirm.
if ( $ ssl_client_s_dn !~ {{ $ server . CertificateAuth . MatchCN }} ) {
return 403 "client certificate unauthorized";
2022-04-15 19:59:10 +00:00
}
{{ end }}
{{ end }}
2021-11-29 16:33:23 +00:00
{{ if eq $ server . Hostname "_" }}
ssl_reject_handshake {{ if $ all . Cfg . SSLRejectHandshake }}on{{ else }}off{{ end }};
{{ end }}
2018-06-05 13:51:22 +00:00
ssl_certificate_by_lua_block {
certificate.call()
}
2017-08-15 06:23:19 +00:00
2018-02-25 20:20:14 +00:00
{{ if not (empty $ server . AuthTLSError ) }}
# {{ $ server . AuthTLSError }}
return 403;
{{ else }}
2017-08-22 20:16:59 +00:00
{{ if not (empty $ server . CertificateAuth . CAFileName ) }}
2019-08-13 21:14:55 +00:00
# Mutual TLS for this host: client certificates are verified against the CA
# bundle below. The PEM sha comments presumably exist so the rendered config
# (and its checksum) changes when the bundle or CRL is rotated.
# If VerifyClient is one of nginx's optional modes, a request without a valid
# certificate still reaches the backend; the backend must then look at the
# ssl-client-verify header that the location blocks forward.
# PEM sha: {{ $ server . CertificateAuth . CASHA }}
2017-08-22 20:16:59 +00:00
ssl_client_certificate {{ $ server . CertificateAuth . CAFileName }};
2017-10-05 11:26:07 +00:00
ssl_verify_client {{ $ server . CertificateAuth . VerifyClient }};
2017-08-22 20:16:59 +00:00
ssl_verify_depth {{ $ server . CertificateAuth . ValidationDepth }};
2019-09-03 20:47:28 +00:00
{{ if not (empty $ server . CertificateAuth . CRLFileName ) }}
# PEM sha: {{ $ server . CertificateAuth . CRLSHA }}
2020-02-05 02:06:07 +00:00
ssl_crl {{ $ server . CertificateAuth . CRLFileName }};
2019-09-03 20:47:28 +00:00
{{ end }}
2017-09-03 20:12:03 +00:00
# 495 (certificate verification failed) and 496 (no certificate presented) are
# nginx's client-certificate error codes; optionally redirect them to a custom page.
{{ if not (empty $ server . CertificateAuth . ErrorPage )}}
error_page 495 496 = {{ $ server . CertificateAuth . ErrorPage }};
{{ end }}
2017-08-22 20:16:59 +00:00
{{ end }}
2019-07-17 00:23:32 +00:00
{{ if not (empty $ server . ProxySSL . CAFileName ) }}
2019-08-16 04:31:15 +00:00
# PEM sha: {{ $ server . ProxySSL . CASHA }}
2019-07-17 00:23:32 +00:00
proxy_ssl_trusted_certificate {{ $ server . ProxySSL . CAFileName }};
proxy_ssl_ciphers {{ $ server . ProxySSL . Ciphers }};
proxy_ssl_protocols {{ $ server . ProxySSL . Protocols }};
proxy_ssl_verify {{ $ server . ProxySSL . Verify }};
proxy_ssl_verify_depth {{ $ server . ProxySSL . VerifyDepth }};
2019-10-04 07:19:31 +00:00
{{ if not (empty $ server . ProxySSL . ProxySSLName ) }}
2020-05-30 15:35:20 +00:00
proxy_ssl_name {{ $ server . ProxySSL . ProxySSLName }};
proxy_ssl_server_name {{ $ server . ProxySSL . ProxySSLServerName }};
2020-03-19 18:49:18 +00:00
{{ end }}
2019-07-17 00:23:32 +00:00
{{ end }}
2019-10-17 07:23:42 +00:00
{{ if not (empty $ server . ProxySSL . PemFileName ) }}
2019-10-26 17:36:25 +00:00
proxy_ssl_certificate {{ $ server . ProxySSL . PemFileName }};
proxy_ssl_certificate_key {{ $ server . ProxySSL . PemFileName }};
2019-10-17 07:23:42 +00:00
{{ end }}
2018-01-31 16:53:07 +00:00
{{ if not (empty $ server . SSLCiphers ) }}
ssl_ciphers {{ $ server . SSLCiphers }};
{{ end }}
2020-05-11 08:31:08 +00:00
{{ if not (empty $ server . SSLPreferServerCiphers ) }}
ssl_prefer_server_ciphers {{ $ server . SSLPreferServerCiphers }};
{{ end }}
2018-01-31 16:53:07 +00:00
2017-09-20 09:35:16 +00:00
{{ if not (empty $ server . ServerSnippet ) }}
2020-11-03 12:59:31 +00:00
# Custom code snippet configured for host {{ $ server . Hostname }}
2017-09-20 09:35:16 +00:00
{{ $ server . ServerSnippet }}
{{ end }}
2017-10-09 12:16:09 +00:00
2019-02-05 14:28:37 +00:00
{{ range $ errorLocation := (buildCustomErrorLocationsPerServer $ server ) }}
2022-05-04 15:29:51 +00:00
{{ template "CUSTOM_ERRORS" (buildCustomErrorDeps $ errorLocation . UpstreamName $ errorLocation . Codes $ all . EnableMetrics $ all . Cfg . EnableModsecurity ) }}
2019-02-05 14:28:37 +00:00
{{ end }}
2020-02-05 02:06:07 +00:00
{{ buildMirrorLocations $ server . Locations }}
2018-10-25 16:35:48 +00:00
2020-07-15 15:20:47 +00:00
{{ $ enforceRegex := enforceRegexModifier $ server . Locations }}
2017-08-15 06:23:19 +00:00
{{ range $ location := $ server . Locations }}
2020-07-15 15:20:47 +00:00
{{ $ path := buildLocation $ location $ enforceRegex }}
2018-05-17 12:35:11 +00:00
{{ $ proxySetHeader := proxySetHeader $ location }}
2018-11-27 16:12:17 +00:00
{{ $ authPath := buildAuthLocation $ location $ all . Cfg . GlobalExternalAuth . URL }}
{{ $ applyGlobalAuth := shouldApplyGlobalAuth $ location $ all . Cfg . GlobalExternalAuth . URL }}
2022-04-09 03:22:04 +00:00
{{ $ applyAuthUpstream := shouldApplyAuthUpstream $ location $ all . Cfg }}
2018-11-27 16:12:17 +00:00
{{ $ externalAuth := $ location . ExternalAuth }}
{{ if eq $ applyGlobalAuth true }}
{{ $ externalAuth = $ all . Cfg . GlobalExternalAuth }}
{{ end }}
2017-08-15 06:23:19 +00:00
2020-03-19 18:49:18 +00:00
{{ if not (empty $ location . Rewrite . AppRoot ) }}
2017-08-15 06:23:19 +00:00
if ( $ uri = /) {
2020-03-19 18:49:18 +00:00
return 302 $ scheme :// $ http_host {{ $ location . Rewrite . AppRoot }};
2017-08-15 06:23:19 +00:00
}
{{ end }}
2018-01-28 00:32:08 +00:00
{{ if $ authPath }}
2017-08-15 06:23:19 +00:00
# Internal subrequest target for external authentication (auth-url). Reached
# only via auth_request / ngx.location.capture from the real location further
# down, never directly by a client.
location = {{ $ authPath }} {
2017-08-31 06:58:01 +00:00
internal;
2018-03-30 17:19:33 +00:00
2023-03-22 18:58:22 +00:00
{{ if (or $ all . Cfg . EnableOpentelemetry $ location . Opentelemetry . Enabled ) }}
opentelemetry on;
opentelemetry_propagate;
{{ end }}
2023-08-28 14:37:44 +00:00
# Auth subrequests are not access-logged unless explicitly enabled; turn
# EnableAuthAccessLog on if you need to investigate auth failures from logs.
{{ if not $ all . Cfg . EnableAuthAccessLog }}
2023-01-08 22:49:27 +00:00
access_log off;
2023-08-28 14:37:44 +00:00
{{ end }}
2023-01-08 22:49:27 +00:00
2022-05-04 15:29:51 +00:00
# Ensure that modsecurity will not run on an internal location as this is not accessible from outside
{{ if $ all . Cfg . EnableModsecurity }}
modsecurity off;
{{ end }}
2019-07-07 16:34:56 +00:00
# Optional caching of the auth service's answer. The cache key is only
# hostname + auth path + the configured AuthCacheKey string, hashed.
# NOTE(review): if that string does not vary per client (e.g. does not
# include the session cookie or Authorization header), one client's cached
# allow/deny decision is served to every other client for AuthCacheDuration -
# confirm the annotation value actually carries the credential.
{{ if $ externalAuth . AuthCacheKey }}
set $ tmp_cache_key '{{ $ server . Hostname }}{{ $ authPath }}{{ $ externalAuth . AuthCacheKey }}';
set $ cache_key '';
rewrite_by_lua_block {
ngx.var.cache_key = ngx.encode_base64(ngx.sha1_bin(ngx.var.tmp_cache_key))
}
proxy_cache auth_cache;
{{- range $ dur := $ externalAuth . AuthCacheDuration }}
proxy_cache_valid {{ $ dur }};
{{- end }}
proxy_cache_key " $ cache_key ";
{{ end }}
2018-03-30 17:19:33 +00:00
# ngx_auth_request module overrides variables in the parent request,
# therefore we have to explicitly set this variable again so that when the parent request
# resumes it has the correct value set for this variable so that Lua can pick backend correctly
2019-08-09 19:47:29 +00:00
set $ proxy_upstream_name {{ buildUpstreamName $ location | quote }};
2017-08-15 06:23:19 +00:00
2017-08-31 06:58:01 +00:00
# Only headers go to the auth service, never the request body. An empty value
# in proxy_set_header removes the header from the subrequest.
proxy_pass_request_body off;
2020-03-29 22:58:36 +00:00
proxy_set_header Content-Length "";
proxy_set_header X-Forwarded-Proto "";
proxy_set_header X-Request-ID $ req_id ;
2017-10-15 20:20:33 +00:00
2018-11-27 16:12:17 +00:00
{{ if $ externalAuth . Method }}
proxy_method {{ $ externalAuth . Method }};
2017-10-04 13:59:14 +00:00
proxy_set_header X-Original-URI $ request_uri ;
proxy_set_header X-Scheme $ pass_access_scheme ;
2017-08-31 06:58:01 +00:00
{{ end }}
2017-10-15 20:20:33 +00:00
2018-11-27 16:12:17 +00:00
# Host as configured for the auth service; the original request is described
# by the X-Original-* headers.
proxy_set_header Host {{ $ externalAuth . Host }};
2017-10-04 13:59:14 +00:00
proxy_set_header X-Original-URL $ scheme :// $ http_host $ request_uri ;
2017-11-08 11:14:04 +00:00
proxy_set_header X-Original-Method $ request_method ;
2017-10-15 20:20:33 +00:00
proxy_set_header X-Sent-From "nginx-ingress-controller";
2019-09-12 23:01:33 +00:00
proxy_set_header X-Real-IP $ remote_addr ;
2018-08-23 13:37:33 +00:00
# X-Forwarded-For is the client-supplied chain only when both
# use-forwarded-headers and compute-full-forwarded-for are on; otherwise it is
# the peer address, so the auth service cannot be fed a forged chain.
{{ if and $ all . Cfg . UseForwardedHeaders $ all . Cfg . ComputeFullForwardedFor }}
proxy_set_header X-Forwarded-For $ full_x_forwarded_for ;
{{ else }}
2019-09-12 23:01:33 +00:00
proxy_set_header X-Forwarded-For $ remote_addr ;
2018-08-23 13:37:33 +00:00
{{ end }}
2017-08-15 06:23:19 +00:00
2018-11-27 16:12:17 +00:00
{{ if $ externalAuth . RequestRedirect }}
proxy_set_header X-Auth-Request-Redirect {{ $ externalAuth . RequestRedirect }};
2018-01-28 00:32:08 +00:00
{{ else }}
proxy_set_header X-Auth-Request-Redirect $ request_uri ;
{{ end }}
2019-07-07 16:34:56 +00:00
# proxy_cache needs a buffered response, hence buffering is forced on when caching.
{{ if $ externalAuth . AuthCacheKey }}
proxy_buffering "on";
{{ else }}
2018-10-01 21:10:33 +00:00
proxy_buffering {{ $ location . Proxy . ProxyBuffering }};
2019-07-07 16:34:56 +00:00
{{ end }}
2018-10-01 21:10:33 +00:00
proxy_buffer_size {{ $ location . Proxy . BufferSize }};
2019-02-22 02:21:17 +00:00
proxy_buffers {{ $ location . Proxy . BuffersNumber }} {{ $ location . Proxy . BufferSize }};
2018-10-01 21:10:33 +00:00
proxy_request_buffering {{ $ location . Proxy . RequestBuffering }};
2018-04-26 14:04:12 +00:00
2017-10-15 20:20:33 +00:00
# SNI is sent when the auth URL is https.
# NOTE(review): no proxy_ssl_verify / proxy_ssl_trusted_certificate appears
# in this location, so the auth service's certificate is not verified here
# unless the AuthSnippet below adds it (nginx's default is off) - confirm
# whether that is acceptable for the auth services in use.
proxy_ssl_server_name on;
# Client request headers are forwarded to the auth service as well.
proxy_pass_request_headers on;
2018-12-02 18:10:36 +00:00
{{ if isValidByteSize $ location . Proxy . BodySize true }}
2018-10-01 21:10:33 +00:00
client_max_body_size {{ $ location . Proxy . BodySize }};
2018-11-09 14:45:11 +00:00
{{ end }}
2018-12-02 18:10:36 +00:00
{{ if isValidByteSize $ location . ClientBodyBufferSize false }}
2017-08-31 06:58:01 +00:00
client_body_buffer_size {{ $ location . ClientBodyBufferSize }};
{{ end }}
2017-08-15 06:23:19 +00:00
2018-03-19 12:30:36 +00:00
# Pass the extracted client certificate to the auth provider
# NOTE(review): these ssl-client-* headers are overwritten only when a client
# CA is configured for this host. Because proxy_pass_request_headers is on, on
# a host without mTLS a client-supplied "ssl-client-verify" header would be
# forwarded to the auth service untouched - the auth service must not trust
# these headers unless mTLS is actually configured here.
{{ if not (empty $ server . CertificateAuth . CAFileName ) }}
{{ if $ server . CertificateAuth . PassCertToUpstream }}
proxy_set_header ssl-client-cert $ ssl_client_escaped_cert ;
{{ end }}
proxy_set_header ssl-client-verify $ ssl_client_verify ;
2018-03-22 11:53:29 +00:00
proxy_set_header ssl-client-subject-dn $ ssl_client_s_dn ;
proxy_set_header ssl-client-issuer-dn $ ssl_client_i_dn ;
2018-03-19 12:30:36 +00:00
{{ end }}
2019-09-24 14:53:23 +00:00
{{- range $ line := buildAuthProxySetHeaders $ externalAuth . ProxySetHeaders }}
{{ $ line }}
{{- end }}
2018-11-27 16:12:17 +00:00
# auth-snippet: raw nginx directives from the Ingress annotation, injected
# verbatim into this location. Whoever may set that annotation controls this
# block; gate it with the controller's snippet-annotation settings.
{{ if not (empty $ externalAuth . AuthSnippet ) }}
{{ $ externalAuth . AuthSnippet }}
2018-10-29 21:34:44 +00:00
{{ end }}
2022-04-09 03:22:04 +00:00
{{ if and (eq $ applyAuthUpstream true) (eq $ applyGlobalAuth false) }}
{{ $ authUpstreamName := buildAuthUpstreamName $ location $ server . Hostname }}
# The target is an upstream with HTTP keepalive, that is why the
# Connection header is cleared and the HTTP version is set to 1.1 as
# the Nginx documentation suggests:
# http://nginx.org/en/docs/http/ngx_http_upstream_module.html #keepalive
proxy_http_version 1.1;
proxy_set_header Connection "";
set $ target {{ changeHostPort $ externalAuth . URL $ authUpstreamName }};
{{ else }}
proxy_http_version {{ $ location . Proxy . ProxyHTTPVersion }};
2018-11-27 16:12:17 +00:00
set $ target {{ $ externalAuth . URL }};
2022-04-09 03:22:04 +00:00
{{ end }}
2017-08-31 06:58:01 +00:00
# Variable target so the URL's hostname is resolved via the configured resolver.
proxy_pass $ target ;
2017-08-15 06:23:19 +00:00
}
{{ end }}
2017-10-15 20:20:33 +00:00
2020-06-08 15:18:53 +00:00
{{ if isLocationAllowed $ location }}
2019-12-25 01:50:25 +00:00
# Internal redirect target used by `error_page 401` in the real location when
# auth-signin is configured: unauthenticated requests are bounced to the
# sign-in URL. The Set-Cookie captured from the auth subrequest ($auth_cookie,
# filled by auth_request_set / the Lua capture further down) rides along so the
# auth service can set state before the redirect.
{{ if $ externalAuth . SigninURL }}
location {{ buildAuthSignURLLocation $ location . Path $ externalAuth . SigninURL }} {
internal;
2020-02-14 04:41:11 +00:00
add_header Set-Cookie $ auth_cookie ;
2023-01-19 14:58:36 +00:00
{{ if $ location . CorsConfig . CorsEnabled }}
{{ template "CORS" $ location }}
{{ end }}
2022-05-04 15:29:51 +00:00
# Ensure that modsecurity will not run on an internal location as this is not accessible from outside
{{ if $ all . Cfg . EnableModsecurity }}
modsecurity off;
{{ end }}
2020-08-18 09:03:38 +00:00
# buildAuthSignURL appends the original request (via SigninURLRedirectParam)
# as the post-login return target; the sign-in service should validate that
# parameter before following it.
return 302 {{ buildAuthSignURL $ externalAuth . SigninURL $ externalAuth . SigninURLRedirectParam }};
2019-12-25 01:50:25 +00:00
}
{{ end }}
2020-06-08 15:18:53 +00:00
{{ end }}
2019-12-25 01:50:25 +00:00
2017-10-06 01:55:10 +00:00
location {{ $ path }} {
2020-12-11 15:27:15 +00:00
{{ $ ing := (getIngressInformation $ location . Ingress $ server . Hostname $ location . IngressPath ) }}
2019-08-09 19:47:29 +00:00
set $ namespace {{ $ ing . Namespace | quote}};
set $ ingress_name {{ $ ing . Rule | quote }};
set $ service_name {{ $ ing . Service | quote }};
2019-08-31 15:24:01 +00:00
set $ service_port {{ $ ing . ServicePort | quote }};
2020-12-11 15:27:15 +00:00
set $ location_path {{ $ ing . Path | escapeLiteralDollar | quote }};
2018-05-09 21:50:55 +00:00
2023-03-22 18:58:22 +00:00
{{ buildOpentelemetryForLocation $ all . Cfg . EnableOpentelemetry $ all . Cfg . OpentelemetryTrustIncomingSpan $ location }}
2018-06-21 22:15:18 +00:00
2020-02-05 02:06:07 +00:00
{{ if $ location . Mirror . Source }}
mirror {{ $ location . Mirror . Source }};
2019-07-30 19:43:13 +00:00
mirror_request_body {{ $ location . Mirror . RequestBody }};
{{ end }}
2018-05-26 01:25:41 +00:00
rewrite_by_lua_block {
2019-09-24 03:40:47 +00:00
lua_ingress.rewrite({{ locationConfigForLua $ location $ all }})
2018-05-26 01:25:41 +00:00
balancer.rewrite()
}
2019-01-10 13:27:23 +00:00
2019-04-13 20:11:46 +00:00
# Be careful when combining `access_by_lua_block` with `satisfy any`: under `satisfy any`,
# an `access_by_lua_block` that never calls `ngx.exit(ngx.DECLINED)` counts as a successful
# access check on its own, which makes every other authentication method in this location
# (basic auth, external auth) useless - all requests will be allowed. Hence the commented-out block below.
2019-11-04 18:41:26 +00:00
#access _by_lua_block {
#}
2019-01-10 13:27:23 +00:00
2018-04-08 20:37:13 +00:00
header_filter_by_lua_block {
2019-12-12 18:49:13 +00:00
lua_ingress.header()
2018-04-08 20:37:13 +00:00
}
2018-10-09 22:36:10 +00:00
2018-04-08 20:37:13 +00:00
log_by_lua_block {
2018-05-26 01:25:41 +00:00
balancer.log()
2018-12-04 19:59:54 +00:00
{{ if $ all . EnableMetrics }}
2018-06-19 08:46:49 +00:00
monitor.call()
2018-12-04 19:59:54 +00:00
{{ end }}
2018-04-08 20:37:13 +00:00
}
2018-04-11 14:52:42 +00:00
2018-02-25 14:38:54 +00:00
{{ if not $ location . Logs . Access }}
access_log off;
{{ end }}
2018-04-27 12:28:57 +00:00
{{ if $ location . Logs . Rewrite }}
rewrite_log on;
{{ end }}
2018-10-12 19:48:10 +00:00
{{ if $ location . HTTP2PushPreload }}
http2_push_preload on;
{{ end }}
2018-01-02 17:48:42 +00:00
port_in_redirect {{ if $ location . UsePortInRedirects }}on{{ else }}off{{ end }};
2019-07-03 20:34:27 +00:00
set $ balancer_ewma_score -1;
2019-08-13 21:14:55 +00:00
set $ proxy_upstream_name {{ buildUpstreamName $ location | quote }};
set $ proxy_host $ proxy_upstream_name ;
set $ pass_access_scheme $ scheme ;
2020-01-29 15:20:05 +00:00
2020-01-24 12:50:35 +00:00
{{ if $ all . Cfg . UseProxyProtocol }}
set $ pass_server_port $ proxy_protocol_server_port ;
{{ else }}
2019-08-13 21:14:55 +00:00
set $ pass_server_port $ server_port ;
2020-01-24 12:50:35 +00:00
{{ end }}
2020-01-29 15:20:05 +00:00
2019-08-13 21:14:55 +00:00
set $ best_http_host $ http_host ;
set $ pass_port $ pass_server_port ;
2017-08-31 06:58:01 +00:00
2019-06-28 18:02:50 +00:00
set $ proxy_alternative_upstream_name "";
2020-02-04 17:04:11 +00:00
{{ buildModSecurityForLocation $ all . Cfg $ location }}
2017-10-08 14:52:02 +00:00
2017-08-31 06:58:01 +00:00
{{ if isLocationAllowed $ location }}
2023-01-08 22:43:28 +00:00
{{ if gt (len $ location . Denylist . CIDR ) 0 }}
{{ range $ ip := $ location . Denylist . CIDR }}
deny {{ $ ip }};{{ end }}
{{ end }}
2023-07-22 03:32:07 +00:00
{{ if gt (len $ location . Allowlist . CIDR ) 0 }}
{{ range $ ip := $ location . Allowlist . CIDR }}
2019-05-27 08:55:38 +00:00
allow {{ $ ip }};{{ end }}
deny all;
2017-08-31 06:58:01 +00:00
{{ end }}
2017-08-15 06:23:19 +00:00
2022-12-05 01:49:01 +00:00
{{ if $ location . CorsConfig . CorsEnabled }}
{{ template "CORS" $ location }}
{{ end }}
2018-04-02 00:02:34 +00:00
{{ if not (isLocationInLocationList $ location $ all . Cfg . NoAuthLocations ) }}
2018-01-28 00:32:08 +00:00
{{ if $ authPath }}
2017-08-31 06:58:01 +00:00
# this location requires authentication
2022-04-09 03:22:04 +00:00
{{ if and (eq $ applyAuthUpstream true) (eq $ applyGlobalAuth false) }}
set $ auth_cookie '';
add_header Set-Cookie $ auth_cookie ;
{{- range $ line := buildAuthResponseHeaders $ proxySetHeader $ externalAuth . ResponseHeaders true }}
{{ $ line }}
{{- end }}
# The `auth_request` module does not support HTTP keepalives to an upstream block
# (https://trac.nginx.org/nginx/ticket/1579), so the auth subrequest is issued from Lua
# instead. Note `share_all_vars` on the capture below (KeepaliveShareVars): when it is
# true the subrequest shares the parent request's variables and can overwrite them.
access_by_lua_block {
2023-08-07 13:16:32 +00:00
local res = ngx.location.capture('{{ $ authPath }}', { method = ngx.HTTP_GET, body = '', share_all_vars = {{ $ externalAuth . KeepaliveShareVars }} })
2022-04-09 03:22:04 +00:00
if res.status == ngx.HTTP_OK then
ngx.var.auth_cookie = res.header['Set-Cookie']
{{- range $ line := buildAuthUpstreamLuaHeaders $ externalAuth . ResponseHeaders }}
{{ $ line }}
{{- end }}
return
end
2022-10-12 22:41:04 +00:00
if res.status == ngx.HTTP_UNAUTHORIZED or res.status == ngx.HTTP_FORBIDDEN then
2022-04-09 03:22:04 +00:00
ngx.exit(res.status)
end
ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
}
{{ else }}
2017-10-04 13:59:14 +00:00
auth_request {{ $ authPath }};
auth_request_set $ auth_cookie $ upstream_http_set_cookie ;
2022-05-19 22:27:53 +00:00
{{ if $ externalAuth . AlwaysSetCookie }}
add_header Set-Cookie $ auth_cookie always;
{{ else }}
2017-10-04 13:59:14 +00:00
add_header Set-Cookie $ auth_cookie ;
2022-05-19 22:27:53 +00:00
{{ end }}
2022-04-09 03:22:04 +00:00
{{- range $ line := buildAuthResponseHeaders $ proxySetHeader $ externalAuth . ResponseHeaders false }}
2017-08-31 06:58:01 +00:00
{{ $ line }}
{{- end }}
{{ end }}
2022-04-09 03:22:04 +00:00
{{ end }}
2017-08-15 06:23:19 +00:00
2018-11-27 16:12:17 +00:00
{{ if $ externalAuth . SigninURL }}
2018-07-19 06:22:05 +00:00
set_escape_uri $ escaped_request_uri $ request_uri ;
2019-12-25 01:50:25 +00:00
error_page 401 = {{ buildAuthSignURLLocation $ location . Path $ externalAuth . SigninURL }};
2017-08-31 06:58:01 +00:00
{{ end }}
2017-08-15 06:23:19 +00:00
2017-08-31 06:58:01 +00:00
{{ if $ location . BasicDigestAuth . Secured }}
{{ if eq $ location . BasicDigestAuth . Type "basic" }}
2019-08-09 19:47:29 +00:00
auth_basic {{ $ location . BasicDigestAuth . Realm | quote }};
2017-08-31 06:58:01 +00:00
auth_basic_user_file {{ $ location . BasicDigestAuth . File }};
{{ else }}
2019-08-09 19:47:29 +00:00
auth_digest {{ $ location . BasicDigestAuth . Realm | quote }};
2017-08-31 06:58:01 +00:00
auth_digest_user_file {{ $ location . BasicDigestAuth . File }};
{{ end }}
2021-07-13 06:08:29 +00:00
{{ $ proxySetHeader }} Authorization "";
2017-08-31 06:58:01 +00:00
{{ end }}
2018-04-02 00:02:34 +00:00
{{ end }}
{{/* if the location contains a rate limit annotation, create one */}}
{{ $ limits := buildRateLimit $ location }}
{{ range $ limit := $ limits }}
{{ $ limit }}{{ end }}
2017-08-15 06:23:19 +00:00
2018-12-02 18:10:36 +00:00
{{ if isValidByteSize $ location . Proxy . BodySize true }}
2018-10-01 21:10:33 +00:00
client_max_body_size {{ $ location . Proxy . BodySize }};
2018-11-09 14:45:11 +00:00
{{ end }}
2018-12-02 18:10:36 +00:00
{{ if isValidByteSize $ location . ClientBodyBufferSize false }}
2017-08-31 06:58:01 +00:00
client_body_buffer_size {{ $ location . ClientBodyBufferSize }};
{{ end }}
2017-08-15 06:23:19 +00:00
2017-05-15 19:17:58 +00:00
{{/* By default use vhost as Host to upstream, but allow overrides */}}
{{ if not (empty $ location . UpstreamVhost ) }}
2019-08-09 19:47:29 +00:00
{{ $ proxySetHeader }} Host {{ $ location . UpstreamVhost | quote }};
2017-05-15 19:17:58 +00:00
{{ else }}
2018-05-17 12:35:11 +00:00
{{ $ proxySetHeader }} Host $ best_http_host ;
2017-05-15 19:17:58 +00:00
{{ end }}
2017-08-31 06:58:01 +00:00
# Pass the extracted client certificate to the backend
{{ if not (empty $ server . CertificateAuth . CAFileName ) }}
2017-11-18 00:28:45 +00:00
{{ if $ server . CertificateAuth . PassCertToUpstream }}
2018-05-17 12:35:11 +00:00
{{ $ proxySetHeader }} ssl-client-cert $ ssl_client_escaped_cert ;
2017-11-18 00:28:45 +00:00
{{ end }}
2018-05-17 12:35:11 +00:00
{{ $ proxySetHeader }} ssl-client-verify $ ssl_client_verify ;
{{ $ proxySetHeader }} ssl-client-subject-dn $ ssl_client_s_dn ;
{{ $ proxySetHeader }} ssl-client-issuer-dn $ ssl_client_i_dn ;
2017-08-31 06:58:01 +00:00
{{ end }}
2017-08-15 06:23:19 +00:00
2017-08-31 06:58:01 +00:00
# Allow websocket connections
2018-05-17 12:35:11 +00:00
{{ $ proxySetHeader }} Upgrade $ http_upgrade ;
{{ if $ location . Connection . Enabled }}
{{ $ proxySetHeader }} Connection {{ $ location . Connection . Header }};
{{ else }}
{{ $ proxySetHeader }} Connection $ connection_upgrade ;
{{ end }}
{{ $ proxySetHeader }} X-Request-ID $ req_id ;
{{ $ proxySetHeader }} X-Real-IP $ remote_addr ;
{{ if and $ all . Cfg . UseForwardedHeaders $ all . Cfg . ComputeFullForwardedFor }}
{{ $ proxySetHeader }} X-Forwarded-For $ full_x_forwarded_for ;
{{ else }}
{{ $ proxySetHeader }} X-Forwarded-For $ remote_addr ;
{{ end }}
{{ $ proxySetHeader }} X-Forwarded-Host $ best_http_host ;
{{ $ proxySetHeader }} X-Forwarded-Port $ pass_port ;
{{ $ proxySetHeader }} X-Forwarded-Proto $ pass_access_scheme ;
{{ $ proxySetHeader }} X-Forwarded-Scheme $ pass_access_scheme ;
{{ if $ all . Cfg . ProxyAddOriginalURIHeader }}
{{ $ proxySetHeader }} X-Original-URI $ request_uri ;
{{ end }}
{{ $ proxySetHeader }} X-Scheme $ pass_access_scheme ;
# Pass the original X-Forwarded-For
{{ $ proxySetHeader }} X-Original-Forwarded-For {{ buildForwardedFor $ all . Cfg . ForwardedForHeader }};
# mitigate the HTTPoxy vulnerability by clearing the Proxy request header before it reaches the backend
# https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
{{ $ proxySetHeader }} Proxy "";
# Custom headers to proxied server
{{ range $k, $v := $ all . ProxySetHeaders }}
{{ $ proxySetHeader }} {{ $k }} {{ $v | quote }};
{{ end }}
proxy_connect_timeout {{ $ location . Proxy . ConnectTimeout }}s;
proxy_send_timeout {{ $ location . Proxy . SendTimeout }}s;
proxy_read_timeout {{ $ location . Proxy . ReadTimeout }}s;
proxy_buffering {{ $ location . Proxy . ProxyBuffering }};
proxy_buffer_size {{ $ location . Proxy . BufferSize }};
proxy_buffers {{ $ location . Proxy . BuffersNumber }} {{ $ location . Proxy . BufferSize }};
{{ if isValidByteSize $ location . Proxy . ProxyMaxTempFileSize true }}
proxy_max_temp_file_size {{ $ location . Proxy . ProxyMaxTempFileSize }};
{{ end }}
proxy_request_buffering {{ $ location . Proxy . RequestBuffering }};
proxy_http_version {{ $ location . Proxy . ProxyHTTPVersion }};
proxy_cookie_domain {{ $ location . Proxy . CookieDomain }};
proxy_cookie_path {{ $ location . Proxy . CookiePath }};
# In case of errors try the next upstream server before returning an error
proxy_next_upstream {{ buildNextUpstream $ location . Proxy . NextUpstream $ all . Cfg . RetryNonIdempotent }};
proxy_next_upstream_timeout {{ $ location . Proxy . NextUpstreamTimeout }};
proxy_next_upstream_tries {{ $ location . Proxy . NextUpstreamTries }};
{{ if or (eq $ location . BackendProtocol "GRPC") (eq $ location . BackendProtocol "GRPCS") }}
# gRPC settings (same timeouts as the proxy_* directives above)
grpc_connect_timeout {{ $ location . Proxy . ConnectTimeout }}s;
grpc_send_timeout {{ $ location . Proxy . SendTimeout }}s;
grpc_read_timeout {{ $ location . Proxy . ReadTimeout }}s;
{{ end }}
{{/* Add any additional configuration defined */}}
{{ $ location . ConfigurationSnippet }}
{{ if not (empty $ all . Cfg . LocationSnippet ) }}
# Custom code snippet configured in the configuration configmap
{{ $ all . Cfg . LocationSnippet }}
{{ end }}
{{ if $ location . CustomHeaders }}
# Custom Response Headers
{{ range $k, $v := $ location . CustomHeaders . Headers }}
more_set_headers {{ printf "%s: %s" $k $v | escapeLiteralDollar | quote }};
{{ end }}
{{ end }}
{{/* if we are sending the request to a custom default backend, we add the required headers */}}
{{ if (hasPrefix $ location . Backend "custom-default-backend-") }}
proxy_set_header X-Code 503;
proxy_set_header X-Format $ http_accept ;
proxy_set_header X-Namespace $ namespace ;
proxy_set_header X-Ingress-Name $ ingress_name ;
proxy_set_header X-Service-Name $ service_name ;
proxy_set_header X-Service-Port $ service_port ;
proxy_set_header X-Request-ID $ req_id ;
{{ end }}
{{ if $ location . Satisfy }}
satisfy {{ $ location . Satisfy }};
{{ end }}
{{/* if a location-specific error override is set, enable proxy_intercept_errors here */}}
{{ if and $ location . CustomHTTPErrors (not $ location . DisableProxyInterceptErrors ) }}
# Custom error pages per ingress
proxy_intercept_errors on;
{{ end }}
{{ range $ errCode := $ location . CustomHTTPErrors }}
error_page {{ $ errCode }} = @custom_{{ $ location . DefaultBackendUpstreamName }}_{{ $ errCode }};{{ end }}
{{ if (eq $ location . BackendProtocol "FCGI") }}
include /etc/nginx/fastcgi_params;
{{ end }}
{{- if $ location . FastCGI . Index -}}
fastcgi_index {{ $ location . FastCGI . Index | quote }};
{{- end -}}
{{ range $k, $v := $ location . FastCGI . Params }}
fastcgi_param {{ $k }} {{ $v | quote }};
{{ end }}
{{ if not (empty $ location . Redirect . URL ) }}
return {{ $ location . Redirect . Code }} {{ $ location . Redirect . URL }};
{{ end }}
{{ buildProxyPass $ server . Hostname $ all . Backends $ location }}
{{ if (or (eq $ location . Proxy . ProxyRedirectFrom "default") (eq $ location . Proxy . ProxyRedirectFrom "off")) }}
proxy_redirect {{ $ location . Proxy . ProxyRedirectFrom }};
{{ else if not (eq $ location . Proxy . ProxyRedirectTo "off") }}
proxy_redirect {{ $ location . Proxy . ProxyRedirectFrom }} {{ $ location . Proxy . ProxyRedirectTo }};
{{ end }}
{{ else }}
# Location denied. Reason: {{ $ location . Denied | quote }}
return 503;
{{ end }}
{{ if not (empty $ location . ProxySSL . CAFileName ) }}
# PEM sha: {{ $ location . ProxySSL . CASHA }}
proxy_ssl_trusted_certificate {{ $ location . ProxySSL . CAFileName }};
proxy_ssl_ciphers {{ $ location . ProxySSL . Ciphers }};
proxy_ssl_protocols {{ $ location . ProxySSL . Protocols }};
proxy_ssl_verify {{ $ location . ProxySSL . Verify }};
proxy_ssl_verify_depth {{ $ location . ProxySSL . VerifyDepth }};
{{ end }}
{{ if not (empty $ location . ProxySSL . ProxySSLName ) }}
proxy_ssl_name {{ $ location . ProxySSL . ProxySSLName }};
{{ end }}
{{ if not (empty $ location . ProxySSL . ProxySSLServerName ) }}
proxy_ssl_server_name {{ $ location . ProxySSL . ProxySSLServerName }};
{{ end }}
{{ if not (empty $ location . ProxySSL . PemFileName ) }}
proxy_ssl_certificate {{ $ location . ProxySSL . PemFileName }};
proxy_ssl_certificate_key {{ $ location . ProxySSL . PemFileName }};
{{ end }}
}
{{ end }}
{{ end }}
{{ if eq $ server . Hostname "_" }}
# health checks in cloud providers require the use of port {{ $ all . ListenPorts . HTTP }}
location {{ $ all . HealthzURI }} {
{{ if $ all . Cfg . EnableOpentelemetry }}
opentelemetry off;
{{ end }}
access_log off;
return 200;
}
# this is required to avoid errors if nginx is being monitored
# by external software (like sysdig); access is restricted to the allowed ranges below and denied to everyone else
location /nginx_status {
{{ if $ all . Cfg . EnableOpentelemetry }}
opentelemetry off;
{{ end }}
{{ range $v := $ all . NginxStatusIpv4Whitelist }}
allow {{ $v }};
{{ end }}
{{ if $ all . IsIPV6Enabled -}}
{{ range $v := $ all . NginxStatusIpv6Whitelist }}
allow {{ $v }};
{{ end }}
{{ end -}}
deny all;
access_log off;
stub_status on;
}
{{ end }}
{{ end }}