ingress-nginx-helm/controllers/nginx-third-party/nginx.tmpl


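{{ $cfg := .cfg }}
# nginx.conf template for the ingress controller. Everything inside {{ ... }}
# is filled in at render time from the controller's config ($cfg, the same
# object as $.cfg / .cfg at the top level), the resolver and DH-param values,
# and the upstream / server / tcp lists.
daemon off;
worker_processes {{ $cfg.WorkerProcesses }};
pid /run/nginx.pid;
# Hard-coded descriptor limit; not derived from $cfg.
worker_rlimit_nofile 131072;

events {
    worker_connections {{ $cfg.MaxWorkerConnections }};
}

http {
    #vhost_traffic_status_zone shared:vhost_traffic_status:10m;

    # Lua section to return proper error codes when custom pages are used.
    # NOTE(review): the search path starts with the relative entry `.?.lua`,
    # which resolves against the nginx working directory — confirm that is intended.
    lua_package_path '.?.lua;./etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/lua-resty-http/lib/?.lua;';
    init_by_lua_block {
        -- presumably the module that defines openURL(), called from the
        -- content_by_lua_block handlers below — verify against error_page.lua
        require("error_page")
    }

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout {{ $cfg.KeepAlive }}s;
    types_hash_max_size 2048;
    server_names_hash_max_size {{ $cfg.ServerNameHashMaxSize }};
    server_names_hash_bucket_size {{ $cfg.ServerNameHashBucketSize }};

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    {{ if $cfg.UseGzip }}
    # Response compression. These settings also apply to the TLS servers
    # below; compressing a response that reflects attacker-controlled input
    # next to a secret exposes that secret to BREACH-style length leaks, so
    # GzipTypes should stay limited to content types where that cannot happen.
    gzip on;
    gzip_comp_level 5;
    gzip_http_version 1.1;
    gzip_min_length 256;
    gzip_types {{ $.cfg.GzipTypes }};
    gzip_proxied any;
    gzip_vary on;
    {{ end }}

    client_max_body_size "{{ $cfg.BodySize }}";

    {{ if $cfg.UseProxyProtocol }}
    # The address carried in the PROXY header replaces $remote_addr only for
    # connections arriving from ProxyRealIpCidr; from anywhere else it is ignored.
    set_real_ip_from {{ $cfg.ProxyRealIpCidr }};
    real_ip_header proxy_protocol;
    {{ end }}

    # Access-log format. $proxy_add_x_forwarded_for is the client-supplied
    # X-Forwarded-For with $remote_addr appended, so only its last element is
    # trustworthy when the log is analysed; the rest is whatever the client sent.
    log_format upstreaminfo '{{ if $cfg.UseProxyProtocol }}$proxy_protocol_addr{{ else }}$remote_addr{{ end }} - '
        '[$proxy_add_x_forwarded_for] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" '
        '$request_length $request_time $upstream_addr $upstream_response_length $upstream_response_time $upstream_status';

    access_log /var/log/nginx/access.log upstreaminfo;
    error_log /var/log/nginx/error.log {{ $cfg.ErrorLogLevel }};

    {{ if not (empty .defResolver) }}# Custom dns resolver.
    resolver {{ .defResolver }} valid=30s;
    {{ end }}

    # Connection header value for proxied WebSocket upgrades (used by the
    # proxy_set_header Upgrade/Connection pair further down).
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    # trust http_x_forwarded_proto headers correctly indicate ssl offloading
    # NOTE(review): $http_x_forwarded_proto is whatever arrived in the request.
    # It is only meaningful if every path to this nginx goes through a proxy
    # that sets or strips the header; a client that reaches nginx directly can
    # choose $access_scheme, and through it the $sts value below.
    map $http_x_forwarded_proto $access_scheme {
        default $http_x_forwarded_proto;
        '' $scheme;
    }

    # HSTS header value for https responses (presumably emitted with add_header
    # elsewhere — no add_header appears in this file). `preload` is unconditional;
    # a preload-list submission is hard to undo, so HtsMaxAge should be a value
    # the operator is prepared to keep.
    map $access_scheme $sts {
        'https' 'max-age={{ $cfg.HtsMaxAge }}{{ if $cfg.HtsIncludeSubdomains }}; includeSubDomains{{ end }}; preload';
    }

    # Pick the custom error-page format from the request's Accept header.
    # map compares the whole header string exactly, so a multi-valued Accept
    # such as "application/json, text/plain" falls through to html.
    map $http_accept $httpAccept {
        default html;
        application/json json;
        application/xml xml;
        text/plain text;
    }

    map $httpAccept $httpReturnType {
        default text/html;
        json application/json;
        xml application/xml;
        text text/plain;
    }

    server_name_in_redirect off;
    port_in_redirect off;

    ssl_protocols {{ $cfg.SSLProtocols }};

    # turn on session caching to drastically improve performance
    # NOTE(review): nginx documents the builtin cache as prone to memory
    # fragmentation and recommends using the shared cache alone; the shared
    # part is what lets workers resume each other's sessions.
    {{ if $cfg.SSLSessionCache }}
    ssl_session_cache builtin:1000 shared:SSL:{{ $cfg.SSLSessionCacheSize }};
    ssl_session_timeout {{ $cfg.SSLSessionTimeout }};
    {{ end }}

    # allow configuring ssl session tickets
    # No ssl_session_ticket_key appears in this file, so with tickets on the
    # key is the one nginx generates at startup: tickets issued by this process
    # stay decryptable with it until restart, and separate replicas cannot
    # resume each other's sessions.
    ssl_session_tickets {{ if $cfg.SSLSessionTickets }}on{{ else }}off{{ end }};

    # slightly reduce the time-to-first-byte
    ssl_buffer_size {{ $cfg.SSLBufferSize }};

    {{ if not (empty $cfg.SSLCiphers) }}
    # allow configuring custom ssl ciphers. With SSLCiphers empty neither
    # directive is emitted and nginx's defaults apply, including its default
    # of letting the client's cipher preference win.
    ssl_ciphers '{{ $cfg.SSLCiphers }}';
    ssl_prefer_server_ciphers on;
    {{ end }}

    {{ if not (empty .sslDHParam) }}
    # allow custom DH file http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
    ssl_dhparam {{ .sslDHParam }};
    {{ end }}

    # Custom error pages: upstream responses with these status codes are
    # replaced by the CUSTOM_ERRORS named locations, so the upstream's own
    # error body is never forwarded. 500 is not listed and passes through as-is.
    proxy_intercept_errors on;
    error_page 403 @custom_403;
    error_page 404 @custom_404;
    error_page 405 @custom_405;
    error_page 408 @custom_408;
    error_page 413 @custom_413;
    error_page 501 @custom_501;
    error_page 502 @custom_502;
    error_page 503 @custom_503;
    error_page 504 @custom_504;

    # Reverse Proxy configuration
    # The proxy_set_header set below is inherited by every location that does
    # not declare a proxy_set_header of its own; nginx replaces the whole set,
    # not individual headers, as soon as a location declares one.
    # pass original Host header
    proxy_set_header Host $host;
    # Pass Real IP
    proxy_set_header X-Real-IP $remote_addr;
    # Appends $remote_addr to the client-supplied list; the upstream should
    # treat only the rightmost entry as verified.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    # Passed through from the request unchanged, i.e. client-controlled.
    proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
    # $scheme is what nginx itself served, not the $access_scheme map above.
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_connect_timeout {{ .cfg.ProxyConnectTimeout }}s;
    proxy_send_timeout {{ .cfg.ProxySendTimeout }}s;
    proxy_read_timeout {{ .cfg.ProxyReadTimeout }}s;

    proxy_buffering off;

    # HTTP/1.1 towards the upstream is required for the WebSocket upgrade below.
    proxy_http_version 1.1;

    # Allow websocket connections
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    # In case of errors try the next upstream server before returning an error.
    # NOTE(review): a retry on http_5xx resends a request the first upstream may
    # already have acted on; whether non-idempotent methods are exempt depends
    # on the nginx version in the image — confirm.
    proxy_next_upstream error timeout http_501 http_502 http_503 http_504;

    # Catch-all on port 80 for Host names that match no server below; it
    # answers 200 with an empty body rather than an error.
    server {
        listen 80 default_server{{ if $cfg.UseProxyProtocol }} proxy_protocol{{ end }};
        location / {
            return 200;
        }
        {{ template "CUSTOM_ERRORS" $cfg }}
    }

    {{range $name, $upstream := .upstreams}}
    upstream {{$upstream.Name}} {
        least_conn;
        {{range $server := $upstream.Backends}}server {{$server.Address}}:{{$server.Port}};
        {{end}}
    }
    {{end}}

    {{ range $server := .servers }}
    server {
        listen 80;
        {{ if $server.SSL }}listen 443 ssl http2;
        ssl_certificate {{ $server.SSLCertificate }};
        ssl_certificate_key {{ $server.SSLCertificateKey }};{{ end }}
        server_name {{ $server.Name }};

        {{ if $server.SSL }}
        # Plain-http requests for a TLS-enabled host are redirected; `return`
        # inside `if` is one of the forms nginx documents as safe.
        if ($scheme = http) {
            return 301 https://$host$request_uri;
        }
        {{ end }}

        {{ range $location := $server.Locations }}
        location {{ $location.Path }} {
            # Deliberately no proxy_set_header here: a location-level
            # proxy_set_header (the previous `Host $host` line) replaced the
            # entire inherited set, so X-Real-IP, X-Forwarded-* and the
            # Upgrade/Connection pair never reached the upstream. Host $host is
            # already inherited from the http block.
            proxy_pass http://{{ $location.Upstream.Name }};
        }
        {{ end }}
        {{ template "CUSTOM_ERRORS" $cfg }}
    }
    {{ end }}

    # default server, including healthcheck
    server {
        listen 8080 default_server{{ if $cfg.UseProxyProtocol }} proxy_protocol{{ end }} reuseport;
        #vhost_traffic_status_filter_by_host on;

        location /healthz {
            access_log off;
            return 200;
        }

        # Forwarded to a local healthz endpoint on 10249 — presumably a
        # co-located component; confirm what listens there.
        location /health-check {
            access_log off;
            proxy_pass http://127.0.0.1:10249/healthz;
        }

        # NOTE(review): stub_status has no allow/deny here, so connection and
        # request counters are readable by anyone who can reach port 8080 —
        # confirm this port is not exposed beyond the cluster.
        location /nginx-status {
            #vhost_traffic_status_display;
            #vhost_traffic_status_display_format html;
            stub_status on;
        }

        # upstream-default-backend is not defined in this file; it is expected
        # to be one of the rendered .upstreams above.
        location / {
            proxy_pass http://upstream-default-backend;
        }
        {{ template "CUSTOM_ERRORS" $cfg }}
    }

    # default server for services without endpoints
    server {
        listen 8081;
        location / {
            content_by_lua_block {
                openURL(503)
            }
        }
    }
}

# TCP services
stream {
    {{ range $name, $upstream := .tcpUpstreams }}
    upstream tcp-{{ $upstream.Name }} {
        least_conn;
        {{ range $server := $upstream.Backends }}server {{ $server.Address }}:{{ $server.Port }};
        {{ end }}
    }
    {{ end }}

    {{ range $tcpSvc := .tcpServices }}
    # Inside this range `.` is $tcpSvc, hence $cfg rather than .cfg.
    server {
        listen {{ $tcpSvc.ExposedPort }};
        proxy_connect_timeout {{ $cfg.ProxyConnectTimeout }}s;
        proxy_timeout {{ $cfg.ProxyReadTimeout }}s;
        proxy_pass {{ $tcpSvc.Namespace }}-{{ $tcpSvc.ServiceName }}:{{ $tcpSvc.ServicePort }};
    }
    {{ end }}
}

{{/* definition of templates to avoid repetitions */}}
{{ define "CUSTOM_ERRORS" }}
    # One named location per intercepted status code; each hands the code to
    # openURL() from the Lua error_page module required at init.
    location @custom_403 {
        content_by_lua_block {
            openURL(403)
        }
    }
    location @custom_404 {
        content_by_lua_block {
            openURL(404)
        }
    }
    location @custom_405 {
        content_by_lua_block {
            openURL(405)
        }
    }
    location @custom_408 {
        content_by_lua_block {
            openURL(408)
        }
    }
    location @custom_413 {
        content_by_lua_block {
            openURL(413)
        }
    }
    location @custom_501 {
        content_by_lua_block {
            openURL(501)
        }
    }
    location @custom_502 {
        content_by_lua_block {
            openURL(502)
        }
    }
    location @custom_503 {
        content_by_lua_block {
            openURL(503)
        }
    }
    location @custom_504 {
        content_by_lua_block {
            openURL(504)
        }
    }
{{ end }}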