2016-11-10 22:56:29 +00:00
|
|
|
/*
|
|
|
|
|
Copyright 2015 The Kubernetes Authors.
|
|
|
|
|
|
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
|
You may obtain a copy of the License at
|
|
|
|
|
|
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
|
limitations under the License.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
package template
|
|
|
|
|
|
|
|
|
|
import (
|
2017-08-25 02:24:32 +00:00
|
|
|
"fmt"
|
|
|
|
|
"net"
|
2021-08-12 18:13:50 +00:00
|
|
|
"regexp"
|
2016-11-10 22:56:29 +00:00
|
|
|
"strconv"
|
|
|
|
|
"strings"
|
2018-06-04 01:10:41 +00:00
|
|
|
"time"
|
2016-11-10 22:56:29 +00:00
|
|
|
|
2020-08-08 23:31:02 +00:00
|
|
|
"k8s.io/klog/v2"
|
2017-09-17 18:42:31 +00:00
|
|
|
|
2023-02-22 15:27:57 +00:00
|
|
|
"github.com/mitchellh/hashstructure/v2"
|
2016-11-10 22:56:29 +00:00
|
|
|
"github.com/mitchellh/mapstructure"
|
|
|
|
|
|
2018-01-19 18:44:31 +00:00
|
|
|
"k8s.io/apimachinery/pkg/util/sets"
|
2018-11-27 16:12:17 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/authreq"
|
2024-04-09 10:25:22 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/customheaders"
|
2020-02-05 02:06:07 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
|
2017-11-07 22:02:12 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/controller/config"
|
|
|
|
|
ing_net "k8s.io/ingress-nginx/internal/net"
|
2022-07-20 18:53:44 +00:00
|
|
|
"k8s.io/ingress-nginx/pkg/util/runtime"
|
2016-11-10 22:56:29 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
const (
|
2020-08-18 09:03:38 +00:00
|
|
|
customHTTPErrors = "custom-http-errors"
|
|
|
|
|
skipAccessLogUrls = "skip-access-log-urls"
|
|
|
|
|
whitelistSourceRange = "whitelist-source-range"
|
2023-01-08 22:43:28 +00:00
|
|
|
denylistSourceRange = "denylist-source-range"
|
2020-08-18 09:03:38 +00:00
|
|
|
proxyRealIPCIDR = "proxy-real-ip-cidr"
|
|
|
|
|
bindAddress = "bind-address"
|
|
|
|
|
httpRedirectCode = "http-redirect-code"
|
|
|
|
|
blockCIDRs = "block-cidrs"
|
|
|
|
|
blockUserAgents = "block-user-agents"
|
|
|
|
|
blockReferers = "block-referers"
|
|
|
|
|
proxyStreamResponses = "proxy-stream-responses"
|
|
|
|
|
hideHeaders = "hide-headers"
|
|
|
|
|
nginxStatusIpv4Whitelist = "nginx-status-ipv4-whitelist"
|
|
|
|
|
nginxStatusIpv6Whitelist = "nginx-status-ipv6-whitelist"
|
|
|
|
|
proxyHeaderTimeout = "proxy-protocol-header-timeout"
|
|
|
|
|
workerProcesses = "worker-processes"
|
2024-04-09 10:25:22 +00:00
|
|
|
globalAllowedResponseHeaders = "global-allowed-response-headers"
|
2020-08-18 09:03:38 +00:00
|
|
|
globalAuthURL = "global-auth-url"
|
|
|
|
|
globalAuthMethod = "global-auth-method"
|
|
|
|
|
globalAuthSignin = "global-auth-signin"
|
|
|
|
|
globalAuthSigninRedirectParam = "global-auth-signin-redirect-param"
|
|
|
|
|
globalAuthResponseHeaders = "global-auth-response-headers"
|
|
|
|
|
globalAuthRequestRedirect = "global-auth-request-redirect"
|
|
|
|
|
globalAuthSnippet = "global-auth-snippet"
|
|
|
|
|
globalAuthCacheKey = "global-auth-cache-key"
|
|
|
|
|
globalAuthCacheDuration = "global-auth-cache-duration"
|
2022-05-19 22:27:53 +00:00
|
|
|
globalAuthAlwaysSetCookie = "global-auth-always-set-cookie"
|
2020-08-18 09:03:38 +00:00
|
|
|
luaSharedDictsKey = "lua-shared-dicts"
|
2022-06-10 11:01:46 +00:00
|
|
|
debugConnections = "debug-connections"
|
2024-05-14 21:45:25 +00:00
|
|
|
workerSerialReloads = "enable-serial-reloads"
|
2017-11-30 14:59:39 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
var (
|
2019-08-14 23:23:20 +00:00
|
|
|
validRedirectCodes = sets.NewInt([]int{301, 302, 307, 308}...)
|
2021-08-12 18:13:50 +00:00
|
|
|
dictSizeRegex = regexp.MustCompile(`^(\d+)([kKmM])?$`)
|
2019-08-14 23:23:20 +00:00
|
|
|
defaultLuaSharedDicts = map[string]int{
|
2021-08-12 18:13:50 +00:00
|
|
|
"configuration_data": 20480,
|
|
|
|
|
"certificate_data": 20480,
|
|
|
|
|
"balancer_ewma": 10240,
|
|
|
|
|
"balancer_ewma_last_touched_at": 10240,
|
|
|
|
|
"balancer_ewma_locks": 1024,
|
|
|
|
|
"certificate_servers": 5120,
|
|
|
|
|
"ocsp_response_cache": 5120, // keep this same as certificate_servers
|
|
|
|
|
"global_throttle_cache": 10240,
|
2019-08-14 23:23:20 +00:00
|
|
|
}
|
2020-08-18 09:03:38 +00:00
|
|
|
defaultGlobalAuthRedirectParam = "rd"
|
2019-08-14 23:23:20 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
const (
|
2021-08-12 18:13:50 +00:00
|
|
|
maxAllowedLuaDictSize = 204800
|
2019-08-14 23:23:20 +00:00
|
|
|
maxNumberOfLuaDicts = 100
|
2016-11-10 22:56:29 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// ReadConfig obtains the configuration defined by the user merged with the defaults.
|
2023-08-31 07:36:48 +00:00
|
|
|
//
|
|
|
|
|
//nolint:gocyclo // Ignore function complexity error
|
2017-01-20 22:37:59 +00:00
|
|
|
func ReadConfig(src map[string]string) config.Configuration {
|
|
|
|
|
conf := map[string]string{}
|
2017-11-05 01:18:28 +00:00
|
|
|
// we need to copy the configmap data because the content is altered
|
|
|
|
|
for k, v := range src {
|
|
|
|
|
conf[k] = v
|
2017-01-20 22:37:59 +00:00
|
|
|
}
|
|
|
|
|
|
2018-03-28 12:27:34 +00:00
|
|
|
to := config.NewDefault()
|
2016-11-16 18:24:26 +00:00
|
|
|
errors := make([]int, 0)
|
|
|
|
|
skipUrls := make([]string, 0)
|
2023-01-08 22:43:28 +00:00
|
|
|
denyList := make([]string, 0)
|
2018-03-16 16:32:45 +00:00
|
|
|
whiteList := make([]string, 0)
|
|
|
|
|
proxyList := make([]string, 0)
|
|
|
|
|
hideHeadersList := make([]string, 0)
|
2018-01-18 18:37:22 +00:00
|
|
|
|
2017-08-25 02:24:32 +00:00
|
|
|
bindAddressIpv4List := make([]string, 0)
|
|
|
|
|
bindAddressIpv6List := make([]string, 0)
|
2016-11-10 22:56:29 +00:00
|
|
|
|
2018-08-27 13:50:04 +00:00
|
|
|
blockCIDRList := make([]string, 0)
|
|
|
|
|
blockUserAgentList := make([]string, 0)
|
|
|
|
|
blockRefererList := make([]string, 0)
|
2018-11-27 16:12:17 +00:00
|
|
|
responseHeaders := make([]string, 0)
|
2024-04-09 10:25:22 +00:00
|
|
|
allowedResponseHeaders := make([]string, 0)
|
2019-08-14 23:23:20 +00:00
|
|
|
luaSharedDicts := make(map[string]int)
|
2022-06-10 11:01:46 +00:00
|
|
|
debugConnectionsList := make([]string, 0)
|
2019-08-06 11:21:59 +00:00
|
|
|
|
2023-08-31 07:36:48 +00:00
|
|
|
// parse lua shared dict values
|
2019-08-14 23:23:20 +00:00
|
|
|
if val, ok := conf[luaSharedDictsKey]; ok {
|
|
|
|
|
delete(conf, luaSharedDictsKey)
|
2020-04-13 21:02:31 +00:00
|
|
|
lsd := splitAndTrimSpace(val, ",")
|
2019-08-06 11:21:59 +00:00
|
|
|
for _, v := range lsd {
|
2023-08-31 07:36:48 +00:00
|
|
|
v = strings.ReplaceAll(v, " ", "")
|
2019-08-06 11:21:59 +00:00
|
|
|
results := strings.SplitN(v, ":", 2)
|
2019-08-14 23:23:20 +00:00
|
|
|
dictName := results[0]
|
2021-08-12 18:13:50 +00:00
|
|
|
size := dictStrToKb(results[1])
|
|
|
|
|
if size < 0 {
|
|
|
|
|
klog.Errorf("Ignoring poorly formatted value %v for Lua dictionary %v", results[1], dictName)
|
2019-08-14 23:23:20 +00:00
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
if size > maxAllowedLuaDictSize {
|
2021-08-12 18:13:50 +00:00
|
|
|
klog.Errorf("Ignoring %v for Lua dictionary %v: maximum size is %vk.", results[1], dictName, maxAllowedLuaDictSize)
|
2019-08-14 23:23:20 +00:00
|
|
|
continue
|
2019-08-06 11:21:59 +00:00
|
|
|
}
|
2019-08-14 23:23:20 +00:00
|
|
|
if len(luaSharedDicts)+1 > maxNumberOfLuaDicts {
|
|
|
|
|
klog.Errorf("Ignoring %v for Lua dictionary %v: can not configure more than %v dictionaries.",
|
2021-08-12 18:13:50 +00:00
|
|
|
results[1], dictName, maxNumberOfLuaDicts)
|
2019-08-14 23:23:20 +00:00
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
luaSharedDicts[dictName] = size
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
// set default Lua shared dicts
|
|
|
|
|
for k, v := range defaultLuaSharedDicts {
|
|
|
|
|
if _, ok := luaSharedDicts[k]; !ok {
|
|
|
|
|
luaSharedDicts[k] = v
|
2019-08-06 11:21:59 +00:00
|
|
|
}
|
|
|
|
|
}
|
2020-04-13 21:02:31 +00:00
|
|
|
|
2017-01-20 22:37:59 +00:00
|
|
|
if val, ok := conf[customHTTPErrors]; ok {
|
|
|
|
|
delete(conf, customHTTPErrors)
|
2020-04-13 21:02:31 +00:00
|
|
|
for _, i := range splitAndTrimSpace(val, ",") {
|
2016-11-10 22:56:29 +00:00
|
|
|
j, err := strconv.Atoi(i)
|
|
|
|
|
if err != nil {
|
2018-12-05 16:27:55 +00:00
|
|
|
klog.Warningf("%v is not a valid http code: %v", i, err)
|
2016-11-10 22:56:29 +00:00
|
|
|
} else {
|
|
|
|
|
errors = append(errors, j)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2020-04-13 21:02:31 +00:00
|
|
|
|
2018-01-18 18:37:22 +00:00
|
|
|
if val, ok := conf[hideHeaders]; ok {
|
|
|
|
|
delete(conf, hideHeaders)
|
2020-04-13 21:02:31 +00:00
|
|
|
hideHeadersList = splitAndTrimSpace(val, ",")
|
2018-01-18 18:37:22 +00:00
|
|
|
}
|
2020-04-13 21:02:31 +00:00
|
|
|
|
2017-01-20 22:37:59 +00:00
|
|
|
if val, ok := conf[skipAccessLogUrls]; ok {
|
|
|
|
|
delete(conf, skipAccessLogUrls)
|
2020-04-13 21:02:31 +00:00
|
|
|
skipUrls = splitAndTrimSpace(val, ",")
|
2016-11-10 22:56:29 +00:00
|
|
|
}
|
2020-04-13 21:02:31 +00:00
|
|
|
|
2023-01-08 22:43:28 +00:00
|
|
|
if val, ok := conf[denylistSourceRange]; ok {
|
|
|
|
|
delete(conf, denylistSourceRange)
|
|
|
|
|
denyList = append(denyList, splitAndTrimSpace(val, ",")...)
|
|
|
|
|
}
|
|
|
|
|
|
2017-01-20 22:37:59 +00:00
|
|
|
if val, ok := conf[whitelistSourceRange]; ok {
|
|
|
|
|
delete(conf, whitelistSourceRange)
|
2020-04-13 21:02:31 +00:00
|
|
|
whiteList = append(whiteList, splitAndTrimSpace(val, ",")...)
|
2016-11-10 22:56:29 +00:00
|
|
|
}
|
2020-04-13 21:02:31 +00:00
|
|
|
|
2017-06-28 14:53:08 +00:00
|
|
|
if val, ok := conf[proxyRealIPCIDR]; ok {
|
|
|
|
|
delete(conf, proxyRealIPCIDR)
|
2020-04-13 21:02:31 +00:00
|
|
|
proxyList = append(proxyList, splitAndTrimSpace(val, ",")...)
|
2017-06-28 14:53:08 +00:00
|
|
|
} else {
|
2018-03-16 16:32:45 +00:00
|
|
|
proxyList = append(proxyList, "0.0.0.0/0")
|
2017-07-06 20:17:46 +00:00
|
|
|
}
|
2020-04-13 21:02:31 +00:00
|
|
|
|
2017-08-25 02:24:32 +00:00
|
|
|
if val, ok := conf[bindAddress]; ok {
|
|
|
|
|
delete(conf, bindAddress)
|
2020-04-13 21:02:31 +00:00
|
|
|
for _, i := range splitAndTrimSpace(val, ",") {
|
2017-08-25 02:24:32 +00:00
|
|
|
ns := net.ParseIP(i)
|
|
|
|
|
if ns != nil {
|
|
|
|
|
if ing_net.IsIPV6(ns) {
|
|
|
|
|
bindAddressIpv6List = append(bindAddressIpv6List, fmt.Sprintf("[%v]", ns))
|
|
|
|
|
} else {
|
2023-08-31 07:36:48 +00:00
|
|
|
bindAddressIpv4List = append(bindAddressIpv4List, ns.String())
|
2017-08-25 02:24:32 +00:00
|
|
|
}
|
|
|
|
|
} else {
|
2018-12-05 16:27:55 +00:00
|
|
|
klog.Warningf("%v is not a valid textual representation of an IP address", i)
|
2017-08-25 02:24:32 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2016-11-10 22:56:29 +00:00
|
|
|
|
2018-08-27 13:50:04 +00:00
|
|
|
if val, ok := conf[blockCIDRs]; ok {
|
|
|
|
|
delete(conf, blockCIDRs)
|
2020-04-13 21:02:31 +00:00
|
|
|
blockCIDRList = splitAndTrimSpace(val, ",")
|
2018-08-27 13:50:04 +00:00
|
|
|
}
|
2020-04-13 21:02:31 +00:00
|
|
|
|
2018-08-27 13:50:04 +00:00
|
|
|
if val, ok := conf[blockUserAgents]; ok {
|
|
|
|
|
delete(conf, blockUserAgents)
|
2020-04-13 21:02:31 +00:00
|
|
|
blockUserAgentList = splitAndTrimSpace(val, ",")
|
2018-08-27 13:50:04 +00:00
|
|
|
}
|
2020-04-13 21:02:31 +00:00
|
|
|
|
2018-08-27 13:50:04 +00:00
|
|
|
if val, ok := conf[blockReferers]; ok {
|
|
|
|
|
delete(conf, blockReferers)
|
2020-04-13 21:02:31 +00:00
|
|
|
blockRefererList = splitAndTrimSpace(val, ",")
|
2018-08-27 13:50:04 +00:00
|
|
|
}
|
|
|
|
|
|
2017-11-30 14:59:39 +00:00
|
|
|
if val, ok := conf[httpRedirectCode]; ok {
|
|
|
|
|
delete(conf, httpRedirectCode)
|
|
|
|
|
j, err := strconv.Atoi(val)
|
|
|
|
|
if err != nil {
|
2018-12-05 16:27:55 +00:00
|
|
|
klog.Warningf("%v is not a valid HTTP code: %v", val, err)
|
2017-11-30 14:59:39 +00:00
|
|
|
} else {
|
2018-01-19 18:44:31 +00:00
|
|
|
if validRedirectCodes.Has(j) {
|
2018-03-28 12:27:34 +00:00
|
|
|
to.HTTPRedirectCode = j
|
2017-11-30 14:59:39 +00:00
|
|
|
} else {
|
2018-12-05 16:27:55 +00:00
|
|
|
klog.Warningf("The code %v is not a valid as HTTP redirect code. Using the default.", val)
|
2017-11-30 14:59:39 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-27 16:12:17 +00:00
|
|
|
// Verify that the configured global external authorization URL is parsable as URL. if not, set the default value
|
|
|
|
|
if val, ok := conf[globalAuthURL]; ok {
|
|
|
|
|
delete(conf, globalAuthURL)
|
|
|
|
|
|
2020-02-05 02:06:07 +00:00
|
|
|
authURL, message := parser.StringToURL(val)
|
2018-11-27 16:12:17 +00:00
|
|
|
if authURL == nil {
|
|
|
|
|
klog.Warningf("Global auth location denied - %v.", message)
|
|
|
|
|
} else {
|
|
|
|
|
to.GlobalExternalAuth.URL = val
|
|
|
|
|
to.GlobalExternalAuth.Host = authURL.Hostname()
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2024-04-09 10:25:22 +00:00
|
|
|
// Verify that the configured global external authorization response headers are valid. if not, set the default value
|
|
|
|
|
if val, ok := conf[globalAllowedResponseHeaders]; ok {
|
|
|
|
|
delete(conf, globalAllowedResponseHeaders)
|
|
|
|
|
|
|
|
|
|
if val != "" {
|
|
|
|
|
harr := splitAndTrimSpace(val, ",")
|
|
|
|
|
for _, header := range harr {
|
|
|
|
|
if !customheaders.ValidHeader(header) {
|
|
|
|
|
klog.Warningf("Global allowed response headers denied - %s.", header)
|
|
|
|
|
} else {
|
|
|
|
|
allowedResponseHeaders = append(allowedResponseHeaders, header)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-27 16:12:17 +00:00
|
|
|
// Verify that the configured global external authorization method is a valid HTTP method. if not, set the default value
|
|
|
|
|
if val, ok := conf[globalAuthMethod]; ok {
|
|
|
|
|
delete(conf, globalAuthMethod)
|
|
|
|
|
|
2023-08-31 07:36:48 +00:00
|
|
|
if val != "" && !authreq.ValidMethod(val) {
|
2018-11-27 16:12:17 +00:00
|
|
|
klog.Warningf("Global auth location denied - %v.", "invalid HTTP method")
|
|
|
|
|
} else {
|
|
|
|
|
to.GlobalExternalAuth.Method = val
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Verify that the configured global external authorization error page is set and valid. if not, set the default value
|
|
|
|
|
if val, ok := conf[globalAuthSignin]; ok {
|
|
|
|
|
delete(conf, globalAuthSignin)
|
|
|
|
|
|
2023-08-31 07:36:48 +00:00
|
|
|
signinURL, err := parser.StringToURL(val)
|
|
|
|
|
if err != nil {
|
|
|
|
|
klog.Errorf("string to URL conversion failed: %v", err)
|
|
|
|
|
}
|
2018-11-27 16:12:17 +00:00
|
|
|
if signinURL == nil {
|
|
|
|
|
klog.Warningf("Global auth location denied - %v.", "global-auth-signin setting is undefined and will not be set")
|
|
|
|
|
} else {
|
|
|
|
|
to.GlobalExternalAuth.SigninURL = val
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-08-18 09:03:38 +00:00
|
|
|
// Verify that the configured global external authorization error page redirection URL parameter is set and valid. if not, set the default value
|
|
|
|
|
if val, ok := conf[globalAuthSigninRedirectParam]; ok {
|
|
|
|
|
delete(conf, globalAuthSigninRedirectParam)
|
|
|
|
|
|
|
|
|
|
redirectParam := strings.TrimSpace(val)
|
2023-08-31 07:36:48 +00:00
|
|
|
dummySigninURL, err := parser.StringToURL(fmt.Sprintf("%s?%s=dummy", to.GlobalExternalAuth.SigninURL, redirectParam))
|
|
|
|
|
if err != nil {
|
|
|
|
|
klog.Errorf("string to URL conversion failed: %v", err)
|
|
|
|
|
}
|
2020-08-18 09:03:38 +00:00
|
|
|
if dummySigninURL == nil {
|
|
|
|
|
klog.Warningf("Global auth redirect parameter denied - %v.", "global-auth-signin-redirect-param setting is invalid and will not be set")
|
|
|
|
|
} else {
|
|
|
|
|
to.GlobalExternalAuth.SigninURLRedirectParam = redirectParam
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-27 16:12:17 +00:00
|
|
|
// Verify that the configured global external authorization response headers are valid. if not, set the default value
|
|
|
|
|
if val, ok := conf[globalAuthResponseHeaders]; ok {
|
|
|
|
|
delete(conf, globalAuthResponseHeaders)
|
|
|
|
|
|
2023-08-31 07:36:48 +00:00
|
|
|
if val != "" {
|
2020-04-13 21:02:31 +00:00
|
|
|
harr := splitAndTrimSpace(val, ",")
|
2018-11-27 16:12:17 +00:00
|
|
|
for _, header := range harr {
|
2020-04-13 21:02:31 +00:00
|
|
|
if !authreq.ValidHeader(header) {
|
|
|
|
|
klog.Warningf("Global auth location denied - %v.", "invalid headers list")
|
|
|
|
|
} else {
|
|
|
|
|
responseHeaders = append(responseHeaders, header)
|
2018-11-27 16:12:17 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
to.GlobalExternalAuth.ResponseHeaders = responseHeaders
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if val, ok := conf[globalAuthRequestRedirect]; ok {
|
|
|
|
|
delete(conf, globalAuthRequestRedirect)
|
|
|
|
|
to.GlobalExternalAuth.RequestRedirect = val
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if val, ok := conf[globalAuthSnippet]; ok {
|
|
|
|
|
delete(conf, globalAuthSnippet)
|
|
|
|
|
to.GlobalExternalAuth.AuthSnippet = val
|
|
|
|
|
}
|
|
|
|
|
|
2019-07-07 16:34:56 +00:00
|
|
|
if val, ok := conf[globalAuthCacheKey]; ok {
|
|
|
|
|
delete(conf, globalAuthCacheKey)
|
|
|
|
|
to.GlobalExternalAuth.AuthCacheKey = val
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Verify that the configured global external authorization cache duration is valid
|
|
|
|
|
if val, ok := conf[globalAuthCacheDuration]; ok {
|
|
|
|
|
delete(conf, globalAuthCacheDuration)
|
|
|
|
|
|
|
|
|
|
cacheDurations, err := authreq.ParseStringToCacheDurations(val)
|
|
|
|
|
if err != nil {
|
|
|
|
|
klog.Warningf("Global auth location denied - %s", err)
|
|
|
|
|
}
|
|
|
|
|
to.GlobalExternalAuth.AuthCacheDuration = cacheDurations
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-19 22:27:53 +00:00
|
|
|
if val, ok := conf[globalAuthAlwaysSetCookie]; ok {
|
|
|
|
|
delete(conf, globalAuthAlwaysSetCookie)
|
|
|
|
|
|
|
|
|
|
alwaysSetCookie, err := strconv.ParseBool(val)
|
|
|
|
|
if err != nil {
|
|
|
|
|
klog.Warningf("Global auth location denied - %s", fmt.Errorf("cannot convert %s to bool: %v", globalAuthAlwaysSetCookie, err))
|
|
|
|
|
}
|
|
|
|
|
to.GlobalExternalAuth.AlwaysSetCookie = alwaysSetCookie
|
|
|
|
|
}
|
|
|
|
|
|
2018-06-04 01:10:41 +00:00
|
|
|
// Verify that the configured timeout is parsable as a duration. if not, set the default value
|
|
|
|
|
if val, ok := conf[proxyHeaderTimeout]; ok {
|
|
|
|
|
delete(conf, proxyHeaderTimeout)
|
|
|
|
|
duration, err := time.ParseDuration(val)
|
|
|
|
|
if err != nil {
|
2018-12-05 16:27:55 +00:00
|
|
|
klog.Warningf("proxy-protocol-header-timeout of %v encountered an error while being parsed %v. Switching to use default value instead.", val, err)
|
2018-06-04 01:10:41 +00:00
|
|
|
} else {
|
|
|
|
|
to.ProxyProtocolHeaderTimeout = duration
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-11-30 20:53:23 +00:00
|
|
|
streamResponses := 1
|
|
|
|
|
if val, ok := conf[proxyStreamResponses]; ok {
|
|
|
|
|
delete(conf, proxyStreamResponses)
|
|
|
|
|
j, err := strconv.Atoi(val)
|
|
|
|
|
if err != nil {
|
2018-12-05 16:27:55 +00:00
|
|
|
klog.Warningf("%v is not a valid number: %v", val, err)
|
2017-11-30 20:53:23 +00:00
|
|
|
} else {
|
|
|
|
|
streamResponses = j
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-06 09:59:03 +00:00
|
|
|
// Nginx Status whitelist
|
2018-03-28 12:27:34 +00:00
|
|
|
if val, ok := conf[nginxStatusIpv4Whitelist]; ok {
|
2020-04-13 21:02:31 +00:00
|
|
|
to.NginxStatusIpv4Whitelist = splitAndTrimSpace(val, ",")
|
2018-03-28 12:27:34 +00:00
|
|
|
delete(conf, nginxStatusIpv4Whitelist)
|
|
|
|
|
}
|
|
|
|
|
|
2020-04-13 21:02:31 +00:00
|
|
|
if val, ok := conf[nginxStatusIpv6Whitelist]; ok {
|
|
|
|
|
to.NginxStatusIpv6Whitelist = splitAndTrimSpace(val, ",")
|
2018-03-28 12:27:34 +00:00
|
|
|
delete(conf, nginxStatusIpv6Whitelist)
|
|
|
|
|
}
|
|
|
|
|
|
2018-08-25 21:08:12 +00:00
|
|
|
if val, ok := conf[workerProcesses]; ok {
|
|
|
|
|
to.WorkerProcesses = val
|
|
|
|
|
if val == "auto" {
|
|
|
|
|
to.WorkerProcesses = strconv.Itoa(runtime.NumCPU())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
delete(conf, workerProcesses)
|
|
|
|
|
}
|
|
|
|
|
|
2024-05-14 21:45:25 +00:00
|
|
|
if val, ok := conf[workerSerialReloads]; ok {
|
|
|
|
|
boolVal, err := strconv.ParseBool(val)
|
|
|
|
|
if err != nil {
|
|
|
|
|
to.WorkerSerialReloads = false
|
|
|
|
|
klog.Warningf("failed to parse enable-serial-reloads setting, valid values are true or false, found %s", val)
|
|
|
|
|
} else {
|
|
|
|
|
to.WorkerSerialReloads = boolVal
|
|
|
|
|
}
|
|
|
|
|
delete(conf, workerSerialReloads)
|
|
|
|
|
}
|
|
|
|
|
|
2022-06-10 11:01:46 +00:00
|
|
|
if val, ok := conf[debugConnections]; ok {
|
|
|
|
|
delete(conf, debugConnections)
|
|
|
|
|
for _, i := range splitAndTrimSpace(val, ",") {
|
2023-08-31 07:36:48 +00:00
|
|
|
validIP := net.ParseIP(i)
|
|
|
|
|
if validIP != nil {
|
2022-06-10 11:01:46 +00:00
|
|
|
debugConnectionsList = append(debugConnectionsList, i)
|
|
|
|
|
} else {
|
|
|
|
|
_, _, err := net.ParseCIDR(i)
|
|
|
|
|
if err == nil {
|
|
|
|
|
debugConnectionsList = append(debugConnectionsList, i)
|
|
|
|
|
} else {
|
|
|
|
|
klog.Warningf("%v is not a valid IP or CIDR address", i)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
to.DebugConnections = debugConnectionsList
|
|
|
|
|
}
|
2020-04-06 16:02:13 +00:00
|
|
|
|
2016-12-28 13:08:02 +00:00
|
|
|
to.CustomHTTPErrors = filterErrors(errors)
|
|
|
|
|
to.SkipAccessLogURLs = skipUrls
|
2023-01-08 22:43:28 +00:00
|
|
|
to.DenylistSourceRange = denyList
|
2018-03-16 16:32:45 +00:00
|
|
|
to.WhitelistSourceRange = whiteList
|
|
|
|
|
to.ProxyRealIPCIDR = proxyList
|
2017-08-25 02:24:32 +00:00
|
|
|
to.BindAddressIpv4 = bindAddressIpv4List
|
|
|
|
|
to.BindAddressIpv6 = bindAddressIpv6List
|
2018-08-27 13:50:04 +00:00
|
|
|
to.BlockCIDRs = blockCIDRList
|
|
|
|
|
to.BlockUserAgents = blockUserAgentList
|
|
|
|
|
to.BlockReferers = blockRefererList
|
2018-03-16 16:32:45 +00:00
|
|
|
to.HideHeaders = hideHeadersList
|
2017-11-30 20:53:23 +00:00
|
|
|
to.ProxyStreamResponses = streamResponses
|
2018-02-02 19:53:28 +00:00
|
|
|
to.DisableIpv6DNS = !ing_net.IsIPv6Enabled()
|
2019-08-14 23:23:20 +00:00
|
|
|
to.LuaSharedDicts = luaSharedDicts
|
2024-04-09 10:25:22 +00:00
|
|
|
to.Backend.AllowedResponseHeaders = allowedResponseHeaders
|
2016-11-10 22:56:29 +00:00
|
|
|
|
2023-08-31 07:36:48 +00:00
|
|
|
decoderConfig := &mapstructure.DecoderConfig{
|
2016-12-28 13:08:02 +00:00
|
|
|
Metadata: nil,
|
2016-11-10 22:56:29 +00:00
|
|
|
WeaklyTypedInput: true,
|
2016-12-28 13:08:02 +00:00
|
|
|
Result: &to,
|
|
|
|
|
TagName: "json",
|
|
|
|
|
}
|
2016-11-10 22:56:29 +00:00
|
|
|
|
2023-08-31 07:36:48 +00:00
|
|
|
decoder, err := mapstructure.NewDecoder(decoderConfig)
|
2016-11-10 22:56:29 +00:00
|
|
|
if err != nil {
|
2018-12-05 16:27:55 +00:00
|
|
|
klog.Warningf("unexpected error merging defaults: %v", err)
|
2016-11-10 22:56:29 +00:00
|
|
|
}
|
2017-01-20 22:37:59 +00:00
|
|
|
err = decoder.Decode(conf)
|
2016-12-22 03:00:27 +00:00
|
|
|
if err != nil {
|
2018-12-05 16:27:55 +00:00
|
|
|
klog.Warningf("unexpected error merging defaults: %v", err)
|
2016-12-22 03:00:27 +00:00
|
|
|
}
|
|
|
|
|
|
2023-02-22 15:27:57 +00:00
|
|
|
hash, err := hashstructure.Hash(to, hashstructure.FormatV1, &hashstructure.HashOptions{
|
2018-06-21 14:50:57 +00:00
|
|
|
TagName: "json",
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
2018-12-05 16:27:55 +00:00
|
|
|
klog.Warningf("unexpected error obtaining hash: %v", err)
|
2018-06-21 14:50:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
to.Checksum = fmt.Sprintf("%v", hash)
|
|
|
|
|
|
2016-11-10 22:56:29 +00:00
|
|
|
return to
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func filterErrors(codes []int) []int {
|
|
|
|
|
var fa []int
|
|
|
|
|
for _, code := range codes {
|
|
|
|
|
if code > 299 && code < 600 {
|
|
|
|
|
fa = append(fa, code)
|
|
|
|
|
} else {
|
2018-12-05 16:27:55 +00:00
|
|
|
klog.Warningf("error code %v is not valid for custom error pages", code)
|
2016-11-10 22:56:29 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return fa
|
|
|
|
|
}
|
2020-04-13 21:02:31 +00:00
|
|
|
|
2023-08-31 07:36:48 +00:00
|
|
|
//nolint:unparam // Ignore `sep` always receives `,` error
|
2020-04-13 21:02:31 +00:00
|
|
|
func splitAndTrimSpace(s, sep string) []string {
|
|
|
|
|
f := func(c rune) bool {
|
|
|
|
|
return strings.EqualFold(string(c), sep)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
values := strings.FieldsFunc(s, f)
|
|
|
|
|
for i := range values {
|
|
|
|
|
values[i] = strings.TrimSpace(values[i])
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return values
|
|
|
|
|
}
|
2021-08-12 18:13:50 +00:00
|
|
|
|
|
|
|
|
func dictStrToKb(sizeStr string) int {
|
|
|
|
|
sizeMatch := dictSizeRegex.FindStringSubmatch(sizeStr)
|
|
|
|
|
if sizeMatch == nil {
|
|
|
|
|
return -1
|
|
|
|
|
}
|
2023-08-31 07:36:48 +00:00
|
|
|
size, err := strconv.Atoi(sizeMatch[1]) // validated already with regex
|
|
|
|
|
if err != nil {
|
|
|
|
|
klog.Errorf("unexpected error converting size string %s to int: %v", sizeStr, err)
|
|
|
|
|
}
|
|
|
|
|
if sizeMatch[2] == "" || strings.EqualFold(sizeMatch[2], "m") {
|
2021-08-12 18:13:50 +00:00
|
|
|
size *= 1024
|
|
|
|
|
}
|
|
|
|
|
return size
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func dictKbToStr(size int) string {
|
|
|
|
|
if size%1024 == 0 {
|
|
|
|
|
return fmt.Sprintf("%dM", size/1024)
|
|
|
|
|
}
|
|
|
|
|
return fmt.Sprintf("%dK", size)
|
|
|
|
|
}
|
