2016-02-22 00:13:08 +00:00
|
|
|
/*
|
2016-09-08 11:02:39 +00:00
|
|
|
Copyright 2015 The Kubernetes Authors.
|
2016-02-22 00:13:08 +00:00
|
|
|
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
You may obtain a copy of the License at
|
|
|
|
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
limitations under the License.
|
|
|
|
*/
|
|
|
|
|
2016-08-07 22:53:08 +00:00
|
|
|
package template
|
2016-02-22 00:13:08 +00:00
|
|
|
|
|
|
|
import (
|
2018-02-13 00:08:49 +00:00
|
|
|
"bytes"
|
2016-08-19 14:51:40 +00:00
|
|
|
"encoding/base64"
|
2016-02-22 00:13:08 +00:00
|
|
|
"encoding/json"
|
|
|
|
"fmt"
|
2019-08-13 21:14:55 +00:00
|
|
|
"io/ioutil"
|
2018-01-17 12:26:32 +00:00
|
|
|
"math/rand"
|
2016-12-22 03:00:27 +00:00
|
|
|
"net"
|
2017-10-05 04:55:42 +00:00
|
|
|
"net/url"
|
2017-05-07 04:28:21 +00:00
|
|
|
"os"
|
2016-11-10 22:56:29 +00:00
|
|
|
"os/exec"
|
2018-12-18 03:23:28 +00:00
|
|
|
"reflect"
|
2018-11-30 01:45:32 +00:00
|
|
|
"regexp"
|
2019-06-26 12:12:00 +00:00
|
|
|
"runtime"
|
2019-02-05 14:28:37 +00:00
|
|
|
"sort"
|
2016-05-25 21:04:34 +00:00
|
|
|
"strings"
|
2016-08-07 22:53:08 +00:00
|
|
|
text_template "text/template"
|
2018-01-17 12:26:32 +00:00
|
|
|
"time"
|
2016-02-22 00:13:08 +00:00
|
|
|
|
2017-11-22 13:40:54 +00:00
|
|
|
"github.com/pkg/errors"
|
2017-09-17 18:42:31 +00:00
|
|
|
|
2017-08-19 21:13:02 +00:00
|
|
|
"k8s.io/apimachinery/pkg/util/sets"
|
2019-08-13 18:04:31 +00:00
|
|
|
"k8s.io/klog"
|
|
|
|
|
2017-11-07 22:02:12 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress"
|
2018-05-17 23:49:47 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/influxdb"
|
2017-11-07 22:02:12 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/ratelimit"
|
|
|
|
"k8s.io/ingress-nginx/internal/ingress/controller/config"
|
|
|
|
ing_net "k8s.io/ingress-nginx/internal/net"
|
2016-02-22 00:13:08 +00:00
|
|
|
)
|
|
|
|
|
2016-05-25 21:04:34 +00:00
|
|
|
const (
	// slash is the location path returned by buildLocation when it is handed
	// something other than an *ingress.Location.
	slash = "/"
	// nonIdempotent is the proxy_next_upstream token that is filtered out of
	// the plain code list (see buildNextUpstream).
	nonIdempotent = "non_idempotent"
	// defBufferSize is the size passed to NewBufferPool for the buffers
	// Template.Write renders into.
	defBufferSize = 65535
)
|
2016-02-22 00:13:08 +00:00
|
|
|
|
2019-02-21 19:45:21 +00:00
|
|
|
// TemplateWriter is the interface to render a template.
type TemplateWriter interface {
	// Write renders the NGINX configuration described by conf and returns
	// it as bytes, or an error when rendering fails.
	Write(conf config.TemplateConfig) ([]byte, error)
}
|
|
|
|
|
2016-08-07 22:53:08 +00:00
|
|
|
// Template wraps the parsed nginx.tmpl text/template together with a pool of
// scratch buffers that Write reuses between renders.
type Template struct {
	tmpl *text_template.Template
	//fw watch.FileWatcher
	bp *BufferPool
}
|
|
|
|
|
|
|
|
// NewTemplate returns a new Template instance or an
// error if the specified template file contains errors.
//
// The file is read in full, parsed under the name "nginx.tmpl" with funcMap
// as its helper set, and paired with a fresh BufferPool of defBufferSize.
func NewTemplate(file string) (*Template, error) {
	raw, readErr := ioutil.ReadFile(file)
	if readErr != nil {
		return nil, errors.Wrapf(readErr, "unexpected error reading template %v", file)
	}

	parsed, parseErr := text_template.New("nginx.tmpl").Funcs(funcMap).Parse(string(raw))
	if parseErr != nil {
		return nil, parseErr
	}

	t := &Template{
		tmpl: parsed,
		bp:   NewBufferPool(defBufferSize),
	}
	return t, nil
}
|
|
|
|
|
|
|
|
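// Write populates a buffer using a template with NGINX configuration
// and the servers and upstreams created by Ingress rules.
//
// The rendered text is piped through /ingress-controller/clean-nginx-conf.sh,
// which squeezes repeated empty lines; if that command fails a warning is
// logged and the unprocessed rendering is returned instead. Only template
// execution errors are returned to the caller.
//
// Both scratch buffers come from the pool and are handed back by the deferred
// Put calls, so the result is copied out before returning: a slice taken
// straight from Buffer.Bytes() would alias storage the pool may hand to the
// next Write.
func (t *Template) Write(conf config.TemplateConfig) ([]byte, error) {
	tmplBuf := t.bp.Get()
	defer t.bp.Put(tmplBuf)

	outCmdBuf := t.bp.Get()
	defer t.bp.Put(outCmdBuf)

	// TODO: remove once we found a fix for coredump running luarocks install lrexlib
	if runtime.GOARCH == "arm" {
		conf.Cfg.DisableLuaRestyWAF = true
	}

	if klog.V(3) {
		// NOTE(review): this logs the entire TemplateConfig; confirm it carries
		// no credentials before running with -v=3 outside a debugging session.
		b, err := json.Marshal(conf)
		if err != nil {
			klog.Errorf("unexpected error: %v", err)
		}
		klog.Infof("NGINX configuration: %v", string(b))
	}

	if err := t.tmpl.Execute(tmplBuf, conf); err != nil {
		return nil, err
	}

	// Snapshot the rendering now: the cleanup command below consumes tmplBuf
	// as its stdin, so the buffer may be partly or fully drained by the time
	// the error path would otherwise read it.
	rendered := make([]byte, tmplBuf.Len())
	copy(rendered, tmplBuf.Bytes())

	// squeezes multiple adjacent empty lines to be single
	// spaced this is to avoid the use of regular expressions
	cmd := exec.Command("/ingress-controller/clean-nginx-conf.sh")
	cmd.Stdin = tmplBuf
	cmd.Stdout = outCmdBuf
	if err := cmd.Run(); err != nil {
		klog.Warningf("unexpected error cleaning template: %v", err)
		return rendered, nil
	}

	cleaned := make([]byte, outCmdBuf.Len())
	copy(cleaned, outCmdBuf.Bytes())
	return cleaned, nil
}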
|
2016-03-22 18:01:04 +00:00
|
|
|
|
2016-11-10 22:56:29 +00:00
|
|
|
var (
	// funcMap is the set of helpers exposed to nginx.tmpl. Most take
	// interface{} and type-assert internally, logging and returning a
	// neutral value on a mismatch rather than failing the render.
	funcMap = text_template.FuncMap{
		// empty reports whether input is a string of length zero; any
		// non-string value is treated as empty.
		"empty": func(input interface{}) bool {
			check, ok := input.(string)
			if ok {
				return len(check) == 0
			}
			return true
		},
		"escapeLiteralDollar":             escapeLiteralDollar,
		"shouldConfigureLuaRestyWAF":      shouldConfigureLuaRestyWAF,
		"buildLuaSharedDictionaries":      buildLuaSharedDictionaries,
		"luaConfigurationRequestBodySize": luaConfigurationRequestBodySize,
		"buildLocation":                   buildLocation,
		"buildAuthLocation":               buildAuthLocation,
		"shouldApplyGlobalAuth":           shouldApplyGlobalAuth,
		"buildAuthResponseHeaders":        buildAuthResponseHeaders,
		"buildAuthProxySetHeaders":        buildAuthProxySetHeaders,
		"buildProxyPass":                  buildProxyPass,
		"filterRateLimits":                filterRateLimits,
		"buildRateLimitZones":             buildRateLimitZones,
		"buildRateLimit":                  buildRateLimit,
		"configForLua":                    configForLua,
		"locationConfigForLua":            locationConfigForLua,
		"buildResolvers":                  buildResolvers,
		"buildUpstreamName":               buildUpstreamName,
		"isLocationInLocationList":        isLocationInLocationList,
		"isLocationAllowed":               isLocationAllowed,
		"buildDenyVariable":               buildDenyVariable,
		// getenv exposes the controller process environment to the template.
		"getenv":    os.Getenv,
		"contains":  strings.Contains,
		"hasPrefix": strings.HasPrefix,
		"hasSuffix": strings.HasSuffix,
		"trimSpace": strings.TrimSpace,
		"toUpper":   strings.ToUpper,
		"toLower":   strings.ToLower,
		"formatIP":  formatIP,
		"quote":     quote,
		"buildNextUpstream":     buildNextUpstream,
		"getIngressInformation": getIngressInformation,
		// serverConfig bundles the whole config and one server so a nested
		// template can receive both through a single pipeline value.
		"serverConfig": func(all config.TemplateConfig, server *ingress.Server) interface{} {
			return struct{ First, Second interface{} }{all, server}
		},
		"isValidByteSize":                    isValidByteSize,
		"buildForwardedFor":                  buildForwardedFor,
		"buildAuthSignURL":                   buildAuthSignURL,
		"buildOpentracing":                   buildOpentracing,
		"proxySetHeader":                     proxySetHeader,
		"buildInfluxDB":                      buildInfluxDB,
		"enforceRegexModifier":               enforceRegexModifier,
		"stripLocationModifer":               stripLocationModifer,
		"buildCustomErrorDeps":               buildCustomErrorDeps,
		"opentracingPropagateContext":        opentracingPropagateContext,
		"buildCustomErrorLocationsPerServer": buildCustomErrorLocationsPerServer,
		"shouldLoadModSecurityModule":        shouldLoadModSecurityModule,
		"buildHTTPListener":                  buildHTTPListener,
		"buildHTTPSListener":                 buildHTTPSListener,
	}
)
|
2016-03-22 18:01:04 +00:00
|
|
|
|
2018-10-09 19:58:50 +00:00
|
|
|
// escapeLiteralDollar will replace the $ character with ${literal_dollar}
// which is made to work via the following configuration in the http section of
// the template:
// geo $literal_dollar {
//     default "$";
// }
//
// Anything that is not a string yields "".
func escapeLiteralDollar(input interface{}) string {
	switch text := input.(type) {
	case string:
		// split on every "$" and re-join with the placeholder: same result
		// as replacing all occurrences
		return strings.Join(strings.Split(text, "$"), "${literal_dollar}")
	default:
		return ""
	}
}
|
|
|
|
|
2017-09-09 05:10:38 +00:00
|
|
|
// formatIP will wrap IPv6 addresses in [] and return IPv4 addresses
// without modification. If the input cannot be parsed as an IP address
// it is returned without modification.
func formatIP(input string) string {
	parsed := net.ParseIP(input)
	switch {
	case parsed == nil:
		// not an address at all: hand it back untouched
		return input
	case parsed.To4() != nil:
		return input
	default:
		return "[" + input + "]"
	}
}
|
|
|
|
|
2019-08-09 19:47:29 +00:00
|
|
|
// quote renders input as a double-quoted Go string literal (fmt's %q).
// Plain strings are used as-is, fmt.Stringer values through String(), and
// anything else through %v.
func quote(input interface{}) string {
	asText := func() string {
		if s, isString := input.(string); isString {
			return s
		}
		if st, isStringer := input.(fmt.Stringer); isStringer {
			return st.String()
		}
		return fmt.Sprintf("%v", input)
	}
	return fmt.Sprintf("%q", asText())
}
|
|
|
|
|
2018-04-09 12:19:13 +00:00
|
|
|
// shouldConfigureLuaRestyWAF reports whether lua-resty-waf directives should
// be emitted: the feature is not globally disabled and a mode is set.
func shouldConfigureLuaRestyWAF(disableLuaRestyWAF bool, mode string) bool {
	return !disableLuaRestyWAF && mode != ""
}
|
|
|
|
|
2019-08-06 11:21:59 +00:00
|
|
|
// buildLuaSharedDictionaries renders one "lua_shared_dict <name> <size>M"
// directive per entry of cfg.LuaSharedDicts, sorted by name, each terminated
// by ";\n". When lua-resty-waf is not disabled, no explicit "waf_storage"
// dictionary is configured and at least one location sets a LuaRestyWAF mode,
// a 64M waf_storage dictionary is added as well.
//
// c must be a config.Configuration and s a []*ingress.Server; otherwise an
// error is logged and "" returned.
func buildLuaSharedDictionaries(c interface{}, s interface{}, disableLuaRestyWAF bool) string {
	cfg, isCfg := c.(config.Configuration)
	if !isCfg {
		klog.Errorf("expected a 'config.Configuration' type but %T was returned", c)
		return ""
	}
	servers, areServers := s.([]*ingress.Server)
	if !areServers {
		klog.Errorf("expected an '[]*ingress.Server' type but %T was returned", s)
		return ""
	}

	directives := make([]string, 0, len(cfg.LuaSharedDicts)+1)
	for name, size := range cfg.LuaSharedDicts {
		directives = append(directives, fmt.Sprintf("lua_shared_dict %s %dM", name, size))
	}

	// TODO: there must be a better place for this
	_, hasWAFStorage := cfg.LuaSharedDicts["waf_storage"]
	if !hasWAFStorage && !disableLuaRestyWAF {
		wafInUse := false
	scan:
		for _, srv := range servers {
			for _, loc := range srv.Locations {
				if loc.LuaRestyWAF.Mode != "" {
					wafInUse = true
					break scan
				}
			}
		}
		if wafInUse {
			directives = append(directives, "lua_shared_dict waf_storage 64M")
		}
	}

	// map iteration order is random; sort so the rendered config is stable
	sort.Strings(directives)

	return strings.Join(directives, ";\n") + ";\n"
}
|
|
|
|
|
2019-08-15 02:03:17 +00:00
|
|
|
// luaConfigurationRequestBodySize returns, as a decimal string, one more than
// the larger of the "configuration_data" and "certificate_data" entries of
// cfg.LuaSharedDicts (a missing entry counts as 0). When c is not a
// config.Configuration an error is logged and "100" returned.
func luaConfigurationRequestBodySize(c interface{}) string {
	cfg, isCfg := c.(config.Configuration)
	if !isCfg {
		klog.Errorf("expected a 'config.Configuration' type but %T was returned", c)
		return "100" // just a default number
	}

	confSize := cfg.LuaSharedDicts["configuration_data"]
	certSize := cfg.LuaSharedDicts["certificate_data"]
	largest := confSize
	if certSize > confSize {
		largest = certSize
	}

	// one unit of headroom above the biggest dictionary
	return fmt.Sprintf("%d", largest+1)
}
|
|
|
|
|
2019-02-21 22:31:20 +00:00
|
|
|
// configForLua returns some general configuration as Lua table represented as string
//
// input must be a config.TemplateConfig; any other type is logged and yields
// the empty table "{}".
func configForLua(input interface{}) string {
	tc, isTemplateConfig := input.(config.TemplateConfig)
	if !isTemplateConfig {
		klog.Errorf("expected a 'config.TemplateConfig' type but %T was given", input)
		return "{}"
	}

	const luaTable = `{
use_forwarded_headers = %t,
is_ssl_passthrough_enabled = %t,
http_redirect_code = %v,
listen_ports = { ssl_proxy = "%v", https = "%v" },
}`
	return fmt.Sprintf(luaTable,
		tc.Cfg.UseForwardedHeaders,
		tc.IsSSLPassthroughEnabled,
		tc.Cfg.HTTPRedirectCode,
		tc.ListenPorts.SSLProxy,
		tc.ListenPorts.HTTPS,
	)
}
|
|
|
|
|
|
|
|
// locationConfigForLua formats some location specific configuration into Lua table represented as string
//
// l must be an *ingress.Location, s an *ingress.Server and a a
// config.TemplateConfig; any mismatch is logged and yields "{}".
// force_ssl_redirect is true when the location forces it, or when the server
// has a certificate and the location asks for an SSL redirect — unless the
// location is listed in Cfg.NoTLSRedirectLocations.
func locationConfigForLua(l interface{}, s interface{}, a interface{}) string {
	location, isLocation := l.(*ingress.Location)
	if !isLocation {
		klog.Errorf("expected an '*ingress.Location' type but %T was given", l)
		return "{}"
	}

	server, isServer := s.(*ingress.Server)
	if !isServer {
		klog.Errorf("expected an '*ingress.Server' type but %T was given", s)
		return "{}"
	}

	all, isTemplateConfig := a.(config.TemplateConfig)
	if !isTemplateConfig {
		klog.Errorf("expected a 'config.TemplateConfig' type but %T was given", a)
		return "{}"
	}

	rewrite := location.Rewrite
	hasCert := server.SSLCert != nil
	forceSSLRedirect := rewrite.ForceSSLRedirect || (hasCert && rewrite.SSLRedirect)
	if forceSSLRedirect && isLocationInLocationList(l, all.Cfg.NoTLSRedirectLocations) {
		// explicitly exempted from TLS redirects
		forceSSLRedirect = false
	}

	const luaTable = `{
force_ssl_redirect = %t,
use_port_in_redirects = %t,
}`
	return fmt.Sprintf(luaTable, forceSSLRedirect, location.UsePortInRedirects)
}
|
|
|
|
|
2016-12-22 03:00:27 +00:00
|
|
|
// buildResolvers returns the resolvers reading the /etc/resolv.conf file
//
// res must be a []net.IP and disableIpv6 a bool; otherwise an error is logged
// and "" returned. With no nameservers the result is "". Otherwise it is a
// single "resolver <addr>... valid=30s;" directive, with "ipv6=off" appended
// when IPv6 is disabled; IPv6 addresses are bracketed as NGINX requires, or
// dropped entirely when IPv6 is disabled.
func buildResolvers(res interface{}, disableIpv6 interface{}) string {
	nameservers, isIPList := res.([]net.IP)
	if !isIPList {
		klog.Errorf("expected a '[]net.IP' type but %T was returned", res)
		return ""
	}
	ipv6Disabled, isBool := disableIpv6.(bool)
	if !isBool {
		klog.Errorf("expected a 'bool' type but %T was returned", disableIpv6)
		return ""
	}
	if len(nameservers) == 0 {
		return ""
	}

	args := make([]string, 0, len(nameservers)+3)
	args = append(args, "resolver")
	for _, ns := range nameservers {
		switch {
		case !ing_net.IsIPV6(ns):
			args = append(args, fmt.Sprintf("%v", ns))
		case ipv6Disabled:
			// IPv6 is turned off below; do not list the address at all
			continue
		default:
			// NGINX need IPV6 addresses to be surrounded by brackets
			args = append(args, fmt.Sprintf("[%v]", ns))
		}
	}
	args = append(args, "valid=30s")
	if ipv6Disabled {
		args = append(args, "ipv6=off")
	}

	return strings.Join(args, " ") + ";"
}
|
|
|
|
|
2018-09-13 14:39:52 +00:00
|
|
|
// needsRewrite reports whether the location carries a rewrite target that
// differs from its own path, i.e. a rewrite directive has to be emitted.
func needsRewrite(location *ingress.Location) bool {
	target := location.Rewrite.Target
	return target != "" && target != location.Path
}
|
|
|
|
|
2018-10-01 17:54:11 +00:00
|
|
|
// stripLocationModifer removes every leading '~', '*' and ' ' from path, so
// that e.g. `~* /foo` becomes `/foo`. (The misspelling is the template
// function's registered name and is kept for compatibility.)
func stripLocationModifer(path string) string {
	isModifierRune := func(r rune) bool {
		return r == '~' || r == '*' || r == ' '
	}
	return strings.TrimLeftFunc(path, isModifierRune)
}
|
|
|
|
|
|
|
|
// enforceRegexModifier checks if the "rewrite-target" or "use-regex" annotation
// is used on any location path within a server
//
// input must be a []*ingress.Location; otherwise an error is logged and false
// returned.
func enforceRegexModifier(input interface{}) bool {
	locations, areLocations := input.([]*ingress.Location)
	if !areLocations {
		klog.Errorf("expected an '[]*ingress.Location' type but %T was returned", input)
		return false
	}

	for _, loc := range locations {
		if loc.Rewrite.UseRegex || needsRewrite(loc) {
			return true
		}
	}
	return false
}
|
|
|
|
|
2016-05-27 14:58:13 +00:00
|
|
|
// buildLocation produces the location string, if the ingress has redirects
// (specified through the nginx.ingress.kubernetes.io/rewrite-target annotation)
//
// With enforceRegex set the path is wrapped as a case-insensitive anchored
// regex location (`~* "^<path>"`); otherwise it is returned as-is. A non
// *ingress.Location input is logged and yields slash.
func buildLocation(input interface{}, enforceRegex bool) string {
	location, isLocation := input.(*ingress.Location)
	if !isLocation {
		klog.Errorf("expected an '*ingress.Location' type but %T was returned", input)
		return slash
	}

	if !enforceRegex {
		return location.Path
	}
	// NOTE(review): Path is interpolated verbatim into a quoted regex; this
	// relies on validation upstream rejecting '"' and unintended regex
	// metacharacters — confirm where Path is validated.
	return `~* "^` + location.Path + `"`
}
|
|
|
|
|
2018-11-27 16:12:17 +00:00
|
|
|
// buildAuthLocation returns the internal location name used for the
// auth_request sub-request of a location, "/_external-auth-<slug>", where
// slug is the unpadded URL-safe base64 of the location path. It returns ""
// when the location has no external auth URL and global auth does not apply,
// or when input is not an *ingress.Location (logged).
func buildAuthLocation(input interface{}, globalExternalAuthURL string) string {
	location, isLocation := input.(*ingress.Location)
	if !isLocation {
		klog.Errorf("expected an '*ingress.Location' type but %T was returned", input)
		return ""
	}

	if location.ExternalAuth.URL == "" && !shouldApplyGlobalAuth(input, globalExternalAuthURL) {
		return ""
	}

	// RawURLEncoding is URLEncoding without the trailing "=" padding, which
	// keeps the slug usable inside an nginx location name
	slug := base64.RawURLEncoding.EncodeToString([]byte(location.Path))
	return "/_external-auth-" + slug
}
|
|
|
|
|
2018-11-27 16:12:17 +00:00
|
|
|
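// shouldApplyGlobalAuth returns true only in case when ExternalAuth.URL is not set and
// GlobalExternalAuth is set and enabled
//
// input must be a non-nil *ingress.Location. Any other value is logged and
// answered with false instead of dereferencing a nil location, which the
// previous version did after logging the type mismatch.
func shouldApplyGlobalAuth(input interface{}, globalExternalAuthURL string) bool {
	location, ok := input.(*ingress.Location)
	if !ok {
		klog.Errorf("expected an '*ingress.Location' type but %T was returned", input)
		return false
	}
	if location == nil {
		return false
	}

	return location.ExternalAuth.URL == "" &&
		globalExternalAuthURL != "" &&
		location.EnableGlobalAuth
}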
|
|
|
|
|
|
|
|
// buildAuthResponseHeaders produces, for each header name in headers, the
// pair of directives that copy that header from the auth_request response
// into the proxied request:
//
//	auth_request_set $authHeader<i> $upstream_http_<var>;
//	proxy_set_header '<name>' $authHeader<i>;
//
// where <var> is the name lower-cased with '-' replaced by '_'. An empty or
// nil input yields an empty, non-nil slice.
func buildAuthResponseHeaders(headers []string) []string {
	directives := make([]string, 0, 2*len(headers))

	for idx, name := range headers {
		variable := strings.Replace(strings.ToLower(name), "-", "_", -1)
		// NOTE(review): name is inserted unescaped into a single-quoted
		// directive; this relies on the annotation parser rejecting quotes
		// and newlines — confirm.
		directives = append(directives,
			fmt.Sprintf("auth_request_set $authHeader%v $upstream_http_%v;", idx, variable),
			fmt.Sprintf("proxy_set_header '%v' $authHeader%v;", name, idx),
		)
	}

	return directives
}
|
|
|
|
|
2019-09-24 14:53:23 +00:00
|
|
|
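// buildAuthProxySetHeaders renders one "proxy_set_header '<name>' '<value>';"
// directive per entry of headers. Entries are emitted in ascending name order
// so the rendered configuration is stable from one render to the next (map
// iteration order is random, which otherwise makes every render look like a
// change and defeats reload suppression). An empty or nil map yields an
// empty, non-nil slice.
func buildAuthProxySetHeaders(headers map[string]string) []string {
	res := make([]string, 0, len(headers))

	names := make([]string, 0, len(headers))
	for name := range headers {
		names = append(names, name)
	}
	sort.Strings(names)

	for _, name := range names {
		// NOTE(review): name and value are inserted unescaped into a
		// single-quoted directive; this relies on the annotation parser
		// rejecting quotes and newlines — confirm.
		res = append(res, fmt.Sprintf("proxy_set_header '%v' '%v';", name, headers[name]))
	}

	return res
}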
|
|
|
|
|
2016-05-27 14:58:13 +00:00
|
|
|
// buildProxyPass produces the proxy pass string, if the ingress has redirects
// (specified through the nginx.ingress.kubernetes.io/rewrite-target annotation)
// If the annotation nginx.ingress.kubernetes.io/add-base-url:"true" is specified it will
// add a base tag in the head of the response from the service
//
// b must be a []*ingress.Backend and loc an *ingress.Location; otherwise an
// error is logged and "" returned. The directive (proxy_pass, grpc_pass,
// ajp_pass or fastcgi_pass) and scheme follow the location's BackendProtocol;
// an SSL passthrough backend is always addressed over https:// (grpcs:// for
// GRPCS). The host parameter is not used by the body.
func buildProxyPass(host string, b interface{}, loc interface{}) string {
	backends, areBackends := b.([]*ingress.Backend)
	if !areBackends {
		klog.Errorf("expected an '[]*ingress.Backend' type but %T was returned", b)
		return ""
	}

	location, isLocation := loc.(*ingress.Location)
	if !isLocation {
		klog.Errorf("expected a '*ingress.Location' type but %T was returned", loc)
		return ""
	}

	// directive and scheme implied by the declared backend protocol
	directive, scheme := "proxy_pass", "http://"
	switch location.BackendProtocol {
	case "HTTPS":
		scheme = "https://"
	case "GRPC":
		directive, scheme = "grpc_pass", "grpc://"
	case "GRPCS":
		directive, scheme = "grpc_pass", "grpcs://"
	case "AJP":
		directive, scheme = "ajp_pass", ""
	case "FCGI":
		directive, scheme = "fastcgi_pass", ""
	}

	// the backend bound to this location decides whether TLS is forced
	for _, backend := range backends {
		if backend.Name != location.Backend {
			continue
		}
		if backend.SSLPassthrough {
			scheme = "https://"
			if location.BackendProtocol == "GRPCS" {
				scheme = "grpcs://"
			}
		}
		break
	}

	const upstreamName = "upstream_balancer"

	// defProxyPass returns the default proxy_pass, just the name of the upstream
	defProxyPass := fmt.Sprintf("%v %s%s;", directive, scheme, upstreamName)

	// if the path in the ingress rule is equals to the target: no special rewrite
	target := location.Rewrite.Target
	if target == "" || target == location.Path {
		return defProxyPass
	}

	xForwardedPrefix := ""
	if location.XForwardedPrefix != "" {
		xForwardedPrefix = fmt.Sprintf("proxy_set_header X-Forwarded-Prefix \"%s\";\n", location.XForwardedPrefix)
	}

	// NOTE(review): Path and Target are interpolated verbatim into a quoted
	// rewrite regex; this relies on validation upstream — confirm.
	return fmt.Sprintf(`
rewrite "(?i)%s" %s break;
%v%v %s%s;`, location.Path, target, xForwardedPrefix, directive, scheme, upstreamName)
}
|
2016-05-30 17:39:10 +00:00
|
|
|
|
2017-09-09 05:10:38 +00:00
|
|
|
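// filterRateLimits returns the distinct rate-limit configurations (keyed by
// RateLimit.ID) found across the locations of all servers, in first-seen
// order; locations with an empty ID are skipped. input must be a
// []*ingress.Server; otherwise an error is logged and an empty slice returned.
//
// TODO: Needs Unit Tests
func filterRateLimits(input interface{}) []ratelimit.Config {
	ratelimits := []ratelimit.Config{}
	seen := sets.String{}

	servers, ok := input.([]*ingress.Server)
	if !ok {
		// the message names the type actually asserted above; it used to
		// claim '[]ratelimit.RateLimit', which misled anyone reading the log
		klog.Errorf("expected a '[]*ingress.Server' type but %T was returned", input)
		return ratelimits
	}

	for _, server := range servers {
		for _, loc := range server.Locations {
			id := loc.RateLimit.ID
			if id == "" || seen.Has(id) {
				continue
			}
			seen.Insert(id)
			ratelimits = append(ratelimits, loc.RateLimit)
		}
	}

	return ratelimits
}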
|
|
|
|
|
2017-09-09 05:10:38 +00:00
|
|
|
// TODO: Needs Unit Tests
// buildRateLimitZones produces an array of limit_conn_zone in order to allow
// rate limiting of request. Each Ingress rule could have up to three zones, one
// for connection limit by IP address, one for limiting requests per minute, and
// one for limiting requests per second.
//
// The zones are collected in a set, so a zone shared by several locations is
// emitted once, and returned sorted (sets.String.List). input must be a
// []*ingress.Server; otherwise an error is logged and an empty list returned.
func buildRateLimitZones(input interface{}) []string {
	zones := sets.String{}

	servers, areServers := input.([]*ingress.Server)
	if !areServers {
		klog.Errorf("expected a '[]*ingress.Server' type but %T was returned", input)
		return zones.List()
	}

	for _, server := range servers {
		for _, loc := range server.Locations {
			rl := loc.RateLimit
			// Insert on a set is a no-op for a zone already present
			if rl.Connections.Limit > 0 {
				zones.Insert(fmt.Sprintf("limit_conn_zone $limit_%s zone=%v:%vm;",
					rl.ID, rl.Connections.Name, rl.Connections.SharedSize))
			}
			if rl.RPM.Limit > 0 {
				zones.Insert(fmt.Sprintf("limit_req_zone $limit_%s zone=%v:%vm rate=%vr/m;",
					rl.ID, rl.RPM.Name, rl.RPM.SharedSize, rl.RPM.Limit))
			}
			if rl.RPS.Limit > 0 {
				zones.Insert(fmt.Sprintf("limit_req_zone $limit_%s zone=%v:%vm rate=%vr/s;",
					rl.ID, rl.RPS.Name, rl.RPS.SharedSize, rl.RPS.Limit))
			}
		}
	}

	return zones.List()
}
|
|
|
|
|
|
|
|
// buildRateLimit produces an array of limit_req to be used inside the Path of
// Ingress rules. The order: connections by IP first, then RPS, and RPM last.
//
// After the request limits, limit_rate_after and limit_rate (in k) are added
// when set. Each directive is emitted only when its limit is positive. input
// must be an *ingress.Location; otherwise an error is logged and an empty
// slice returned.
func buildRateLimit(input interface{}) []string {
	limits := []string{}

	loc, isLocation := input.(*ingress.Location)
	if !isLocation {
		klog.Errorf("expected an '*ingress.Location' type but %T was returned", input)
		return limits
	}

	rl := loc.RateLimit
	add := func(format string, args ...interface{}) {
		limits = append(limits, fmt.Sprintf(format, args...))
	}

	if rl.Connections.Limit > 0 {
		add("limit_conn %v %v;", rl.Connections.Name, rl.Connections.Limit)
	}
	if rl.RPS.Limit > 0 {
		add("limit_req zone=%v burst=%v nodelay;", rl.RPS.Name, rl.RPS.Burst)
	}
	if rl.RPM.Limit > 0 {
		add("limit_req zone=%v burst=%v nodelay;", rl.RPM.Name, rl.RPM.Burst)
	}
	if rl.LimitRateAfter > 0 {
		add("limit_rate_after %vk;", rl.LimitRateAfter)
	}
	if rl.LimitRate > 0 {
		add("limit_rate %vk;", rl.LimitRate)
	}

	return limits
}
|
2016-12-29 20:02:06 +00:00
|
|
|
|
2018-03-18 20:44:59 +00:00
|
|
|
// isLocationInLocationList reports whether the location's path starts with
// any entry of rawLocationList, a comma-separated list of path prefixes
// (surrounding spaces are ignored, empty entries skipped). Note this is a
// prefix match: "/foo" in the list also matches "/foobar". A non
// *ingress.Location input is logged and yields false.
func isLocationInLocationList(location interface{}, rawLocationList string) bool {
	loc, isLocation := location.(*ingress.Location)
	if !isLocation {
		klog.Errorf("expected an '*ingress.Location' type but %T was returned", location)
		return false
	}

	for _, item := range strings.Split(rawLocationList, ",") {
		prefix := strings.Trim(item, " ")
		if prefix != "" && strings.HasPrefix(loc.Path, prefix) {
			return true
		}
	}

	return false
}
|
|
|
|
|
2016-12-29 20:02:06 +00:00
|
|
|
// isLocationAllowed reports whether the location carries no Denied reason.
// A non *ingress.Location input is logged and treated as not allowed.
func isLocationAllowed(input interface{}) bool {
	switch loc := input.(type) {
	case *ingress.Location:
		return loc.Denied == nil
	default:
		klog.Errorf("expected an '*ingress.Location' type but %T was returned", input)
		return false
	}
}
|
2017-06-02 03:30:22 +00:00
|
|
|
|
|
|
|
var (
	// denyPathSlugMap memoises the random slug buildDenyVariable assigns to
	// each location path (path -> slug) for the lifetime of the process.
	denyPathSlugMap = map[string]string{}
)
|
|
|
|
|
|
|
|
// buildDenyVariable returns a nginx variable for a location in a
// server to be used in the whitelist check
// This method uses a unique id generator library to reduce the
// size of the string to be used as a variable in nginx to avoid
// issue with the size of the variable bucket size directive
//
// a must be a string (the location path); otherwise an error is logged and
// "" returned. The slug minted for a path is remembered in denyPathSlugMap,
// so the same path yields the same "$deny_<slug>" variable on every render.
//
// NOTE(review): denyPathSlugMap is a package-level map read and written here
// without synchronisation and never pruned; this is only safe if templates
// are rendered from a single goroutine — confirm with the caller.
func buildDenyVariable(a interface{}) string {
	l, ok := a.(string)
	if !ok {
		klog.Errorf("expected a 'string' type but %T was returned", a)
		return ""
	}

	// first sighting of this path: mint a slug for it
	if _, ok := denyPathSlugMap[l]; !ok {
		denyPathSlugMap[l] = randomString()
	}

	return fmt.Sprintf("$deny_%v", denyPathSlugMap[l])
}
// buildUpstreamName returns the name of the upstream block the given
// *ingress.Location proxies to (its Backend field). A value of any other
// type is logged and yields the empty string.
func buildUpstreamName(loc interface{}) string {
	if location, ok := loc.(*ingress.Location); ok {
		return location.Backend
	}
	klog.Errorf("expected a '*ingress.Location' type but %T was returned", loc)
	return ""
}
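// buildNextUpstream normalises the value of the proxy_next_upstream
// directive. i is the whitespace-separated list of conditions configured by
// the user and r reports whether retrying non-idempotent requests was
// requested globally. The "non_idempotent" token (nonIdempotent) is removed
// from wherever it appears in the list and re-appended once at the end when
// either the list contained it or r is true, so nginx sees it at most once.
//
// A non-string i is logged and yields the empty string. A non-bool r is
// logged and treated as false instead of panicking inside the template
// (the previous unchecked assertion would abort rendering).
func buildNextUpstream(i, r interface{}) string {
	nextUpstream, ok := i.(string)
	if !ok {
		klog.Errorf("expected a 'string' type but %T was returned", i)
		return ""
	}

	retryNonIdempotent, ok := r.(bool)
	if !ok {
		klog.Errorf("expected a 'bool' type but %T was returned", r)
		// fall through with the zero value (false)
	}

	// strings.Fields also drops tabs and newlines, which would otherwise be
	// copied verbatim into the generated nginx directive.
	parts := strings.Fields(nextUpstream)
	nextUpstreamCodes := make([]string, 0, len(parts)+1)
	for _, v := range parts {
		if v == nonIdempotent {
			retryNonIdempotent = true
			continue
		}
		nextUpstreamCodes = append(nextUpstreamCodes, v)
	}

	if retryNonIdempotent {
		nextUpstreamCodes = append(nextUpstreamCodes, nonIdempotent)
	}

	return strings.Join(nextUpstreamCodes, " ")
}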
// Size units accepted by nginx, see http://nginx.org/en/docs/syntax.html.
// nginx distinguishes "size" values, which take an optional k/m suffix,
// from "offset" values, which additionally accept g (gigabytes). Both
// patterns are anchored: the whole string must be a bare integer followed
// by at most one suffix letter.
var (
	nginxSizeRegex   = regexp.MustCompile(`^[0-9]+[kKmM]?$`)
	nginxOffsetRegex = regexp.MustCompile(`^[0-9]+[kKmMgG]?$`)
)
// isValidByteSize reports whether input is a string holding a size value
// nginx accepts (http://nginx.org/en/docs/syntax.html): digits with an
// optional k/m suffix, or additionally g when isOffset is true. Surrounding
// whitespace is ignored. An empty value is logged at V(2) and rejected; a
// non-string value is logged as an error and rejected.
func isValidByteSize(input interface{}, isOffset bool) bool {
	raw, ok := input.(string)
	if !ok {
		klog.Errorf("expected an 'string' type but %T was returned", input)
		return false
	}

	value := strings.TrimSpace(raw)
	if value == "" {
		klog.V(2).Info("empty byte size, hence it will not be set")
		return false
	}

	pattern := nginxSizeRegex
	if isOffset {
		pattern = nginxOffsetRegex
	}
	return pattern.MatchString(value)
}
// ingressInformation is the subset of an Ingress that the template receives
// from getIngressInformation for a given host/path pair.
type ingressInformation struct {
	// Namespace and Rule identify the Ingress object (its namespace and name).
	Namespace string
	Rule      string
	// Service and ServicePort are the backend selected for the path.
	// ServicePort stays empty when the port's string form is "0".
	Service     string
	ServicePort string
	// Annotations is the Ingress's annotation map, shared, not copied.
	Annotations map[string]string
}
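// Equal reports whether info and other describe the same Ingress backend:
// every scalar field must match and the annotation maps must be deeply
// equal (reflect.DeepEqual, so a nil map and an empty map differ).
// Either side may be nil: two nils are equal, a nil and a non-nil value
// are not, so a template comparison never dereferences a nil pointer.
func (info *ingressInformation) Equal(other *ingressInformation) bool {
	if info == nil || other == nil {
		return info == other
	}
	return info.Namespace == other.Namespace &&
		info.Rule == other.Rule &&
		info.Service == other.Service &&
		info.ServicePort == other.ServicePort &&
		reflect.DeepEqual(info.Annotations, other.Annotations)
}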
// getIngressInformation resolves the backend that Ingress i (an
// *ingress.Ingress) routes requests for hostname h and path p to. It
// returns the Ingress namespace and name, the matching backend service and
// port, and the annotation map.
//
// Resolution order: the Ingress default backend (Spec.Backend), if any,
// seeds Service/ServicePort; then the first rule whose Host equals h (an
// empty h matches every rule with HTTP paths) and whose paths contain an
// exact match for p overrides them and ends the search. A backend port
// whose string form is "0" leaves ServicePort unchanged. A type mismatch in
// any argument (logged) or a nil Ingress yields an empty ingressInformation.
func getIngressInformation(i, h, p interface{}) *ingressInformation {
	ing, ok := i.(*ingress.Ingress)
	if !ok {
		klog.Errorf("expected an '*ingress.Ingress' type but %T was returned", i)
		return &ingressInformation{}
	}

	hostname, ok := h.(string)
	if !ok {
		klog.Errorf("expected a 'string' type but %T was returned", h)
		return &ingressInformation{}
	}

	path, ok := p.(string)
	if !ok {
		klog.Errorf("expected a 'string' type but %T was returned", p)
		return &ingressInformation{}
	}

	if ing == nil {
		return &ingressInformation{}
	}

	info := &ingressInformation{
		Namespace:   ing.GetNamespace(),
		Rule:        ing.GetName(),
		Annotations: ing.Annotations,
	}

	if backend := ing.Spec.Backend; backend != nil {
		info.Service = backend.ServiceName
		// "0" is the unset sentinel of the port string; keep the field empty
		if port := backend.ServicePort.String(); port != "0" {
			info.ServicePort = port
		}
	}

	for _, rule := range ing.Spec.Rules {
		if rule.HTTP == nil {
			continue
		}
		if hostname != "" && rule.Host != hostname {
			continue
		}
		for _, rPath := range rule.HTTP.Paths {
			if rPath.Path != path {
				continue
			}
			info.Service = rPath.Backend.ServiceName
			// an unset path port keeps whatever the default backend provided
			if port := rPath.Backend.ServicePort.String(); port != "0" {
				info.ServicePort = port
			}
			return info
		}
	}

	return info
}
// buildForwardedFor converts an HTTP header name into the nginx variable
// that exposes that request header: dashes become underscores and the
// result is lower-cased, e.g. "X-Forwarded-For" -> "$http_x_forwarded_for".
// The name is not validated beyond that, so only characters legal in an
// nginx variable name should reach here; the value presumably comes from
// the forwarded-for-header ConfigMap setting — confirm at the call site.
// A non-string input is logged and yields the empty string.
func buildForwardedFor(input interface{}) string {
	header, ok := input.(string)
	if !ok {
		klog.Errorf("expected a 'string' type but %T was returned", input)
		return ""
	}

	variable := strings.ToLower(strings.Replace(header, "-", "_", -1))
	return "$http_" + variable
}
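// buildAuthSignURL returns the external-auth sign-in URL to redirect to,
// adding an "rd" (return destination) query parameter built from nginx
// variables ($pass_access_scheme://$http_host$escaped_request_uri) unless
// the configured URL already carries one. "?" is used when the URL has no
// query string, "&" otherwise.
//
// The result is written verbatim into a generated nginx directive, so the
// input must be a URL that url.Parse accepts and that forms a single nginx
// token. Values that fail to parse (previously a nil dereference, since the
// error was discarded) or that contain whitespace, ';', '{', '}' or quote
// characters, which would end or reshape the directive, are logged and
// rejected with an empty string. The annotation parser may validate the
// URL as well; this check is defence in depth.
// NOTE(review): $http_host is the client-supplied Host header, so the rd
// target is attacker-influenced; validating it is the sign-in endpoint's
// job, not this function's.
func buildAuthSignURL(input interface{}) string {
	s, ok := input.(string)
	if !ok {
		klog.Errorf("expected an 'string' type but %T was returned", input)
		return ""
	}

	if strings.ContainsAny(s, " \t\r\n;{}\"'") {
		klog.Errorf("auth signin URL %q contains characters not allowed in an nginx directive", s)
		return ""
	}

	u, err := url.Parse(s)
	if err != nil {
		klog.Errorf("unexpected error parsing auth signin URL %q: %v", s, err)
		return ""
	}

	const rd = "rd=$pass_access_scheme://$http_host$escaped_request_uri"

	q := u.Query()
	switch {
	case len(q) == 0:
		return s + "?" + rd
	case q.Get("rd") != "":
		return s
	default:
		return s + "&" + rd
	}
}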
// letters is the alphabet randomString draws from: ASCII letters only, so
// the result is always a valid fragment of an nginx variable name.
var letters = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")

// init seeds the global math/rand source so the slugs produced by
// randomString differ between controller runs. math/rand is not a
// cryptographic source; the slugs only need to be unlikely to collide,
// never unpredictable. (Since Go 1.20 the global source is seeded
// automatically and rand.Seed is deprecated; this can go once the
// toolchain allows.)
func init() {
	rand.Seed(time.Now().UnixNano())
}
// randomString returns a 32-character string of ASCII letters drawn
// uniformly from letters with math/rand. It is meant for nginx variable
// name slugs (see buildDenyVariable), not for secrets: math/rand is not a
// cryptographically secure generator.
func randomString() string {
	const length = 32
	var sb strings.Builder
	sb.Grow(length)
	for n := 0; n < length; n++ {
		sb.WriteRune(letters[rand.Intn(len(letters))])
	}
	return sb.String()
}
// buildOpentracing returns the nginx directive that loads the OpenTracing
// tracer plugin selected by the configuration, followed by "\r\n". The
// first collector host set among Zipkin, Jaeger and Datadog wins, in that
// order; with none set only the line terminator is returned. On ARM the
// Jaeger plugin line is replaced by a comment, since no build exists for
// it (https://github.com/jaegertracing/jaeger-client-cpp/issues/151).
// Tracing disabled, or a value that is not a config.Configuration
// (logged), yields the empty string.
func buildOpentracing(input interface{}) string {
	cfg, ok := input.(config.Configuration)
	if !ok {
		klog.Errorf("expected a 'config.Configuration' type but %T was returned", input)
		return ""
	}
	if !cfg.EnableOpentracing {
		return ""
	}

	var directive string
	switch {
	case cfg.ZipkinCollectorHost != "":
		directive = "opentracing_load_tracer /usr/local/lib/libzipkin_opentracing.so /etc/nginx/opentracing.json;"
	case cfg.JaegerCollectorHost != "" && runtime.GOARCH == "arm":
		directive = "# Jaeger tracer is not available for ARM https://github.com/jaegertracing/jaeger-client-cpp/issues/151"
	case cfg.JaegerCollectorHost != "":
		directive = "opentracing_load_tracer /usr/local/lib/libjaegertracing_plugin.so /etc/nginx/opentracing.json;"
	case cfg.DatadogCollectorHost != "":
		directive = "opentracing_load_tracer /usr/local/lib/libdd_opentracing.so /etc/nginx/opentracing.json;"
	}

	var buf bytes.Buffer
	buf.WriteString(directive)
	buf.WriteString("\r\n")
	return buf.String()
}
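// buildInfluxDB produces the single-line "influxdb" directive that makes
// the nginx InfluxDB module report request metrics for the current
// resource, or the empty string when the module is disabled for it.
//
// server_name, host, port and measurement are copied verbatim from the
// annotation-derived config into nginx.conf, so each must be a single nginx
// token: a value containing whitespace, ';', '{', '}', '#', '\' or a quote
// could terminate the directive or open a new block, and such configs are
// logged and the directive omitted. The annotation parser may validate
// these as well; this is defence in depth. A value of any other type than
// influxdb.Config is logged and yields the empty string.
func buildInfluxDB(input interface{}) string {
	cfg, ok := input.(influxdb.Config)
	if !ok {
		klog.Errorf("expected an 'influxdb.Config' type but %T was returned", input)
		return ""
	}

	if !cfg.InfluxDBEnabled {
		return ""
	}

	// Characters that end an nginx token or change how the directive is
	// parsed; none of them is legitimate in a host, port, name or measurement.
	const unsafeChars = " \t\r\n;{}#\\\"'"
	for _, v := range []string{cfg.InfluxDBServerName, cfg.InfluxDBHost, cfg.InfluxDBPort, cfg.InfluxDBMeasurement} {
		if strings.ContainsAny(v, unsafeChars) {
			klog.Errorf("influxdb configuration value %q contains characters not allowed in an nginx directive", v)
			return ""
		}
	}

	return fmt.Sprintf(
		"influxdb server_name=%s host=%s port=%s measurement=%s enabled=true;",
		cfg.InfluxDBServerName,
		cfg.InfluxDBHost,
		cfg.InfluxDBPort,
		cfg.InfluxDBMeasurement,
	)
}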
// proxySetHeader returns the directive used to set upstream request headers
// for the given *ingress.Location: "grpc_set_header" when the backend
// protocol is GRPC or GRPCS, "proxy_set_header" otherwise. A value of any
// other type is logged and falls back to "proxy_set_header".
func proxySetHeader(loc interface{}) string {
	location, ok := loc.(*ingress.Location)
	if !ok {
		klog.Errorf("expected a '*ingress.Location' type but %T was returned", loc)
		return "proxy_set_header"
	}

	switch location.BackendProtocol {
	case "GRPC", "GRPCS":
		return "grpc_set_header"
	default:
		return "proxy_set_header"
	}
}
// buildCustomErrorDeps bundles the values the 'CUSTOM_ERRORS' template
// needs into a single anonymous struct with the exported fields
// UpstreamName, ErrorCodes and EnableMetrics, so they can be passed to the
// template as one argument.
func buildCustomErrorDeps(upstreamName string, errorCodes []int, enableMetrics bool) interface{} {
	deps := struct {
		UpstreamName  string
		ErrorCodes    []int
		EnableMetrics bool
	}{upstreamName, errorCodes, enableMetrics}
	return deps
}
// errorLocation is one entry of the result of
// buildCustomErrorLocationsPerServer: the default-backend upstream shared
// by one or more locations and their deduplicated custom error codes in
// ascending order, from which the template emits an @custom error location.
type errorLocation struct {
	UpstreamName string
	Codes        []int
}
// buildCustomErrorLocationsPerServer collects the custom HTTP error codes
// of every location in the given *ingress.Server, grouped by the location's
// DefaultBackendUpstreamName with duplicate codes removed. It returns a
// []errorLocation (as interface{}) sorted by upstream name, each holding
// that upstream's codes in ascending order, so the template can emit one
// @custom error location block per upstream/code set. Every location
// contributes an entry for its upstream even when it has no custom codes
// (Codes is then empty). A value of any other type is logged and yields nil.
func buildCustomErrorLocationsPerServer(input interface{}) interface{} {
	server, ok := input.(*ingress.Server)
	if !ok {
		klog.Errorf("expected a '*ingress.Server' type but %T was returned", input)
		return nil
	}

	// upstream name -> set of custom error codes
	codesByUpstream := map[string]map[int]bool{}
	for _, loc := range server.Locations {
		upstream := loc.DefaultBackendUpstreamName
		codes := codesByUpstream[upstream]
		if codes == nil {
			codes = map[int]bool{}
			codesByUpstream[upstream] = codes
		}
		for _, code := range loc.CustomHTTPErrors {
			codes[code] = true
		}
	}

	errorLocations := make([]errorLocation, 0, len(codesByUpstream))
	for upstream, codes := range codesByUpstream {
		sortedCodes := make([]int, 0, len(codes))
		for code := range codes {
			sortedCodes = append(sortedCodes, code)
		}
		sort.Ints(sortedCodes)
		errorLocations = append(errorLocations, errorLocation{
			UpstreamName: upstream,
			Codes:        sortedCodes,
		})
	}

	// map iteration order is random; sort for a stable template output
	sort.Slice(errorLocations, func(a, b int) bool {
		return errorLocations[a].UpstreamName < errorLocations[b].UpstreamName
	})

	return errorLocations
}
// opentracingPropagateContext returns the directive that injects the
// current trace context into upstream requests for the given
// *ingress.Location: "opentracing_grpc_propagate_context" for GRPC/GRPCS
// backends, "opentracing_propagate_context" otherwise. A value of any other
// type is logged and falls back to "opentracing_propagate_context".
func opentracingPropagateContext(loc interface{}) string {
	const httpDirective = "opentracing_propagate_context"

	location, ok := loc.(*ingress.Location)
	if !ok {
		klog.Errorf("expected a '*ingress.Location' type but %T was returned", loc)
		return httpDirective
	}

	switch location.BackendProtocol {
	case "GRPC", "GRPCS":
		return "opentracing_grpc_propagate_context"
	}
	return httpDirective
}
// shouldLoadModSecurityModule reports whether the ModSecurity nginx module
// has to be loaded: true when `enable-modsecurity` is set in the ConfigMap
// (c, a config.Configuration), or when any location of any server in s
// ([]*ingress.Server) enables it through the
// `nginx.ingress.kubernetes.io/enable-modsecurity` annotation. A type
// mismatch in either argument is logged and reported as false.
func shouldLoadModSecurityModule(c interface{}, s interface{}) bool {
	cfg, ok := c.(config.Configuration)
	if !ok {
		klog.Errorf("expected a 'config.Configuration' type but %T was returned", c)
		return false
	}

	servers, ok := s.([]*ingress.Server)
	if !ok {
		klog.Errorf("expected an '[]*ingress.Server' type but %T was returned", s)
		return false
	}

	// anyLocationEnabled reports whether at least one location opted in via
	// its annotation; only consulted when the global switch is off.
	anyLocationEnabled := func() bool {
		for _, server := range servers {
			for _, location := range server.Locations {
				if location.ModSecurity.Enable {
					return true
				}
			}
		}
		return false
	}

	return cfg.EnableModsecurity || anyLocationEnabled()
}
// buildHTTPListener renders the plain-HTTP "listen" directives for the
// server named s (a hostname, "_" for the default server) from the template
// config t (config.TemplateConfig): one directive per IPv4 bind address (a
// single unbound one when none is configured) and, only if IPv6 is enabled,
// one per IPv6 bind address (defaulting to "[::]"). Lines are joined with
// "\n". A type mismatch in either argument is logged and yields the empty
// string.
func buildHTTPListener(t interface{}, s interface{}) string {
	tc, ok := t.(config.TemplateConfig)
	if !ok {
		klog.Errorf("expected a 'config.TemplateConfig' type but %T was returned", t)
		return ""
	}

	hostname, ok := s.(string)
	if !ok {
		klog.Errorf("expected a 'string' type but %T was returned", s)
		return ""
	}

	co := commonListenOptions(tc, hostname)

	addrV4 := tc.Cfg.BindAddressIpv4
	if len(addrV4) == 0 {
		addrV4 = []string{""}
	}
	out := httpListener(addrV4, co, tc)

	if tc.IsIPV6Enabled {
		addrV6 := tc.Cfg.BindAddressIpv6
		if len(addrV6) == 0 {
			addrV6 = []string{"[::]"}
		}
		out = append(out, httpListener(addrV6, co, tc)...)
	}

	return strings.Join(out, "\n")
}
// buildHTTPSListener renders the TLS "listen" directives for the server
// named s (a hostname, "_" for the default server) from the template config
// t (config.TemplateConfig): one directive per IPv4 bind address (a single
// unbound one when none is configured) and, only if IPv6 is enabled, one
// per IPv6 bind address (defaulting to "[::]"). The per-directive details
// (port, proxy_protocol, ssl, http2) are decided by httpsListener. Lines
// are joined with "\n". A type mismatch in either argument is logged and
// yields the empty string.
func buildHTTPSListener(t interface{}, s interface{}) string {
	tc, ok := t.(config.TemplateConfig)
	if !ok {
		klog.Errorf("expected a 'config.TemplateConfig' type but %T was returned", t)
		return ""
	}

	hostname, ok := s.(string)
	if !ok {
		klog.Errorf("expected a 'string' type but %T was returned", s)
		return ""
	}

	co := commonListenOptions(tc, hostname)

	addrV4 := tc.Cfg.BindAddressIpv4
	if len(addrV4) == 0 {
		addrV4 = []string{""}
	}
	out := httpsListener(addrV4, co, tc)

	if tc.IsIPV6Enabled {
		addrV6 := tc.Cfg.BindAddressIpv6
		if len(addrV6) == 0 {
			addrV6 = []string{"[::]"}
		}
		out = append(out, httpsListener(addrV6, co, tc)...)
	}

	return strings.Join(out, "\n")
}
// commonListenOptions returns the "listen" parameters shared by the HTTP
// and HTTPS directives of a server: "proxy_protocol" when enabled in the
// config and, only for the default server (hostname "_") because nginx
// accepts them once per port, "default_server", "reuseport" when
// configured, and "backlog=<BacklogSize>". Parameters are space-separated;
// the result may be empty.
func commonListenOptions(template config.TemplateConfig, hostname string) string {
	var opts []string
	if template.Cfg.UseProxyProtocol {
		opts = append(opts, "proxy_protocol")
	}

	// options that are valid only once per port go on the default server
	if hostname == "_" {
		opts = append(opts, "default_server")
		if template.Cfg.ReusePort {
			opts = append(opts, "reuseport")
		}
		opts = append(opts, fmt.Sprintf("backlog=%v", template.BacklogSize))
	}

	return strings.Join(opts, " ")
}
// httpListener renders one HTTP "listen" directive per address: the
// address and tc.ListenPorts.HTTP (the bare port when the address is
// empty), the common options co, then ";". Tokens are joined with single
// spaces, so an empty co leaves two spaces before the semicolon.
func httpListener(addresses []string, co string, tc config.TemplateConfig) []string {
	directives := make([]string, 0, len(addresses))
	for _, address := range addresses {
		endpoint := fmt.Sprintf("%v", tc.ListenPorts.HTTP)
		if address != "" {
			endpoint = fmt.Sprintf("%v:%v", address, tc.ListenPorts.HTTP)
		}
		directives = append(directives, strings.Join([]string{"listen", endpoint, co, ";"}, " "))
	}
	return directives
}
// httpsListener renders one HTTPS "listen" directive per address. With SSL
// passthrough enabled the directive binds tc.ListenPorts.SSLProxy and
// always carries "proxy_protocol" (presumably because the passthrough
// proxy in front of nginx sends it — confirm); otherwise it binds
// tc.ListenPorts.HTTPS and carries "proxy_protocol" only when enabled in
// the config. The common options co, "ssl" and, when UseHTTP2 is set,
// "http2" follow, then ";". An empty address binds the bare port. Tokens
// are joined with single spaces.
// NOTE(review): with passthrough and UseProxyProtocol both set,
// "proxy_protocol" appears twice (once here, once inside co) — verify that
// nginx tolerates the duplicate before relying on that combination.
func httpsListener(addresses []string, co string, tc config.TemplateConfig) []string {
	directives := make([]string, 0, len(addresses))
	for _, address := range addresses {
		port := tc.ListenPorts.HTTPS
		if tc.IsSSLPassthroughEnabled {
			port = tc.ListenPorts.SSLProxy
		}

		tokens := []string{"listen"}
		if address == "" {
			tokens = append(tokens, fmt.Sprintf("%v", port))
		} else {
			tokens = append(tokens, fmt.Sprintf("%v:%v", address, port))
		}

		if tc.IsSSLPassthroughEnabled || tc.Cfg.UseProxyProtocol {
			tokens = append(tokens, "proxy_protocol")
		}

		tokens = append(tokens, co, "ssl")
		if tc.Cfg.UseHTTP2 {
			tokens = append(tokens, "http2")
		}
		tokens = append(tokens, ";")

		directives = append(directives, strings.Join(tokens, " "))
	}
	return directives
}