ingress-nginx-helm/controllers/nginx/nginx.tmpl

{{ $cfg := .cfg }}
daemon off;

worker_processes {{ $cfg.workerProcesses }};

pid /run/nginx.pid;

worker_rlimit_nofile 131072;

pcre_jit on;

events {
    multi_accept        on;
    worker_connections  {{ $cfg.maxWorkerConnections }};
    use                 epoll; 
}

http {
    {{/* databases used to determine the country depending on the client IP address */}}
    {{/* http://nginx.org/en/docs/http/ngx_http_geoip_module.html */}}
    {{/* this is require to calculate traffic for individual country using GeoIP in the status page */}}
    geoip_country       /etc/nginx/GeoIP.dat;
    geoip_city          /etc/nginx/GeoLiteCity.dat;

    {{- if $cfg.enableVtsStatus }}
    vhost_traffic_status_zone shared:vhost_traffic_status:{{ $cfg.vtsStatusZoneSize }};
    vhost_traffic_status_filter_by_set_key $geoip_country_code country::*;
    {{ end -}}

    # lus sectrion to return proper error codes when custom pages are used
    lua_package_path '.?.lua;./etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/lua-resty-http/lib/?.lua;';
    init_by_lua_block {        
        require("error_page")
    }

    sendfile            on;
    aio                 threads;
    tcp_nopush          on;
    tcp_nodelay         on;
    
    log_subrequest      on;

    reset_timedout_connection on;

    keepalive_timeout {{ $cfg.keepAlive }}s;

    types_hash_max_size 2048;
    server_names_hash_max_size {{ $cfg.serverNameHashMaxSize }};
    server_names_hash_bucket_size {{ $cfg.serverNameHashBucketSize }};

    include /etc/nginx/mime.types;
    default_type text/html;
    {{ if $cfg.useGzip -}}
    gzip on;
    gzip_comp_level 5;
    gzip_http_version 1.1;
    gzip_min_length 256;
    gzip_types {{ $cfg.gzipTypes }};    
    gzip_proxied any;
    {{- end }}

    client_max_body_size "{{ $cfg.bodySize }}";

    {{ if $cfg.useProxyProtocol -}}
    set_real_ip_from    {{ $cfg.proxyRealIpCidr }};
    real_ip_header      proxy_protocol;
    {{ end -}}

    log_format upstreaminfo '{{ if $cfg.useProxyProtocol }}$proxy_protocol_addr{{ else }}$remote_addr{{ end }} - '
        '[$proxy_add_x_forwarded_for] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" '
        '$request_length $request_time $upstream_addr $upstream_response_length $upstream_response_time $upstream_status';

    access_log /var/log/nginx/access.log upstreaminfo;
    error_log  /var/log/nginx/error.log {{ $cfg.errorLogLevel }};

    {{ if not (empty .defResolver) }}# Custom dns resolver.
    resolver {{ .defResolver }} valid=30s;
    {{ end }}

    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # trust http_x_forwarded_proto headers correctly indicate ssl offloading
    map $http_x_forwarded_proto $pass_access_scheme {
      default $http_x_forwarded_proto;
      ''      $scheme;
    }

    # Map a response error watching the header Content-Type
    map $http_accept $httpAccept {
        default          html;
        application/json json;
        application/xml  xml;
        text/plain       text;
    }

    map $httpAccept $httpReturnType {
        default          text/html;
        json             application/json;
        xml              application/xml;
        text             text/plain;
    }

    server_name_in_redirect off;
    port_in_redirect off;

    ssl_protocols {{ $cfg.sslProtocols }};

    # turn on session caching to drastically improve performance
    {{ if $cfg.sslSessionCache }}
    ssl_session_cache builtin:1000 shared:SSL:{{ $cfg.sslSessionCacheSize }};
    ssl_session_timeout {{ $cfg.sslSessionTimeout }};
    {{ end }}

    # allow configuring ssl session tickets
    ssl_session_tickets {{ if $cfg.sslSessionTickets }}on{{ else }}off{{ end }};

    # slightly reduce the time-to-first-byte
    ssl_buffer_size {{ $cfg.sslBufferSize }};

    {{ if not (empty $cfg.sslCiphers) }}
    # allow configuring custom ssl ciphers
    ssl_ciphers '{{ $cfg.sslCiphers }}';
    ssl_prefer_server_ciphers on;
    {{ end }}

    {{ if not (empty .sslDHParam) }}
    # allow custom DH file http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
    ssl_dhparam {{ .sslDHParam }};
    {{ end }}

    {{- if .customErrors }}
    # Custom error pages
    proxy_intercept_errors on;
    {{ end -}}

    {{- range $errCode := $cfg.customHttpErrors }}
    error_page {{ $errCode }} = @custom_{{ $errCode }};
    {{ end }}

    # In case of errors try the next upstream server before returning an error
    proxy_next_upstream                     error timeout invalid_header http_502 http_503 http_504 {{ if $cfg.retryNonIdempotent }}non_idempotent{{ end }};

    {{range $name, $upstream := .upstreams}}
    upstream {{$upstream.Name}} {
        {{ if $cfg.enableStickySessions -}}
        sticky hash=sha1 httponly;
        {{ else -}}
        least_conn;
        {{- end }}
        {{ range $server := $upstream.Backends }}server {{ $server.Address }}:{{ $server.Port }} max_fails={{ $server.MaxFails }} fail_timeout={{ $server.FailTimeout }};

        {{ end }}
    }
    {{ end }}

    {{/* build all the required rate limit zones. Each annotation requires a dedicated zone */}}
    {{/* 1MB -> 16 thousand 64-byte states or about 8 thousand 128-byte states */}}
    {{ $zone := range (buildRateLimitZones .servers) }}
    {{ $zone }}
    {{ end }}

    {{ range $server := .servers }}
    server {
        server_name {{ $server.Name }};
        listen 80{{ if $cfg.useProxyProtocol }} proxy_protocol{{ end }};
        {{ if $server.SSL }}listen 443 {{ if $cfg.useProxyProtocol }}proxy_protocol{{ end }} ssl {{ if $cfg.useHttp2 }}http2{{ end }};
        {{/* comment PEM sha is required to detect changes in the generated configuration and force a reload */}}
        # PEM sha: {{ $server.SSLPemChecksum }}        
        ssl_certificate {{ $server.SSLCertificate }};
        ssl_certificate_key {{ $server.SSLCertificateKey }};
        {{ end }}

        {{ if (and $server.SSL $cfg.hsts) -}}
        if ($scheme = http) {
            return 301 https://$host$request_uri;
        }

        more_set_headers                            "Strict-Transport-Security: max-age={{ $cfg.hstsMaxAge }}{{ if $cfg.hstsIncludeSubdomains }}; includeSubDomains{{ end }}; preload";
        {{ end -}}

        {{ if $cfg.enableVtsStatus }}vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name;{{ end }}

        {{- range $location := $server.Locations }}
        {{- $path := buildLocation $location }}
        location {{ $path }} {
        location {{ $path }} {        
            proxy_set_header Host                   $host;

            # Pass Real IP
            proxy_set_header X-Real-IP              $remote_addr;

            # Allow websocket connections
            proxy_set_header                        Upgrade           $http_upgrade;
            proxy_set_header                        Connection        $connection_upgrade;

            proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host       $host;
            proxy_set_header X-Forwarded-Port       $server_port;
            proxy_set_header X-Forwarded-Proto      $pass_access_scheme;

            proxy_connect_timeout                   {{ $cfg.proxyConnectTimeout }}s;
            proxy_send_timeout                      {{ $cfg.proxySendTimeout }}s;
            proxy_read_timeout                      {{ $cfg.proxyReadTimeout }}s;

            proxy_redirect                          off;
            proxy_buffering                         off;

            proxy_http_version                      1.1;

            {{/* rewrite only works if the content is not compressed */}}
            {{ if $location.Redirect.AddBaseURL -}}
            proxy_set_header                        Accept-Encoding     "";
            {{- end }}

            {{- buildProxyPass $location }}
        }
        {{ end }}

        {{ if eq $server.Name "_" }}
        # this is required to avoid error if nginx is being monitored
        # with an external software (like sysdig)
        location /nginx_status {
            allow 127.0.0.1;
            deny all;

            access_log off;
            stub_status on;
        }
        {{ end }}
        {{ template "CUSTOM_ERRORS" $cfg }}
    }
    {{ end }}

    # default server, including healthcheck
    server {
        listen 8080 default_server reuseport;

        location /healthz {
            access_log off;
            return 200;
        }
       
        location /nginx_status {
            {{ if $cfg.enableVtsStatus -}}
            vhost_traffic_status_display;
            vhost_traffic_status_display_format html;
            {{ else }}
            access_log off;
            stub_status on;
            {{- end }}
        }

        location / {
            proxy_pass             http://upstream-default-backend;
        }
        {{- template "CUSTOM_ERRORS" $cfg }}
    }

    # default server for services without endpoints
    server {
        listen 8181;

        location / {
            {{ if .customErrors }}
            content_by_lua_block {
                openURL(503)
            }
            {{ else }}
            return 503;
            {{ end }}
        }        
    }    
}

stream {
# TCP services
{{ range $i, $tcpServer := .tcpUpstreams }}
    upstream tcp-{{ $tcpServer.Upstream.Name }} {
        {{ range $server := $tcpServer.Upstream.Backends }}server {{ $server.Address }}:{{ $server.Port }};
        {{ end }}
    }

    server {
        listen {{ $tcpServer.Path }};
        proxy_connect_timeout  {{ $cfg.proxyConnectTimeout }};
        proxy_timeout          {{ $cfg.proxyReadTimeout }};
        proxy_pass             tcp-{{ $tcpServer.Upstream.Name }};
    }
{{ end }}

# UDP services
{{ range $i, $udpServer := .udpUpstreams }}
    upstream udp-{{ $udpServer.Upstream.Name }} {
        {{ range $server := $udpServer.Upstream.Backends }}server {{ $server.Address }}:{{ $server.Port }};
        {{ end }}
    }

    server {
        listen {{ $udpServer.Path }} udp;
        proxy_timeout          10s;
        proxy_responses        1;
        proxy_pass             udp-{{ $udpServer.Upstream.Name }};
    }
{{ end }}
}

{{/* definition of templates to avoid repetitions */}}
{{ define "CUSTOM_ERRORS" }}
        {{ range $errCode := .customHttpErrors }}
        location @custom_{{ $errCode }} {
            internal;
            content_by_lua_block {
                openURL({{ $errCode }})
            }
        }    
        {{ end }}
{{ end }}
Remove dns from nginx. Use upstreams for default backend service 2016-03-19 20:17:58 +00:00			`{{ $cfg := .cfg }}`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00			`daemon off;`

Configure nginx using a ConfigMap 2016-03-19 23:29:29 +00:00			`worker_processes {{ $cfg.workerProcesses }};`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00
			`pid /run/nginx.pid;`

			`worker_rlimit_nofile 131072;`

Improve event handling using a workqueue 2016-03-22 18:01:04 +00:00			`pcre_jit on;`

git mv Ingress ingress 2016-02-22 00:13:08 +00:00			`events {`
Improve event handling using a workqueue 2016-03-22 18:01:04 +00:00			`multi_accept on;`
			`worker_connections {{ $cfg.maxWorkerConnections }};`
			`use epoll;`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00			`}`

			`http {`
Add support for geoip in stats 2016-05-30 18:44:02 +00:00			`{{/* databases used to determine the country depending on the client IP address */}}`
			`{{/* http://nginx.org/en/docs/http/ngx_http_geoip_module.html */}}`
			`{{/* this is require to calculate traffic for individual country using GeoIP in the status page */}}`
			`geoip_country /etc/nginx/GeoIP.dat;`
			`geoip_city /etc/nginx/GeoLiteCity.dat;`

			`{{- if $cfg.enableVtsStatus }}`
			`vhost_traffic_status_zone shared:vhost_traffic_status:{{ $cfg.vtsStatusZoneSize }};`
			`vhost_traffic_status_filter_by_set_key $geoip_country_code country::*;`
			`{{ end -}}`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00
Remove dns from nginx. Use upstreams for default backend service 2016-03-19 20:17:58 +00:00			`# lus sectrion to return proper error codes when custom pages are used`
Use nginx upstreams and reload only if configuration changes 2016-03-15 02:29:13 +00:00			`lua_package_path '.?.lua;./etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/lua-resty-http/lib/?.lua;';`
Remove dns from nginx. Use upstreams for default backend service 2016-03-19 20:17:58 +00:00			`init_by_lua_block {`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00			`require("error_page")`
			`}`

Improve event handling using a workqueue 2016-03-22 18:01:04 +00:00			`sendfile on;`
			`aio threads;`
			`tcp_nopush on;`
			`tcp_nodelay on;`

			`log_subrequest on;`

			`reset_timedout_connection on;`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00
Configure nginx using a ConfigMap 2016-03-19 23:29:29 +00:00			`keepalive_timeout {{ $cfg.keepAlive }}s;`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00
			`types_hash_max_size 2048;`
Configure nginx using a ConfigMap 2016-03-19 23:29:29 +00:00			`server_names_hash_max_size {{ $cfg.serverNameHashMaxSize }};`
			`server_names_hash_bucket_size {{ $cfg.serverNameHashBucketSize }};`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00
			`include /etc/nginx/mime.types;`
Allow traffic to default server _ 2016-04-02 20:41:41 +00:00			`default_type text/html;`
Allow custom health checks 2016-05-16 20:29:33 +00:00			`{{ if $cfg.useGzip -}}`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00			`gzip on;`
			`gzip_comp_level 5;`
			`gzip_http_version 1.1;`
			`gzip_min_length 256;`
Configure nginx using a ConfigMap 2016-03-19 23:29:29 +00:00			`gzip_types {{ $cfg.gzipTypes }};`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00			`gzip_proxied any;`
Allow custom health checks 2016-05-16 20:29:33 +00:00			`{{- end }}`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00
Configure nginx using a ConfigMap 2016-03-19 23:29:29 +00:00			`client_max_body_size "{{ $cfg.bodySize }}";`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00
Allow custom health checks 2016-05-16 20:29:33 +00:00			`{{ if $cfg.useProxyProtocol -}}`
Improve event handling using a workqueue 2016-03-22 18:01:04 +00:00			`set_real_ip_from {{ $cfg.proxyRealIpCidr }};`
			`real_ip_header proxy_protocol;`
Allow custom health checks 2016-05-16 20:29:33 +00:00			`{{ end -}}`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00
Configure nginx using a ConfigMap 2016-03-19 23:29:29 +00:00			`log_format upstreaminfo '{{ if $cfg.useProxyProtocol }}$proxy_protocol_addr{{ else }}$remote_addr{{ end }} - '`
Remove dns from nginx. Use upstreams for default backend service 2016-03-19 20:17:58 +00:00			`'[$proxy_add_x_forwarded_for] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" '`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00			`'$request_length $request_time $upstream_addr $upstream_response_length $upstream_response_time $upstream_status';`

			`access_log /var/log/nginx/access.log upstreaminfo;`
Configure nginx using a ConfigMap 2016-03-19 23:29:29 +00:00			`error_log /var/log/nginx/error.log {{ $cfg.errorLogLevel }};`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00
			`{{ if not (empty .defResolver) }}# Custom dns resolver.`
			`resolver {{ .defResolver }} valid=30s;`
			`{{ end }}`

			`map $http_upgrade $connection_upgrade {`
			`default upgrade;`
			`'' close;`
			`}`

			`# trust http_x_forwarded_proto headers correctly indicate ssl offloading`
Improve documentation. Add flag to enable vts status module 2016-03-26 21:25:51 +00:00			`map $http_x_forwarded_proto $pass_access_scheme {`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00			`default $http_x_forwarded_proto;`
			`'' $scheme;`
			`}`

			`# Map a response error watching the header Content-Type`
			`map $http_accept $httpAccept {`
			`default html;`
			`application/json json;`
			`application/xml xml;`
			`text/plain text;`
			`}`

			`map $httpAccept $httpReturnType {`
			`default text/html;`
			`json application/json;`
			`xml application/xml;`
			`text text/plain;`
			`}`

			`server_name_in_redirect off;`
			`port_in_redirect off;`

Configure nginx using a ConfigMap 2016-03-19 23:29:29 +00:00			`ssl_protocols {{ $cfg.sslProtocols }};`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00
			`# turn on session caching to drastically improve performance`
Configure nginx using a ConfigMap 2016-03-19 23:29:29 +00:00			`{{ if $cfg.sslSessionCache }}`
			`ssl_session_cache builtin:1000 shared:SSL:{{ $cfg.sslSessionCacheSize }};`
			`ssl_session_timeout {{ $cfg.sslSessionTimeout }};`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00			`{{ end }}`

			`# allow configuring ssl session tickets`
Configure nginx using a ConfigMap 2016-03-19 23:29:29 +00:00			`ssl_session_tickets {{ if $cfg.sslSessionTickets }}on{{ else }}off{{ end }};`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00
			`# slightly reduce the time-to-first-byte`
Configure nginx using a ConfigMap 2016-03-19 23:29:29 +00:00			`ssl_buffer_size {{ $cfg.sslBufferSize }};`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00
Configure nginx using a ConfigMap 2016-03-19 23:29:29 +00:00			`{{ if not (empty $cfg.sslCiphers) }}`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00			`# allow configuring custom ssl ciphers`
Configure nginx using a ConfigMap 2016-03-19 23:29:29 +00:00			`ssl_ciphers '{{ $cfg.sslCiphers }}';`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00			`ssl_prefer_server_ciphers on;`
			`{{ end }}`

			`{{ if not (empty .sslDHParam) }}`
			`# allow custom DH file http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam`
			`ssl_dhparam {{ .sslDHParam }};`
			`{{ end }}`

Change errors to a list of codes 2016-05-23 23:15:13 +00:00			`{{- if .customErrors }}`
Add helper to verify if the configuration file changed 2016-03-15 15:31:39 +00:00			`# Custom error pages`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00			`proxy_intercept_errors on;`
Change errors to a list of codes 2016-05-23 23:15:13 +00:00			`{{ end -}}`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00
Change errors to a list of codes 2016-05-23 23:15:13 +00:00			`{{- range $errCode := $cfg.customHttpErrors }}`
			`error_page {{ $errCode }} = @custom_{{ $errCode }};`
			`{{ end }}`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00
			`# In case of errors try the next upstream server before returning an error`
Add configuration for retries in non-idempotent requests 2016-03-30 03:47:20 +00:00			`proxy_next_upstream error timeout invalid_header http_502 http_503 http_504 {{ if $cfg.retryNonIdempotent }}non_idempotent{{ end }};`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00
Add helper to verify if the configuration file changed 2016-03-15 15:31:39 +00:00			`{{range $name, $upstream := .upstreams}}`
			`upstream {{$upstream.Name}} {`
Allow custom health checks 2016-05-16 20:29:33 +00:00			`{{ if $cfg.enableStickySessions -}}`
Add support for sticky sessions 2016-04-28 04:03:59 +00:00			`sticky hash=sha1 httponly;`
Allow custom health checks 2016-05-16 20:29:33 +00:00			`{{ else -}}`
Add helper to verify if the configuration file changed 2016-03-15 15:31:39 +00:00			`least_conn;`
Allow custom health checks 2016-05-16 20:29:33 +00:00			`{{- end }}`
			`{{ range $server := $upstream.Backends }}server {{ $server.Address }}:{{ $server.Port }} max_fails={{ $server.MaxFails }} fail_timeout={{ $server.FailTimeout }};`

Add support for sticky sessions 2016-04-28 04:03:59 +00:00			`{{ end }}`
Add helper to verify if the configuration file changed 2016-03-15 15:31:39 +00:00			`}`
Allow custom health checks 2016-05-16 20:29:33 +00:00			`{{ end }}`
Add helper to verify if the configuration file changed 2016-03-15 15:31:39 +00:00
Add support for rate limiting in ingress rule locations 2016-05-27 21:03:54 +00:00			`{{/* build all the required rate limit zones. Each annotation requires a dedicated zone */}}`
			`{{/* 1MB -> 16 thousand 64-byte states or about 8 thousand 128-byte states */}}`
			`{{ $zone := range (buildRateLimitZones .servers) }}`
			`{{ $zone }}`
			`{{ end }}`

Use nginx upstreams and reload only if configuration changes 2016-03-15 02:29:13 +00:00			`{{ range $server := .servers }}`
			`server {`
Change errors to a list of codes 2016-05-23 23:15:13 +00:00			`server_name {{ $server.Name }};`
Fix HSTS 2016-04-16 22:36:45 +00:00			`listen 80{{ if $cfg.useProxyProtocol }} proxy_protocol{{ end }};`
Enable configuration to disable http2 2016-05-12 10:48:37 +00:00			`{{ if $server.SSL }}listen 443 {{ if $cfg.useProxyProtocol }}proxy_protocol{{ end }} ssl {{ if $cfg.useHttp2 }}http2{{ end }};`
Add ssl certificate checksum to template 2016-05-24 14:02:29 +00:00			`{{/* comment PEM sha is required to detect changes in the generated configuration and force a reload */}}`
			`# PEM sha: {{ $server.SSLPemChecksum }}`
Add helper to verify if the configuration file changed 2016-03-15 15:31:39 +00:00			`ssl_certificate {{ $server.SSLCertificate }};`
Allow custom health checks 2016-05-16 20:29:33 +00:00			`ssl_certificate_key {{ $server.SSLCertificateKey }};`
			`{{ end }}`
Add helper to verify if the configuration file changed 2016-03-15 15:31:39 +00:00
Allow custom health checks 2016-05-16 20:29:33 +00:00			`{{ if (and $server.SSL $cfg.hsts) -}}`
Add helper to verify if the configuration file changed 2016-03-15 15:31:39 +00:00			`if ($scheme = http) {`
			`return 301 https://$host$request_uri;`
			`}`
Make optional redirect to SSL 2016-04-15 12:35:39 +00:00
Fix HSTS 2016-04-16 22:36:45 +00:00			`more_set_headers "Strict-Transport-Security: max-age={{ $cfg.hstsMaxAge }}{{ if $cfg.hstsIncludeSubdomains }}; includeSubDomains{{ end }}; preload";`
Allow custom health checks 2016-05-16 20:29:33 +00:00			`{{ end -}}`
Allow traffic to default server _ 2016-04-02 20:41:41 +00:00
Add support for geoip in stats 2016-05-30 18:44:02 +00:00			`{{ if $cfg.enableVtsStatus }}vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name;{{ end }}`

Add option to append a base tag in the head 2016-05-27 14:58:13 +00:00			`{{- range $location := $server.Locations }}`
			`{{- $path := buildLocation $location }}`
			`location {{ $path }} {`
			`location {{ $path }} {`
Improve event handling using a workqueue 2016-03-22 18:01:04 +00:00			`proxy_set_header Host $host;`

			`# Pass Real IP`
			`proxy_set_header X-Real-IP $remote_addr;`

			`# Allow websocket connections`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection $connection_upgrade;`

Add ump load balancing and naxsi as WAF. Update nginx to 1.9.13 2016-03-29 23:30:44 +00:00			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
Improve event handling using a workqueue 2016-03-22 18:01:04 +00:00			`proxy_set_header X-Forwarded-Host $host;`
Fix HSTS 2016-04-16 22:36:45 +00:00			`proxy_set_header X-Forwarded-Port $server_port;`
Improve documentation. Add flag to enable vts status module 2016-03-26 21:25:51 +00:00			`proxy_set_header X-Forwarded-Proto $pass_access_scheme;`
Improve event handling using a workqueue 2016-03-22 18:01:04 +00:00
			`proxy_connect_timeout {{ $cfg.proxyConnectTimeout }}s;`
			`proxy_send_timeout {{ $cfg.proxySendTimeout }}s;`
			`proxy_read_timeout {{ $cfg.proxyReadTimeout }}s;`

			`proxy_redirect off;`
			`proxy_buffering off;`

			`proxy_http_version 1.1;`

Add option to append a base tag in the head 2016-05-27 14:58:13 +00:00			`{{/* rewrite only works if the content is not compressed */}}`
			`{{ if $location.Redirect.AddBaseURL -}}`
			`proxy_set_header Accept-Encoding "";`
			`{{- end }}`

			`{{- buildProxyPass $location }}`
Add helper to verify if the configuration file changed 2016-03-15 15:31:39 +00:00			`}`
			`{{ end }}`
Wait until the pod it's running before getting information about it 2016-04-05 18:15:59 +00:00
			`{{ if eq $server.Name "_" }}`
			`# this is required to avoid error if nginx is being monitored`
			`# with an external software (like sysdig)`
			`location /nginx_status {`
			`allow 127.0.0.1;`
			`deny all;`

			`access_log off;`
			`stub_status on;`
			`}`
			`{{ end }}`
Remove dns from nginx. Use upstreams for default backend service 2016-03-19 20:17:58 +00:00			`{{ template "CUSTOM_ERRORS" $cfg }}`
Add helper to verify if the configuration file changed 2016-03-15 15:31:39 +00:00			`}`
			`{{ end }}`
Use nginx upstreams and reload only if configuration changes 2016-03-15 02:29:13 +00:00
git mv Ingress ingress 2016-02-22 00:13:08 +00:00			`# default server, including healthcheck`
			`server {`
Fix HSTS 2016-04-16 22:36:45 +00:00			`listen 8080 default_server reuseport;`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00
			`location /healthz {`
			`access_log off;`
			`return 200;`
			`}`
Add helper to verify if the configuration file changed 2016-03-15 15:31:39 +00:00
Improve documentation. Add flag to enable vts status module 2016-03-26 21:25:51 +00:00			`location /nginx_status {`
Allow custom health checks 2016-05-16 20:29:33 +00:00			`{{ if $cfg.enableVtsStatus -}}`
Improve documentation. Add flag to enable vts status module 2016-03-26 21:25:51 +00:00			`vhost_traffic_status_display;`
			`vhost_traffic_status_display_format html;`
			`{{ else }}`
Improve event handling using a workqueue 2016-03-22 18:01:04 +00:00			`access_log off;`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00			`stub_status on;`
Allow custom health checks 2016-05-16 20:29:33 +00:00			`{{- end }}`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00			`}`

			`location / {`
Remove dns from nginx. Use upstreams for default backend service 2016-03-19 20:17:58 +00:00			`proxy_pass http://upstream-default-backend;`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00			`}`
Change errors to a list of codes 2016-05-23 23:15:13 +00:00			`{{- template "CUSTOM_ERRORS" $cfg }}`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00			`}`
Remove custom ssl code and add TLS support in Ingress rules 2016-03-16 14:12:45 +00:00
			`# default server for services without endpoints`
			`server {`
Configure nginx using a ConfigMap 2016-03-19 23:29:29 +00:00			`listen 8181;`
Remove custom ssl code and add TLS support in Ingress rules 2016-03-16 14:12:45 +00:00
			`location / {`
Change errors to a list of codes 2016-05-23 23:15:13 +00:00			`{{ if .customErrors }}`
Remove custom ssl code and add TLS support in Ingress rules 2016-03-16 14:12:45 +00:00			`content_by_lua_block {`
Remove dns from nginx. Use upstreams for default backend service 2016-03-19 20:17:58 +00:00			`openURL(503)`
Remove custom ssl code and add TLS support in Ingress rules 2016-03-16 14:12:45 +00:00			`}`
Change errors to a list of codes 2016-05-23 23:15:13 +00:00			`{{ else }}`
			`return 503;`
			`{{ end }}`
Remove custom ssl code and add TLS support in Ingress rules 2016-03-16 14:12:45 +00:00			`}`
			`}`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00			`}`

			`stream {`
Add ump load balancing and naxsi as WAF. Update nginx to 1.9.13 2016-03-29 23:30:44 +00:00			`# TCP services`
Configure nginx using a ConfigMap 2016-03-19 23:29:29 +00:00			`{{ range $i, $tcpServer := .tcpUpstreams }}`
			`upstream tcp-{{ $tcpServer.Upstream.Name }} {`
			`{{ range $server := $tcpServer.Upstream.Backends }}server {{ $server.Address }}:{{ $server.Port }};`
Remove dns from nginx. Use upstreams for default backend service 2016-03-19 20:17:58 +00:00			`{{ end }}`
			`}`

git mv Ingress ingress 2016-02-22 00:13:08 +00:00			`server {`
Configure nginx using a ConfigMap 2016-03-19 23:29:29 +00:00			`listen {{ $tcpServer.Path }};`
Improve event handling using a workqueue 2016-03-22 18:01:04 +00:00			`proxy_connect_timeout {{ $cfg.proxyConnectTimeout }};`
			`proxy_timeout {{ $cfg.proxyReadTimeout }};`
Configure nginx using a ConfigMap 2016-03-19 23:29:29 +00:00			`proxy_pass tcp-{{ $tcpServer.Upstream.Name }};`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00			`}`
			`{{ end }}`
Add ump load balancing and naxsi as WAF. Update nginx to 1.9.13 2016-03-29 23:30:44 +00:00
			`# UDP services`
			`{{ range $i, $udpServer := .udpUpstreams }}`
			`upstream udp-{{ $udpServer.Upstream.Name }} {`
Add configuration for retries in non-idempotent requests 2016-03-30 03:47:20 +00:00			`{{ range $server := $udpServer.Upstream.Backends }}server {{ $server.Address }}:{{ $server.Port }};`
Add ump load balancing and naxsi as WAF. Update nginx to 1.9.13 2016-03-29 23:30:44 +00:00			`{{ end }}`
			`}`

			`server {`
Add configuration for retries in non-idempotent requests 2016-03-30 03:47:20 +00:00			`listen {{ $udpServer.Path }} udp;`
			`proxy_timeout 10s;`
Add ump load balancing and naxsi as WAF. Update nginx to 1.9.13 2016-03-29 23:30:44 +00:00			`proxy_responses 1;`
Add configuration for retries in non-idempotent requests 2016-03-30 03:47:20 +00:00			`proxy_pass udp-{{ $udpServer.Upstream.Name }};`
Add ump load balancing and naxsi as WAF. Update nginx to 1.9.13 2016-03-29 23:30:44 +00:00			`}`
			`{{ end }}`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00			`}`

			`{{/* definition of templates to avoid repetitions */}}`
			`{{ define "CUSTOM_ERRORS" }}`
Change errors to a list of codes 2016-05-23 23:15:13 +00:00			`{{ range $errCode := .customHttpErrors }}`
			`location @custom_{{ $errCode }} {`
Improve event handling using a workqueue 2016-03-22 18:01:04 +00:00			`internal;`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00			`content_by_lua_block {`
Change errors to a list of codes 2016-05-23 23:15:13 +00:00			`openURL({{ $errCode }})`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00			`}`
Change errors to a list of codes 2016-05-23 23:15:13 +00:00			`}`
			`{{ end }}`
git mv Ingress ingress 2016-02-22 00:13:08 +00:00			`{{ end }}`