2016-06-05 13:36:00 +00:00
|
|
|
|
/*
|
2016-09-08 11:02:39 +00:00
|
|
|
|
Copyright 2016 The Kubernetes Authors.
|
2016-06-05 13:36:00 +00:00
|
|
|
|
|
|
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
|
|
You may obtain a copy of the License at
|
|
|
|
|
|
|
|
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
|
|
limitations under the License.
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
package config
|
|
|
|
|
|
|
|
|
|
|
|
import (
|
2017-03-04 19:46:45 +00:00
|
|
|
|
"fmt"
|
2016-06-05 13:36:00 +00:00
|
|
|
|
"runtime"
|
2017-03-28 16:39:44 +00:00
|
|
|
|
"strconv"
|
2016-11-10 22:56:29 +00:00
|
|
|
|
|
2016-06-05 13:36:00 +00:00
|
|
|
|
"github.com/golang/glog"
|
2016-11-16 18:24:26 +00:00
|
|
|
|
|
|
|
|
|
|
"k8s.io/ingress/core/pkg/ingress"
|
|
|
|
|
|
"k8s.io/ingress/core/pkg/ingress/defaults"
|
2016-06-05 13:36:00 +00:00
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
|
|
|
|
|
|
// Sets the maximum allowed size of the client request body
|
|
|
|
|
|
bodySize = "1m"
|
|
|
|
|
|
|
|
|
|
|
|
// http://nginx.org/en/docs/ngx_core_module.html#error_log
|
|
|
|
|
|
// Configures logging level [debug | info | notice | warn | error | crit | alert | emerg]
|
|
|
|
|
|
// Log levels above are listed in the order of increasing severity
|
|
|
|
|
|
errorLevel = "notice"
|
|
|
|
|
|
|
|
|
|
|
|
// HTTP Strict Transport Security (often abbreviated as HSTS) is a security feature (HTTP header)
|
|
|
|
|
|
// that tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.
|
|
|
|
|
|
// https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
|
|
|
|
|
|
// max-age is the time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS.
|
|
|
|
|
|
hstsMaxAge = "15724800"
|
|
|
|
|
|
|
|
|
|
|
|
// If UseProxyProtocol is enabled defIPCIDR defines the default the IP/network address of your external load balancer
|
|
|
|
|
|
defIPCIDR = "0.0.0.0/0"
|
|
|
|
|
|
|
2016-11-10 22:56:29 +00:00
|
|
|
|
gzipTypes = "application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component"
|
2016-06-05 13:36:00 +00:00
|
|
|
|
|
2017-05-11 18:04:19 +00:00
|
|
|
|
logFormatUpstream = `%v - [$the_x_forwarded_for] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status`
|
2017-02-27 10:00:31 +00:00
|
|
|
|
|
2017-04-09 23:51:38 +00:00
|
|
|
|
logFormatStream = `[$time_local] $protocol $status $bytes_sent $bytes_received $session_time`
|
2017-02-27 10:00:31 +00:00
|
|
|
|
|
2016-06-05 13:36:00 +00:00
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size
|
|
|
|
|
|
// Sets the size of the buffer used for sending data.
|
|
|
|
|
|
// 4k helps NGINX to improve TLS Time To First Byte (TTTFB)
|
|
|
|
|
|
// https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/
|
|
|
|
|
|
sslBufferSize = "4k"
|
|
|
|
|
|
|
|
|
|
|
|
// Enabled ciphers list to enabled. The ciphers are specified in the format understood by the OpenSSL library
|
|
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers
|
|
|
|
|
|
sslCiphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
|
|
|
|
|
|
|
|
|
|
|
|
// SSL enabled protocols to use
|
|
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
|
|
|
|
|
|
sslProtocols = "TLSv1 TLSv1.1 TLSv1.2"
|
|
|
|
|
|
|
|
|
|
|
|
// Time during which a client may reuse the session parameters stored in a cache.
|
|
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout
|
|
|
|
|
|
sslSessionTimeout = "10m"
|
|
|
|
|
|
|
|
|
|
|
|
// Size of the SSL shared cache between all worker processes.
|
|
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
|
|
|
|
|
|
sslSessionCacheSize = "10m"
|
2017-04-28 20:41:53 +00:00
|
|
|
|
|
|
|
|
|
|
// Default setting for load balancer algorithm
|
|
|
|
|
|
defaultLoadBalancerAlgorithm = "least_conn"
|
2016-06-05 13:36:00 +00:00
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
// Configuration represents the content of nginx.conf file
|
|
|
|
|
|
type Configuration struct {
|
2016-12-28 13:08:02 +00:00
|
|
|
|
defaults.Backend `json:",squash"`
|
2016-11-10 22:56:29 +00:00
|
|
|
|
|
2017-05-28 21:40:25 +00:00
|
|
|
|
// AllowBackendServerHeader enables the return of the header Server from the backend
|
|
|
|
|
|
// instead of the generic nginx string.
|
|
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header
|
|
|
|
|
|
// By default this is disabled
|
|
|
|
|
|
AllowBackendServerHeader bool `json:"allow-backend-server-header"`
|
|
|
|
|
|
|
2016-06-18 21:03:27 +00:00
|
|
|
|
// EnableDynamicTLSRecords enables dynamic TLS record sizes
|
|
|
|
|
|
// https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency
|
|
|
|
|
|
// By default this is enabled
|
2016-12-28 13:08:02 +00:00
|
|
|
|
EnableDynamicTLSRecords bool `json:"enable-dynamic-tls-records"`
|
2016-06-18 21:03:27 +00:00
|
|
|
|
|
2017-01-20 22:14:59 +00:00
|
|
|
|
// ClientHeaderBufferSize allows to configure a custom buffer
|
|
|
|
|
|
// size for reading client request header
|
|
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size
|
|
|
|
|
|
ClientHeaderBufferSize string `json:"client-header-buffer-size"`
|
|
|
|
|
|
|
2017-05-17 06:23:18 +00:00
|
|
|
|
// Sets buffer size for reading client request body
|
|
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size
|
|
|
|
|
|
ClientBodyBufferSize string `json:"client-body-buffer-size,omitempty"`
|
|
|
|
|
|
|
2017-02-09 23:20:12 +00:00
|
|
|
|
// DisableAccessLog disables the Access Log globally from NGINX ingress controller
|
|
|
|
|
|
//http://nginx.org/en/docs/http/ngx_http_log_module.html
|
|
|
|
|
|
DisableAccessLog bool `json:"disable-access-log,omitempty"`
|
|
|
|
|
|
|
2017-03-03 20:58:33 +00:00
|
|
|
|
// DisableIpv6 disable listening on ipv6 address
|
|
|
|
|
|
DisableIpv6 bool `json:"disable-ipv6,omitempty"`
|
|
|
|
|
|
|
2017-04-20 21:12:16 +00:00
|
|
|
|
// EnableUnderscoresInHeaders enables underscores in header names
|
|
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers
|
|
|
|
|
|
// By default this is disabled
|
|
|
|
|
|
EnableUnderscoresInHeaders bool `json:"enable-underscores-in-headers"`
|
|
|
|
|
|
|
|
|
|
|
|
// IgnoreInvalidHeaders set if header fields with invalid names should be ignored
|
|
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_core_module.html#ignore_invalid_headers
|
|
|
|
|
|
// By default this is enabled
|
|
|
|
|
|
IgnoreInvalidHeaders bool `json:"ignore-invalid-headers"`
|
|
|
|
|
|
|
2016-06-05 13:36:00 +00:00
|
|
|
|
// EnableVtsStatus allows the replacement of the default status page with a third party module named
|
|
|
|
|
|
// nginx-module-vts - https://github.com/vozlt/nginx-module-vts
|
|
|
|
|
|
// By default this is disabled
|
2016-12-28 13:08:02 +00:00
|
|
|
|
EnableVtsStatus bool `json:"enable-vts-status,omitempty"`
|
2016-06-05 13:36:00 +00:00
|
|
|
|
|
2016-12-28 13:08:02 +00:00
|
|
|
|
VtsStatusZoneSize string `json:"vts-status-zone-size,omitempty"`
|
2016-06-05 13:36:00 +00:00
|
|
|
|
|
|
|
|
|
|
// RetryNonIdempotent since 1.9.13 NGINX will not retry non-idempotent requests (POST, LOCK, PATCH)
|
|
|
|
|
|
// in case of an error. The previous behavior can be restored using the value true
|
2016-12-28 13:08:02 +00:00
|
|
|
|
RetryNonIdempotent bool `json:"retry-non-idempotent"`
|
2016-06-05 13:36:00 +00:00
|
|
|
|
|
|
|
|
|
|
// http://nginx.org/en/docs/ngx_core_module.html#error_log
|
|
|
|
|
|
// Configures logging level [debug | info | notice | warn | error | crit | alert | emerg]
|
|
|
|
|
|
// Log levels above are listed in the order of increasing severity
|
2016-12-28 13:08:02 +00:00
|
|
|
|
ErrorLogLevel string `json:"error-log-level,omitempty"`
|
2016-06-05 13:36:00 +00:00
|
|
|
|
|
2017-03-08 23:00:16 +00:00
|
|
|
|
// https://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_field_size
|
|
|
|
|
|
// HTTP2MaxFieldSize Limits the maximum size of an HPACK-compressed request header field
|
|
|
|
|
|
HTTP2MaxFieldSize string `json:"http2-max-field-size,omitempty"`
|
|
|
|
|
|
|
|
|
|
|
|
// https://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_header_size
|
|
|
|
|
|
// HTTP2MaxHeaderSize Limits the maximum size of the entire request header list after HPACK decompression
|
|
|
|
|
|
HTTP2MaxHeaderSize string `json:"http2-max-header-size,omitempty"`
|
|
|
|
|
|
|
2016-06-05 13:36:00 +00:00
|
|
|
|
// Enables or disables the header HSTS in servers running SSL
|
2016-12-28 13:08:02 +00:00
|
|
|
|
HSTS bool `json:"hsts,omitempty"`
|
2016-06-05 13:36:00 +00:00
|
|
|
|
|
|
|
|
|
|
// Enables or disables the use of HSTS in all the subdomains of the servername
|
|
|
|
|
|
// Default: true
|
2016-12-28 13:08:02 +00:00
|
|
|
|
HSTSIncludeSubdomains bool `json:"hsts-include-subdomains,omitempty"`
|
2016-06-05 13:36:00 +00:00
|
|
|
|
|
|
|
|
|
|
// HTTP Strict Transport Security (often abbreviated as HSTS) is a security feature (HTTP header)
|
|
|
|
|
|
// that tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.
|
|
|
|
|
|
// https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
|
|
|
|
|
|
// max-age is the time, in seconds, that the browser should remember that this site is only to be
|
|
|
|
|
|
// accessed using HTTPS.
|
2016-12-28 13:08:02 +00:00
|
|
|
|
HSTSMaxAge string `json:"hsts-max-age,omitempty"`
|
2016-06-05 13:36:00 +00:00
|
|
|
|
|
2017-04-06 01:48:43 +00:00
|
|
|
|
// Enables or disables the preload attribute in HSTS feature
|
|
|
|
|
|
HSTSPreload bool `json:"hsts-preload,omitempty"`
|
|
|
|
|
|
|
2016-06-05 13:36:00 +00:00
|
|
|
|
// Time during which a keep-alive client connection will stay open on the server side.
|
|
|
|
|
|
// The zero value disables keep-alive client connections
|
|
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
|
2016-12-28 13:08:02 +00:00
|
|
|
|
KeepAlive int `json:"keep-alive,omitempty"`
|
2016-06-05 13:36:00 +00:00
|
|
|
|
|
2017-05-17 06:23:18 +00:00
|
|
|
|
// Sets the maximum number of requests that can be served through one keep-alive connection.
|
|
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_requests
|
|
|
|
|
|
KeepAliveRequests int `json:"keep-alive-requests,omitempty"`
|
|
|
|
|
|
|
2017-01-20 22:14:59 +00:00
|
|
|
|
// LargeClientHeaderBuffers Sets the maximum number and size of buffers used for reading
|
|
|
|
|
|
// large client request header.
|
|
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers
|
|
|
|
|
|
// Default: 4 8k
|
|
|
|
|
|
LargeClientHeaderBuffers string `json:"large-client-header-buffers"`
|
|
|
|
|
|
|
Make log format json escaping configurable
This will allow json logging in nginx ingress controllers which greatly
improves ease of log indexing and searching via elasticsearch.
After this change is made, users could set the following property in the
ingress configmap to enable json logging:
log-format-upstream: '{"proxy_protocol_addr": "$proxy_protocol_addr", "proxy_add_x_forwarded_for": "$proxy_add_x_forwarded_for", "remote_user": "$remote_user", "time_iso8601": "$time_iso8601", "request": "$request", "status": "$status", "body_bytes_sent": "$body_bytes_sent", "http_referer": "$http_referer", "http_user_agent": "$http_user_agent", "request_length": "$request_length", "request_time": "$request_time", "proxy_upstream_name": "$proxy_upstream_name", "upstream_addr": "$upstream_addr", "upstream_response_length": "$upstream_response_length", "upstream_response_time": "$upstream_response_time", "upstream_status": "$upstream_status"}'
2017-05-30 22:36:24 +00:00
|
|
|
|
// Enable json escaping
|
|
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format
|
|
|
|
|
|
LogFormatEscapeJson bool `json:"log-format-escape-json,omitempty"`
|
|
|
|
|
|
|
2017-02-27 10:00:31 +00:00
|
|
|
|
// Customize upstream log_format
|
|
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format
|
|
|
|
|
|
LogFormatUpstream string `json:"log-format-upstream,omitempty"`
|
|
|
|
|
|
|
|
|
|
|
|
// Customize stream log_format
|
|
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format
|
|
|
|
|
|
LogFormatStream string `json:"log-format-stream,omitempty"`
|
|
|
|
|
|
|
2016-06-05 13:36:00 +00:00
|
|
|
|
// Maximum number of simultaneous connections that can be opened by each worker process
|
|
|
|
|
|
// http://nginx.org/en/docs/ngx_core_module.html#worker_connections
|
2016-12-28 13:08:02 +00:00
|
|
|
|
MaxWorkerConnections int `json:"max-worker-connections,omitempty"`
|
2016-06-05 13:36:00 +00:00
|
|
|
|
|
2016-10-14 18:20:34 +00:00
|
|
|
|
// Sets the bucket size for the map variables hash tables.
|
|
|
|
|
|
// Default value depends on the processor’s cache line size.
|
|
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_bucket_size
|
2016-12-28 13:08:02 +00:00
|
|
|
|
MapHashBucketSize int `json:"map-hash-bucket-size,omitempty"`
|
2016-10-14 18:20:34 +00:00
|
|
|
|
|
2016-06-05 13:36:00 +00:00
|
|
|
|
// If UseProxyProtocol is enabled ProxyRealIPCIDR defines the default the IP/network address
|
|
|
|
|
|
// of your external load balancer
|
2016-12-28 13:08:02 +00:00
|
|
|
|
ProxyRealIPCIDR string `json:"proxy-real-ip-cidr,omitempty"`
|
2016-06-05 13:36:00 +00:00
|
|
|
|
|
2017-02-07 18:13:08 +00:00
|
|
|
|
// Sets the name of the configmap that contains the headers to pass to the backend
|
|
|
|
|
|
ProxySetHeaders string `json:"proxy-set-headers,omitempty"`
|
|
|
|
|
|
|
2016-06-05 13:36:00 +00:00
|
|
|
|
// Maximum size of the server names hash tables used in server names, map directive’s values,
|
|
|
|
|
|
// MIME types, names of request header strings, etcd.
|
|
|
|
|
|
// http://nginx.org/en/docs/hash.html
|
|
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_max_size
|
2016-12-28 13:08:02 +00:00
|
|
|
|
ServerNameHashMaxSize int `json:"server-name-hash-max-size,omitempty"`
|
2016-06-05 13:36:00 +00:00
|
|
|
|
|
2016-08-26 22:30:56 +00:00
|
|
|
|
// Size of the bucket for the server names hash tables
|
2016-06-05 13:36:00 +00:00
|
|
|
|
// http://nginx.org/en/docs/hash.html
|
|
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_bucket_size
|
2016-12-28 13:08:02 +00:00
|
|
|
|
ServerNameHashBucketSize int `json:"server-name-hash-bucket-size,omitempty"`
|
2016-06-05 13:36:00 +00:00
|
|
|
|
|
2016-12-29 15:37:37 +00:00
|
|
|
|
// Enables or disables emitting nginx version in error messages and in the “Server” response header field.
|
|
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
|
|
|
|
|
|
// Default: true
|
|
|
|
|
|
ShowServerTokens bool `json:"server-tokens"`
|
|
|
|
|
|
|
2016-06-05 13:36:00 +00:00
|
|
|
|
// Enabled ciphers list to enabled. The ciphers are specified in the format understood by
|
|
|
|
|
|
// the OpenSSL library
|
|
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers
|
2016-12-28 13:08:02 +00:00
|
|
|
|
SSLCiphers string `json:"ssl-ciphers,omitempty"`
|
2016-06-05 13:36:00 +00:00
|
|
|
|
|
2017-03-31 02:23:14 +00:00
|
|
|
|
// Specifies a curve for ECDHE ciphers.
|
|
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ecdh_curve
|
|
|
|
|
|
SSLECDHCurve string `json:"ssl-ecdh-curve,omitempty"`
|
|
|
|
|
|
|
2017-03-08 13:41:55 +00:00
|
|
|
|
// The secret that contains Diffie-Hellman key to help with "Perfect Forward Secrecy"
|
2016-06-05 13:36:00 +00:00
|
|
|
|
// https://www.openssl.org/docs/manmaster/apps/dhparam.html
|
|
|
|
|
|
// https://wiki.mozilla.org/Security/Server_Side_TLS#DHE_handshake_and_dhparam
|
|
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
|
2016-12-28 13:08:02 +00:00
|
|
|
|
SSLDHParam string `json:"ssl-dh-param,omitempty"`
|
2016-06-05 13:36:00 +00:00
|
|
|
|
|
|
|
|
|
|
// SSL enabled protocols to use
|
|
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
|
2016-12-28 13:08:02 +00:00
|
|
|
|
SSLProtocols string `json:"ssl-protocols,omitempty"`
|
2016-06-05 13:36:00 +00:00
|
|
|
|
|
|
|
|
|
|
// Enables or disables the use of shared SSL cache among worker processes.
|
|
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
|
2016-12-28 13:08:02 +00:00
|
|
|
|
SSLSessionCache bool `json:"ssl-session-cache,omitempty"`
|
2016-06-05 13:36:00 +00:00
|
|
|
|
|
|
|
|
|
|
// Size of the SSL shared cache between all worker processes.
|
|
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
|
2016-12-28 13:08:02 +00:00
|
|
|
|
SSLSessionCacheSize string `json:"ssl-session-cache-size,omitempty"`
|
2016-06-05 13:36:00 +00:00
|
|
|
|
|
|
|
|
|
|
// Enables or disables session resumption through TLS session tickets.
|
|
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets
|
2016-12-28 13:08:02 +00:00
|
|
|
|
SSLSessionTickets bool `json:"ssl-session-tickets,omitempty"`
|
2016-06-05 13:36:00 +00:00
|
|
|
|
|
|
|
|
|
|
// Time during which a client may reuse the session parameters stored in a cache.
|
|
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout
|
2016-12-28 13:08:02 +00:00
|
|
|
|
SSLSessionTimeout string `json:"ssl-session-timeout,omitempty"`
|
2016-06-05 13:36:00 +00:00
|
|
|
|
|
2016-11-10 22:56:29 +00:00
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size
|
|
|
|
|
|
// Sets the size of the buffer used for sending data.
|
|
|
|
|
|
// 4k helps NGINX to improve TLS Time To First Byte (TTTFB)
|
|
|
|
|
|
// https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/
|
2016-12-28 13:08:02 +00:00
|
|
|
|
SSLBufferSize string `json:"ssl-buffer-size,omitempty"`
|
2016-06-05 13:36:00 +00:00
|
|
|
|
|
|
|
|
|
|
// Enables or disables the use of the PROXY protocol to receive client connection
|
|
|
|
|
|
// (real IP address) information passed through proxy servers and load balancers
|
|
|
|
|
|
// such as HAproxy and Amazon Elastic Load Balancer (ELB).
|
|
|
|
|
|
// https://www.nginx.com/resources/admin-guide/proxy-protocol/
|
2016-12-28 13:08:02 +00:00
|
|
|
|
UseProxyProtocol bool `json:"use-proxy-protocol,omitempty"`
|
2016-06-05 13:36:00 +00:00
|
|
|
|
|
|
|
|
|
|
// Enables or disables the use of the nginx module that compresses responses using the "gzip" method
|
|
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_gzip_module.html
|
2016-12-28 13:08:02 +00:00
|
|
|
|
UseGzip bool `json:"use-gzip,omitempty"`
|
2016-06-05 13:36:00 +00:00
|
|
|
|
|
|
|
|
|
|
// Enables or disables the HTTP/2 support in secure connections
|
|
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_v2_module.html
|
|
|
|
|
|
// Default: true
|
2016-12-28 13:08:02 +00:00
|
|
|
|
UseHTTP2 bool `json:"use-http2,omitempty"`
|
2016-06-05 13:36:00 +00:00
|
|
|
|
|
|
|
|
|
|
// MIME types in addition to "text/html" to compress. The special value “*” matches any MIME type.
|
|
|
|
|
|
// Responses with the “text/html” type are always compressed if UseGzip is enabled
|
2016-12-28 13:08:02 +00:00
|
|
|
|
GzipTypes string `json:"gzip-types,omitempty"`
|
2016-06-05 13:36:00 +00:00
|
|
|
|
|
|
|
|
|
|
// Defines the number of worker processes. By default auto means number of available CPU cores
|
|
|
|
|
|
// http://nginx.org/en/docs/ngx_core_module.html#worker_processes
|
2017-03-28 16:39:44 +00:00
|
|
|
|
WorkerProcesses string `json:"worker-processes,omitempty"`
|
2017-04-28 20:41:53 +00:00
|
|
|
|
|
|
|
|
|
|
// Defines the load balancing algorithm to use. The deault is round-robin
|
|
|
|
|
|
LoadBalanceAlgorithm string `json:"load-balance,omitempty"`
|
2017-05-28 20:05:49 +00:00
|
|
|
|
|
|
|
|
|
|
// Sets the bucket size for the variables hash table.
|
|
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_map_module.html#variables_hash_bucket_size
|
|
|
|
|
|
VariablesHashBucketSize int `json:"variables-hash-bucket-size,omitempty"`
|
|
|
|
|
|
|
|
|
|
|
|
// Sets the maximum size of the variables hash table.
|
|
|
|
|
|
// http://nginx.org/en/docs/http/ngx_http_map_module.html#variables_hash_max_size
|
|
|
|
|
|
VariablesHashMaxSize int `json:"variables-hash-max-size,omitempty"`
|
2016-06-05 13:36:00 +00:00
|
|
|
|
}
|
|
|
|
|
|
|
2016-11-16 18:24:26 +00:00
|
|
|
|
// NewDefault returns the default nginx configuration
|
2016-06-05 13:36:00 +00:00
|
|
|
|
func NewDefault() Configuration {
|
|
|
|
|
|
cfg := Configuration{
|
2017-05-28 21:40:25 +00:00
|
|
|
|
AllowBackendServerHeader: false,
|
2017-04-20 21:12:16 +00:00
|
|
|
|
ClientHeaderBufferSize: "1k",
|
2017-05-17 06:23:18 +00:00
|
|
|
|
ClientBodyBufferSize: "8k",
|
2017-04-20 21:12:16 +00:00
|
|
|
|
EnableDynamicTLSRecords: true,
|
|
|
|
|
|
EnableUnderscoresInHeaders: false,
|
|
|
|
|
|
ErrorLogLevel: errorLevel,
|
|
|
|
|
|
HTTP2MaxFieldSize: "4k",
|
|
|
|
|
|
HTTP2MaxHeaderSize: "16k",
|
|
|
|
|
|
HSTS: true,
|
2016-06-05 13:36:00 +00:00
|
|
|
|
HSTSIncludeSubdomains: true,
|
|
|
|
|
|
HSTSMaxAge: hstsMaxAge,
|
2017-04-06 01:48:43 +00:00
|
|
|
|
HSTSPreload: false,
|
2017-04-20 21:12:16 +00:00
|
|
|
|
IgnoreInvalidHeaders: true,
|
2016-06-05 13:36:00 +00:00
|
|
|
|
GzipTypes: gzipTypes,
|
|
|
|
|
|
KeepAlive: 75,
|
2017-05-17 06:23:18 +00:00
|
|
|
|
KeepAliveRequests: 100,
|
2017-01-20 22:14:59 +00:00
|
|
|
|
LargeClientHeaderBuffers: "4 8k",
|
Make log format json escaping configurable
This will allow json logging in nginx ingress controllers which greatly
improves ease of log indexing and searching via elasticsearch.
After this change is made, users could set the following property in the
ingress configmap to enable json logging:
log-format-upstream: '{"proxy_protocol_addr": "$proxy_protocol_addr", "proxy_add_x_forwarded_for": "$proxy_add_x_forwarded_for", "remote_user": "$remote_user", "time_iso8601": "$time_iso8601", "request": "$request", "status": "$status", "body_bytes_sent": "$body_bytes_sent", "http_referer": "$http_referer", "http_user_agent": "$http_user_agent", "request_length": "$request_length", "request_time": "$request_time", "proxy_upstream_name": "$proxy_upstream_name", "upstream_addr": "$upstream_addr", "upstream_response_length": "$upstream_response_length", "upstream_response_time": "$upstream_response_time", "upstream_status": "$upstream_status"}'
2017-05-30 22:36:24 +00:00
|
|
|
|
LogFormatEscapeJson: false,
|
2017-02-27 10:00:31 +00:00
|
|
|
|
LogFormatStream: logFormatStream,
|
2017-03-04 19:46:45 +00:00
|
|
|
|
LogFormatUpstream: logFormatUpstream,
|
2016-06-05 13:36:00 +00:00
|
|
|
|
MaxWorkerConnections: 16384,
|
2016-10-14 18:20:34 +00:00
|
|
|
|
MapHashBucketSize: 64,
|
2016-06-05 13:36:00 +00:00
|
|
|
|
ProxyRealIPCIDR: defIPCIDR,
|
2017-05-24 00:02:12 +00:00
|
|
|
|
ServerNameHashMaxSize: 1024,
|
2016-12-29 15:37:37 +00:00
|
|
|
|
ShowServerTokens: true,
|
2016-06-05 13:36:00 +00:00
|
|
|
|
SSLBufferSize: sslBufferSize,
|
|
|
|
|
|
SSLCiphers: sslCiphers,
|
2017-03-31 02:23:14 +00:00
|
|
|
|
SSLECDHCurve: "secp384r1",
|
2016-06-05 13:36:00 +00:00
|
|
|
|
SSLProtocols: sslProtocols,
|
|
|
|
|
|
SSLSessionCache: true,
|
|
|
|
|
|
SSLSessionCacheSize: sslSessionCacheSize,
|
|
|
|
|
|
SSLSessionTickets: true,
|
|
|
|
|
|
SSLSessionTimeout: sslSessionTimeout,
|
|
|
|
|
|
UseGzip: true,
|
2017-03-28 16:39:44 +00:00
|
|
|
|
WorkerProcesses: strconv.Itoa(runtime.NumCPU()),
|
2017-04-28 20:41:53 +00:00
|
|
|
|
LoadBalanceAlgorithm: defaultLoadBalancerAlgorithm,
|
2016-06-05 13:36:00 +00:00
|
|
|
|
VtsStatusZoneSize: "10m",
|
2017-05-28 20:05:49 +00:00
|
|
|
|
VariablesHashBucketSize: 64,
|
|
|
|
|
|
VariablesHashMaxSize: 2048,
|
2016-06-05 13:36:00 +00:00
|
|
|
|
UseHTTP2: true,
|
2016-11-10 22:56:29 +00:00
|
|
|
|
Backend: defaults.Backend{
|
2017-01-20 21:53:32 +00:00
|
|
|
|
ProxyBodySize: bodySize,
|
2016-11-10 22:56:29 +00:00
|
|
|
|
ProxyConnectTimeout: 5,
|
|
|
|
|
|
ProxyReadTimeout: 60,
|
|
|
|
|
|
ProxySendTimeout: 60,
|
|
|
|
|
|
ProxyBufferSize: "4k",
|
2016-12-27 09:52:04 +00:00
|
|
|
|
ProxyCookieDomain: "off",
|
|
|
|
|
|
ProxyCookiePath: "off",
|
2016-11-10 22:56:29 +00:00
|
|
|
|
SSLRedirect: true,
|
|
|
|
|
|
CustomHTTPErrors: []int{},
|
|
|
|
|
|
WhitelistSourceRange: []string{},
|
|
|
|
|
|
SkipAccessLogURLs: []string{},
|
|
|
|
|
|
},
|
2016-06-05 13:36:00 +00:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if glog.V(5) {
|
|
|
|
|
|
cfg.ErrorLogLevel = "debug"
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return cfg
|
|
|
|
|
|
}
|
2016-11-16 18:24:26 +00:00
|
|
|
|
|
2017-03-04 19:46:45 +00:00
|
|
|
|
// BuildLogFormatUpstream format the log_format upstream using
|
|
|
|
|
|
// proxy_protocol_addr as remote client address if UseProxyProtocol
|
|
|
|
|
|
// is enabled.
|
|
|
|
|
|
func (cfg Configuration) BuildLogFormatUpstream() string {
|
2017-03-06 15:06:56 +00:00
|
|
|
|
if cfg.LogFormatUpstream == logFormatUpstream {
|
2017-05-11 18:04:19 +00:00
|
|
|
|
return fmt.Sprintf(cfg.LogFormatUpstream, "$the_x_forwarded_for")
|
2017-02-27 10:00:31 +00:00
|
|
|
|
}
|
2017-03-06 15:06:56 +00:00
|
|
|
|
|
|
|
|
|
|
return cfg.LogFormatUpstream
|
2017-02-27 10:00:31 +00:00
|
|
|
|
}
|
|
|
|
|
|
|
2017-01-19 02:31:33 +00:00
|
|
|
|
// TemplateConfig contains the nginx configuration to render the file nginx.conf
|
2016-11-16 18:24:26 +00:00
|
|
|
|
type TemplateConfig struct {
|
2017-02-07 18:13:08 +00:00
|
|
|
|
ProxySetHeaders map[string]string
|
2017-01-19 02:31:33 +00:00
|
|
|
|
MaxOpenFiles int
|
2016-12-29 15:37:37 +00:00
|
|
|
|
BacklogSize int
|
|
|
|
|
|
Backends []*ingress.Backend
|
2016-12-29 22:57:51 +00:00
|
|
|
|
PassthroughBackends []*ingress.SSLPassthroughBackend
|
2016-12-29 15:37:37 +00:00
|
|
|
|
Servers []*ingress.Server
|
2017-02-24 21:46:39 +00:00
|
|
|
|
TCPBackends []ingress.L4Service
|
|
|
|
|
|
UDPBackends []ingress.L4Service
|
2016-12-29 15:37:37 +00:00
|
|
|
|
HealthzURI string
|
|
|
|
|
|
CustomErrors bool
|
|
|
|
|
|
Cfg Configuration
|
2017-04-09 18:03:27 +00:00
|
|
|
|
IsIPV6Enabled bool
|
2016-11-16 18:24:26 +00:00
|
|
|
|
}
|
