From 10b7de23dbbc6f3ba3a210eadb02ad6fa7f02b60 Mon Sep 17 00:00:00 2001 From: Giancarlo Rubio Date: Thu, 9 Mar 2017 22:43:53 +0100 Subject: [PATCH] prometheus metrics improvements --- .../nginx/pkg/cmd/controller/metrics.go | 159 +- .../nginx/pkg/cmd/controller/metrics_test.go | 1 - controllers/nginx/pkg/cmd/controller/nginx.go | 10 +- .../nginx/pkg/cmd/controller/status.go | 13 +- .../nginx/pkg/cmd/controller/status_test.go | 20 +- controllers/nginx/pkg/template/template.go | 5 +- controllers/nginx/rootfs/etc/nginx/nginx.conf | 4399 +---------------- .../rootfs/etc/nginx/template/nginx.tmpl | 88 +- 8 files changed, 142 insertions(+), 4553 deletions(-) delete mode 100644 controllers/nginx/pkg/cmd/controller/metrics_test.go diff --git a/controllers/nginx/pkg/cmd/controller/metrics.go b/controllers/nginx/pkg/cmd/controller/metrics.go index 0fc76ea9d..1b6903018 100644 --- a/controllers/nginx/pkg/cmd/controller/metrics.go +++ b/controllers/nginx/pkg/cmd/controller/metrics.go @@ -25,10 +25,10 @@ import ( "github.com/ncabatoff/process-exporter/proc" "github.com/prometheus/client_golang/prometheus" "reflect" - "strings" ) - +// TODO add current namespace +// TODO add ingress class var ( // descriptions borrow from https://github.com/vozlt/nginx-module-vts @@ -192,7 +192,6 @@ var ( type exeMatcher struct { name string args []string - enableVtsCollector bool } func (em exeMatcher) MatchAndName(nacl common.NameAndCmdline) (bool, string) { 
@@ -203,28 +202,24 @@ func (em exeMatcher) MatchAndName(nacl common.NameAndCmdline) (bool, string) { return em.name == cmd, "" } -func (n *NGINXController) setupMonitor(args[] string, vtsCollector bool) { - glog.Warning("vtsCollector now is ", vtsCollector) - pc, err := newProcessCollector(true, exeMatcher{"nginx", args, vtsCollector}) +func (n *NGINXController) setupMonitor(args []string, vtsCollector bool) { + + pc, err := newProcessCollector(true, exeMatcher{"nginx", args}, vtsCollector) if err != nil { - glog.Warningf("unexpected error registering nginx collector: %v", err) + glog.Fatalf("unexpected error registering nginx collector: %v", err) } err = prometheus.Register(pc) if err != nil { - if reg, ok := err.(prometheus.AlreadyRegisteredError); ok { - *reg.ExistingCollector.(prometheus.Collector).(*namedProcessCollector) = *pc - - }else{ + if _, ok := err.(prometheus.AlreadyRegisteredError); !ok { glog.Warningf("unexpected error registering nginx collector: %v", err) } } } - type ( scrapeRequest struct { results chan<- prometheus.Metric 
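Review bot: Any call to setupMonitor after the first one discards the collector it just built: `prometheus.Register(pc)` returns AlreadyRegisteredError, the new branch ignores it, but newProcessCollector (hunk -232) has already run `go p.start()` for that collector, so each repeat call leaks a goroutine blocked on its scrapeChan and the vtsCollector value passed in never reaches the collector that stays registered. The nginx.go hunk at -319 makes this the steady state by calling setupMonitor from OnUpdate on every configuration update. Build and register the collector exactly once, e.g. keep a registration marker on the controller and start with `if n.monitorRegistered { return }` (or a `sync.Once`), and only launch the scrape goroutine after Register has succeeded. Separately, `glog.Fatalf` on a newProcessCollector error now terminates the whole controller from a reconcile path whenever /proc cannot be read; a metrics failure should degrade to a warning rather than take the data plane down.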
@@ -232,32 +227,32 @@ type ( } namedProcessCollector struct { - scrapeChan chan scrapeRequest - grouper *proc.Grouper + scrapeChan chan scrapeRequest + *proc.Grouper fs *proc.FS - //enableVtsCollector *bool + enableVtsCollector bool } ) func newProcessCollector( children bool, - n common.MatchNamer) (*namedProcessCollector, error) { + n common.MatchNamer, + enableVtsCollector bool) (*namedProcessCollector, error) { - //fs, err := proc.NewFS("/proc") - //if err != nil { - // return nil, err - //} - p := &namedProcessCollector{ - scrapeChan: make(chan scrapeRequest), - grouper: proc.NewGrouper(children, n), - //fs: fs, - //enableVtsCollector: vtsCollector, + fs, err := proc.NewFS("/proc") + if err != nil { + return nil, err + } + p := &namedProcessCollector{ + scrapeChan: make(chan scrapeRequest), + Grouper: proc.NewGrouper(children, n), + fs: fs, + enableVtsCollector: enableVtsCollector, + } + _, err = p.Update(p.fs.AllProcs()) + if err != nil { + return nil, err } - -// p.Update(p.fs.AllProcs()) - //if err != nil { - // return nil, err - //} go p.start() 
@@ -274,28 +269,25 @@ func (p *namedProcessCollector) Describe(ch chan<- *prometheus.Desc) { ch <- memResidentbytesDesc ch <- memVirtualbytesDesc ch <- startTimeDesc - x := p.grouper.(exeMatcher) - if true { //x.(execMatcher) == nil { //.(exeMatcher).enableVtsCollector { - glog.Info("registering vts describe") - ch <- vtsBytesDesc - ch <- vtsCacheDesc - ch <- vtsConnectionsDesc - ch <- vtsRequestDesc - ch <- vtsResponseDesc - ch <- vtsUpstreamBackupDesc - ch <- vtsUpstreamBytesDesc - ch <- vtsUpstreamDownDesc - ch <- vtsUpstreamFailTimeoutDesc - ch <- vtsUpstreamMaxFailsDesc - ch <- vtsUpstreamRequestDesc - ch <- vtsUpstreamResponseMsecDesc - ch <- vtsUpstreamResponsesDesc - ch <- vtsUpstreamWeightDesc - ch <- vtsFilterZoneBytesDesc - ch <- vtsFilterZoneCacheDesc - ch <- vtsFilterZoneResponseDesc - } + //vts metrics + ch <- vtsBytesDesc + ch <- vtsCacheDesc + ch <- vtsConnectionsDesc + ch <- vtsRequestDesc + ch <- vtsResponseDesc + ch <- vtsUpstreamBackupDesc + ch <- vtsUpstreamBytesDesc + ch <- vtsUpstreamDownDesc + ch <- vtsUpstreamFailTimeoutDesc + ch <- vtsUpstreamMaxFailsDesc + ch <- vtsUpstreamRequestDesc + ch <- vtsUpstreamResponseMsecDesc + ch <- vtsUpstreamResponsesDesc + ch <- vtsUpstreamWeightDesc + ch <- vtsFilterZoneBytesDesc + ch <- vtsFilterZoneCacheDesc + ch <- vtsFilterZoneResponseDesc } @@ -308,26 +300,25 @@ func (p *namedProcessCollector) Collect(ch chan<- prometheus.Metric) { func (p *namedProcessCollector) start() { - for req := range p.scrapeChan { ch := req.results p.scrapeNginxStatus(ch) p.scrapeProcs(ch) p.scrapeVts(ch) - req.done <- struct{}{} } } +// scrapeNginxStatus scrap the nginx status func (p *namedProcessCollector) scrapeNginxStatus(ch chan<- prometheus.Metric) { s, err := getNginxStatus() + if err != nil { glog.Warningf("unexpected error obtaining nginx status info: %v", err) return } - ch <- prometheus.MustNewConstMetric(activeDesc, prometheus.GaugeValue, float64(s.Active)) ch <- prometheus.MustNewConstMetric(acceptedDesc, 
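Review bot: Describe now announces every vts descriptor unconditionally, and the `enableVtsCollector` field that newProcessCollector stores (hunk -232) is read nowhere in this diff — scrapeVts (hunk -345) lost its guard too — so with `EnableVtsStatus` off the collector still hits the vts endpoint on every scrape and, presumably, logs "unexpected error obtaining nginx status info" each time. Gate both sites on the flag: wrap the vts block here in `if p.enableVtsCollector { ... }` and open scrapeVts with `if !p.enableVtsCollector { return }`. Describe's signature and opening sends sit outside this hunk.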
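Review bot: The new doc comment `// scrapeNginxStatus scrap the nginx status` is hard to read; suggest `// scrapeNginxStatus fetches the nginx status endpoint and sends its counters on ch; on a fetch error it logs a warning and emits nothing.` The comment added in hunk -345, `// scrapeVts scrape nginx vts metrics`, would read better as `// scrapeVts fetches the nginx vts JSON and emits one metric per zone and upstream.` Also worth a comment on start(): it ranges over scrapeChan forever and nothing closes that channel, so the goroutine's lifetime is the process lifetime — stating that explicitly would save the next reader from looking for a stop path.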
@@ -345,14 +336,9 @@ func (p *namedProcessCollector) scrapeNginxStatus(ch chan<- prometheus.Metric) { } +// scrapeVts scrape nginx vts metrics func (p *namedProcessCollector) scrapeVts(ch chan<- prometheus.Metric) { - if ! true { - glog.V(3).Info("vts metrics not enabled") - return - } - - glog.V(3).Info("starting scrap on vts") nginxMetrics, err := getNginxVtsMetrics() if err != nil { glog.Warningf("unexpected error obtaining nginx status info: %v", err) @@ -417,8 +403,6 @@ func (p *namedProcessCollector) scrapeVts(ch chan<- prometheus.Metric) { for country, zone := range countries { - serverZone = strings.Replace(serverZone, "country::", "", 1) - reflectMetrics(&zone.Responses, vtsFilterZoneResponseDesc, ch, serverZone, country) reflectMetrics(&zone.Cache, vtsFilterZoneCacheDesc, ch, serverZone, country) 
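Review bot: The `reflectMetrics(&zone.Responses, …)` and `reflectMetrics(&zone.Cache, …)` calls kept in this loop can only ever emit zero values: in status.go (hunk -76 of this commit) FilterZone tags both `Cache` and `Responses` with `json:"responses"`, and encoding/json silently ignores every field involved in such a same-name conflict, so neither is populated when the vts payload is decoded. The Cache tag presumably should be `json:"cache"`, and a small decode test for FilterZone would have caught this. Separately, dropping `strings.Replace(serverZone, "country::", "", 1)` means the server-zone label on the filter-zone metrics now keeps whatever prefix the template puts on the filter key (the removed nginx.conf carried `country::$server_name`, commented out), so any dashboard keyed on the bare server name will change. scrapeVts begins and ends outside this hunk.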
@@ -432,35 +416,34 @@ func (p *namedProcessCollector) scrapeVts(ch chan<- prometheus.Metric) { } - } func (p *namedProcessCollector) scrapeProcs(ch chan<- prometheus.Metric) { - return - //_, err := p.Update(p.fs.AllProcs()) - //if err != nil { - // glog.Warningf("unexpected error obtaining nginx process info: %v", err) - // return - //} - // - //for gname, gcounts := range p.Groups() { - // glog.Infof("%v", gname) - // glog.Infof("%v", gcounts) - // ch <- prometheus.MustNewConstMetric(numprocsDesc, - // prometheus.GaugeValue, float64(gcounts.Procs)) - // ch <- prometheus.MustNewConstMetric(memResidentbytesDesc, - // prometheus.GaugeValue, float64(gcounts.Memresident)) - // ch <- prometheus.MustNewConstMetric(memVirtualbytesDesc, - // prometheus.GaugeValue, float64(gcounts.Memvirtual)) - // ch <- prometheus.MustNewConstMetric(startTimeDesc, - // prometheus.GaugeValue, float64(gcounts.OldestStartTime.Unix())) - // ch <- prometheus.MustNewConstMetric(cpuSecsDesc, - // prometheus.CounterValue, gcounts.Cpu) - // ch <- prometheus.MustNewConstMetric(readBytesDesc, - // prometheus.CounterValue, float64(gcounts.ReadBytes)) - // ch <- prometheus.MustNewConstMetric(writeBytesDesc, - // prometheus.CounterValue, float64(gcounts.WriteBytes)) - //} + + _, err := p.Update(p.fs.AllProcs()) + if err != nil { + glog.Warningf("unexpected error obtaining nginx process info: %v", err) + return + } + + for gname, gcounts := range p.Groups() { + glog.Infof("%v", gname) + glog.Infof("%v", gcounts) + ch <- prometheus.MustNewConstMetric(numprocsDesc, + prometheus.GaugeValue, float64(gcounts.Procs)) + ch <- prometheus.MustNewConstMetric(memResidentbytesDesc, + prometheus.GaugeValue, float64(gcounts.Memresident)) + ch <- prometheus.MustNewConstMetric(memVirtualbytesDesc, + prometheus.GaugeValue, float64(gcounts.Memvirtual)) + ch <- prometheus.MustNewConstMetric(startTimeDesc, + prometheus.GaugeValue, float64(gcounts.OldestStartTime.Unix())) + ch <- prometheus.MustNewConstMetric(cpuSecsDesc, + 
prometheus.CounterValue, gcounts.Cpu) + ch <- prometheus.MustNewConstMetric(readBytesDesc, + prometheus.CounterValue, float64(gcounts.ReadBytes)) + ch <- prometheus.MustNewConstMetric(writeBytesDesc, + prometheus.CounterValue, float64(gcounts.WriteBytes)) + } } func reflectMetrics(value interface{}, desc *prometheus.Desc, ch chan<- prometheus.Metric, labels ...string) { diff --git a/controllers/nginx/pkg/cmd/controller/metrics_test.go b/controllers/nginx/pkg/cmd/controller/metrics_test.go deleted file mode 100644 index 06ab7d0f9..000000000 --- a/controllers/nginx/pkg/cmd/controller/metrics_test.go +++ /dev/null @@ -1 +0,0 @@ -package main diff --git a/controllers/nginx/pkg/cmd/controller/nginx.go b/controllers/nginx/pkg/cmd/controller/nginx.go index ca0230f4c..d4dc1d369 100644 --- a/controllers/nginx/pkg/cmd/controller/nginx.go +++ b/controllers/nginx/pkg/cmd/controller/nginx.go @@ -51,7 +51,7 @@ const ( var ( tmplPath = "/etc/nginx/template/nginx.tmpl" cfgPath = "/etc/nginx/nginx.conf" - binary = "/usr/local/bin/nginx" + binary = "/usr/sbin/nginx" defIngressClass = "nginx" ) @@ -107,8 +107,6 @@ type NGINXController struct { storeLister ingress.StoreLister binary string - - namedProcessCollector *namedProcessCollector } // Start start a new NGINX master process running in foreground. @@ -159,7 +157,7 @@ func (n *NGINXController) start(cmd *exec.Cmd, done chan error) { return } cfg := ngx_template.ReadConfig(n.configmap.Data) - n.setupMonitor(cmd.Args, cfg.EnableVtsStatus) + n.setupMonitor(cmd.Args, cfg.EnableVtsStatus) go func() { done <- cmd.Wait() @@ -208,9 +206,6 @@ func (n NGINXController) isReloadRequired(data []byte) bool { if !bytes.Equal(src, data) { - cfg := ngx_template.ReadConfig(n.configmap.Data) - n.setupMonitor([]string{""}, &cfg.EnableVtsStatus) - tmpfile, err := ioutil.TempFile("", "nginx-cfg-diff") if err != nil { glog.Errorf("error creating temporal file: %s", err) 
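Review bot: The two `glog.Infof("%v", gname)` / `glog.Infof("%v", gcounts)` lines in scrapeProcs log every matched process group and its full counter struct at default verbosity on every Prometheus scrape, which floods the controller log at the scrape interval; they look like leftover debugging and should be removed or lowered to `glog.V(3).Infof("process group %q: %+v", gname, gcounts)`. A short comment on the function would also help, e.g. `// scrapeProcs refreshes the process tree from /proc and emits per-group count, memory, CPU, I/O and start-time gauges; an Update failure is logged and the scrape is skipped.`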
@@ -319,6 +314,7 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) ([]byte, er } cfg := ngx_template.ReadConfig(n.configmap.Data) + n.setupMonitor([]string{""}, cfg.EnableVtsStatus) // NGINX cannot resize the has tables used to store server names. // For this reason we check if the defined size defined is correct diff --git a/controllers/nginx/pkg/cmd/controller/status.go b/controllers/nginx/pkg/cmd/controller/status.go index b3bb324d1..b286e3bfb 100644 --- a/controllers/nginx/pkg/cmd/controller/status.go +++ b/controllers/nginx/pkg/cmd/controller/status.go @@ -76,9 +76,9 @@ type ServerZone struct { } type FilterZone struct { - RequestCounter float64 `json:"requestCounter"` - InBytes float64 `json:"inBytes"` - OutBytes float64 `json:"outBytes"` + RequestCounter float64 `json:"requestCounter"` + InBytes float64 `json:"inBytes"` + OutBytes float64 `json:"outBytes"` Cache Cache `json:"responses"` Responses Response `json:"responses"` } @@ -143,7 +143,7 @@ func (bit BoolToFloat64) UnmarshalJSON(data []byte) error { func getNginxStatus() (*nginxStatus, error) { url := fmt.Sprintf("http://localhost:%v%v", ngxHealthPort, ngxStatusPath) - glog.V(3).Infof("scrapping url: %v", url) + glog.V(3).Infof("start scrapping url: %v", url) data, err := httpBody(url) @@ -172,9 +172,10 @@ func httpBody(url string) ([]byte, error) { return data, nil } + func getNginxVtsMetrics() (*Vts, error) { url := fmt.Sprintf("http://localhost:%v%v", ngxHealthPort, ngxVtsPath) - glog.V(3).Infof("scrapping url: %v", url) + glog.V(3).Infof("start scrapping url: %v", url) data, err := httpBody(url) @@ -188,6 +189,8 @@ func getNginxVtsMetrics() (*Vts, error) { return nil, fmt.Errorf("unexpected error json unmarshal (%v)", err) } + glog.V(3).Infof("scrap returned : %v", vts) + return &vts, nil } diff --git a/controllers/nginx/pkg/cmd/controller/status_test.go b/controllers/nginx/pkg/cmd/controller/status_test.go index 9a4fd4c45..9d52e0691 100644 
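Review bot: The log text touched in this hunk still reads `scrapping` (which means discarding) where `scraping` is meant, and the same spelling appears in the -172 hunk and in the new `scrap returned : %v` line of the -188 hunk; suggest `glog.V(3).Infof("scraping %v", url)` in both fetchers and `glog.V(3).Infof("vts scrape returned: %+v", vts)` in getNginxVtsMetrics. That -188 line also prints the entire decoded Vts struct, which for a controller fronting many server zones can be very large per scrape even at V(3); a short summary such as a zone count would keep the verbose log usable.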
--- a/controllers/nginx/pkg/cmd/controller/status_test.go +++ b/controllers/nginx/pkg/cmd/controller/status_test.go @@ -67,22 +67,4 @@ func TestToint(t *testing.T) { t.Fatalf("expected %v but returned %v", test.exp, v) } } -} -// -//func TestUnmarshalJSON (t *testing.T){ -// tests := []struct{ -// in []byte -// exp float64 -// error error -// }{ -// {in: "false",exp: 0}, -// {"0", 0}, -// {"true", 1}, -// {"1", 1}, -// {" errr", error}, -// } -// -// for _,test := range tests -// -// -//} \ No newline at end of file +} \ No newline at end of file diff --git a/controllers/nginx/pkg/template/template.go b/controllers/nginx/pkg/template/template.go index 4a1deed02..8262a5873 100644 --- a/controllers/nginx/pkg/template/template.go +++ b/controllers/nginx/pkg/template/template.go @@ -213,8 +213,11 @@ func buildLocation(input interface{}) string { func buildAuthLocation(input interface{}) string { location, ok := input.(*ingress.Location) + if !ok { + return "" + } - if !ok || location.ExternalAuth.URL == "" { + if location.ExternalAuth.URL == "" { return "" } diff --git a/controllers/nginx/rootfs/etc/nginx/nginx.conf b/controllers/nginx/rootfs/etc/nginx/nginx.conf index 0fd3b7fc8..bb36624ce 100644 --- a/controllers/nginx/rootfs/etc/nginx/nginx.conf +++ b/controllers/nginx/rootfs/etc/nginx/nginx.conf 
@@ -1,4397 +1,6 @@ - -daemon off; - -worker_processes 4; +# A very simple nginx configuration file that forces nginx to start. pid /run/nginx.pid; -worker_rlimit_nofile 2305843009213692927; -events { - multi_accept on; - worker_connections 16384; -} - -http { - set_real_ip_from 10.50.0.0/16; - real_ip_header proxy_protocol; - - real_ip_recursive on; - - geoip_country /etc/nginx/GeoIP.dat; - geoip_city /etc/nginx/GeoLiteCity.dat; - geoip_proxy_recursive on; - - # - #vhost_traffic_status_zone shared:vhost_traffic_status:10m; - #vhost_traffic_status_filter_by_set_key $geoip_country_code country::*; - # - - # lua section to return proper error codes when custom pages are used - #lua_package_path '.?.lua;./etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/lua-resty-http/lib/?.lua;'; - #init_by_lua_block { - # require("error_page") - #} - - sendfile on; - #aio threads; - tcp_nopush on; - tcp_nodelay on; - - log_subrequest on; - - reset_timedout_connection on; - - keepalive_timeout 75s; - - client_header_buffer_size 1k; - large_client_header_buffers 4 8k; - - types_hash_max_size 2048; - server_names_hash_max_size 1024; - server_names_hash_bucket_size 64; - map_hash_bucket_size 64; - - include /etc/nginx/mime.types; - default_type text/html; - gzip on; - gzip_comp_level 5; - gzip_http_version 1.1; - gzip_min_length 256; - gzip_types application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component; - gzip_proxied any; - - server_tokens on; - - map $request_uri $loggable { - default 1; - } - error_log /var/log/nginx/error.log notice; - - resolver 10.52.0.10 valid=30s; - - # Retain the default nginx handling of requests without a "Connection" header - map $http_upgrade $connection_upgrade { - default upgrade; - '' close; - } - - # trust 
http_x_forwarded_proto headers correctly indicate ssl offloading - map $http_x_forwarded_proto $pass_access_scheme { - default $http_x_forwarded_proto; - '' $scheme; - } - - map $http_x_forwarded_port $pass_server_port { - default $http_x_forwarded_port; - '' $server_port; - } - - # map port 442 to 443 for header X-Forwarded-Port - map $pass_server_port $pass_port { - 442 443; - default $pass_server_port; - } - - # Map a response error watching the header Content-Type - map $http_accept $httpAccept { - default html; - application/json json; - application/xml xml; - text/plain text; - } - - map $httpAccept $httpReturnType { - default text/html; - json application/json; - xml application/xml; - text text/plain; - } - - server_name_in_redirect off; - port_in_redirect off; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - - # turn on session caching to drastically improve performance - ssl_session_cache builtin:1000 shared:SSL:10m; - ssl_session_timeout 10m; - - # allow configuring ssl session tickets - ssl_session_tickets on; - - # slightly reduce the time-to-first-byte - ssl_buffer_size 4k; - - # allow configuring custom ssl ciphers - ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; - ssl_prefer_server_ciphers on; - - # In case of errors try the next upstream server before returning an error - 
proxy_next_upstream error timeout invalid_header http_502 http_503 http_504; - - upstream gitlab-deploys-80 { - least_conn; - server 10.51.72.11:3000 max_fails=0 fail_timeout=0; - server 10.51.77.20:3000 max_fails=0 fail_timeout=0; - } - upstream gitlab-gitlab-80 { - least_conn; - server 10.51.56.14:80 max_fails=0 fail_timeout=0; - } - upstream kube-system-kube-lego-nginx-8080 { - least_conn; - server 10.51.42.2:8080 max_fails=0 fail_timeout=0; - } - upstream logging-kibana-80 { - least_conn; - server 10.51.72.8:5601 max_fails=0 fail_timeout=0; - } - upstream monitoring-alertmanager-9093 { - least_conn; - server 10.51.22.4:9093 max_fails=0 fail_timeout=0; - server 10.51.36.5:9093 max_fails=0 fail_timeout=0; - server 10.51.56.4:9093 max_fails=0 fail_timeout=0; - } - upstream monitoring-grafana-3000 { - least_conn; - server 10.51.99.11:3000 max_fails=0 fail_timeout=0; - } - upstream monitoring-prometheus-k8s-9090 { - least_conn; - server 10.51.56.3:9090 max_fails=0 fail_timeout=0; - } - upstream prd-babel-80 { - least_conn; - server 10.51.42.13:3000 max_fails=0 fail_timeout=0; - server 10.51.77.19:3000 max_fails=0 fail_timeout=0; - } - upstream prd-mockphone-80 { - least_conn; - server 10.51.22.7:3000 max_fails=0 fail_timeout=0; - server 10.51.42.12:3000 max_fails=0 fail_timeout=0; - } - upstream sentry-sentry-80 { - least_conn; - server 10.51.77.4:9000 max_fails=0 fail_timeout=0; - } - upstream staging-auditlogs-80 { - least_conn; - server 10.51.72.14:20081 max_fails=0 fail_timeout=0; - } - upstream staging-authbox-80 { - least_conn; - server 10.51.42.18:3000 max_fails=0 fail_timeout=0; - server 10.51.72.17:3000 max_fails=0 fail_timeout=0; - } - upstream staging-authorizationmanager-80 { - least_conn; - server 10.51.72.6:3000 max_fails=0 fail_timeout=0; - server 10.51.77.17:3000 max_fails=0 fail_timeout=0; - } - upstream staging-backoffice-80 { - least_conn; - server 10.51.46.9:3000 max_fails=0 fail_timeout=0; - server 10.51.99.14:3000 max_fails=0 fail_timeout=0; - 
} - upstream staging-companymanager-80 { - least_conn; - server 10.51.36.8:3000 max_fails=0 fail_timeout=0; - server 10.51.46.7:3000 max_fails=0 fail_timeout=0; - } - upstream staging-default-http-backend-80 { - least_conn; - server 10.51.72.12:8080 max_fails=0 fail_timeout=0; - server 10.51.77.6:8080 max_fails=0 fail_timeout=0; - } - upstream staging-eid-80 { - least_conn; - server 10.51.104.9:3000 max_fails=0 fail_timeout=0; - server 10.51.72.15:3000 max_fails=0 fail_timeout=0; - } - upstream staging-esign2-80 { - least_conn; - server 10.51.42.17:3000 max_fails=0 fail_timeout=0; - } - upstream staging-evidencemanager-80 { - least_conn; - server 10.51.22.5:3000 max_fails=0 fail_timeout=0; - server 10.51.36.6:3000 max_fails=0 fail_timeout=0; - } - upstream staging-gateway-80 { - least_conn; - server 10.51.104.11:3000 max_fails=0 fail_timeout=0; - server 10.51.72.5:3000 max_fails=0 fail_timeout=0; - } - upstream staging-idin-80 { - least_conn; - server 10.51.46.3:3000 max_fails=0 fail_timeout=0; - server 10.51.99.12:3000 max_fails=0 fail_timeout=0; - } - upstream staging-invoicemanager-80 { - least_conn; - server 10.51.22.3:3000 max_fails=0 fail_timeout=0; - server 10.51.46.12:3000 max_fails=0 fail_timeout=0; - } - upstream staging-mockphone-80 { - least_conn; - server 10.51.72.13:3000 max_fails=0 fail_timeout=0; - server 10.51.77.22:3000 max_fails=0 fail_timeout=0; - } - upstream staging-mydigidentity-80 { - least_conn; - server 10.51.36.10:3000 max_fails=0 fail_timeout=0; - server 10.51.99.4:3000 max_fails=0 fail_timeout=0; - } - upstream staging-profilemanager-80 { - least_conn; - server 10.51.104.8:3000 max_fails=0 fail_timeout=0; - server 10.51.46.10:3000 max_fails=0 fail_timeout=0; - } - upstream staging-selfserviceportal-80 { - least_conn; - server 10.51.72.3:3000 max_fails=0 fail_timeout=0; - server 10.51.77.3:3000 max_fails=0 fail_timeout=0; - } - upstream staging-serviceprovider-80 { - least_conn; - server 10.51.104.3:3000 max_fails=0 fail_timeout=0; - 
server 10.51.72.16:3000 max_fails=0 fail_timeout=0; - } - upstream staging-smartcardmanager-80 { - least_conn; - server 10.51.72.14:20080 max_fails=0 fail_timeout=0; - } - upstream staging-sppp-80 { - least_conn; - server 10.51.42.11:3000 max_fails=0 fail_timeout=0; - server 10.51.46.6:3000 max_fails=0 fail_timeout=0; - } - upstream upstream-default-backend { - least_conn; - server 10.51.104.5:8080 max_fails=0 fail_timeout=0; - server 10.51.42.8:8080 max_fails=0 fail_timeout=0; - server 10.51.72.7:8080 max_fails=0 fail_timeout=0; - server 10.51.77.9:8080 max_fails=0 fail_timeout=0; - } - server { - server_name _; - listen [::]:8080 proxy_protocol ipv6only=off default_server reuseport backlog=511; - listen [::]:4430 proxy_protocol ipv6only=off default_server reuseport backlog=511 ssl ; #http2; - # PEM sha: b23676658d28c219471e2200501312d7d188404c - ssl_certificate /ingress-controller/ssl/system-snake-oil-certificate.pem; - ssl_certificate_key /ingress-controller/ssl/system-snake-oil-certificate.pem; - - #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; - #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; - - location / { - set $proxy_upstream_name "upstream-default-backend"; - - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - 
proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://upstream-default-backend; - } - # health checks in cloud providers require the use of port 80 - location /healthz { - access_log off; - return 200; - } - - # this is required to avoid error if nginx is being monitored - # with an external software (like sysdig) - location /nginx_status { - allow 127.0.0.1; - allow ::1; - deny all; - - access_log off; - #stub_status on; - } - - } - - server { - server_name alertmanager.dta.ddy.systems; - listen [::]:8080 proxy_protocol; - listen [::]:4430 proxy_protocol ssl ; #http2; - # PEM sha: e7872a3b955e82f9fc2f865792bc6fdd025333ed - ssl_certificate /ingress-controller/ssl/monitoring-alertmanager.dta.ddy.systems.pem; - ssl_certificate_key /ingress-controller/ssl/monitoring-alertmanager.dta.ddy.systems.pem; - - #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; - #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; - - location /.well-known/acme-challenge { - set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; - - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - 
proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://kube-system-kube-lego-nginx-8080; - } - location / { - set $proxy_upstream_name "monitoring-alertmanager-9093"; - - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://monitoring-alertmanager-9093; - } - - } - - server { - server_name asentry.ddy.systems; - listen [::]:8080 proxy_protocol; - listen [::]:4430 proxy_protocol ssl ; #http2; - # PEM sha: b23676658d28c219471e2200501312d7d188404c - ssl_certificate /ingress-controller/ssl/system-snake-oil-certificate.pem; - ssl_certificate_key /ingress-controller/ssl/system-snake-oil-certificate.pem; - - #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; - #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; - - location / { - set 
$proxy_upstream_name "sentry-sentry-80"; - - allow 10.50.0.0/16; - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 77.250.52.167/32; - allow 83.85.75.129/32; - allow 83.86.66.59/32; - allow 84.104.29.40/32; - allow 90.145.204.66/32; - allow 94.208.108.253/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://sentry-sentry-80; - } - - } - - server { - server_name audit-logs.digidentity-staging.eu; - listen [::]:8080 proxy_protocol; - listen [::]:4430 proxy_protocol ssl ; #http2; - # PEM sha: 0db8324e9ca712109f6dc21f8566b10c566adbca - ssl_certificate /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; - ssl_certificate_key /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; - - #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; - #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; - - location /.well-known/acme-challenge { - set 
$proxy_upstream_name "kube-system-kube-lego-nginx-8080"; - - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://kube-system-kube-lego-nginx-8080; - } - location / { - set $proxy_upstream_name "staging-auditlogs-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port 
$pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-auditlogs-80; - } - - } - - server { - server_name auth.digidentity-staging.eu; - listen [::]:8080 proxy_protocol; - listen [::]:4430 proxy_protocol ssl ; #http2; - # PEM sha: 92115ea63b369c26de6da3154618a1c042a294d8 - ssl_certificate /ingress-controller/ssl/staging-auth.digidentity-staging.eu.pem; - ssl_certificate_key /ingress-controller/ssl/staging-auth.digidentity-staging.eu.pem; - - #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; - #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; - - location /health-check { - set $proxy_upstream_name "staging-default-http-backend-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header 
X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-default-http-backend-80; - } - location /checks { - set $proxy_upstream_name "staging-default-http-backend-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-default-http-backend-80; - } - location 
/.well-known/acme-challenge { - set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; - - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://kube-system-kube-lego-nginx-8080; - } - location / { - set $proxy_upstream_name "staging-authbox-80"; - - allow 213.125.23.194/32; - allow 34.195.0.0/16; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header 
X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-authbox-80; - } - - } - - server { - server_name backoffice.digidentity-staging.eu; - listen [::]:8080 proxy_protocol; - listen [::]:4430 proxy_protocol ssl ; #http2; - # PEM sha: 0db8324e9ca712109f6dc21f8566b10c566adbca - ssl_certificate /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; - ssl_certificate_key /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; - - #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; - #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; - - location /.well-known/acme-challenge { - set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; - - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers 
- - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://kube-system-kube-lego-nginx-8080; - } - location / { - set $proxy_upstream_name "staging-backoffice-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-backoffice-80; - } - - } - - server { - server_name be.digidentity-staging.eu; - listen [::]:8080 proxy_protocol; - listen [::]:4430 proxy_protocol ssl ; #http2; - # PEM sha: 0db8324e9ca712109f6dc21f8566b10c566adbca - ssl_certificate /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; 
- ssl_certificate_key /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; - - #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; - #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; - - location /profiles { - set $proxy_upstream_name "staging-profilemanager-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-profilemanager-80; - } - location /invoices { - set $proxy_upstream_name "staging-invoicemanager-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 
83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-invoicemanager-80; - } - location /evidences { - set $proxy_upstream_name "staging-evidencemanager-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - 
proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-evidencemanager-80; - } - location /companies { - set $proxy_upstream_name "staging-companymanager-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - 
proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-companymanager-80; - } - location /authorizations { - set $proxy_upstream_name "staging-authorizationmanager-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-authorizationmanager-80; - } - location /.well-known/acme-challenge { - set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; - - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket 
connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://kube-system-kube-lego-nginx-8080; - } - location / { - set $proxy_upstream_name "upstream-default-backend"; - - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://upstream-default-backend; - } - - } - - server { - server_name cauth.digidentity-staging.eu; - listen [::]:8080 proxy_protocol; - - #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; - - 
location /.well-known/acme-challenge { - set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; - - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://kube-system-kube-lego-nginx-8080; - } - location / { - set $proxy_upstream_name "upstream-default-backend"; - - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - 
proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://upstream-default-backend; - } - - } - - server { - server_name cauth2.digidentity-staging.eu; - listen [::]:8080 proxy_protocol; - listen [::]:4430 proxy_protocol ssl ; #http2; - # PEM sha: b23676658d28c219471e2200501312d7d188404c - ssl_certificate /ingress-controller/ssl/system-snake-oil-certificate.pem; - ssl_certificate_key /ingress-controller/ssl/system-snake-oil-certificate.pem; - - #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; - #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; - - location /health-check { - set $proxy_upstream_name "staging-default-http-backend-80"; - - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-default-http-backend-80; - } - location / { - set $proxy_upstream_name "staging-authbox-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - 
allow 52.212.176.193/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-authbox-80; - } - - } - - server { - server_name cdn.auth.digidentity-staging.eu; - listen [::]:8080 proxy_protocol; - listen [::]:4430 proxy_protocol ssl ; #http2; - # PEM sha: d377fdb3299b80661314481c6e49342fa8e9288b - ssl_certificate /ingress-controller/ssl/staging-cdn.auth.digidentity-staging.eu.pem; - ssl_certificate_key /ingress-controller/ssl/staging-cdn.auth.digidentity-staging.eu.pem; - - #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; - #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; - - location /assets { - set $proxy_upstream_name "staging-authbox-80"; - - port_in_redirect off; - - client_max_body_size "1m"; - - 
proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-authbox-80; - } - location / { - set $proxy_upstream_name "upstream-default-backend"; - - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://upstream-default-backend; - } - - } - - server { - server_name 
cdn.my.digidentity-staging.eu; - listen [::]:8080 proxy_protocol; - listen [::]:4430 proxy_protocol ssl ; #http2; - # PEM sha: e1c751d9b7a289c0e54c4b534aaae54406f0bc66 - ssl_certificate /ingress-controller/ssl/staging-cdn.my.digidentity-staging.eu.pem; - ssl_certificate_key /ingress-controller/ssl/staging-cdn.my.digidentity-staging.eu.pem; - - #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; - #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; - - location /assets { - set $proxy_upstream_name "staging-mydigidentity-80"; - - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-mydigidentity-80; - } - location / { - set $proxy_upstream_name "upstream-default-backend"; - - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - 
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://upstream-default-backend; - } - - } - - server { - server_name dash.ddy.systems; - listen [::]:8080 proxy_protocol; - listen [::]:4430 proxy_protocol ssl ; #http2; - # PEM sha: 13353f306e25526e1eaa8d0b85473d211c4264dd - ssl_certificate /ingress-controller/ssl/gitlab-dash.ddy.systems.pem; - ssl_certificate_key /ingress-controller/ssl/gitlab-dash.ddy.systems.pem; - - #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; - #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; - - location /.well-known/acme-challenge { - set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; - - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - 
proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://kube-system-kube-lego-nginx-8080; - } - location / { - set $proxy_upstream_name "gitlab-deploys-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 83.85.75.129/32; - allow 94.208.108.253/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://gitlab-deploys-80; - } - - } - - server { - server_name eid.digidentity-staging.eu; - listen [::]:8080 proxy_protocol; - listen [::]:4430 proxy_protocol ssl ; #http2; - # PEM sha: a342af52002527fa15e351d8dae40e1cf79318a3 - ssl_certificate /ingress-controller/ssl/staging-eid.digidentity-staging.eu.pem; - ssl_certificate_key /ingress-controller/ssl/staging-eid.digidentity-staging.eu.pem; - - #more_set_headers "Strict-Transport-Security: max-age=15724800; 
includeSubDomains; preload"; - #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; - - location /.well-known/acme-challenge { - set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; - - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://kube-system-kube-lego-nginx-8080; - } - location / { - set $proxy_upstream_name "staging-eid-80"; - - allow 213.125.23.194/32; - allow 34.195.0.0/16; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - 
proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-eid-80; - } - - } - - server { - server_name esign2.digidentity-staging.eu; - listen [::]:8080 proxy_protocol; - listen [::]:4430 proxy_protocol ssl ; #http2; - # PEM sha: 0701c2076c52e17e64b7b8928f22483d04e7b937 - ssl_certificate /ingress-controller/ssl/staging-esign2-digidentity-staging.eu.pem; - ssl_certificate_key /ingress-controller/ssl/staging-esign2-digidentity-staging.eu.pem; - - #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; - #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; - - location /.well-known/acme-challenge { - set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; - - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # 
https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://kube-system-kube-lego-nginx-8080; - } - location / { - set $proxy_upstream_name "staging-esign2-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-esign2-80; - } - - } - - server { - server_name gate.digidentity-staging.eu; - listen [::]:8080 proxy_protocol; - listen [::]:4430 proxy_protocol ssl ; #http2; - # PEM sha: 381a5918528e4b3a4660755ef9ad39f655ec0dea - ssl_certificate /ingress-controller/ssl/staging-gate.digidentity-staging.eu.pem; - 
ssl_certificate_key /ingress-controller/ssl/staging-gate.digidentity-staging.eu.pem; - - #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; - #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; - - location /health-check { - set $proxy_upstream_name "staging-default-http-backend-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-default-http-backend-80; - } - location /checks { - set $proxy_upstream_name "staging-default-http-backend-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - 
allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-default-http-backend-80; - } - location /.well-known/acme-challenge { - set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; - - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom 
headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://kube-system-kube-lego-nginx-8080; - } - location / { - set $proxy_upstream_name "staging-gateway-80"; - - allow 213.125.23.194/32; - allow 34.195.0.0/16; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-gateway-80; - } - - } - - server { - server_name gateway.digidentity-staging.eu; - listen [::]:8080 proxy_protocol; - listen [::]:4430 proxy_protocol ssl ; #http2; - # PEM sha: faac8a7a8c2a62b8d8e098d00132e4e58611f46f - 
ssl_certificate /ingress-controller/ssl/staging-eherkenning-digidentity-staging.eu.pem; - ssl_certificate_key /ingress-controller/ssl/staging-eherkenning-digidentity-staging.eu.pem; - - #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; - #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; - - location /health-check { - set $proxy_upstream_name "staging-default-http-backend-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-default-http-backend-80; - } - location /checks { - set $proxy_upstream_name "staging-default-http-backend-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 
77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-default-http-backend-80; - } - location /.well-known/acme-challenge { - set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; - - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # 
https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://kube-system-kube-lego-nginx-8080; - } - location / { - set $proxy_upstream_name "upstream-default-backend"; - - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://upstream-default-backend; - } - - } - - server { - server_name gitlab.dmtw.nl; - listen [::]:8080 proxy_protocol; - listen [::]:4430 proxy_protocol ssl ; #http2; - # PEM sha: cb796ae5a3ada39619752170afc88da389c7fe4a - ssl_certificate /ingress-controller/ssl/gitlab-gitlab.dmtw.nl.pem; - ssl_certificate_key /ingress-controller/ssl/gitlab-gitlab.dmtw.nl.pem; - - #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; - #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; - - location /.well-known/acme-challenge { - 
set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; - - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://kube-system-kube-lego-nginx-8080; - } - location / { - set $proxy_upstream_name "gitlab-gitlab-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 83.84.117.190/32; - allow 83.85.75.129/32; - allow 83.86.66.59/32; - allow 94.208.108.253/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "100m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy 
Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://gitlab-gitlab-80; - } - - } - - server { - server_name grafana.dta.ddy.systems; - listen [::]:8080 proxy_protocol; - listen [::]:4430 proxy_protocol ssl ; #http2; - # PEM sha: 59324865d0393cf34e51510acd2e65087d871053 - ssl_certificate /ingress-controller/ssl/monitoring-grafana.dta.ddy.systems.pem; - ssl_certificate_key /ingress-controller/ssl/monitoring-grafana.dta.ddy.systems.pem; - - #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; - #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; - - location /.well-known/acme-challenge { - set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; - - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass 
http://kube-system-kube-lego-nginx-8080; - } - location / { - set $proxy_upstream_name "monitoring-grafana-3000"; - - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://monitoring-grafana-3000; - } - - } - - server { - server_name idin.digidentity-staging.eu; - listen [::]:8080 proxy_protocol; - listen [::]:4430 proxy_protocol ssl ; #http2; - # PEM sha: faac8a7a8c2a62b8d8e098d00132e4e58611f46f - ssl_certificate /ingress-controller/ssl/staging-eherkenning-digidentity-staging.eu.pem; - ssl_certificate_key /ingress-controller/ssl/staging-eherkenning-digidentity-staging.eu.pem; - - #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; - #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; - - location /health-check { - set $proxy_upstream_name "staging-default-http-backend-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - 
allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-default-http-backend-80; - } - location /checks { - set $proxy_upstream_name "staging-default-http-backend-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - 
proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-default-http-backend-80; - } - location /.well-known/acme-challenge { - set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; - - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://kube-system-kube-lego-nginx-8080; - } - location / { - set $proxy_upstream_name "staging-idin-80"; - - allow 213.125.23.194/32; - allow 34.195.0.0/16; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 
77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-idin-80; - } - - } - - server { - server_name kibana.dta.ddy.systems; - listen [::]:8080 proxy_protocol; - listen [::]:4430 proxy_protocol ssl ; #http2; - # PEM sha: 08de7f1098864931d5a0b59f027f3fae5686dc0f - ssl_certificate /ingress-controller/ssl/logging-kibana.dta.ddy.systems.pem; - ssl_certificate_key /ingress-controller/ssl/logging-kibana.dta.ddy.systems.pem; - - #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; - #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; - - location /.well-known/acme-challenge { - set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; - - port_in_redirect off; - - 
client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://kube-system-kube-lego-nginx-8080; - } - location / { - set $proxy_upstream_name "logging-kibana-80"; - - allow 10.50.0.0/16; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - 
proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://logging-kibana-80; - } - - } - - server { - server_name mock.digidentity-staging.eu; - listen [::]:8080 proxy_protocol; - listen [::]:4430 proxy_protocol ssl ; #http2; - # PEM sha: 0db8324e9ca712109f6dc21f8566b10c566adbca - ssl_certificate /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; - ssl_certificate_key /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; - - #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; - #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; - - location /serviceprovider { - set $proxy_upstream_name "staging-serviceprovider-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - 
- proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-serviceprovider-80; - } - location /phone { - set $proxy_upstream_name "staging-mockphone-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-mockphone-80; - } - location /.well-known/acme-challenge { - set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; - - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header 
Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://kube-system-kube-lego-nginx-8080; - } - location / { - set $proxy_upstream_name "upstream-default-backend"; - - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://upstream-default-backend; - } - - } - - server { - server_name my.digidentity-staging.eu; - listen [::]:8080 proxy_protocol; - listen [::]:4430 proxy_protocol ssl ; #http2; - # PEM sha: 8750503f72e9e522ea87d0d7bfb39c12832abe40 - ssl_certificate 
/ingress-controller/ssl/staging-my.digidentity-staging.eu.pem; - ssl_certificate_key /ingress-controller/ssl/staging-my.digidentity-staging.eu.pem; - - #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; - #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; - - location /health-check { - set $proxy_upstream_name "staging-default-http-backend-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-default-http-backend-80; - } - location /checks { - set $proxy_upstream_name "staging-default-http-backend-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 77.250.52.167/32; - allow 
82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-default-http-backend-80; - } - location /.well-known/acme-challenge { - set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; - - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # 
https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://kube-system-kube-lego-nginx-8080; - } - location / { - set $proxy_upstream_name "staging-mydigidentity-80"; - - allow 213.125.23.194/32; - allow 34.195.0.0/16; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-mydigidentity-80; - } - - } - - server { - server_name prd.dmtw.nl; - listen [::]:8080 
proxy_protocol; - listen [::]:4430 proxy_protocol ssl ; #http2; - # PEM sha: 7134d20604308601dab72387837394ce69c6e788 - ssl_certificate /ingress-controller/ssl/prd-prd.dmtw.nl.pem; - ssl_certificate_key /ingress-controller/ssl/prd-prd.dmtw.nl.pem; - - #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; - #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; - - location /mock_phone { - set $proxy_upstream_name "prd-mockphone-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 95.238.110.237/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://prd-mockphone-80; - } - location /babel { - set $proxy_upstream_name "prd-babel-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 95.238.110.237/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; 
- - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://prd-babel-80; - } - location /.well-known/acme-challenge { - set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; - - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://kube-system-kube-lego-nginx-8080; - 
} - location / { - set $proxy_upstream_name "upstream-default-backend"; - - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://upstream-default-backend; - } - - } - - server { - server_name prometheus.dta.ddy.systems; - listen [::]:8080 proxy_protocol; - listen [::]:4430 proxy_protocol ssl ; #http2; - # PEM sha: 6b2f2a7135b51b6b79f6634cbf65b22a64693dee - ssl_certificate /ingress-controller/ssl/monitoring-prometheus.dta.ddy.systems.pem; - ssl_certificate_key /ingress-controller/ssl/monitoring-prometheus.dta.ddy.systems.pem; - - #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; - #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; - - location /.well-known/acme-challenge { - set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; - - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - 
proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://kube-system-kube-lego-nginx-8080; - } - location / { - set $proxy_upstream_name "monitoring-prometheus-k8s-9090"; - - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://monitoring-prometheus-k8s-9090; - } - - } - - server { - server_name selfserviceportal.digidentity-staging.eu; - listen [::]:8080 proxy_protocol; - listen [::]:4430 
proxy_protocol ssl ; #http2; - # PEM sha: b23676658d28c219471e2200501312d7d188404c - ssl_certificate /ingress-controller/ssl/system-snake-oil-certificate.pem; - ssl_certificate_key /ingress-controller/ssl/system-snake-oil-certificate.pem; - - #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; - #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; - - location /.well-known/acme-challenge { - set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; - - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://kube-system-kube-lego-nginx-8080; - } - location / { - set $proxy_upstream_name "staging-selfserviceportal-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 
https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-selfserviceportal-80; - } - - } - - server { - server_name serviceprovider.digidentity-staging.eu; - listen [::]:8080 proxy_protocol; - listen [::]:4430 proxy_protocol ssl ; #http2; - # PEM sha: 47958609f9487195f6f78abdb1133492dd2e4429 - ssl_certificate /ingress-controller/ssl/staging-serviceprovider-https.pem; - ssl_certificate_key /ingress-controller/ssl/staging-serviceprovider-https.pem; - - #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; - #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; - - location /.well-known/acme-challenge { - set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; - - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - 
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://kube-system-kube-lego-nginx-8080; - } - location / { - set $proxy_upstream_name "staging-serviceprovider-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 77.250.52.167/32; - allow 83.85.75.129/32; - allow 84.104.29.40/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-serviceprovider-80; - } - - } - - server { - server_name 
smartcards.digidentity-staging.eu; - listen [::]:8080 proxy_protocol; - listen [::]:4430 proxy_protocol ssl ; #http2; - # PEM sha: 0db8324e9ca712109f6dc21f8566b10c566adbca - ssl_certificate /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; - ssl_certificate_key /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; - - #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; - #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; - - location /.well-known/acme-challenge { - set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; - - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://kube-system-kube-lego-nginx-8080; - } - location / { - set $proxy_upstream_name "staging-smartcardmanager-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - deny all; - 
port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-smartcardmanager-80; - } - - } - - server { - server_name sns.digidentity-staging.eu; - listen [::]:8080 proxy_protocol; - listen [::]:4430 proxy_protocol ssl ; #http2; - # PEM sha: 7f4e396f628630573c27cb3883f0b2428a210378 - ssl_certificate /ingress-controller/ssl/staging-sns.digidentity-staging.eu.pem; - ssl_certificate_key /ingress-controller/ssl/staging-sns.digidentity-staging.eu.pem; - - #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; - #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; - - location /invoices/api/v1/email_notifications { - set $proxy_upstream_name "staging-invoicemanager-80"; - - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the 
backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-invoicemanager-80; - } - location /.well-known/acme-challenge { - set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; - - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://kube-system-kube-lego-nginx-8080; - } - location / { - set $proxy_upstream_name "upstream-default-backend"; 
- - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://upstream-default-backend; - } - - } - - server { - server_name sppp.digidentity-staging.eu; - listen [::]:8080 proxy_protocol; - listen [::]:4430 proxy_protocol ssl ; #http2; - # PEM sha: 47958609f9487195f6f78abdb1133492dd2e4429 - ssl_certificate /ingress-controller/ssl/staging-serviceprovider-https.pem; - ssl_certificate_key /ingress-controller/ssl/staging-serviceprovider-https.pem; - - #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; - #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; - - location /.well-known/acme-challenge { - set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; - - port_in_redirect off; - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://kube-system-kube-lego-nginx-8080; - } - location / { - set $proxy_upstream_name "staging-sppp-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 77.250.52.167/32; - allow 83.85.75.129/32; - allow 84.104.29.40/32; - deny all; - port_in_redirect off; - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass the extracted client certificate to the backend - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 16s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - proxy_buffers 4 "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-sppp-80; - } - - } - # default server, used for NGINX healthcheck and access to nginx stats - server { - # Use the 
port 18080 (random value just to avoid known ports) as default port for nginx. - # Changing this value requires a change in: - # https://github.com/kubernetes/contrib/blob/master/ingress/controllers/nginx/nginx/command.go#L104 - listen [::]:18080 ipv6only=off default_server reuseport backlog=511; - - location /healthz { - access_log off; - return 200; - } - - location /nginx_status { - proxy_pass http://localhost:18089; - #vhost_traffic_status_display; - #vhost_traffic_status_display_format html; - } - - # this location is used to extract nginx metrics - # using prometheus. - # TODO: enable extraction for vts module. - location /internal_nginx_status { - allow 127.0.0.1; - allow ::1; - deny all; - - access_log off; - # stub_status on; - } - - location / { - set $proxy_upstream_name "upstream-default-backend"; - proxy_pass http://upstream-default-backend; - } - } - # default server for services without endpoints - server { - listen 8181; - set $proxy_upstream_name "-"; - - location / { - return 503; - } - } -} +events {} +http {} +daemon off; \ No newline at end of file diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl index f86375ee1..c00e53448 100644 --- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl +++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl @@ -61,9 +61,6 @@ http { client_header_buffer_size {{ $cfg.ClientHeaderBufferSize }}; large_client_header_buffers {{ $cfg.LargeClientHeaderBuffers }}; - http2_max_field_size {{ $cfg.HTTP2MaxFieldSize }}; - http2_max_header_size {{ $cfg.HTTP2MaxHeaderSize }}; - types_hash_max_size 2048; server_names_hash_max_size {{ $cfg.ServerNameHashMaxSize }}; server_names_hash_bucket_size {{ $cfg.ServerNameHashBucketSize }}; 
@@ -82,7 +79,7 @@ http {
 server_tokens {{ if $cfg.ShowServerTokens }}on{{ else }}off{{ end }};
- log_format upstreaminfo '{{ buildLogFormatUpstream $cfg }}';
+ log_format upstreaminfo {{ buildLogFormatUpstream $cfg }};
 {{/* map urls that should not appear in access.log */}}
 {{/* http://nginx.org/en/docs/http/ngx_http_log_module.html#access_log */}}
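Review bot: Dropping the quotes around `{{ buildLogFormatUpstream $cfg }}` makes the nginx string quoting of `log_format upstreaminfo` depend entirely on what the Go helper returns, and the matching template.go change is not in this hunk; if the helper emits an unquoted format, a `;`, `{` or `}` in the format string changes how nginx parses the directive, and spaces split it into several arguments. Either keep `log_format upstreaminfo '{{ buildLogFormatUpstream $cfg }}';` or state on the helper that it returns a fully quoted nginx string and add a template test that asserts the rendered line. The enclosing `http` block starts and ends outside the hunk.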
@@ -210,14 +207,10 @@ http {
 {{ range $index, $server := .Servers }}
 server {
 server_name {{ $server.Hostname }};
- listen {{ if not $cfg.DisableIpv6 }}[::]:{{ end }}80{{ if $cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ if eq $server.Hostname "_"}} default_server {{ if not $cfg.DisableIpv6 }}ipv6only=off{{end}} reuseport backlog={{ $backlogSize }}{{end}};
+ listen [::]:80{{ if $cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ if eq $index 0 }} ipv6only=off{{end}}{{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $backlogSize }}{{end}};
 {{/* Listen on 442 because port 443 is used in the stream section */}}
- {{/* This listen on port 442 cannot contains proxy_protocol directive because port 443 is in charge of decoding the protocol */}}
-<<<<<<< HEAD
- {{ if not (empty $server.SSLCertificate) }}listen {{ if gt (len $passthroughBackends) 0 }}442{{ else }}{{ if not $cfg.DisableIpv6 }}[::]:{{ end }}443 {{ if $cfg.UseProxyProtocol }} proxy_protocol {{ end }}{{ end }} {{ if eq $server.Hostname "_"}} default_server {{ if not $cfg.DisableIpv6 }}ipv6only=off{{end}} reuseport backlog={{ $backlogSize }}{{end}} ssl {{ if $cfg.UseHTTP2 }}http2{{ end }};
-=======
- {{ if not (empty $server.SSLCertificate) }}listen {{ if gt (len $passthroughBackends) 0 }}4420{{ else }}[::]:4430 {{ if $cfg.UseProxyProtocol }} proxy_protocol {{ end }}{{ end }} {{ if eq $index 0 }} ipv6only=off{{end}} {{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $backlogSize }}{{end}} ssl ; #{{ if $cfg.UseHTTP2 }}http2{{ end }};
->>>>>>> run e2e
+ {{/* This listen cannot contains proxy_protocol directive because port 443 is in charge of decoding the protocol */}}
+ {{ if not (empty $server.SSLCertificate) }}listen {{ if gt (len $passthroughBackends) 0 }}442{{ else }}[::]:443 {{ end }}{{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $backlogSize }}{{end}} ssl {{ if $cfg.UseHTTP2 }}http2{{ end }};
 {{/* comment PEM sha is required to detect changes in the
generated configuration and force a reload */}}
 # PEM sha: {{ $server.SSLPemChecksum }}
 ssl_certificate {{ $server.SSLCertificate }};
@@ -225,7 +218,7 @@ http {
 {{ end }}
 {{ if (and (not (empty $server.SSLCertificate)) $cfg.HSTS) }}
- #more_set_headers "Strict-Transport-Security: max-age={{ $cfg.HSTSMaxAge }}{{ if $cfg.HSTSIncludeSubdomains }}; includeSubDomains{{ end }}; preload";
+ more_set_headers "Strict-Transport-Security: max-age={{ $cfg.HSTSMaxAge }}{{ if $cfg.HSTSIncludeSubdomains }}; includeSubDomains{{ end }}; preload";
 {{ end }}
 {{ if $cfg.EnableVtsStatus }}vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name;{{ end }}
@@ -250,8 +243,6 @@ http {
 {{ end }}
 {{ if not (empty $location.ExternalAuth.Method) }}
 proxy_method {{ $location.ExternalAuth.Method }};
- proxy_set_header X-Original-URI $request_uri;
- proxy_set_header X-Scheme $pass_access_scheme;
 {{ end }}
 proxy_set_header Host $host;
 proxy_pass_request_headers on;
@@ -277,13 +268,9 @@ http {
 auth_request {{ $authPath }};
 {{ end }}
- {{ if not (empty $location.ExternalAuth.SigninURL) }}
- error_page 401 = {{ $location.ExternalAuth.SigninURL }};
- {{ end }}
-
- {{ if (or $location.Redirect.ForceSSLRedirect (and (not (empty $server.SSLCertificate)) $location.Redirect.SSLRedirect)) }}
+ {{ if (and (not (empty $server.SSLCertificate)) $location.Redirect.SSLRedirect) }}
 # enforce ssl on server side
- if ($pass_access_scheme = http) {
+ if ($scheme = http) {
 return 301 https://$host$request_uri;
 }
 {{ end }}
@@ -327,8 +314,6 @@ http {
 proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Forwarded-Port $pass_port;
 proxy_set_header X-Forwarded-Proto $pass_access_scheme;
- proxy_set_header X-Original-URI $request_uri;
- proxy_set_header X-Scheme $pass_access_scheme;
 # mitigate HTTPoxy Vulnerability
 # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
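Review bot: The new HTTPS `listen` drops the `{{ if $cfg.UseProxyProtocol }} proxy_protocol {{ end }}` that the removed line carried in its `else` branch, so with `UseProxyProtocol` set and no passthrough backends port 443 no longer decodes the PROXY header: the header bytes arriving ahead of the ClientHello break the TLS handshake behind a PROXY-protocol load balancer, and even where a connection survived, `$remote_addr` (which feeds `X-Real-IP` and any `allow`/`deny` list) would be the balancer's address rather than the client's. Restore it as `{{ else }}[::]:443 {{ if $cfg.UseProxyProtocol }} proxy_protocol {{ end }}{{ end }}`. The same hunk also hard-codes `[::]:` and `ipv6only=off` where the old lines honored `$cfg.DisableIpv6`, as do hunks @@ -380, @@ -397, @@ -419 and @@ -480; on a node without IPv6 the hard-coded `listen [::]:` lines fail at startup regardless of the option, so either keep the conditionals or remove the option. The `server` block continues outside the hunk.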
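Review bot: The external-auth subrequest no longer sends `X-Original-URI` and `X-Scheme`, here and again in hunk @@ -327, so an auth service that decides per path or builds a sign-in redirect from the original request loses that input, and an auth backend deployed against the old template will see those headers disappear without notice. The commit message (prometheus metrics) does not mention this, so it looks unintended; restore `proxy_set_header X-Original-URI $request_uri;` and `proxy_set_header X-Scheme $pass_access_scheme;` in both places. The enclosing `location` block starts and ends outside the hunk.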
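Review bot: Changing the redirect test to `if ($scheme = http)` breaks deployments where TLS is terminated in front of the controller, because every request then arrives over plain HTTP and the `return 301 https://...` loops; the old `$pass_access_scheme` presumably carried the forwarded scheme (its definition is outside this hunk), so keep `if ($pass_access_scheme = http) {`. The same hunk also drops `$location.Redirect.ForceSSLRedirect` from the condition and the `error_page 401 = {{ $location.ExternalAuth.SigninURL }};` mapping, so unauthenticated users of an external-auth location now receive a bare 401 instead of being sent to the sign-in page; neither removal is explained by the commit message. The enclosing `location` block starts and ends outside the hunk.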
@@ -346,7 +331,6 @@ http {
 proxy_redirect off;
 proxy_buffering off;
 proxy_buffer_size "{{ $location.Proxy.BufferSize }}";
- proxy_buffers 4 "{{ $location.Proxy.BufferSize }}";
 proxy_http_version 1.1;
@@ -380,7 +364,7 @@ http {
 # with an external software (like sysdig)
 location /nginx_status {
 allow 127.0.0.1;
- {{ if not $cfg.DisableIpv6 }}allow ::1;{{ end }}
+ allow ::1;
 deny all;
 access_log off;
@@ -388,6 +372,7 @@ http {
 }
 {{ end }}
+ {{ template "CUSTOM_ERRORS" $cfg }}
 }
 {{ end }}
@@ -397,7 +382,7 @@ http {
 # Use the port 18080 (random value just to avoid known ports) as default port for nginx.
 # Changing this value requires a change in:
 # https://github.com/kubernetes/contrib/blob/master/ingress/controllers/nginx/nginx/command.go#L104
- listen {{ if not $cfg.DisableIpv6 }}[::]:{{ end }}18080 {{ if not $cfg.DisableIpv6 }}ipv6only=off{{end}} default_server reuseport backlog={{ .BacklogSize }};
+ listen [::]:18080 ipv6only=off default_server reuseport backlog={{ .BacklogSize }};
 location {{ $healthzURI }} {
 access_log off;
@@ -419,7 +404,7 @@ http {
 # TODO: enable extraction for vts module.
 location /internal_nginx_status {
 allow 127.0.0.1;
- {{ if not $cfg.DisableIpv6 }}allow ::1;{{ end }}
+ allow ::1;
 deny all;
 access_log off;
@@ -430,9 +415,9 @@ http {
 set $proxy_upstream_name "upstream-default-backend";
 proxy_pass http://upstream-default-backend;
 }
+ {{ template "CUSTOM_ERRORS" $cfg }}
 }
-
 # default server for services without endpoints
 server {
 listen 8181;
@@ -440,7 +425,6 @@ http {
 location / {
 {{ if .CustomErrors }}
-<<<<<<< HEAD
 content_by_lua_block {
 openURL(ngx.req.get_headers(0), 503)
 }
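Review bot: `{{ template "CUSTOM_ERRORS" $cfg }}` (here and in hunk @@ -430) passes the config object, while the `CUSTOM_ERRORS` body in hunk @@ -521 ranges over `.CustomHTTPErrors` and the surrounding code tests `.CustomErrors` on the top-level template data; unless the config type carries a `CustomHTTPErrors` field, template execution fails and the configuration reload is rejected. Confirm the field exists, or pass the list explicitly as `{{ template "CUSTOM_ERRORS" $cfg.CustomHTTPErrors }}` and use `{{ range $errCode := . }}` inside the define. The `server` blocks these lines belong to start outside the hunk.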
@@ -480,7 +464,7 @@ stream {
 {{ buildSSLPassthroughUpstreams $backends .PassthroughBackends }}
 server {
- listen {{ if not $cfg.DisableIpv6 }}[::]:{{ end }}443 {{ if not $cfg.DisableIpv6 }}ipv6only=off{{ end }}{{ if $cfg.UseProxyProtocol }} proxy_protocol{{ end }};
+ listen [::]:443 ipv6only=off{{ if $cfg.UseProxyProtocol }} proxy_protocol{{ end }};
 proxy_pass $stream_upstream;
 ssl_preread on;
 }
@@ -521,14 +505,44 @@ stream {
 {{ range $errCode := .CustomHTTPErrors }}
 location @custom_{{ $errCode }} {
 internal;
-=======
->>>>>>> run e2e
 content_by_lua_block {
- openURL(ngx.req.get_headers(0), 503)
+ openURL(ngx.req.get_headers(0), {{ $errCode }})
 }
- {{ else }}
- return 503;
- {{ end }}
 }
- }
-}
\ No newline at end of file
+ {{ end }}
+{{ end }}
+
+{{/* CORS support from https://michielkalkman.com/snippets/nginx-cors-open-configuration.html */}}
+{{ define "CORS" }}
+ if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ #
+ # Om nom nom cookies
+ #
+ add_header 'Access-Control-Allow-Credentials' 'true';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ #
+ # Custom headers and headers various browsers *should* be OK with but aren't
+ #
+ add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+ #
+ # Tell client that this pre-flight info is valid for 20 days
+ #
+ add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Content-Type' 'text/plain charset=UTF-8';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+ if ($request_method = 'POST') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Credentials' 'true';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+ }
+ if ($request_method = 'GET') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Credentials' 'true';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+ }
+{{ end }}
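Review bot: The `CORS` template emits `Access-Control-Allow-Origin '*'` together with `Access-Control-Allow-Credentials 'true'`, a combination browsers reject for credentialed requests, so the cookie support the comment promises does not work, while the wildcard origin still applies the most permissive policy possible to every location that includes the template. Make the allowed origin a configuration value and emit `Access-Control-Allow-Credentials` only when the origin is specific, and note in the template that `add_header` inside `if` replaces, rather than adds to, the headers inherited from the enclosing location. Separately, the preflight `Content-Type` value lacks the parameter separator: `add_header 'Content-Type' 'text/plain; charset=UTF-8';`.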