Continue go crossplane (#11964)

go.mod

@@ -50,8 +50,8 @@ require (
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/jstemmer/go-junit-report v1.0.0 // indirect
 	github.com/klauspost/compress v1.17.9 // indirect
+	github.com/maxbrunsfeld/counterfeiter/v6 v6.10.0 // indirect
 	github.com/moby/sys/userns v0.1.0 // indirect
-	github.com/maxbrunsfeld/counterfeiter/v6 v6.8.1 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.opentelemetry.io/otel v1.31.0 // indirect
 	go.opentelemetry.io/otel/trace v1.31.0 // indirect

go.sum

@@ -129,8 +129,8 @@ github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovk
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA=
 github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/maxbrunsfeld/counterfeiter/v6 v6.8.1 h1:NicmruxkeqHjDv03SfSxqmaLuisddudfP3h5wdXFbhM=
+github.com/maxbrunsfeld/counterfeiter/v6 v6.10.0 h1:9WsegDYiSKtZXru+NcOB4z7iqb00n4atjmQlyy5TRXI=
-github.com/maxbrunsfeld/counterfeiter/v6 v6.8.1/go.mod h1:eyp4DdUJAKkr9tvxR3jWhw2mDK7CWABMG5r9uyaKC7I=
+github.com/maxbrunsfeld/counterfeiter/v6 v6.10.0/go.mod h1:TeVdzh+5QB5IpWDJAU/uviXA6kOg9yXzLrrjeLKJXqY=
 github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc=
 github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg=
 github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4=

go.work.sum

@@ -25,6 +25,7 @@ github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78/go.mod h1:W+zGtBO5Y1Ig
 github.com/containerd/console v1.0.4/go.mod h1:YynlIjWYF8myEu6sdkwKIvGQq+cOckRm6So2avqoYAk=
 github.com/coreos/go-oidc v2.2.1+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
 github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec=
+github.com/cyphar/filepath-securejoin v0.3.4/go.mod h1:8s/MCNJREmFK0H02MF6Ihv1nakJe4L/w3WZLHNkvlYM=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5/go.mod h1:qssHWj60/X5sZFNxpG4HBPDHVqxNm4DfnCKgrbZOT+s=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
@@ -82,6 +83,7 @@ github.com/nwaples/rardecode v1.1.3/go.mod h1:5DzqNKiOdpKKBH87u8VlvAnPZMXcGRhxWk
 github.com/onsi/ginkgo/v2 v2.21.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
 github.com/onsi/ginkgo/v2 v2.22.1/go.mod h1:S6aTpoRsSq2cZOd+pssHAlKW/Q/jZt6cPrPlnj4a1xM=
 github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY=
+github.com/onsi/gomega v1.34.2/go.mod h1:v1xfxRgk0KIsG+QOdm7p8UosrOzPYRo60fd3B/1Dukc=
 github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
 github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
 github.com/pelletier/go-toml/v2 v2.0.8/go.mod h1:vuYfssBdrU2XDZ9bYydBu6t+6a6PYNcZljzZR9VXg+4=
@@ -160,5 +162,6 @@ google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojt
 gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
 gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 k8s.io/apimachinery v0.31.0/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
+k8s.io/apimachinery v0.31.2/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
 k8s.io/kms v0.32.0/go.mod h1:Bk2evz/Yvk0oVrvm4MvZbgq8BD34Ksxs2SRHn4/UiOM=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=

images/kube-webhook-certgen/rootfs/go.mod

@@ -14,7 +14,7 @@ require (
 
 require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/emicklei/go-restful/v3 v3.11.3 // indirect
+	github.com/emicklei/go-restful/v3 v3.12.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect

images/kube-webhook-certgen/rootfs/go.sum

@@ -3,8 +3,7 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/emicklei/go-restful/v3 v3.11.3 h1:yagOQz/38xJmcNeZJtrUcKjkHRltIaIFXKWeG1SkWGE=
+github.com/emicklei/go-restful/v3 v3.12.0 h1:y2DdzBAURM29NFF94q6RaY4vjIH1rtwDapwQtU84iWk=
-github.com/emicklei/go-restful/v3 v3.11.3/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
 github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=

internal/ingress/controller/template/crossplane/config.go

@@ -44,5 +44,19 @@ func (c *Template) buildConfig() {
 		)
 	}
 
+	if shouldLoadAuthDigestModule(c.tplConfig.Servers) {
+		config.Parsed = append(config.Parsed, buildDirective("load_module", "/etc/nginx/modules/ngx_http_auth_digest_module.so"))
+	}
+
+	if c.tplConfig.Cfg.EnableOpentelemetry || shouldLoadOpentelemetryModule(c.tplConfig.Servers) {
+		config.Parsed = append(config.Parsed, buildDirective("load_module", "/etc/nginx/modules/otel_ngx_module.so"))
+	}
+
+	if c.tplConfig.Cfg.UseGeoIP2 {
+		config.Parsed = append(config.Parsed,
+			buildDirective("load_module", "/etc/nginx/modules/ngx_http_geoip2_module.so"),
+		)
+	}
+
 	c.config = config
 }

internal/ingress/controller/template/crossplane/crossplane_test.go

@@ -53,7 +53,7 @@ func TestCrossplaneTemplate(t *testing.T) {
 		IgnoreDirectives:         []string{"more_clear_headers", "more_set_headers"}, // TODO: Add more_set_headers
 		DirectiveSources: []ngx_crossplane.MatchFunc{
 			ngx_crossplane.DefaultDirectivesMatchFunc,
-			ngx_crossplane.LuaDirectivesMatchFn,
+			ngx_crossplane.MatchLuaLatest,
 			extramodules.BrotliMatchFn,
 		},
 		LexOptions: ngx_crossplane.LexOptions{

internal/ingress/controller/template/crossplane/http.go

@@ -28,9 +28,11 @@ func (c *Template) initHTTPDirectives() ngx_crossplane.Directives {
 	cfg := c.tplConfig.Cfg
 	httpBlock := ngx_crossplane.Directives{
 		buildDirective("lua_package_path", "/etc/nginx/lua/?.lua;;"),
+		buildDirective("lua_shared_dict", "luaconfig", "5m"),
+		buildDirective("init_by_lua_file", "/etc/nginx/lua/ngx_conf_init.lua"),
+		buildDirective("init_worker_by_lua_file", "/etc/nginx/lua/ngx_conf_init_worker.lua"),
 		buildDirective("include", c.mimeFile),
 		buildDirective("default_type", cfg.DefaultType),
-		buildDirective("real_ip_recursive", "on"),
 		buildDirective("aio", "threads"),
 		buildDirective("aio_write", cfg.EnableAioWrite),
 		buildDirective("server_tokens", cfg.ShowServerTokens),
@@ -85,8 +87,11 @@ func (c *Template) initHTTPDirectives() ngx_crossplane.Directives {
 func (c *Template) buildHTTP() {
 	cfg := c.tplConfig.Cfg
 	httpBlock := c.initHTTPDirectives()
-	httpBlock = append(httpBlock, buildLuaSharedDictionaries(&c.tplConfig.Cfg)...)
+	httpBlock = append(httpBlock, buildLuaSharedDictionaries(&cfg)...)
 
+	if c.tplConfig.Cfg.EnableOpentelemetry || shouldLoadOpentelemetryModule(c.tplConfig.Servers) {
+		httpBlock = append(httpBlock, buildDirective("opentelemetry_config", cfg.OpentelemetryConfig))
+	}
 	// Real IP dealing
 	if (cfg.UseForwardedHeaders || cfg.UseProxyProtocol) || cfg.EnableRealIP {
 		if cfg.UseProxyProtocol {
@@ -94,7 +99,7 @@ func (c *Template) buildHTTP() {
 		} else {
 			httpBlock = append(httpBlock, buildDirective("real_ip_header", cfg.ForwardedForHeader))
 		}
-
+		httpBlock = append(httpBlock, buildDirective("real_ip_recursive", "on"))
 		for k := range cfg.ProxyRealIPCIDR {
 			httpBlock = append(httpBlock, buildDirective("set_real_ip_from", cfg.ProxyRealIPCIDR[k]))
 		}
@@ -128,10 +133,25 @@ func (c *Template) buildHTTP() {
 		}
 	}
 
+	if cfg.EnableBrotli {
+		httpBlock = append(httpBlock, buildDirective("brotli", "on"))
+		httpBlock = append(httpBlock, buildDirective("brotli_comp_level", cfg.BrotliLevel))
+		httpBlock = append(httpBlock, buildDirective("brotli_min_length", cfg.BrotliMinLength))
+		httpBlock = append(httpBlock, buildDirective("brotli_types", cfg.BrotliTypes))
+	}
+
 	if !cfg.ShowServerTokens {
 		httpBlock = append(httpBlock, buildDirective("more_clear_headers", "Server"))
 	}
 
+	httpBlock = append(httpBlock, buildBlockDirective(
+		"geo",
+		[]string{"$literal_dollar"},
+		ngx_crossplane.Directives{
+			buildDirective("default", "$"),
+		},
+	))
+
 	if len(c.tplConfig.AddHeaders) > 0 {
 		additionalHeaders := make([]string, 0)
 		for headerName, headerValue := range c.tplConfig.AddHeaders {
@@ -206,6 +226,8 @@ func (c *Template) buildHTTP() {
 	httpUpgradeMap := ngx_crossplane.Directives{buildDirective("default", "upgrade")}
 	if cfg.UpstreamKeepaliveConnections < 1 {
 		httpUpgradeMap = append(httpUpgradeMap, buildDirective("", "close"))
+	} else {
+		httpUpgradeMap = append(httpUpgradeMap, buildDirective("", ""))
 	}
 	httpBlock = append(httpBlock, buildMapDirective("$http_upgrade", "$connection_upgrade", httpUpgradeMap))
 
@@ -220,7 +242,7 @@ func (c *Template) buildHTTP() {
 		if cfg.UseProxyProtocol {
 			forwardForMap = append(forwardForMap,
 				buildDirective("default", "$http_x_forwarded_for, $proxy_protocol_addr"),
-				buildDirective("", "$http_x_forwarded_for, $proxy_protocol_addr"),
+				buildDirective("", "$proxy_protocol_addr"),
 			)
 		} else {
 			forwardForMap = append(forwardForMap,
@@ -244,15 +266,13 @@ func (c *Template) buildHTTP() {
 		)
 	}
 
-	if len(cfg.HideHeaders) > 0 {
+	for k := range cfg.HideHeaders {
-		for k := range cfg.HideHeaders {
+		httpBlock = append(httpBlock, buildDirective("proxy_hide_header", cfg.HideHeaders[k]))
-			httpBlock = append(httpBlock, buildDirective("proxy_hide_header", cfg.HideHeaders[k]))
-		}
 	}
 
 	blockUpstreamDirectives := ngx_crossplane.Directives{
 		buildDirective("server", "0.0.0.1"),
-		buildBlockDirective("balancer_by_lua_block", nil, ngx_crossplane.Directives{buildDirective("balancer.balance()")}),
+		buildDirective("balancer_by_lua_file", "/etc/nginx/lua/nginx/ngx_conf_balancer.lua"),
 	}
 	if c.tplConfig.Cfg.UpstreamKeepaliveConnections > 0 {
 		blockUpstreamDirectives = append(blockUpstreamDirectives,

internal/ingress/controller/template/crossplane/testdata/nginx-new-orig.tmpl

@@ -7,11 +7,16 @@
 {{ $proxyHeaders := .ProxySetHeaders }}
 {{ $addHeaders := .AddHeaders }}
 
-# MIGRATED
+# Configuration checksum: {{ $all.Cfg.Checksum }}
-pid {{ .PID }};
 
-# MODULES ARE NOT MIGRATED YET!
+# setup custom paths that do not require root access
-{{ if $cfg.EnableBrotli }}
+pid {{ .PID }}; # OK
+
+{{ if $cfg.UseGeoIP2 }} #OK
+load_module /etc/nginx/modules/ngx_http_geoip2_module.so;
+{{ end }}
+
+{{ if $cfg.EnableBrotli }} #OK
 load_module /etc/nginx/modules/ngx_http_brotli_filter_module.so;
 load_module /etc/nginx/modules/ngx_http_brotli_static_module.so;
 {{ end }}
@@ -20,114 +25,56 @@ load_module /etc/nginx/modules/ngx_http_brotli_static_module.so;
 load_module /etc/nginx/modules/ngx_http_auth_digest_module.so;
 {{ end }}
 
+{{ if (shouldLoadModSecurityModule $cfg $servers) }}
+load_module /etc/nginx/modules/ngx_http_modsecurity_module.so;
+{{ end }}
+
 {{ if (shouldLoadOpentelemetryModule $cfg $servers) }}
 load_module /etc/nginx/modules/otel_ngx_module.so;
 {{ end }}
 
-# MIGRATED 1
+daemon off; # OK
-daemon off;
 
-worker_processes {{ $cfg.WorkerProcesses }};
+worker_processes {{ $cfg.WorkerProcesses }}; # OK
-{{ if gt (len $cfg.WorkerCPUAffinity) 0 }}
+{{ if gt (len $cfg.WorkerCPUAffinity) 0 }} # OK 
 worker_cpu_affinity {{ $cfg.WorkerCPUAffinity }};
 {{ end }}
 
-worker_rlimit_nofile {{ $cfg.MaxWorkerOpenFiles }};
+worker_rlimit_nofile {{ $cfg.MaxWorkerOpenFiles }}; # OK
 
 {{/* http://nginx.org/en/docs/ngx_core_module.html#worker_shutdown_timeout */}}
 {{/* avoid waiting too long during a reload */}}
-worker_shutdown_timeout {{ $cfg.WorkerShutdownTimeout }} ;
+worker_shutdown_timeout {{ $cfg.WorkerShutdownTimeout }} ; # OK
+
+# REMOVED
+# {{ if not (empty $cfg.MainSnippet) }}
+# {{ $cfg.MainSnippet }}
+# {{ end }}
 
 events {
-    multi_accept        {{ if $cfg.EnableMultiAccept }}on{{ else }}off{{ end }};
+    multi_accept        {{ if $cfg.EnableMultiAccept }}on{{ else }}off{{ end }}; # OK
-    worker_connections  {{ $cfg.MaxWorkerConnections }};
+    worker_connections  {{ $cfg.MaxWorkerConnections }}; # OK
-    use                 epoll;
+    use                 epoll; # OK
-    {{ range $index , $v := $cfg.DebugConnections }}
+    {{ range $index , $v := $cfg.DebugConnections }} # OK
-    debug_connection    {{ $v }};
+    debug_connection    {{ $v }}; # OK
     {{ end }}
 }
 
-# END MIGRATED 1
-
 http {
     {{ if (shouldLoadOpentelemetryModule $cfg $servers) }}
     opentelemetry_config {{ $cfg.OpentelemetryConfig }};
     {{ end }}
 
-    # MIGRATED
+    lua_package_path "/etc/nginx/lua/?.lua;;"; # OK
-    lua_package_path "/etc/nginx/lua/?.lua;;";
 
-    # MIGRATED
+    {{ buildLuaSharedDictionaries $cfg $servers }} # OK
-    {{ buildLuaSharedDictionaries $cfg $servers }}
 
-    # NOT MIGRATED
+    lua_shared_dict luaconfig 5m; # OK
-    init_by_lua_block {
-        collectgarbage("collect")
 
-        -- init modules
+    init_by_lua_file /etc/nginx/lua/ngx_conf_init.lua; # OK
-        local ok, res
 
-        ok, res = pcall(require, "lua_ingress")
+    init_worker_by_lua_file /etc/nginx/lua/ngx_conf_init_worker.lua; # OK
-        if not ok then
-          error("require failed: " .. tostring(res))
-        else
-          lua_ingress = res
-          lua_ingress.set_config({{ configForLua $all }})
-        end
 
-        ok, res = pcall(require, "configuration")
-        if not ok then
-          error("require failed: " .. tostring(res))
-        else
-          configuration = res
-          configuration.prohibited_localhost_port = '{{ .StatusPort }}'
-        end
-
-        ok, res = pcall(require, "balancer")
-        if not ok then
-          error("require failed: " .. tostring(res))
-        else
-          balancer = res
-        end
-
-        {{ if $all.EnableMetrics }}
-        ok, res = pcall(require, "monitor")
-        if not ok then
-          error("require failed: " .. tostring(res))
-        else
-          monitor = res
-        end
-        {{ end }}
-
-        ok, res = pcall(require, "certificate")
-        if not ok then
-          error("require failed: " .. tostring(res))
-        else
-          certificate = res
-          certificate.is_ocsp_stapling_enabled = {{ $cfg.EnableOCSP }}
-        end
-
-        ok, res = pcall(require, "plugins")
-        if not ok then
-          error("require failed: " .. tostring(res))
-        else
-          plugins = res
-        end
-        -- load all plugins that'll be used here
-        plugins.init({ {{ range  $idx, $plugin := $cfg.Plugins }}{{ if $idx }},{{ end }}{{ $plugin | quote }}{{ end }} })
-    }
-
-    init_worker_by_lua_block {
-        lua_ingress.init_worker()
-        balancer.init_worker()
-        {{ if $all.EnableMetrics }}
-        monitor.init_worker({{ $all.MonitorMaxBatchSize }})
-        {{ end }}
-
-        plugins.run()
-    }
-
-    # MIGRATED VARIOUS 1
     {{/* Enable the real_ip module only if we use either X-Forwarded headers or Proxy Protocol. */}}
     {{/* we use the value of the real IP for the geo_ip module */}}
     {{ if or (or $cfg.UseForwardedHeaders $cfg.UseProxyProtocol) $cfg.EnableRealIP }}
@@ -143,6 +90,162 @@ http {
     {{ end }}
     {{ end }}
 
+    {{ if $all.Cfg.EnableModsecurity }}
+    modsecurity on;
+
+    {{ if (not (empty $all.Cfg.ModsecuritySnippet)) }}
+    modsecurity_rules '
+      {{ $all.Cfg.ModsecuritySnippet }}
+    ';
+    {{ else }}
+    modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;
+    {{ end }}
+
+    {{ if $all.Cfg.EnableOWASPCoreRules }}
+    modsecurity_rules_file /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf;
+    {{ end }}
+
+    {{ end }}
+
+    {{ if $cfg.UseGeoIP2 }}
+    # https://github.com/leev/ngx_http_geoip2_module#example-usage
+
+    {{ range $index, $file := $all.MaxmindEditionFiles }}
+    {{ if eq $file "GeoLite2-Country.mmdb" }}
+    geoip2 /etc/ingress-controller/geoip/GeoLite2-Country.mmdb {
+        {{ if (gt $cfg.GeoIP2AutoReloadMinutes 0) }}
+        auto_reload {{ $cfg.GeoIP2AutoReloadMinutes }}m;
+        {{ end }}
+        $geoip2_country_code source=$remote_addr country iso_code;
+        $geoip2_country_name source=$remote_addr country names en;
+        $geoip2_country_geoname_id source=$remote_addr country geoname_id;
+        $geoip2_continent_code source=$remote_addr continent code;
+        $geoip2_continent_name source=$remote_addr continent names en;
+        $geoip2_continent_geoname_id source=$remote_addr continent geoname_id;
+    }
+    {{ end }}
+
+    {{ if eq $file "GeoIP2-Country.mmdb" }}
+    geoip2 /etc/ingress-controller/geoip/GeoIP2-Country.mmdb {
+        {{ if (gt $cfg.GeoIP2AutoReloadMinutes 0) }}
+        auto_reload {{ $cfg.GeoIP2AutoReloadMinutes }}m;
+        {{ end }}
+        $geoip2_country_code source=$remote_addr country iso_code;
+        $geoip2_country_name source=$remote_addr country names en;
+        $geoip2_country_geoname_id source=$remote_addr country geoname_id;
+        $geoip2_continent_code source=$remote_addr continent code;
+        $geoip2_continent_name source=$remote_addr continent names en;
+        $geoip2_continent_geoname_id source=$remote_addr continent geoname_id;
+    }
+    {{ end }}
+
+    {{ if eq $file "GeoLite2-City.mmdb" }}
+    geoip2 /etc/ingress-controller/geoip/GeoLite2-City.mmdb {
+        {{ if (gt $cfg.GeoIP2AutoReloadMinutes 0) }}
+        auto_reload {{ $cfg.GeoIP2AutoReloadMinutes }}m;
+        {{ end }}
+        $geoip2_city_country_code source=$remote_addr country iso_code;
+        $geoip2_city_country_name source=$remote_addr country names en;
+        $geoip2_city_country_geoname_id source=$remote_addr country geoname_id;
+        $geoip2_city source=$remote_addr city names en;
+        $geoip2_city_geoname_id source=$remote_addr city geoname_id;
+        $geoip2_postal_code source=$remote_addr postal code;
+        $geoip2_dma_code source=$remote_addr location metro_code;
+        $geoip2_latitude source=$remote_addr location latitude;
+        $geoip2_longitude source=$remote_addr location longitude;
+        $geoip2_time_zone source=$remote_addr location time_zone;
+        $geoip2_region_code source=$remote_addr subdivisions 0 iso_code;
+        $geoip2_region_name source=$remote_addr subdivisions 0 names en;
+        $geoip2_region_geoname_id source=$remote_addr subdivisions 0 geoname_id;
+        $geoip2_subregion_code source=$remote_addr subdivisions 1 iso_code;
+        $geoip2_subregion_name source=$remote_addr subdivisions 1 names en;
+        $geoip2_subregion_geoname_id source=$remote_addr subdivisions 1 geoname_id;
+        $geoip2_city_continent_code source=$remote_addr continent code;
+        $geoip2_city_continent_name source=$remote_addr continent names en;
+    }
+    {{ end }}
+
+    {{ if eq $file "GeoIP2-City.mmdb" }}
+    geoip2 /etc/ingress-controller/geoip/GeoIP2-City.mmdb {
+        {{ if (gt $cfg.GeoIP2AutoReloadMinutes 0) }}
+        auto_reload {{ $cfg.GeoIP2AutoReloadMinutes }}m;
+        {{ end }}
+        $geoip2_city_country_code source=$remote_addr country iso_code;
+        $geoip2_city_country_name source=$remote_addr country names en;
+        $geoip2_city_country_geoname_id source=$remote_addr country geoname_id;
+        $geoip2_city source=$remote_addr city names en;
+        $geoip2_city_geoname_id source=$remote_addr city geoname_id;
+        $geoip2_postal_code source=$remote_addr postal code;
+        $geoip2_dma_code source=$remote_addr location metro_code;
+        $geoip2_latitude source=$remote_addr location latitude;
+        $geoip2_longitude source=$remote_addr location longitude;
+        $geoip2_time_zone source=$remote_addr location time_zone;
+        $geoip2_region_code source=$remote_addr subdivisions 0 iso_code;
+        $geoip2_region_name source=$remote_addr subdivisions 0 names en;
+        $geoip2_region_geoname_id source=$remote_addr subdivisions 0 geoname_id;
+        $geoip2_subregion_code source=$remote_addr subdivisions 1 iso_code;
+        $geoip2_subregion_name source=$remote_addr subdivisions 1 names en;
+        $geoip2_subregion_geoname_id source=$remote_addr subdivisions 1 geoname_id;
+        $geoip2_city_continent_code source=$remote_addr continent code;
+        $geoip2_city_continent_name source=$remote_addr continent names en;
+    }
+    {{ end }}
+
+    {{ if eq $file "GeoLite2-ASN.mmdb" }}
+    geoip2 /etc/ingress-controller/geoip/GeoLite2-ASN.mmdb {
+        {{ if (gt $cfg.GeoIP2AutoReloadMinutes 0) }}
+        auto_reload {{ $cfg.GeoIP2AutoReloadMinutes }}m;
+        {{ end }}
+        $geoip2_asn source=$remote_addr autonomous_system_number;
+        $geoip2_org source=$remote_addr autonomous_system_organization;
+    }
+    {{ end }}
+
+    {{ if eq $file "GeoIP2-ASN.mmdb" }}
+    geoip2 /etc/ingress-controller/geoip/GeoIP2-ASN.mmdb {
+        {{ if (gt $cfg.GeoIP2AutoReloadMinutes 0) }}
+        auto_reload {{ $cfg.GeoIP2AutoReloadMinutes }}m;
+        {{ end }}
+        $geoip2_asn source=$remote_addr autonomous_system_number;
+        $geoip2_org source=$remote_addr autonomous_system_organization;
+    }
+    {{ end }}
+
+    {{ if eq $file "GeoIP2-ISP.mmdb" }}
+    geoip2 /etc/ingress-controller/geoip/GeoIP2-ISP.mmdb {
+        {{ if (gt $cfg.GeoIP2AutoReloadMinutes 0) }}
+        auto_reload {{ $cfg.GeoIP2AutoReloadMinutes }}m;
+        {{ end }}
+        $geoip2_isp source=$remote_addr isp;
+        $geoip2_isp_org source=$remote_addr organization;
+        $geoip2_asn source=$remote_addr default=0 autonomous_system_number;
+    }
+    {{ end }}
+
+    {{ if eq $file "GeoIP2-Connection-Type.mmdb" }}
+    geoip2 /etc/ingress-controller/geoip/GeoIP2-Connection-Type.mmdb {
+        $geoip2_connection_type connection_type;
+    }
+    {{ end }}
+
+    {{ if eq $file "GeoIP2-Anonymous-IP.mmdb" }}
+    geoip2 /etc/ingress-controller/geoip/GeoIP2-Anonymous-IP.mmdb {
+        {{ if (gt $cfg.GeoIP2AutoReloadMinutes 0) }}
+        auto_reload {{ $cfg.GeoIP2AutoReloadMinutes }}m;
+        {{ end }}
+        $geoip2_is_anon source=$remote_addr is_anonymous;
+        $geoip2_is_anonymous source=$remote_addr default=0 is_anonymous;
+        $geoip2_is_anonymous_vpn source=$remote_addr default=0 is_anonymous_vpn;
+        $geoip2_is_hosting_provider source=$remote_addr default=0 is_hosting_provider;
+        $geoip2_is_public_proxy source=$remote_addr default=0 is_public_proxy;
+        $geoip2_is_tor_exit_node source=$remote_addr default=0 is_tor_exit_node;
+    }
+    {{ end }}
+
+    {{ end }}
+
+    {{ end }}
+
     aio                 threads;
 
     {{ if $cfg.EnableAioWrite }}
@@ -201,9 +304,18 @@ http {
     limit_req_status                {{ $cfg.LimitReqStatusCode }};
     limit_conn_status               {{ $cfg.LimitConnStatusCode }};
 
+    {{ buildOpentelemetry $cfg $servers }}
+
     include /etc/nginx/mime.types;
     default_type {{ $cfg.DefaultType }};
 
+    {{ if $cfg.EnableBrotli }}
+    brotli on;
+    brotli_comp_level {{ $cfg.BrotliLevel }};
+    brotli_min_length {{ $cfg.BrotliMinLength }};
+    brotli_types {{ $cfg.BrotliTypes }};
+    {{ end }}
+
     {{ if $cfg.UseGzip }}
     gzip on;
     gzip_comp_level {{ $cfg.GzipLevel }};
@@ -263,26 +375,6 @@ http {
 
     {{ buildResolvers $cfg.Resolver $cfg.DisableIpv6DNS }}
 
-    server_name_in_redirect off;
-    port_in_redirect        off;
-
-    ssl_protocols {{ $cfg.SSLProtocols }};
-
-    ssl_early_data {{ if $cfg.SSLEarlyData }}on{{ else }}off{{ end }};
-
-    # allow configuring ssl session tickets
-    ssl_session_tickets {{ if $cfg.SSLSessionTickets }}on{{ else }}off{{ end }};
-
-    # slightly reduce the time-to-first-byte
-    ssl_buffer_size {{ $cfg.SSLBufferSize }};
-
-    ssl_ecdh_curve {{ $cfg.SSLECDHCurve }};
-    # PEM sha: {{ $cfg.DefaultSSLCertificate.PemSHA }}
-    ssl_certificate     {{ $cfg.DefaultSSLCertificate.PemFileName }};
-    ssl_certificate_key {{ $cfg.DefaultSSLCertificate.PemFileName }};
-    
-    proxy_ssl_session_reuse on;
-
     # See https://www.nginx.com/blog/websocket-nginx
     map $http_upgrade $connection_upgrade {
         default          upgrade;
@@ -303,9 +395,6 @@ http {
         {{ end }}
     }
 
-    # Cache for internal auth checks
-    proxy_cache_path /tmp/nginx/nginx-cache-auth levels=1:2 keys_zone=auth_cache:10m max_size=128m inactive=30m use_temp_path=off;
-
     {{ if and $cfg.UseForwardedHeaders $cfg.ComputeFullForwardedFor }}
     # We can't use $proxy_add_x_forwarded_for because the realip module
     # replaces the remote_addr too soon
@@ -321,16 +410,35 @@ http {
 
     {{ end }}
 
-        # turn on session caching to drastically improve performance
+    # Create a variable that contains the literal $ character.
+    # This works because the geo module will not resolve variables.
+    geo $literal_dollar {
+        default "$";
+    }
+
+    server_name_in_redirect off;
+    port_in_redirect        off;
+
+    ssl_protocols {{ $cfg.SSLProtocols }};
+
+    ssl_early_data {{ if $cfg.SSLEarlyData }}on{{ else }}off{{ end }};
+
+    # turn on session caching to drastically improve performance
     {{ if $cfg.SSLSessionCache }}
     ssl_session_cache shared:SSL:{{ $cfg.SSLSessionCacheSize }};
     ssl_session_timeout {{ $cfg.SSLSessionTimeout }};
     {{ end }}
 
+    # allow configuring ssl session tickets
+    ssl_session_tickets {{ if $cfg.SSLSessionTickets }}on{{ else }}off{{ end }};
+
     {{ if not (empty $cfg.SSLSessionTicketKey ) }}
     ssl_session_ticket_key /etc/ingress-controller/tickets.key;
     {{ end }}
 
+    # slightly reduce the time-to-first-byte
+    ssl_buffer_size {{ $cfg.SSLBufferSize }};
+
     {{ if not (empty $cfg.SSLCiphers) }}
     # allow configuring custom ssl ciphers
     ssl_ciphers '{{ $cfg.SSLCiphers }}';
@@ -342,16 +450,20 @@ http {
     ssl_dhparam {{ $cfg.SSLDHParam }};
     {{ end }}
 
+    ssl_ecdh_curve {{ $cfg.SSLECDHCurve }};
+
+    # PEM sha: {{ $cfg.DefaultSSLCertificate.PemSHA }}
+    ssl_certificate     {{ $cfg.DefaultSSLCertificate.PemFileName }};
+    ssl_certificate_key {{ $cfg.DefaultSSLCertificate.PemFileName }};
+
     {{ if and $cfg.CustomHTTPErrors (not $cfg.DisableProxyInterceptErrors) }}
     proxy_intercept_errors on;
     {{ end }}
 
-    {{ if $cfg.EnableBrotli }}
+    {{ range $errCode := $cfg.CustomHTTPErrors }}
-    brotli on;
+    error_page {{ $errCode }} = @custom_upstream-default-backend_{{ $errCode }};{{ end }}
-    brotli_comp_level {{ $cfg.BrotliLevel }};
+
-    brotli_min_length {{ $cfg.BrotliMinLength }};
+    proxy_ssl_session_reuse on;
-    brotli_types {{ $cfg.BrotliTypes }};
-    {{ end }}
 
     {{ if $cfg.AllowBackendServerHeader }}
     proxy_pass_header Server;
@@ -360,6 +472,59 @@ http {
     {{ range $header := $cfg.HideHeaders }}proxy_hide_header {{ $header }};
     {{ end }}
 
+    {{ if not (empty $cfg.HTTPSnippet) }}
+    # Custom code snippet configured in the configuration configmap
+    {{ $cfg.HTTPSnippet }}
+    {{ end }}
+
+    upstream upstream_balancer {
+        ### Attention!!!
+        #
+        # We no longer create "upstream" section for every backend.
+        # Backends are handled dynamically using Lua. If you would like to debug
+        # and see what backends ingress-nginx has in its memory you can
+        # install our kubectl plugin https://kubernetes.github.io/ingress-nginx/kubectl-plugin.
+        # Once you have the plugin you can use "kubectl ingress-nginx backends" command to
+        # inspect current backends.
+        #
+        ###
+
+        server 0.0.0.1; # placeholder
+
+        balancer_by_lua_file /etc/nginx/lua/nginx/ngx_conf_balancer.lua;
+
+        {{ if (gt $cfg.UpstreamKeepaliveConnections 0) }}
+        keepalive {{ $cfg.UpstreamKeepaliveConnections }};
+        keepalive_time {{ $cfg.UpstreamKeepaliveTime }};
+        keepalive_timeout  {{ $cfg.UpstreamKeepaliveTimeout }}s;
+        keepalive_requests {{ $cfg.UpstreamKeepaliveRequests }};
+        {{ end }}
+    }
+
+    {{ range $rl := (filterRateLimits $servers ) }}
+    # Ratelimit {{ $rl.Name }}
+    geo $remote_addr $allowlist_{{ $rl.ID }} {
+        default 0;
+        {{ range $ip := $rl.Allowlist }}
+        {{ $ip }} 1;{{ end }}
+    }
+
+    # Ratelimit {{ $rl.Name }}
+    map $allowlist_{{ $rl.ID }} $limit_{{ $rl.ID }} {
+        0 {{ $cfg.LimitConnZoneVariable }};
+        1 "";
+    }
+    {{ end }}
+
+    {{/* build all the required rate limit zones. Each annotation requires a dedicated zone */}}
+    {{/* 1MB -> 16 thousand 64-byte states or about 8 thousand 128-byte states */}}
+    {{ range $zone := (buildRateLimitZones $servers) }}
+    {{ $zone }}
+    {{ end }}
+
+    # Cache for internal auth checks
+    proxy_cache_path /tmp/nginx/nginx-cache-auth levels=1:2 keys_zone=auth_cache:10m max_size=128m inactive=30m use_temp_path=off;
+
     # Global filters
     {{ range $ip := $cfg.BlockCIDRs }}deny {{ trimSpace $ip }};
     {{ end }}
@@ -382,57 +547,6 @@ http {
     }
     {{ end }}
 
-    upstream upstream_balancer {
-        server 0.0.0.1; # placeholder
-
-        balancer_by_lua_block {
-          balancer.balance()
-        }
-
-        {{ if (gt $cfg.UpstreamKeepaliveConnections 0) }}
-        keepalive {{ $cfg.UpstreamKeepaliveConnections }};
-        keepalive_time {{ $cfg.UpstreamKeepaliveTime }};
-        keepalive_timeout  {{ $cfg.UpstreamKeepaliveTimeout }}s;
-        keepalive_requests {{ $cfg.UpstreamKeepaliveRequests }};
-        {{ end }}
-    }
-
-    # END MIGRATED VARIOUS 1
-
-    {{ buildOpentelemetry $cfg $servers }}
-
-    # Create a variable that contains the literal $ character.
-    # This works because the geo module will not resolve variables.
-    geo $literal_dollar {
-        default "$";
-    }
-
-    # MIGRATED
-    {{ range $errCode := $cfg.CustomHTTPErrors }}
-    error_page {{ $errCode }} = @custom_upstream-default-backend_{{ $errCode }};{{ end }}
-
-    {{ range $rl := (filterRateLimits $servers ) }}
-    # Ratelimit {{ $rl.Name }}
-    geo $remote_addr $allowlist_{{ $rl.ID }} {
-        default 0;
-        {{ range $ip := $rl.Allowlist }}
-        {{ $ip }} 1;{{ end }}
-    }
-
-    # Ratelimit {{ $rl.Name }}
-    map $allowlist_{{ $rl.ID }} $limit_{{ $rl.ID }} {
-        0 {{ $cfg.LimitConnZoneVariable }};
-        1 "";
-    }
-    {{ end }}
-
-    {{/* build all the required rate limit zones. Each annotation requires a dedicated zone */}}
-    {{/* 1MB -> 16 thousand 64-byte states or about 8 thousand 128-byte states */}}
-    {{ range $zone := (buildRateLimitZones $servers) }}
-    {{ $zone }}
-    {{ end }}
-
-
     {{/* Build server redirects (from/to www) */}}
     {{ range $redirect := .RedirectServers }}
     ## start server {{ $redirect.From }}
@@ -442,9 +556,7 @@ http {
         {{ buildHTTPListener  $all $redirect.From }}
         {{ buildHTTPSListener $all $redirect.From }}
 
-        ssl_certificate_by_lua_block {
+        ssl_certificate_by_lua_file /etc/nginx/lua/nginx/ngx_conf_certificate.lua;
-            certificate.call()
-        }
 
         {{ if gt (len $cfg.BlockUserAgents) 0 }}
         if ($block_ua) {
@@ -457,30 +569,7 @@ http {
         }
         {{ end }}
 
-        set_by_lua_block $redirect_to {
+        set_by_lua_file $redirect_to /etc/nginx/lua/nginx/ngx_srv_redirect.lua {{ $redirect.To }}; 
-            local request_uri = ngx.var.request_uri
-            if string.sub(request_uri, -1) == "/" then
-                request_uri = string.sub(request_uri, 1, -2)
-            end
-
-            {{ if $cfg.UseForwardedHeaders }}
-            local redirectScheme
-            if not ngx.var.http_x_forwarded_proto then
-                redirectScheme = ngx.var.scheme
-            else
-                redirectScheme = ngx.var.http_x_forwarded_proto
-            end
-            {{ else }}
-            local redirectScheme = ngx.var.scheme
-            {{ end }}
-
-            {{ if ne $all.ListenPorts.HTTPS 443 }}
-            {{ $redirect_port := (printf ":%v" $all.ListenPorts.HTTPS) }}
-            return string.format("%s://%s%s%s", redirectScheme, "{{ $redirect.To }}", "{{ $redirect_port }}", request_uri)
-            {{ else }}
-            return string.format("%s://%s%s", redirectScheme, "{{ $redirect.To }}", request_uri)
-            {{ end }}
-        }
 
         return {{ $all.Cfg.HTTPRedirectCode }} $redirect_to;
     }
@@ -528,7 +617,12 @@ http {
 
         {{ template "SERVER" serverConfig $all $server }}
 
-        {{ template "CUSTOM_ERRORS" (buildCustomErrorDeps "upstream-default-backend" $cfg.CustomHTTPErrors $all.EnableMetrics) }}
+        {{ if not (empty $cfg.ServerSnippet) }}
+        # Custom code snippet configured in the configuration configmap
+        {{ $cfg.ServerSnippet }}
+        {{ end }}
+
+        {{ template "CUSTOM_ERRORS" (buildCustomErrorDeps "upstream-default-backend" $cfg.CustomHTTPErrors $all.EnableMetrics $cfg.EnableModsecurity) }}
     }
     ## end server {{ $server.Hostname }}
 
@@ -549,6 +643,11 @@ http {
 
     # default server, used for NGINX healthcheck and access to nginx stats
     server {
+        # Ensure that modsecurity will not run on an internal location as this is not accessible from outside
+        {{ if $all.Cfg.EnableModsecurity }}
+        modsecurity off;
+        {{ end }}
+
         listen 127.0.0.1:{{ .StatusPort }};
         set $proxy_upstream_name "internal";
 
@@ -565,17 +664,7 @@ http {
         }
 
         location /is-dynamic-lb-initialized {
-            content_by_lua_block {
+            content_by_lua_file /etc/nginx/lua/nginx/ngx_conf_is_dynamic_lb_initialized.lua;
-                local configuration = require("configuration")
-                local backend_data = configuration.get_backends_data()
-                if not backend_data then
-                    ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
-                    return
-                end
-
-                ngx.say("OK")
-                ngx.exit(ngx.HTTP_OK)
-            }
         }
 
         location {{ .StatusPath }} {
@@ -587,27 +676,136 @@ http {
             client_body_buffer_size                 {{ luaConfigurationRequestBodySize $cfg }};
             proxy_buffering                         off;
 
-            content_by_lua_block {
+            content_by_lua_file /etc/nginx/lua/nginx/ngx_conf_configuration.lua;
-              configuration.call()
-            }
         }
 
         location / {
-            content_by_lua_block {
+            return 404;
-                ngx.exit(ngx.HTTP_NOT_FOUND)
-            }
         }
     }
 }
 
+stream {
+    lua_package_path "/etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/?.lua;;";
+
+    lua_shared_dict tcp_udp_configuration_data 5M;
+    
+    {{ buildResolvers $cfg.Resolver $cfg.DisableIpv6DNS }}
+
+    init_by_lua_file /etc/nginx/lua/ngx_conf_init_stream.lua;
+
+    init_worker_by_lua_file /etc/nginx/lua/nginx/ngx_conf_init_tcp_udp.lua;
+
+    lua_add_variable $proxy_upstream_name;
+
+    log_format log_stream '{{ $cfg.LogFormatStream }}';
+
+    {{ if or $cfg.DisableAccessLog $cfg.DisableStreamAccessLog }}
+    access_log off;
+    {{ else }}
+    access_log {{ or $cfg.StreamAccessLogPath $cfg.AccessLogPath }} log_stream {{ $cfg.AccessLogParams }};
+    {{ end }}
+
+
+    error_log  {{ $cfg.ErrorLogPath }} {{ $cfg.ErrorLogLevel }};
+    {{ if $cfg.EnableRealIP }}
+    {{ range $trusted_ip := $cfg.ProxyRealIPCIDR }}
+    set_real_ip_from    {{ $trusted_ip }};
+    {{ end }}
+    {{ end }}
+
+    upstream upstream_balancer {
+        server 0.0.0.1:1234; # placeholder
+        balancer_by_lua_file /etc/nginx/lua/nginx/ngx_conf_balancer_tcp_udp.lua;
+    }
+
+    server {
+        listen 127.0.0.1:{{ .StreamPort }};
+
+        access_log off;
+
+        content_by_lua_file /etc/nginx/lua/nginx/ngx_conf_content_tcp_udp.lua;
+    }
+
+    # TCP services
+    {{ range $tcpServer := .TCPBackends }}
+    server {
+        preread_by_lua_block {
+            ngx.var.proxy_upstream_name="tcp-{{ $tcpServer.Backend.Namespace }}-{{ $tcpServer.Backend.Name }}-{{ $tcpServer.Backend.Port }}";
+        }
+
+        {{ range $address := $all.Cfg.BindAddressIpv4 }}
+        listen                  {{ $address }}:{{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }};
+        {{ else }}
+        listen                  {{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }};
+        {{ end }}
+        {{ if $IsIPV6Enabled }}
+        {{ range $address := $all.Cfg.BindAddressIpv6 }}
+        listen                  {{ $address }}:{{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }};
+        {{ else }}
+        listen                  [::]:{{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }};
+        {{ end }}
+        {{ end }}
+        proxy_timeout           {{ $cfg.ProxyStreamTimeout }};
+        proxy_next_upstream     {{ if $cfg.ProxyStreamNextUpstream }}on{{ else }}off{{ end }};
+        proxy_next_upstream_timeout {{ $cfg.ProxyStreamNextUpstreamTimeout }};
+        proxy_next_upstream_tries   {{ $cfg.ProxyStreamNextUpstreamTries }};
+
+        proxy_pass              upstream_balancer;
+        {{ if $tcpServer.Backend.ProxyProtocol.Encode }}
+        proxy_protocol          on;
+        {{ end }}
+    }
+    {{ end }}
+
+    # UDP services
+    {{ range $udpServer := .UDPBackends }}
+    server {
+        preread_by_lua_block {
+            ngx.var.proxy_upstream_name="udp-{{ $udpServer.Backend.Namespace }}-{{ $udpServer.Backend.Name }}-{{ $udpServer.Backend.Port }}";
+        }
+
+        {{ range $address := $all.Cfg.BindAddressIpv4 }}
+        listen                  {{ $address }}:{{ $udpServer.Port }} udp;
+        {{ else }}
+        listen                  {{ $udpServer.Port }} udp;
+        {{ end }}
+        {{ if $IsIPV6Enabled }}
+        {{ range $address := $all.Cfg.BindAddressIpv6 }}
+        listen                  {{ $address }}:{{ $udpServer.Port }} udp;
+        {{ else }}
+        listen                  [::]:{{ $udpServer.Port }} udp;
+        {{ end }}
+        {{ end }}
+        proxy_responses         {{ $cfg.ProxyStreamResponses }};
+        proxy_timeout           {{ $cfg.ProxyStreamTimeout }};
+        proxy_next_upstream     {{ if $cfg.ProxyStreamNextUpstream }}on{{ else }}off{{ end }};
+        proxy_next_upstream_timeout {{ $cfg.ProxyStreamNextUpstreamTimeout }};
+        proxy_next_upstream_tries   {{ $cfg.ProxyStreamNextUpstreamTries }};
+        proxy_pass              upstream_balancer;
+    }
+    {{ end }}
+
+    # Stream Snippets
+    {{ range $snippet := .StreamSnippets }}
+    {{ $snippet }}
+    {{ end }}
+}
+
 {{/* definition of templates to avoid repetitions */}}
 {{ define "CUSTOM_ERRORS" }}
         {{ $enableMetrics := .EnableMetrics }}
+        {{ $modsecurityEnabled := .ModsecurityEnabled }}
         {{ $upstreamName := .UpstreamName }}
         {{ range $errCode := .ErrorCodes }}
         location @custom_{{ $upstreamName }}_{{ $errCode }} {
             internal;
 
+            # Ensure that modsecurity will not run on custom error pages or they might be blocked
+            {{ if $modsecurityEnabled }}
+            modsecurity off;
+            {{ end }}
+
             proxy_intercept_errors off;
 
             proxy_set_header       X-Code             {{ $errCode }};
@@ -626,11 +824,9 @@ http {
             rewrite                (.*) / break;
 
             proxy_pass            http://upstream_balancer;
-            log_by_lua_block {
+            {{ if $enableMetrics }}
-                {{ if $enableMetrics }}
+            log_by_lua_file /etc/nginx/lua/nginx/ngx_conf_log.lua;
-                monitor.call()
+            {{ end }}
-                {{ end }}
-            }
         }
         {{ end }}
 {{ end }}
@@ -690,9 +886,7 @@ http {
         ssl_reject_handshake {{ if $all.Cfg.SSLRejectHandshake }}on{{ else }}off{{ end }};
         {{ end }}
 
-        ssl_certificate_by_lua_block {
+        ssl_certificate_by_lua_file /etc/nginx/lua/nginx/ngx_conf_certificate.lua;
-            certificate.call()
-        }
 
         {{ if not (empty $server.AuthTLSError) }}
         # {{ $server.AuthTLSError }}
@@ -741,8 +935,13 @@ http {
         ssl_prefer_server_ciphers               {{ $server.SSLPreferServerCiphers }};
         {{ end }}
 
+        {{ if not (empty $server.ServerSnippet) }}
+        # Custom code snippet configured for host {{ $server.Hostname }}
+        {{ $server.ServerSnippet }}
+        {{ end }}
+
         {{ range $errorLocation := (buildCustomErrorLocationsPerServer $server) }}
-        {{ template "CUSTOM_ERRORS" (buildCustomErrorDeps $errorLocation.UpstreamName $errorLocation.Codes $all.EnableMetrics) }}
+        {{ template "CUSTOM_ERRORS" (buildCustomErrorDeps $errorLocation.UpstreamName $errorLocation.Codes $all.EnableMetrics $all.Cfg.EnableModsecurity) }}
         {{ end }}
 
         {{ buildMirrorLocations $server.Locations }}
@@ -779,13 +978,16 @@ http {
             access_log off;
             {{ end }}
 
+            # Ensure that modsecurity will not run on an internal location as this is not accessible from outside
+            {{ if $all.Cfg.EnableModsecurity }}
+            modsecurity off;
+            {{ end }}
+
             {{ if $externalAuth.AuthCacheKey }}
             set $tmp_cache_key '{{ $server.Hostname }}{{ $authPath }}{{ $externalAuth.AuthCacheKey }}';
             set $cache_key '';
 
-            rewrite_by_lua_block {
+            rewrite_by_lua_file /etc/nginx/lua/nginx/ngx_conf_rewrite_auth.lua;
-                ngx.var.cache_key = ngx.encode_base64(ngx.sha1_bin(ngx.var.tmp_cache_key))
-            }
 
             proxy_cache auth_cache;
 
@@ -861,6 +1063,10 @@ http {
             {{ $line }}
             {{- end }}
 
+            {{ if not (empty $externalAuth.AuthSnippet) }}
+            {{ $externalAuth.AuthSnippet }}
+            {{ end }}
+
             {{ if and (eq $applyAuthUpstream true) (eq $applyGlobalAuth false) }}
             {{ $authUpstreamName := buildAuthUpstreamName $location $server.Hostname }}
             # The target is an upstream with HTTP keepalive, that is why the
@@ -889,6 +1095,11 @@ http {
             {{ template "CORS" $location }}
             {{ end }}
 
+            # Ensure that modsecurity will not run on an internal location as this is not accessible from outside
+            {{ if $all.Cfg.EnableModsecurity }}
+            modsecurity off;
+            {{ end }}
+
             return 302 {{ buildAuthSignURL $externalAuth.SigninURL $externalAuth.SigninURLRedirectParam }};
         }
         {{ end }}
@@ -901,7 +1112,6 @@ http {
             set $service_name   {{ $ing.Service | quote }};
             set $service_port   {{ $ing.ServicePort | quote }};
             set $location_path  {{ $ing.Path | escapeLiteralDollar | quote }};
-            set $global_rate_limit_exceeding n;
 
             {{ buildOpentelemetryForLocation $all.Cfg.EnableOpentelemetry $all.Cfg.OpentelemetryTrustIncomingSpan $location }}
 
@@ -910,35 +1120,13 @@ http {
             mirror_request_body {{ $location.Mirror.RequestBody }};
             {{ end }}
 
-            rewrite_by_lua_block {
+            {{ locationConfigForLua $location $all }}
-                lua_ingress.rewrite({{ locationConfigForLua $location $all }})
-                balancer.rewrite()
-                plugins.run()
-            }
 
-            # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
+            rewrite_by_lua_file /etc/nginx/lua/nginx/ngx_rewrite.lua;
-            # will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
-            # other authentication method such as basic auth or external auth useless - all requests will be allowed.
-            #access_by_lua_block {
-            #}
 
-            header_filter_by_lua_block {
+            header_filter_by_lua_file /etc/nginx/lua/nginx/ngx_conf_srv_hdr_filter.lua;
-                lua_ingress.header()
-                plugins.run()
-            }
 
-            body_filter_by_lua_block {
+            log_by_lua_file /etc/nginx/lua/nginx/ngx_conf_log_block.lua;
-                plugins.run()
-            }
-
-            log_by_lua_block {
-                balancer.log()
-                {{ if $all.EnableMetrics }}
-                monitor.call()
-                {{ end }}
-
-                plugins.run()
-            }
 
             {{ if not $location.Logs.Access }}
             access_log off;
@@ -970,6 +1158,8 @@ http {
 
             set $proxy_alternative_upstream_name "";
 
+            {{ buildModSecurityForLocation $all.Cfg $location }}
+
             {{ if isLocationAllowed $location }}
             {{ if gt (len $location.Denylist.CIDR) 0 }}
             {{ range $ip := $location.Denylist.CIDR }}
@@ -1134,6 +1324,14 @@ http {
             grpc_read_timeout                       {{ $location.Proxy.ReadTimeout }}s;
             {{ end }}
 
+            {{/* Add any additional configuration defined */}}
+            {{ $location.ConfigurationSnippet }}
+
+            {{ if not (empty $all.Cfg.LocationSnippet) }}
+            # Custom code snippet configured in the configuration configmap
+            {{ $all.Cfg.LocationSnippet }}
+            {{ end }}
+
             {{ if $location.CustomHeaders }}
             # Custom Response Headers
             {{ range $k, $v := $location.CustomHeaders.Headers }}

internal/ingress/controller/template/crossplane/utils.go

@@ -25,6 +25,7 @@ import (
 
 	"k8s.io/ingress-nginx/internal/ingress/controller/config"
 	ing_net "k8s.io/ingress-nginx/internal/net"
+	"k8s.io/ingress-nginx/pkg/apis/ingress"
 )
 
 type seconds int
@@ -112,3 +113,31 @@ func dictKbToStr(size int) string {
 	}
 	return fmt.Sprintf("%dK", size)
 }
+
+func shouldLoadAuthDigestModule(servers []*ingress.Server) bool {
+	for _, server := range servers {
+		for _, location := range server.Locations {
+			if !location.BasicDigestAuth.Secured {
+				continue
+			}
+
+			if location.BasicDigestAuth.Type == "digest" {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+// shouldLoadOpentelemetryModule determines whether or not the Opentelemetry module needs to be loaded.
+// It checks if `enable-opentelemetry` is set in the ConfigMap.
+func shouldLoadOpentelemetryModule(servers []*ingress.Server) bool {
+	for _, server := range servers {
+		for _, location := range server.Locations {
+			if location.Opentelemetry.Enabled {
+				return true
+			}
+		}
+	}
+	return false
+}

magefiles/go.mod

@@ -8,23 +8,23 @@ require (
 	github.com/helm/helm v2.17.0+incompatible
 	github.com/magefile/mage v1.15.0
 	github.com/vmware-labs/yaml-jsonpath v0.3.2
-	golang.org/x/oauth2 v0.22.0
+	golang.org/x/oauth2 v0.23.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
 	github.com/BurntSushi/toml v1.3.2 // indirect
 	github.com/Masterminds/semver v1.5.0 // indirect
-	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
+	github.com/cyphar/filepath-securejoin v0.3.4 // indirect
 	github.com/dprotaso/go-yit v0.0.0-20191028211022-135eb7262960 // indirect
-	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/fsnotify/fsnotify v1.8.0 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/onsi/ginkgo v1.16.5 // indirect
-	github.com/onsi/gomega v1.34.1 // indirect
+	github.com/onsi/gomega v1.34.2 // indirect
 	github.com/sergi/go-diff v1.3.1 // indirect
 	github.com/stretchr/testify v1.9.0 // indirect
 	golang.org/x/crypto v0.31.0 // indirect
@@ -32,6 +32,6 @@ require (
 	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	k8s.io/apimachinery v0.31.0 // indirect
+	k8s.io/apimachinery v0.31.2 // indirect
 	k8s.io/helm v2.17.0+incompatible // indirect
 )

magefiles/go.sum

@@ -5,8 +5,7 @@ github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF0
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
+github.com/cyphar/filepath-securejoin v0.3.4 h1:VBWugsJh2ZxJmLFSM06/0qzQyiQX2Qs0ViKrUAcqdZ8=
-github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -14,8 +13,7 @@ github.com/dprotaso/go-yit v0.0.0-20191028211022-135eb7262960 h1:aRd8M7HJVZOqn/v
 github.com/dprotaso/go-yit v0.0.0-20191028211022-135eb7262960/go.mod h1:9HQzr9D/0PGwMEbC3d5AB7oi67+h4TsQqItC1GVYG58=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
-github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
+github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
-github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
 github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
@@ -64,7 +62,7 @@ github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042
 github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
-github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k=
+github.com/onsi/gomega v1.34.2 h1:pNCwDkzrsv7MS9kpaQvVb1aVLahQXyJ/Tv5oAZMI3i8=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
@@ -91,8 +89,8 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE=
+golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
-golang.org/x/oauth2 v0.22.0 h1:BzDx2FehcG7jJwgWLELCdmLuxk2i+x9UDpSiss2u0ZA=
+golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -149,6 +147,6 @@ gopkg.in/yaml.v3 v3.0.0-20191026110619-0b21df46bc1d/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/apimachinery v0.31.0 h1:m9jOiSr3FoSSL5WO9bjm1n6B9KROYYgNZOb4tyZ1lBc=
+k8s.io/apimachinery v0.31.2 h1:i4vUt2hPK56W6mlT7Ry+AO8eEsyxMD1U44NR22CLTYw=
 k8s.io/helm v2.17.0+incompatible h1:Bpn6o1wKLYqKM3+Osh8e+1/K2g/GsQJ4F4yNF2+deao=
 k8s.io/helm v2.17.0+incompatible/go.mod h1:LZzlS4LQBHfciFOurYBFkCMTaZ0D1l+p0teMg7TSULI=