diff --git a/controllers/nginx/pkg/cmd/controller/metrics.go b/controllers/nginx/pkg/cmd/controller/metrics.go
index d4c76fa27..c2b91d191 100644
--- a/controllers/nginx/pkg/cmd/controller/metrics.go
+++ b/controllers/nginx/pkg/cmd/controller/metrics.go
@@ -41,10 +41,10 @@ func (em exeMatcher) MatchAndName(nacl common.NameAndCmdline) (bool, string) {
 return em.name == cmd, ""
 }
-func (n *NGINXController) setupMonitor(args []string) {
+func (n *NGINXController) setupMonitor(args []string, vtsCollector *bool) {
 // TODO fix true
- pc, err := newProcessCollector(true, exeMatcher{"nginx", args}, false)
+ pc, err := newProcessCollector(true, exeMatcher{"nginx", args}, vtsCollector)
 if err != nil {
 glog.Warningf("unexpected error registering nginx collector: %v", err)
 }
@@ -58,7 +58,14 @@ func (n *NGINXController) setupMonitor(args []string) {
 }
 func (n *NGINXController) reloadMonitor(enableVts *bool) {
- n.namedProcessCollector.vtsCollector = enableVts
+
+ if enableVts == nil {
+ falseVar := false
+ n.namedProcessCollector.vtsCollector = &falseVar
+ return
+ }
+ falseVar := true
+ n.namedProcessCollector.vtsCollector = &falseVar
 }
 var (
@@ -238,7 +245,7 @@ type (
 func newProcessCollector(
 children bool,
 n common.MatchNamer,
- vtsCollector bool) (*namedProcessCollector, error) {
+ vtsCollector *bool) (*namedProcessCollector, error) {
 //fs, err := proc.NewFS("/proc")
 //if err != nil {
@@ -248,7 +255,7 @@ func newProcessCollector(
 scrapeChan: make(chan scrapeRequest),
 Grouper: proc.NewGrouper(children, n),
 //fs: fs,
- vtsCollector: &vtsCollector,
+ vtsCollector: vtsCollector,
 }
 //_, err = p.Update(p.fs.AllProcs())
@@ -272,7 +279,7 @@ func (p *namedProcessCollector) Describe(ch chan<- *prometheus.Desc) {
 ch <- memVirtualbytesDesc
 ch <- startTimeDesc
- if p.vtsCollector == true {
+ if *p.vtsCollector {
 ch <- vtsBytesDesc
 ch <- vtsCacheDesc
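Review bot: reloadMonitor (hunk at -58) ignores the value enableVts points to — any non-nil pointer, including one to false, enables VTS scraping, and the local that holds true is still named falseVar. Collapsing the two branches into `enabled := enableVts != nil && *enableVts` followed by `n.namedProcessCollector.vtsCollector = &enabled` keeps the nil-means-off behaviour and honours the caller's flag. Separately, this assignment swaps the pointer field while Describe and the start() request loop read it; if start() runs on its own goroutine, as the scrapeChan plumbing suggests, that read/write pair is unsynchronised and worth guarding with a mutex or an atomic.Bool.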
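Review bot: newProcessCollector (hunk at -248) now stores the caller's `*bool` verbatim with `vtsCollector: vtsCollector,`, and Describe (hunk at -272) and start() (hunk at -312) dereference it with `*p.vtsCollector` and no nil check, so a nil argument — which setupMonitor in the -41 hunk forwards unchanged — panics the first time either runs. The only callers visible on this page pass a non-nil pointer, so the invariant holds by convention alone; either validate it once here, `if vtsCollector == nil { return nil, errors.New("vtsCollector must not be nil") }`, or make the reads tolerant with `if p.vtsCollector != nil && *p.vtsCollector {`. The body of newProcessCollector continues outside the hunk.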
@@ -312,7 +319,7 @@ func (p *namedProcessCollector) start() {
 ch := req.results
 p.scrapeNginxStatus(ch)
- if &p.vtsCollector {
+ if *p.vtsCollector {
 p.scrapeVts(ch)
 }
@@ -471,3 +478,4 @@ func reflectMetrics(value interface{}, desc *prometheus.Desc, ch chan<- promethe
 }
 }
+
diff --git a/controllers/nginx/pkg/cmd/controller/nginx.go b/controllers/nginx/pkg/cmd/controller/nginx.go
index 61c6a5191..5592e01e6 100644
--- a/controllers/nginx/pkg/cmd/controller/nginx.go
+++ b/controllers/nginx/pkg/cmd/controller/nginx.go
@@ -159,8 +159,8 @@ func (n *NGINXController) start(cmd *exec.Cmd, done chan error) {
 done <- err
 return
 }
-
- n.setupMonitor(cmd.Args)
+ falseVar := false
+ n.setupMonitor(cmd.Args, &falseVar)
 go func() {
 done <- cmd.Wait()
diff --git a/controllers/nginx/rootfs/etc/nginx/nginx.conf b/controllers/nginx/rootfs/etc/nginx/nginx.conf
index 1b6ed9abe..4f90fb49c 100644
--- a/controllers/nginx/rootfs/etc/nginx/nginx.conf
+++ b/controllers/nginx/rootfs/etc/nginx/nginx.conf
@@ -58,16 +58,14 @@ http {
 server_tokens on;
- log_format upstreaminfo '$remote_addr - '
- '[$proxy_add_x_forwarded_for] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" '
- '$request_length $request_time [$proxy_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status';
+ log_format upstreaminfo '$remote_addr - [$proxy_add_x_forwarded_for] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status';
 map $request_uri $loggable {
 default 1;
 }
 access_log /var/log/nginx/access.log upstreaminfo if=$loggable;
- error_log /var/log/nginx/error.log debug;
+ error_log /var/log/nginx/error.log notice;
 resolver 10.52.0.10 valid=30s;
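Review bot: In the nginx.go hunk at -159 the flag passed to setupMonitor is named after its current value, `falseVar := false`, which says nothing about what it controls and will read wrongly the moment the initial value changes. Naming it for its role and recording why it starts off, `vtsEnabled := false // VTS scraping is switched on later via reloadMonitor` (hedged: that is what the metrics.go hunks on this page suggest, confirm against the reload path), makes the call site self-explaining; the same `falseVar` naming appears inside reloadMonitor in metrics.go. start() continues outside the hunk.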
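Review bot: The new side of nginx.conf (hunk at -58 and every later hunk in this file, -131 through -1214) is a rendered runtime configuration captured from one particular cluster rather than the controller's baseline: it carries a cluster-internal `resolver 10.52.0.10 valid=30s;`, pod addresses in the upstream blocks, staging hostnames and certificate paths, and the later hunks replace one environment's snapshot (per-location `allow`/`deny all` lists and `listen 8442 ssl` servers) with another's. Since the controller regenerates this file at runtime, the committed copy should be the minimal bootstrap config, and the environment-specific addresses and access lists do not belong in repository history. The `error_log` change from `debug` to `notice` in this hunk is the one deliberate edit and is reasonable on its own; a one-line comment above the `log_format` line stating that this file is a placeholder overwritten on startup would stop future dumps being committed.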
@@ -131,124 +129,39 @@ http { # In case of errors try the next upstream server before returning an error proxy_next_upstream error timeout invalid_header http_502 http_503 http_504; - upstream staging-auditlogs-80 { + upstream kube-system-kube-lego-nginx-8080 { least_conn; - server 10.51.77.7:20081 max_fails=0 fail_timeout=0; - } - upstream staging-authbox-80 { - least_conn; - server 10.51.36.10:3000 max_fails=0 fail_timeout=0; - server 10.51.99.4:3000 max_fails=0 fail_timeout=0; - } - upstream staging-authorizationmanager-80 { - least_conn; - server 10.51.72.6:3000 max_fails=0 fail_timeout=0; - server 10.51.77.17:3000 max_fails=0 fail_timeout=0; - } - upstream staging-backoffice-80 { - least_conn; - server 10.51.46.9:3000 max_fails=0 fail_timeout=0; - server 10.51.99.14:3000 max_fails=0 fail_timeout=0; - } - upstream staging-companymanager-80 { - least_conn; - server 10.51.36.8:3000 max_fails=0 fail_timeout=0; - server 10.51.46.7:3000 max_fails=0 fail_timeout=0; - } - upstream staging-default-http-backend-80 { - least_conn; - server 10.51.72.12:8080 max_fails=0 fail_timeout=0; - server 10.51.77.6:8080 max_fails=0 fail_timeout=0; - } - upstream staging-eid-80 { - least_conn; - server 10.51.104.9:3000 max_fails=0 fail_timeout=0; - server 10.51.72.15:3000 max_fails=0 fail_timeout=0; - } - upstream staging-esign2-80 { - least_conn; - server 10.51.22.3:3000 max_fails=0 fail_timeout=0; - } - upstream staging-evidencemanager-80 { - least_conn; - server 10.51.22.5:3000 max_fails=0 fail_timeout=0; - server 10.51.36.6:3000 max_fails=0 fail_timeout=0; - } - upstream staging-gateway-80 { - least_conn; - server 10.51.42.9:3000 max_fails=0 fail_timeout=0; - server 10.51.77.21:3000 max_fails=0 fail_timeout=0; - } - upstream staging-idin-80 { - least_conn; - server 10.51.46.3:3000 max_fails=0 fail_timeout=0; - server 10.51.99.12:3000 max_fails=0 fail_timeout=0; - } - upstream staging-idscan-80 { - least_conn; - server 127.0.0.1:8181 max_fails=0 fail_timeout=0; - } - upstream 
staging-invoicemanager-80 { - least_conn; - server 10.51.36.11:3000 max_fails=0 fail_timeout=0; - server 10.51.99.10:3000 max_fails=0 fail_timeout=0; - } - upstream staging-mockphone-80 { - least_conn; - server 10.51.72.13:3000 max_fails=0 fail_timeout=0; - server 10.51.77.22:3000 max_fails=0 fail_timeout=0; - } - upstream staging-mydigidentity-80 { - least_conn; - server 10.51.56.7:3000 max_fails=0 fail_timeout=0; - server 10.51.99.5:3000 max_fails=0 fail_timeout=0; - } - upstream staging-profilemanager-80 { - least_conn; - server 10.51.104.8:3000 max_fails=0 fail_timeout=0; - server 10.51.46.10:3000 max_fails=0 fail_timeout=0; - } - upstream staging-selfserviceportal-80 { - least_conn; - server 10.51.72.3:3000 max_fails=0 fail_timeout=0; - server 10.51.77.3:3000 max_fails=0 fail_timeout=0; - } - upstream staging-serviceprovider-80 { - least_conn; - server 10.51.104.3:3000 max_fails=0 fail_timeout=0; - server 10.51.72.16:3000 max_fails=0 fail_timeout=0; - } - upstream staging-smartcardmanager-80 { - least_conn; - server 10.51.77.7:20080 max_fails=0 fail_timeout=0; - } - upstream staging-sppp-80 { - least_conn; - server 10.51.42.11:3000 max_fails=0 fail_timeout=0; - server 10.51.46.6:3000 max_fails=0 fail_timeout=0; + server 10.51.42.2:8080 max_fails=0 fail_timeout=0; } upstream upstream-default-backend { least_conn; - server 127.0.0.1:8181 max_fails=0 fail_timeout=0; + server 10.51.104.5:8080 max_fails=0 fail_timeout=0; + server 10.51.42.8:8080 max_fails=0 fail_timeout=0; + server 10.51.72.7:8080 max_fails=0 fail_timeout=0; + server 10.51.77.9:8080 max_fails=0 fail_timeout=0; } server { server_name _; listen [::]:8080 ipv6only=off default_server reuseport backlog=511; - listen 8442 default_server reuseport backlog=511 ssl ; + listen [::]:4430 ipv6only=off default_server reuseport backlog=511 ssl ; #http2; # PEM sha: b23676658d28c219471e2200501312d7d188404c ssl_certificate /ingress-controller/ssl/system-snake-oil-certificate.pem; ssl_certificate_key 
/ingress-controller/ssl/system-snake-oil-certificate.pem; + #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; # location / { set $proxy_upstream_name "upstream-default-backend"; + port_in_redirect off; client_max_body_size "1m"; proxy_set_header Host $host; + # Pass the extracted client certificate to the backend + # Pass Real IP proxy_set_header X-Real-IP $remote_addr; @@ -274,11 +187,11 @@ http { proxy_redirect off; proxy_buffering off; proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; proxy_http_version 1.1; proxy_pass http://upstream-default-backend; } - # health checks in cloud providers require the use of port 80 location /healthz { access_log off; 
@@ -295,111 +208,26 @@ http { access_log off; #stub_status on; } - } - - server { - server_name audit-logs.digidentity-staging.eu; - listen [::]:8080; - listen 8442 ssl ; - # PEM sha: 0db8324e9ca712109f6dc21f8566b10c566adbca - ssl_certificate /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; - ssl_certificate_key /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; - - # - - location / { - set $proxy_upstream_name "staging-auditlogs-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - deny all; - - port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-auditlogs-80; - } } server { - server_name auth.digidentity-staging.eu; + server_name alertmanager.dta.ddy.systems; listen [::]:8080; - listen 8442 ssl ; - # PEM sha: 92115ea63b369c26de6da3154618a1c042a294d8 - ssl_certificate 
/ingress-controller/ssl/staging-auth.digidentity-staging.eu.pem; - ssl_certificate_key /ingress-controller/ssl/staging-auth.digidentity-staging.eu.pem; # - location /health-check { - set $proxy_upstream_name "staging-default-http-backend-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; + location /.well-known/acme-challenge { + set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } client_max_body_size "1m"; proxy_set_header Host $host; + # Pass the extracted client certificate to the backend + # Pass Real IP proxy_set_header X-Real-IP $remote_addr; 
@@ -425,559 +253,22 @@ http { proxy_redirect off; proxy_buffering off; proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://staging-default-http-backend-80; - } - location /checks { - set $proxy_upstream_name "staging-default-http-backend-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; - - port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-default-http-backend-80; - } - location / { - set $proxy_upstream_name "staging-authbox-80"; - - allow 213.125.23.194/32; - allow 34.195.0.0/16; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; - - 
port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-authbox-80; - } - - } - - server { - server_name backoffice.digidentity-staging.eu; - listen [::]:8080; - listen 8442 ssl ; - # PEM sha: 0db8324e9ca712109f6dc21f8566b10c566adbca - ssl_certificate /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; - ssl_certificate_key /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; - - # - - location / { - set $proxy_upstream_name "staging-backoffice-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - deny all; - - port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header 
Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-backoffice-80; - } - - } - - server { - server_name be.digidentity-staging.eu; - listen [::]:8080; - listen 8442 ssl ; - # PEM sha: b23676658d28c219471e2200501312d7d188404c - ssl_certificate /ingress-controller/ssl/system-snake-oil-certificate.pem; - ssl_certificate_key /ingress-controller/ssl/system-snake-oil-certificate.pem; - - # - - location /profiles { - set $proxy_upstream_name "staging-profilemanager-80"; - - allow 213.125.23.194/32; - allow 34.195.0.0/16; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; - - port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - 
proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-profilemanager-80; - } - location /invoices { - set $proxy_upstream_name "staging-invoicemanager-80"; - - allow 213.125.23.194/32; - allow 34.195.0.0/16; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; - - port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-invoicemanager-80; - } - location /idscan { - set $proxy_upstream_name "staging-idscan-80"; - - allow 213.125.23.194/32; 
- allow 34.195.0.0/16; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; - - port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-idscan-80; - } - location /evidences { - set $proxy_upstream_name "staging-evidencemanager-80"; - - allow 213.125.23.194/32; - allow 34.195.0.0/16; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; - - port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass Real IP - 
proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-evidencemanager-80; - } - location /companies { - set $proxy_upstream_name "staging-companymanager-80"; - - allow 213.125.23.194/32; - allow 34.195.0.0/16; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; - - port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - 
proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-companymanager-80; - } - location /authorizations { - set $proxy_upstream_name "staging-authorizationmanager-80"; - - allow 213.125.23.194/32; - allow 34.195.0.0/16; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; - - port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-authorizationmanager-80; + proxy_pass http://kube-system-kube-lego-nginx-8080; } location / { set $proxy_upstream_name "upstream-default-backend"; + port_in_redirect off; client_max_body_size "1m"; proxy_set_header Host $host; + # Pass the extracted client certificate to the backend + # Pass Real IP proxy_set_header X-Real-IP 
$remote_addr; @@ -1003,6 +294,7 @@ http { proxy_redirect off; proxy_buffering off; proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; proxy_http_version 1.1; proxy_pass http://upstream-default-backend; @@ -1011,46 +303,22 @@ http { } server { - server_name cauth2.digidentity-staging.eu; + server_name audit-logs.digidentity-staging.eu; listen [::]:8080; - listen 8442 ssl ; - # PEM sha: b23676658d28c219471e2200501312d7d188404c - ssl_certificate /ingress-controller/ssl/system-snake-oil-certificate.pem; - ssl_certificate_key /ingress-controller/ssl/system-snake-oil-certificate.pem; # - location /health-check { - set $proxy_upstream_name "staging-default-http-backend-80"; - - #Location denied, reason: an empty string is not a valid secret name - return 503; - } - location / { - set $proxy_upstream_name "staging-authbox-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; + location /.well-known/acme-challenge { + set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } client_max_body_size "1m"; proxy_set_header Host $host; + # Pass the extracted client certificate to the backend + # Pass Real IP proxy_set_header X-Real-IP $remote_addr; 
@@ -1076,52 +344,72 @@ http { proxy_redirect off; proxy_buffering off; proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://staging-authbox-80; + proxy_pass http://kube-system-kube-lego-nginx-8080; + } + location / { + set $proxy_upstream_name "upstream-default-backend"; + + port_in_redirect off; + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://upstream-default-backend; } } server { - server_name cdn.auth.digidentity-staging.eu; + server_name auth.digidentity-staging.eu; listen [::]:8080; - listen 8442 ssl ; - # PEM sha: 68caaa6d34f7d66875adb214e4c4a41ab2163c01 - ssl_certificate /ingress-controller/ssl/staging-cdn.auth.digidentity-staging.eu.pem; - ssl_certificate_key /ingress-controller/ssl/staging-cdn.auth.digidentity-staging.eu.pem; # - location / { - set $proxy_upstream_name "staging-authbox-80"; - - allow 213.125.23.194/32; - allow 34.195.0.0/16; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 
84.104.29.40/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; + location /.well-known/acme-challenge { + set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } client_max_body_size "1m"; proxy_set_header Host $host; + # Pass the extracted client certificate to the backend + # Pass Real IP proxy_set_header X-Real-IP $remote_addr; 
@@ -1147,48 +435,72 @@ http { proxy_redirect off; proxy_buffering off; proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://staging-authbox-80; + proxy_pass http://kube-system-kube-lego-nginx-8080; + } + location / { + set $proxy_upstream_name "upstream-default-backend"; + + port_in_redirect off; + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://upstream-default-backend; } } server { - server_name cdn.my.digidentity-staging.eu; + server_name backoffice.digidentity-staging.eu; listen [::]:8080; - listen 8442 ssl ; - # PEM sha: ccc3acf6b424b944785e6b685394db7c0409abb3 - ssl_certificate /ingress-controller/ssl/staging-cdn.my.digidentity-staging.eu.pem; - ssl_certificate_key /ingress-controller/ssl/staging-cdn.my.digidentity-staging.eu.pem; # - location /health-check { - set $proxy_upstream_name "staging-default-http-backend-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 
95.211.121.65/32; - deny all; + location /.well-known/acme-challenge { + set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } client_max_body_size "1m"; proxy_set_header Host $host; + # Pass the extracted client certificate to the backend + # Pass Real IP proxy_set_header X-Real-IP $remote_addr; 
@@ -1214,93 +526,22 @@ http { proxy_redirect off; proxy_buffering off; proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://staging-default-http-backend-80; - } - location /checks { - set $proxy_upstream_name "staging-default-http-backend-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; - - port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-default-http-backend-80; + proxy_pass http://kube-system-kube-lego-nginx-8080; } location / { - set $proxy_upstream_name "staging-mydigidentity-80"; - - allow 213.125.23.194/32; - allow 34.195.0.0/16; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 
94.208.108.253/32; - allow 95.211.121.65/32; - deny all; + set $proxy_upstream_name "upstream-default-backend"; port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } client_max_body_size "1m"; proxy_set_header Host $host; + # Pass the extracted client certificate to the backend + # Pass Real IP proxy_set_header X-Real-IP $remote_addr; 
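Review bot: The added line `# Pass the extracted client certificate to the backend` is followed by a blank line and no directive in both location blocks of this hunk, so the comment documents a header that is never set. Presumably the template emits the comment unconditionally and the matching `proxy_set_header` only when the ingress has client-certificate authentication configured; the comment should be placed inside the same conditional so a rendered block does not claim to forward a certificate it does not forward. The same dangling comment appears in every other location block of this file (hunks `-1147`, `-1326`, `-1336` and onward), so the fix belongs in the template rather than in this rendered file.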
@@ -1326,9 +567,283 @@ http { proxy_redirect off; proxy_buffering off; proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://staging-mydigidentity-80; + proxy_pass http://upstream-default-backend; + } + + } + + server { + server_name be.digidentity-staging.eu; + listen [::]:8080; + + # + + location /.well-known/acme-challenge { + set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; + + port_in_redirect off; + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://kube-system-kube-lego-nginx-8080; + } + location / { + set $proxy_upstream_name "upstream-default-backend"; + + port_in_redirect off; + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header 
X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://upstream-default-backend; + } + + } + + server { + server_name cauth.digidentity-staging.eu; + listen [::]:8080; + + # + + location /.well-known/acme-challenge { + set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; + + port_in_redirect off; + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://kube-system-kube-lego-nginx-8080; + } + location / { + set $proxy_upstream_name "upstream-default-backend"; + + port_in_redirect off; + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; 
+ proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://upstream-default-backend; + } + + } + + server { + server_name dash.ddy.systems; + listen [::]:8080; + + # + + location /.well-known/acme-challenge { + set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; + + port_in_redirect off; + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://kube-system-kube-lego-nginx-8080; + } + location / { + set $proxy_upstream_name "upstream-default-backend"; + + port_in_redirect off; + + client_max_body_size "1m"; + + 
proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://upstream-default-backend; } } 
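Review bot: The new server blocks for `be.digidentity-staging.eu`, `cauth.digidentity-staging.eu` and `dash.ddy.systems` listen only on `[::]:8080` with no TLS listener, and apart from the ACME challenge path their only location is `proxy_pass http://upstream-default-backend`, so each of these hosts serves nothing but the default backend over plain HTTP. The bare `#` line directly under `listen` is where the removed hunks carried `# PEM sha:`, which suggests no certificate was resolved for these hosts at render time; if so the ingress TLS secrets were missing rather than the template being wrong, but if this file is intended as reference output it now documents hosts with neither TLS nor the former `return 301 https://$host$request_uri;` redirect. Worth confirming which is intended before the rendered file is committed.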
@@ -1336,42 +851,20 @@ http { server { server_name eid.digidentity-staging.eu; listen [::]:8080; - listen 8442 ssl ; - # PEM sha: a342af52002527fa15e351d8dae40e1cf79318a3 - ssl_certificate /ingress-controller/ssl/staging-eid.digidentity-staging.eu.pem; - ssl_certificate_key /ingress-controller/ssl/staging-eid.digidentity-staging.eu.pem; # - location / { - set $proxy_upstream_name "staging-eid-80"; - - allow 213.125.23.194/32; - allow 34.195.0.0/16; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; + location /.well-known/acme-challenge { + set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } client_max_body_size "1m"; proxy_set_header Host $host; + # Pass the extracted client certificate to the backend + # Pass Real IP proxy_set_header X-Real-IP $remote_addr; 
@@ -1397,9 +890,51 @@ http { proxy_redirect off; proxy_buffering off; proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://staging-eid-80; + proxy_pass http://kube-system-kube-lego-nginx-8080; + } + location / { + set $proxy_upstream_name "upstream-default-backend"; + + port_in_redirect off; + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://upstream-default-backend; } } 
@@ -1407,34 +942,20 @@ http { server { server_name esign2.digidentity-staging.eu; listen [::]:8080; - listen 8442 ssl ; - # PEM sha: 0701c2076c52e17e64b7b8928f22483d04e7b937 - ssl_certificate /ingress-controller/ssl/staging-esign2-digidentity-staging.eu.pem; - ssl_certificate_key /ingress-controller/ssl/staging-esign2-digidentity-staging.eu.pem; # - location / { - set $proxy_upstream_name "staging-esign2-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; + location /.well-known/acme-challenge { + set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } client_max_body_size "1m"; proxy_set_header Host $host; + # Pass the extracted client certificate to the backend + # Pass Real IP proxy_set_header X-Real-IP $remote_addr; 
@@ -1460,9 +981,51 @@ http { proxy_redirect off; proxy_buffering off; proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://staging-esign2-80; + proxy_pass http://kube-system-kube-lego-nginx-8080; + } + location / { + set $proxy_upstream_name "upstream-default-backend"; + + port_in_redirect off; + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://upstream-default-backend; } } 
@@ -1470,38 +1033,20 @@ http { server { server_name gate.digidentity-staging.eu; listen [::]:8080; - listen 8442 ssl ; - # PEM sha: 381a5918528e4b3a4660755ef9ad39f655ec0dea - ssl_certificate /ingress-controller/ssl/staging-gate.digidentity-staging.eu.pem; - ssl_certificate_key /ingress-controller/ssl/staging-gate.digidentity-staging.eu.pem; # - location /health-check { - set $proxy_upstream_name "staging-default-http-backend-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; + location /.well-known/acme-challenge { + set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } client_max_body_size "1m"; proxy_set_header Host $host; + # Pass the extracted client certificate to the backend + # Pass Real IP proxy_set_header X-Real-IP $remote_addr; 
@@ -1527,93 +1072,22 @@ http { proxy_redirect off; proxy_buffering off; proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://staging-default-http-backend-80; - } - location /checks { - set $proxy_upstream_name "staging-default-http-backend-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; - - port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-default-http-backend-80; + proxy_pass http://kube-system-kube-lego-nginx-8080; } location / { - set $proxy_upstream_name "staging-gateway-80"; - - allow 213.125.23.194/32; - allow 34.195.0.0/16; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 
94.208.108.253/32; - allow 95.211.121.65/32; - deny all; + set $proxy_upstream_name "upstream-default-backend"; port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } client_max_body_size "1m"; proxy_set_header Host $host; + # Pass the extracted client certificate to the backend + # Pass Real IP proxy_set_header X-Real-IP $remote_addr; @@ -1639,9 +1113,10 @@ http { proxy_redirect off; proxy_buffering off; proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://staging-gateway-80; + proxy_pass http://upstream-default-backend; } } @@ -1649,38 +1124,20 @@ http { server { server_name gateway.digidentity-staging.eu; listen [::]:8080; - listen 8442 ssl ; - # PEM sha: ac978850271a8aaffd3c27ab39283d7b888f6357 - ssl_certificate /ingress-controller/ssl/staging-eherkenning-digidentity-staging.eu.pem; - ssl_certificate_key /ingress-controller/ssl/staging-eherkenning-digidentity-staging.eu.pem; # - location /health-check { - set $proxy_upstream_name "staging-default-http-backend-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; + location /.well-known/acme-challenge { + set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } client_max_body_size "1m"; proxy_set_header Host $host; + # Pass the extracted client certificate to the backend + # Pass Real IP proxy_set_header X-Real-IP $remote_addr; 
@@ -1706,72 +1163,22 @@ http { proxy_redirect off; proxy_buffering off; proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://staging-default-http-backend-80; - } - location /checks { - set $proxy_upstream_name "staging-default-http-backend-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; - - port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-default-http-backend-80; + proxy_pass http://kube-system-kube-lego-nginx-8080; } location / { set $proxy_upstream_name "upstream-default-backend"; + port_in_redirect off; client_max_body_size "1m"; proxy_set_header Host $host; + # Pass the extracted client certificate to the backend + # Pass Real IP proxy_set_header X-Real-IP $remote_addr; 
@@ -1797,6 +1204,189 @@ http { proxy_redirect off; proxy_buffering off; proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://upstream-default-backend; + } + + } + + server { + server_name gitlab.dmtw.nl; + listen [::]:8080; + + # + + location /.well-known/acme-challenge { + set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; + + port_in_redirect off; + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://kube-system-kube-lego-nginx-8080; + } + location / { + set $proxy_upstream_name "upstream-default-backend"; + + port_in_redirect off; + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate 
HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://upstream-default-backend; + } + + } + + server { + server_name grafana.dta.ddy.systems; + listen [::]:8080; + + # + + location /.well-known/acme-challenge { + set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; + + port_in_redirect off; + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://kube-system-kube-lego-nginx-8080; + } + location / { + set $proxy_upstream_name "upstream-default-backend"; + + port_in_redirect off; + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + 
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; proxy_http_version 1.1; proxy_pass http://upstream-default-backend; @@ -1807,38 +1397,20 @@ http { server { server_name idin.digidentity-staging.eu; listen [::]:8080; - listen 8442 ssl ; - # PEM sha: ac978850271a8aaffd3c27ab39283d7b888f6357 - ssl_certificate /ingress-controller/ssl/staging-eherkenning-digidentity-staging.eu.pem; - ssl_certificate_key /ingress-controller/ssl/staging-eherkenning-digidentity-staging.eu.pem; # - location /health-check { - set $proxy_upstream_name "staging-default-http-backend-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; + location /.well-known/acme-challenge { + set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } client_max_body_size "1m"; proxy_set_header Host $host; + # Pass the extracted client certificate to the backend + # Pass Real IP proxy_set_header X-Real-IP $remote_addr; 
@@ -1864,93 +1436,22 @@ http { proxy_redirect off; proxy_buffering off; proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://staging-default-http-backend-80; - } - location /checks { - set $proxy_upstream_name "staging-default-http-backend-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; - - port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-default-http-backend-80; + proxy_pass http://kube-system-kube-lego-nginx-8080; } location / { - set $proxy_upstream_name "staging-idin-80"; - - allow 213.125.23.194/32; - allow 34.195.0.0/16; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 
94.208.108.253/32; - allow 95.211.121.65/32; - deny all; + set $proxy_upstream_name "upstream-default-backend"; port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } client_max_body_size "1m"; proxy_set_header Host $host; + # Pass the extracted client certificate to the backend + # Pass Real IP proxy_set_header X-Real-IP $remote_addr; 
@@ -1976,9 +1477,101 @@ http { proxy_redirect off; proxy_buffering off; proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://staging-idin-80; + proxy_pass http://upstream-default-backend; + } + + } + + server { + server_name kibana.dta.ddy.systems; + listen [::]:8080; + + # + + location /.well-known/acme-challenge { + set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; + + port_in_redirect off; + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://kube-system-kube-lego-nginx-8080; + } + location / { + set $proxy_upstream_name "upstream-default-backend"; + + port_in_redirect off; + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header 
X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://upstream-default-backend; } } @@ -1986,39 +1579,20 @@ http { server { server_name mock.digidentity-staging.eu; listen [::]:8080; - listen 8442 ssl ; - # PEM sha: 0db8324e9ca712109f6dc21f8566b10c566adbca - ssl_certificate /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; - ssl_certificate_key /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; # - location /serviceprovider { - set $proxy_upstream_name "staging-serviceprovider-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - deny all; + location /.well-known/acme-challenge { + set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } client_max_body_size "1m"; proxy_set_header Host $host; + # Pass the extracted client certificate to the backend + # Pass Real IP proxy_set_header X-Real-IP $remote_addr; 
@@ -2044,73 +1618,22 @@ http { proxy_redirect off; proxy_buffering off; proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://staging-serviceprovider-80; - } - location /phone { - set $proxy_upstream_name "staging-mockphone-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - deny all; - - port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-mockphone-80; + proxy_pass http://kube-system-kube-lego-nginx-8080; } location / { set $proxy_upstream_name "upstream-default-backend"; + port_in_redirect off; client_max_body_size "1m"; proxy_set_header Host $host; + # Pass the extracted client certificate to the backend + # Pass Real IP proxy_set_header X-Real-IP $remote_addr; 
@@ -2136,6 +1659,7 @@ http { proxy_redirect off; proxy_buffering off; proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; proxy_http_version 1.1; proxy_pass http://upstream-default-backend;
@@ -2146,38 +1670,20 @@ http { server { server_name my.digidentity-staging.eu; listen [::]:8080; - listen 8442 ssl ; - # PEM sha: 8750503f72e9e522ea87d0d7bfb39c12832abe40 - ssl_certificate /ingress-controller/ssl/staging-my.digidentity-staging.eu.pem; - ssl_certificate_key /ingress-controller/ssl/staging-my.digidentity-staging.eu.pem; # - location /health-check { - set $proxy_upstream_name "staging-default-http-backend-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; + location /.well-known/acme-challenge { + set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } client_max_body_size "1m"; proxy_set_header Host $host; + # Pass the extracted client certificate to the backend + # Pass Real IP proxy_set_header X-Real-IP $remote_addr; 
@@ -2203,93 +1709,22 @@ http { proxy_redirect off; proxy_buffering off; proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://staging-default-http-backend-80; - } - location /checks { - set $proxy_upstream_name "staging-default-http-backend-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; - - port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } - - client_max_body_size "1m"; - - proxy_set_header Host $host; - - # Pass Real IP - proxy_set_header X-Real-IP $remote_addr; - - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - - # mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; - - # Custom headers - - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; - - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "4k"; - - proxy_http_version 1.1; - proxy_pass http://staging-default-http-backend-80; + proxy_pass http://kube-system-kube-lego-nginx-8080; } location / { - set $proxy_upstream_name "staging-mydigidentity-80"; - - allow 213.125.23.194/32; - allow 34.195.0.0/16; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 
94.208.108.253/32; - allow 95.211.121.65/32; - deny all; + set $proxy_upstream_name "upstream-default-backend"; port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } client_max_body_size "1m"; proxy_set_header Host $host; + # Pass the extracted client certificate to the backend + # Pass Real IP proxy_set_header X-Real-IP $remote_addr; 
@@ -2315,9 +1750,192 @@ http { proxy_redirect off; proxy_buffering off; proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://staging-mydigidentity-80; + proxy_pass http://upstream-default-backend; + } + + } + + server { + server_name prd.dmtw.nl; + listen [::]:8080; + + # + + location /.well-known/acme-challenge { + set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; + + port_in_redirect off; + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://kube-system-kube-lego-nginx-8080; + } + location / { + set $proxy_upstream_name "upstream-default-backend"; + + port_in_redirect off; + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header 
X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://upstream-default-backend; + } + + } + + server { + server_name prometheus.dta.ddy.systems; + listen [::]:8080; + + # + + location /.well-known/acme-challenge { + set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; + + port_in_redirect off; + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://kube-system-kube-lego-nginx-8080; + } + location / { + set $proxy_upstream_name "upstream-default-backend"; + + port_in_redirect off; + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + 
proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://upstream-default-backend; } } @@ -2325,42 +1943,20 @@ http { server { server_name selfserviceportal.digidentity-staging.eu; listen [::]:8080; - listen 8442 ssl ; - # PEM sha: b23676658d28c219471e2200501312d7d188404c - ssl_certificate /ingress-controller/ssl/system-snake-oil-certificate.pem; - ssl_certificate_key /ingress-controller/ssl/system-snake-oil-certificate.pem; # - location / { - set $proxy_upstream_name "staging-selfserviceportal-80"; - - allow 213.125.23.194/32; - allow 34.195.0.0/16; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 82.169.78.168/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - allow 95.211.121.65/32; - deny all; + location /.well-known/acme-challenge { + set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } client_max_body_size "1m"; proxy_set_header Host $host; + # Pass the extracted client certificate to the backend + # Pass Real IP proxy_set_header X-Real-IP $remote_addr; 
@@ -2386,9 +1982,51 @@ http { proxy_redirect off; proxy_buffering off; proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://staging-selfserviceportal-80; + proxy_pass http://kube-system-kube-lego-nginx-8080; + } + location / { + set $proxy_upstream_name "upstream-default-backend"; + + port_in_redirect off; + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://upstream-default-backend; } } 
@@ -2396,33 +2034,20 @@ http { server { server_name serviceprovider.digidentity-staging.eu; listen [::]:8080; - listen 8442 ssl ; - # PEM sha: 47958609f9487195f6f78abdb1133492dd2e4429 - ssl_certificate /ingress-controller/ssl/staging-serviceprovider-https.pem; - ssl_certificate_key /ingress-controller/ssl/staging-serviceprovider-https.pem; # - location / { - set $proxy_upstream_name "staging-serviceprovider-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 77.250.52.167/32; - allow 83.85.75.129/32; - allow 84.104.29.40/32; - deny all; + location /.well-known/acme-challenge { + set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } client_max_body_size "1m"; proxy_set_header Host $host; + # Pass the extracted client certificate to the backend + # Pass Real IP proxy_set_header X-Real-IP $remote_addr; 
@@ -2448,9 +2073,51 @@ http { proxy_redirect off; proxy_buffering off; proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://staging-serviceprovider-80; + proxy_pass http://kube-system-kube-lego-nginx-8080; + } + location / { + set $proxy_upstream_name "upstream-default-backend"; + + port_in_redirect off; + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://upstream-default-backend; } } 
@@ -2458,39 +2125,20 @@ http { server { server_name smartcards.digidentity-staging.eu; listen [::]:8080; - listen 8442 ssl ; - # PEM sha: 0db8324e9ca712109f6dc21f8566b10c566adbca - ssl_certificate /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; - ssl_certificate_key /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; # - location / { - set $proxy_upstream_name "staging-smartcardmanager-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 52.212.176.193/32; - allow 62.45.127.65/32; - allow 77.250.52.167/32; - allow 82.161.109.153/32; - allow 83.85.75.129/32; - allow 83.86.83.47/32; - allow 84.104.29.40/32; - allow 90.145.204.64/26; - allow 94.208.108.253/32; - deny all; + location /.well-known/acme-challenge { + set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } client_max_body_size "1m"; proxy_set_header Host $host; + # Pass the extracted client certificate to the backend + # Pass Real IP proxy_set_header X-Real-IP $remote_addr; 
@@ -2516,9 +2164,51 @@ http { proxy_redirect off; proxy_buffering off; proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://staging-smartcardmanager-80; + proxy_pass http://kube-system-kube-lego-nginx-8080; + } + location / { + set $proxy_upstream_name "upstream-default-backend"; + + port_in_redirect off; + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://upstream-default-backend; } } 
@@ -2526,25 +2216,20 @@ http { server { server_name sns.digidentity-staging.eu; listen [::]:8080; - listen 8442 ssl ; - # PEM sha: 7f4e396f628630573c27cb3883f0b2428a210378 - ssl_certificate /ingress-controller/ssl/staging-sns.digidentity-staging.eu.pem; - ssl_certificate_key /ingress-controller/ssl/staging-sns.digidentity-staging.eu.pem; # - location /invoices/api/v1/email_notifications { - set $proxy_upstream_name "staging-invoicemanager-80"; + location /.well-known/acme-challenge { + set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; + port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } client_max_body_size "1m"; proxy_set_header Host $host; + # Pass the extracted client certificate to the backend + # Pass Real IP proxy_set_header X-Real-IP $remote_addr;
@@ -2570,18 +2255,22 @@ http { proxy_redirect off; proxy_buffering off; proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://staging-invoicemanager-80; + proxy_pass http://kube-system-kube-lego-nginx-8080; } location / { set $proxy_upstream_name "upstream-default-backend"; + port_in_redirect off; client_max_body_size "1m"; proxy_set_header Host $host; + # Pass the extracted client certificate to the backend + # Pass Real IP proxy_set_header X-Real-IP $remote_addr;
@@ -2607,6 +2296,7 @@ http { proxy_redirect off; proxy_buffering off; proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; proxy_http_version 1.1; proxy_pass http://upstream-default-backend; 
@@ -2617,33 +2307,20 @@ http { server { server_name sppp.digidentity-staging.eu; listen [::]:8080; - listen 8442 ssl ; - # PEM sha: 47958609f9487195f6f78abdb1133492dd2e4429 - ssl_certificate /ingress-controller/ssl/staging-serviceprovider-https.pem; - ssl_certificate_key /ingress-controller/ssl/staging-serviceprovider-https.pem; # - location / { - set $proxy_upstream_name "staging-sppp-80"; - - allow 213.125.23.194/32; - allow 52.18.61.164/32; - allow 77.250.52.167/32; - allow 83.85.75.129/32; - allow 84.104.29.40/32; - deny all; + location /.well-known/acme-challenge { + set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; port_in_redirect off; - # enforce ssl on server side - if ($scheme = http) { - return 301 https://$host$request_uri; - } client_max_body_size "1m"; proxy_set_header Host $host; + # Pass the extracted client certificate to the backend + # Pass Real IP proxy_set_header X-Real-IP $remote_addr; 
@@ -2669,9 +2346,51 @@ http { proxy_redirect off; proxy_buffering off; proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://staging-sppp-80; + proxy_pass http://kube-system-kube-lego-nginx-8080; + } + location / { + set $proxy_upstream_name "upstream-default-backend"; + + port_in_redirect off; + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://upstream-default-backend; } }
@@ -2709,18 +2428,14 @@ http { set $proxy_upstream_name "upstream-default-backend"; proxy_pass http://upstream-default-backend; } - } - # default server for services without endpoints server { listen 8181; set $proxy_upstream_name "-"; location / { - return 503; - } } }
diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
index b9ff267fe..f86375ee1 100644
--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl 
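Review bot: In the `@@ -2709,18 +2428,14 @@` hunk the fallback server on `listen 8181` keeps `location / {` but loses `return 503;`, so on the new side the location body is empty and a request for a service without endpoints falls through to nginx's default static handling instead of answering 503. The hunk also removes two closing braces (`- }` before the `# default server` comment and `- }` after `return 503;`) while adding no opening ones, so unless something outside the hunk compensates, the enclosing `server`/`http` blocks are left unbalanced and `nginx -t` will reject the file. The template hunk for this block (`@@ -517,44 +521,14 @@` in nginx.tmpl) still emits `return 503;` in its `{{ else }}` branch, so this rendered file and the template disagree; the location should read `location / { return 503; }` with the braces restored.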
@@ -213,7 +213,11 @@ http { listen {{ if not $cfg.DisableIpv6 }}[::]:{{ end }}80{{ if $cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ if eq $server.Hostname "_"}} default_server {{ if not $cfg.DisableIpv6 }}ipv6only=off{{end}} reuseport backlog={{ $backlogSize }}{{end}}; {{/* Listen on 442 because port 443 is used in the stream section */}} {{/* This listen on port 442 cannot contains proxy_protocol directive because port 443 is in charge of decoding the protocol */}}
+<<<<<<< HEAD
 {{ if not (empty $server.SSLCertificate) }}listen {{ if gt (len $passthroughBackends) 0 }}442{{ else }}{{ if not $cfg.DisableIpv6 }}[::]:{{ end }}443 {{ if $cfg.UseProxyProtocol }} proxy_protocol {{ end }}{{ end }} {{ if eq $server.Hostname "_"}} default_server {{ if not $cfg.DisableIpv6 }}ipv6only=off{{end}} reuseport backlog={{ $backlogSize }}{{end}} ssl {{ if $cfg.UseHTTP2 }}http2{{ end }};
+=======
+ {{ if not (empty $server.SSLCertificate) }}listen {{ if gt (len $passthroughBackends) 0 }}4420{{ else }}[::]:4430 {{ if $cfg.UseProxyProtocol }} proxy_protocol {{ end }}{{ end }} {{ if eq $index 0 }} ipv6only=off{{end}} {{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $backlogSize }}{{end}} ssl ; #{{ if $cfg.UseHTTP2 }}http2{{ end }};
+>>>>>>> run e2e
 {{/* comment PEM sha is required to detect changes in the generated configuration and force a reload */}} # PEM sha: {{ $server.SSLPemChecksum }} ssl_certificate {{ $server.SSLCertificate }};
@@ -221,7 +225,7 @@ http { {{ end }} {{ if (and (not (empty $server.SSLCertificate)) $cfg.HSTS) }}
- more_set_headers "Strict-Transport-Security: max-age={{ $cfg.HSTSMaxAge }}{{ if $cfg.HSTSIncludeSubdomains }}; includeSubDomains{{ end }}; preload";
+ #more_set_headers "Strict-Transport-Security: max-age={{ $cfg.HSTSMaxAge }}{{ if $cfg.HSTSIncludeSubdomains }}; includeSubDomains{{ end }}; preload";
 {{ end }} {{ if $cfg.EnableVtsStatus }}vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name;{{ end }} 
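Review bot: The added `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> run e2e` lines are unresolved merge-conflict markers; text/template copies them through as literal text, so they land in the generated nginx.conf and nginx rejects the file at that point. The same markers are added in the `@@ -437,6 +440,7 @@` and `@@ -517,44 +521,14 @@` hunks of this file, so the template cannot render as committed. One side has to be chosen here: the `run e2e` side hard-codes `[::]:4430` regardless of `$cfg.DisableIpv6`, ends the directive with a stray `;` and turns the HTTP/2 flag into a comment (`#{{ if $cfg.UseHTTP2 }}http2{{ end }};`), so `UseHTTP2` silently stops having any effect, and it references `$index`, which is a parse error unless an enclosing range declares it. If the alternate 4420/4430 ports are needed for the e2e run, gating them behind a config field on the HEAD line keeps both the IPv6 and HTTP/2 options working.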
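Review bot: Prefixing the `more_set_headers "Strict-Transport-Security: ..."` line with `#` leaves the `{{ if (and (not (empty $server.SSLCertificate)) $cfg.HSTS) }}` block emitting only a comment, so the HSTS option still parses but no longer sets the header for any TLS server, and clients that cached it keep the policy only until their stored `max-age` runs out. If HSTS needs to be off for the e2e run, disable `$cfg.HSTS` through the controller's ConfigMap for that environment instead of editing the template, or at least leave a comment saying why it is disabled; otherwise restore `more_set_headers "Strict-Transport-Security: max-age={{ $cfg.HSTSMaxAge }}{{ if $cfg.HSTSIncludeSubdomains }}; includeSubDomains{{ end }}; preload";`.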
@@ -384,7 +388,6 @@ http { } {{ end }}
- {{ template "CUSTOM_ERRORS" $cfg }}
 } {{ end }}
@@ -427,9 +430,9 @@ http { set $proxy_upstream_name "upstream-default-backend"; proxy_pass http://upstream-default-backend; }
- {{ template "CUSTOM_ERRORS" $cfg }}
 }
+ # default server for services without endpoints
 server { listen 8181;
@@ -437,6 +440,7 @@ http { location / { {{ if .CustomErrors }}
+<<<<<<< HEAD
 content_by_lua_block { openURL(ngx.req.get_headers(0), 503) } 
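Review bot: Dropping `{{ template "CUSTOM_ERRORS" $cfg }}` from the per-server block (`@@ -384,7 +388,6 @@`) and from the default server (`@@ -427,9 +430,9 @@`) means no `location @custom_NNN` blocks are generated any more; if the servers still emit `error_page ... @custom_{{ $errCode }}` directives elsewhere in the template (not visible in this chunk), nginx will reject the rendered config for referencing undefined named locations, and if they do not, `CustomHTTPErrors` becomes a silent no-op. Either way the commit message should say the custom-error feature is being removed or the calls should stay. The enclosing server blocks and `{{ range }}` start outside these hunks.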
@@ -517,44 +521,14 @@ stream { {{ range $errCode := .CustomHTTPErrors }} location @custom_{{ $errCode }} { internal; +======= +>>>>>>> run e2e content_by_lua_block { - openURL(ngx.req.get_headers(0), {{ $errCode }}) + openURL(ngx.req.get_headers(0), 503) } + {{ else }} + return 503; + {{ end }} } - {{ end }} -{{ end }} - -{{/* CORS support from https://michielkalkman.com/snippets/nginx-cors-open-configuration.html */}} -{{ define "CORS" }} - if ($request_method = 'OPTIONS') { - add_header 'Access-Control-Allow-Origin' '*'; - # - # Om nom nom cookies - # - add_header 'Access-Control-Allow-Credentials' 'true'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - # - # Custom headers and headers various browsers *should* be OK with but aren't - # - add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; - # - # Tell client that this pre-flight info is valid for 20 days - # - add_header 'Access-Control-Max-Age' 1728000; - add_header 'Content-Type' 'text/plain charset=UTF-8'; - add_header 'Content-Length' 0; - return 204; - } - if ($request_method = 'POST') { - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Credentials' 'true'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; - } - if ($request_method = 'GET') { - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Credentials' 'true'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; - } -{{ end }} + } +} \ No newline at end of file
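Review bot: On the new side the `{{ range $errCode := .CustomHTTPErrors }}` that opens `location @custom_{{ $errCode }}` is never closed: both removed `{{ end }}` lines are gone and the added `{{ else }}` / `{{ end }}` pair belongs to the `{{ if .CustomErrors }}` opened in the `@@ -437` hunk, so text/template fails to parse the file with an unclosed range. Inside that still-open range body, `openURL(ngx.req.get_headers(0), 503)` replaces the per-code `{{ $errCode }}`, so every custom error location would report 503 regardless of the status it was meant to serve. Deleting `{{ define "CORS" }}` is safe only if no `{{ template "CORS" }}` call remains elsewhere in the template; that cannot be confirmed from this chunk and is worth checking before merge. The file now also ends without a trailing newline (`\ No newline at end of file`), which is worth restoring for clean future diffs.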