From 4fbe1ed422792c5a32267f8d708ebd231e873c2b Mon Sep 17 00:00:00 2001 From: chentao1596 Date: Tue, 17 Jan 2017 10:14:36 +0800 Subject: [PATCH 1/2] add description for 'map-hash-bucket-size' --- controllers/nginx/configuration.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/controllers/nginx/configuration.md b/controllers/nginx/configuration.md index 9d4bd03ea..77d615c08 100644 --- a/controllers/nginx/configuration.md +++ b/controllers/nginx/configuration.md @@ -235,6 +235,10 @@ http://nginx.org/en/docs/hash.html http://nginx.org/en/docs/hash.html http://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_bucket_size + +**map-hash-bucket-size:** Sets the bucket size for the [map variables hash tables](http://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_bucket_size). The details of setting up hash tables are provided in a separate [document](http://nginx.org/en/docs/hash.html) + + **ssl-buffer-size:** Sets the size of the [SSL buffer](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size) used for sending data. 4k helps NGINX to improve TLS Time To First Byte (TTTFB) https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/ From af8f2881f1edadd3a44686b5e0f6d1eb15fa3336 Mon Sep 17 00:00:00 2001 From: chentao1596 Date: Wed, 18 Jan 2017 10:04:34 +0800 Subject: [PATCH 2/2] add content: Server-side HTTPS enforcement through redirect --- controllers/nginx/configuration.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/controllers/nginx/configuration.md b/controllers/nginx/configuration.md index 77d615c08..1303209a3 100644 --- a/controllers/nginx/configuration.md +++ b/controllers/nginx/configuration.md @@ -8,6 +8,7 @@ * [Rewrite](#rewrite) * [Rate limiting](#rate-limiting) * [Secure backends](#secure-backends) +* [Server-side HTTPS enforcement through redirect](#server-side-https-enforcement-through-redirect) * [Whitelist source range](#whitelist-source-range) * [Allowed parameters in configuration config map](#allowed-parameters-in-configuration-configmap) * [Default configuration options](#default-configuration-options) @@ -160,6 +161,13 @@ Is possible to specify both annotation in the same Ingress rule. If you specify By default NGINX uses `http` to reach the services. Adding the annotation `ingress.kubernetes.io/secure-backends: "true"` in the ingress rule changes the protocol to `https`. +### Server-side HTTPS enforcement through redirect + +By default the controller redirects (301) to `HTTPS` if TLS is enabled for that ingress. If you want to disable that behaviour globally, you can use `ssl-redirect: "false"` in the NGINX config map + +To configure this feature for specific ingress resources, you can use the `ingress.kubernetes.io/ssl-redirect: "false"` annotation in the particular resource + + ### Whitelist source range You can specify the allowed client ip source ranges through the `ingress.kubernetes.io/whitelist-source-range` annotation, eg; `10.0.0.0/24,172.10.0.1`