Add upstream directives and some others (#11681)

internal/ingress/controller/template/crossplane/crossplane_test.go

@@ -166,12 +166,26 @@ func TestCrossplaneTemplate(t *testing.T) {
 		tplConfig.Cfg.AllowBackendServerHeader = true                                      // default false
 		tplConfig.Cfg.BlockCIDRs = []string{"192.168.0.0/24", " 200.200.0.0/16 "}          // default 0
 		tplConfig.Cfg.BlockUserAgents = []string{"someuseragent", " another/user-agent  "} // default 0
+		tplConfig.Cfg.BlockReferers = []string{"someref", "  anotherref", "escape\nref"}
 
 		tplConfig.AddHeaders = map[string]string{
 			"someheader":    "xpto",
 			"anotherheader": "blabla",
 		}
 
+		tplConfig.Cfg.EnableBrotli = true
+		tplConfig.Cfg.BrotliLevel = 7
+		tplConfig.Cfg.BrotliMinLength = 2
+		tplConfig.Cfg.BrotliTypes = "application/xml+rss application/atom+xml"
+
+		tplConfig.Cfg.HideHeaders = []string{"x-fake-header", "x-another-fake-header"}
+		tplConfig.Cfg.UpstreamKeepaliveConnections = 15
+
+		tplConfig.Cfg.UpstreamKeepaliveConnections = 200
+		tplConfig.Cfg.UpstreamKeepaliveTime = "60s"
+		tplConfig.Cfg.UpstreamKeepaliveTimeout = 200
+		tplConfig.Cfg.UpstreamKeepaliveRequests = 15
+
 		tpl = crossplane.NewTemplate()
 		tpl.SetMimeFile(mimeFile.Name())
 		content, err := tpl.Write(tplConfig)

internal/ingress/controller/template/crossplane/http.go

@@ -81,6 +81,7 @@ func (c *Template) initHTTPDirectives() ngx_crossplane.Directives {
 	return httpBlock
 }
 
+//nolint:gocyclo
 func (c *Template) buildHTTP() {
 	cfg := c.tplConfig.Cfg
 	httpBlock := c.initHTTPDirectives()
@@ -239,7 +240,7 @@ func (c *Template) buildHTTP() {
 			buildDirective("brotli", "on"),
 			buildDirective("brotli_comp_level", cfg.BrotliLevel),
 			buildDirective("brotli_min_length", cfg.BrotliMinLength),
-			buildDirective("brotli_types", cfg.BrotliTypes),
+			buildDirective("brotli_types", strings.Split(cfg.BrotliTypes, " ")),
 		)
 	}
 
@@ -249,6 +250,40 @@ func (c *Template) buildHTTP() {
 		}
 	}
 
+	blockUpstreamDirectives := ngx_crossplane.Directives{
+		buildDirective("server", "0.0.0.1"),
+		buildBlockDirective("balancer_by_lua_block", nil, ngx_crossplane.Directives{buildDirective("balancer.balance()")}),
+	}
+	if c.tplConfig.Cfg.UpstreamKeepaliveConnections > 0 {
+		blockUpstreamDirectives = append(blockUpstreamDirectives,
+			buildDirective("keepalive", c.tplConfig.Cfg.UpstreamKeepaliveConnections),
+			buildDirective("keepalive_time", c.tplConfig.Cfg.UpstreamKeepaliveTime),
+			buildDirective("keepalive_timeout", seconds(c.tplConfig.Cfg.UpstreamKeepaliveTimeout)),
+			buildDirective("keepalive_requests", c.tplConfig.Cfg.UpstreamKeepaliveRequests),
+		)
+	}
+	httpBlock = append(httpBlock, buildBlockDirective("upstream", []string{"upstream_balancer"}, blockUpstreamDirectives))
+
+	for i := range cfg.BlockCIDRs {
+		httpBlock = append(httpBlock, buildDirective("deny", strings.TrimSpace(cfg.BlockCIDRs[i])))
+	}
+
+	if len(cfg.BlockUserAgents) > 0 {
+		uaDirectives := ngx_crossplane.Directives{buildDirective("default", 0)}
+		for i := range cfg.BlockUserAgents {
+			uaDirectives = append(uaDirectives, buildDirective(strings.TrimSpace(cfg.BlockUserAgents[i]), 1))
+		}
+		httpBlock = append(httpBlock, buildMapDirective("$http_user_agent", "$block_ua", uaDirectives))
+	}
+
+	if len(cfg.BlockReferers) > 0 {
+		refDirectives := ngx_crossplane.Directives{buildDirective("default", 0)}
+		for i := range cfg.BlockReferers {
+			refDirectives = append(refDirectives, buildDirective(strings.TrimSpace(cfg.BlockReferers[i]), 1))
+		}
+		httpBlock = append(httpBlock, buildMapDirective("$http_referer", "$block_ref", refDirectives))
+	}
+
 	c.config.Parsed = append(c.config.Parsed, &ngx_crossplane.Directive{
 		Directive: "http",
 		Block:     httpBlock,

internal/ingress/controller/template/crossplane/testdata/nginx.tmpl

@@ -360,18 +360,27 @@ http {
     {{ range $header := $cfg.HideHeaders }}proxy_hide_header {{ $header }};
     {{ end }}
 
-    # END MIGRATED VARIOUS 1
+    # Global filters
+    {{ range $ip := $cfg.BlockCIDRs }}deny {{ trimSpace $ip }};
+    {{ end }}
 
-    {{ buildOpentelemetry $cfg $servers }}
+    {{ if gt (len $cfg.BlockUserAgents) 0 }}
+    map $http_user_agent $block_ua {
+        default 0;
 
-    # Create a variable that contains the literal $ character.
+        {{ range $ua := $cfg.BlockUserAgents }}{{ trimSpace $ua }} 1;
-    # This works because the geo module will not resolve variables.
+        {{ end }}
-    geo $literal_dollar {
-        default "$";
     }
+    {{ end }}
 
-    {{ range $errCode := $cfg.CustomHTTPErrors }}
+    {{ if gt (len $cfg.BlockReferers) 0 }}
-    error_page {{ $errCode }} = @custom_upstream-default-backend_{{ $errCode }};{{ end }}
+    map $http_referer $block_ref {
+        default 0;
+
+        {{ range $ref := $cfg.BlockReferers }}{{ trimSpace $ref }} 1;
+        {{ end }}
+    }
+    {{ end }}
 
     upstream upstream_balancer {
         server 0.0.0.1; # placeholder
@@ -388,6 +397,19 @@ http {
         {{ end }}
     }
 
+    # END MIGRATED VARIOUS 1
+
+    {{ buildOpentelemetry $cfg $servers }}
+
+    # Create a variable that contains the literal $ character.
+    # This works because the geo module will not resolve variables.
+    geo $literal_dollar {
+        default "$";
+    }
+
+    {{ range $errCode := $cfg.CustomHTTPErrors }}
+    error_page {{ $errCode }} = @custom_upstream-default-backend_{{ $errCode }};{{ end }}
+
     {{ range $rl := (filterRateLimits $servers ) }}
     # Ratelimit {{ $rl.Name }}
     geo $remote_addr $allowlist_{{ $rl.ID }} {
@@ -409,27 +431,6 @@ http {
     {{ $zone }}
     {{ end }}
 
-    # Global filters
-    {{ range $ip := $cfg.BlockCIDRs }}deny {{ trimSpace $ip }};
-    {{ end }}
-
-    {{ if gt (len $cfg.BlockUserAgents) 0 }}
-    map $http_user_agent $block_ua {
-        default 0;
-
-        {{ range $ua := $cfg.BlockUserAgents }}{{ trimSpace $ua }} 1;
-        {{ end }}
-    }
-    {{ end }}
-
-    {{ if gt (len $cfg.BlockReferers) 0 }}
-    map $http_referer $block_ref {
-        default 0;
-
-        {{ range $ref := $cfg.BlockReferers }}{{ trimSpace $ref }} 1;
-        {{ end }}
-    }
-    {{ end }}
 
     {{/* Build server redirects (from/to www) */}}
     {{ range $redirect := .RedirectServers }}

internal/ingress/controller/template/crossplane/utils.go

@@ -85,15 +85,20 @@ func buildResolversInternal(res []net.IP, disableIpv6 bool) []string {
 	return r
 }
 
-// buildMapDirective is used to build a map directive
+// buildBlockDirective is used to build a block directive
-func buildMapDirective(name, variable string, block ngx_crossplane.Directives) *ngx_crossplane.Directive {
+func buildBlockDirective(blockName string, args []string, block ngx_crossplane.Directives) *ngx_crossplane.Directive {
 	return &ngx_crossplane.Directive{
-		Directive: "map",
+		Directive: blockName,
-		Args:      []string{name, variable},
+		Args:      args,
 		Block:     block,
 	}
 }
 
+// buildMapDirective is used to build a map directive
+func buildMapDirective(name, variable string, block ngx_crossplane.Directives) *ngx_crossplane.Directive {
+	return buildBlockDirective("map", []string{name, variable}, block)
+}
+
 func boolToStr(b bool) string {
 	if b {
 		return "on"