Deploy GitHub Pages

This commit is contained in:
Travis Bot 2018-04-29 15:47:17 +00:00
parent 89c9353364
commit db71e32e5f
19 changed files with 359 additions and 266 deletions

View file

@ -1481,7 +1481,7 @@ Then execute:</p>
<p>This example creates an ELB with just two listeners, one in port 80 and another in port 443</p>
<p><img alt="Listeners" src="./../docs/images/elb-l7-listener.png" /></p>
<p><img alt="Listeners" src="./../images/elb-l7-listener.png" /></p>
<p>If the ingress controller uses RBAC run:</p>
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/patch-service-with-rbac.yaml</span>
</pre></div>
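Review bot: the apply command in this hunk (`kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/patch-service-with-rbac.yaml`) fetches the manifest from the `master` branch, while the rest of this commit pins the controller image to `0.14.0`; a reader following the page applies whatever happens to be on master at that moment, so the URL should point at a release tag or commit so that the manifest matches the pinned image. The image path change from `./../docs/images/` to `./../images/` is correct for the rendered site. Minor: the unchanged context line "one in port 80 and another in port 443" should read "on port 80 and another on port 443".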

View file

@ -1200,7 +1200,10 @@
It includes how to build, test, and release ingress controllers.</p>
<h2 id="quick-start">Quick Start<a class="headerlink" href="#quick-start" title="Permanent link">&para;</a></h2>
<h3 id="initial-developer-environment-build">Initial developer environment build<a class="headerlink" href="#initial-developer-environment-build" title="Permanent link">&para;</a></h3>
<p><strong>Prequisites</strong>: Minikube must be installed; See <a href="https://github.com/kubernetes/minikube/releases">releases</a> for installation instructions. </p>
<blockquote>
<p><strong>Prequisites</strong>: Minikube must be installed.
See <a href="https://github.com/kubernetes/minikube/releases">releases</a> for installation instructions. </p>
</blockquote>
<p>If you are using <strong>MacOS</strong> and deploying to <strong>minikube</strong>, the following command will build the local nginx controller container image and deploy the ingress controller onto a minikube cluster with RBAC enabled in the namespace <code class="codehilite">ingress-nginx</code>:</p>
<div class="codehilite"><pre><span></span>$ make dev-env
</pre></div>
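Review bot: the typo "Prequisites" is carried over unchanged into the new blockquote; it should be "Prerequisites" in the moved line as well, since the point of this hunk is to restyle exactly that sentence.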

View file

@ -1165,7 +1165,7 @@ key/cert pair with an arbitrarily chosen hostname, created as follows</p>
<h2 id="ca-authentication">CA Authentication<a class="headerlink" href="#ca-authentication" title="Permanent link">&para;</a></h2>
<p>You can act as your very own CA, or use an existing one. As an exercise / learning, we're going to generate our
own CA, and also generate a client certificate.</p>
<p>These instructions are based on CoreOS OpenSSL <a href="https://coreos.com/kubernetes/docs/latest/openssl.html">instructions</a></p>
<p>These instructions are based on CoreOS OpenSSL. <a href="https://coreos.com/kubernetes/docs/latest/openssl.html">See live doc.</a></p>
<h3 id="generating-a-ca">Generating a CA<a class="headerlink" href="#generating-a-ca" title="Permanent link">&para;</a></h3>
<p>First of all, you've to generate a CA. This is going to be the one who will sign your client certificates.
In real production world, you may face CAs with intermediate certificates, as the following:</p>
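Review bot: the rewritten sentence "These instructions are based on CoreOS OpenSSL." lost its noun when "instructions" became the link text; CoreOS OpenSSL is not a thing, so it should read something like "These instructions are based on the CoreOS OpenSSL guide." followed by the "See live doc." link. While touching this paragraph, the unchanged context line "you've to generate a CA" should be "you have to generate a CA".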
@ -1243,7 +1243,7 @@ the TLS Auth directive:</p>
</pre></div>
<p>Note: You can also generate the CA Authentication Secret along with the TLS Secret by using:</p>
<p><strong>Note:</strong> You can also generate the CA Authentication Secret along with the TLS Secret by using:</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create secret generic caingress --namespace<span class="o">=</span>default --from-file<span class="o">=</span>ca.crt<span class="o">=</span>&lt;ca.crt&gt; --from-file<span class="o">=</span>tls.crt<span class="o">=</span>&lt;tls.crt&gt; --from-file<span class="o">=</span>tls.key<span class="o">=</span>&lt;tls.key&gt;
</pre></div>
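Review bot: this hunk only bolds "Note:" inside a `<p>`, whereas every other file in this commit converts the same `Note:`/`Important:` pattern into a `<div class="admonition ...">` block; use the admonition here too for consistency. Also worth a sentence next to the command: the combined secret holds the private key (`--from-file=tls.key=<tls.key>`) in namespace `default`, so it should be created in the namespace of the Ingress that uses it and access to it restricted accordingly.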

View file

@ -16,7 +16,7 @@ spec:
spec:
terminationGracePeriodSeconds: 60
containers:
- image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.13.0
- image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.14.0
name: nginx-ingress-lb
imagePullPolicy: Always
readinessProbe:
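Review bot: the bump to `nginx-ingress-controller:0.14.0` is still a mutable tag, and this manifest combines it with `imagePullPolicy: Always`, so every pod start re-resolves the tag from quay.io and a retagged image would be pulled silently; for a published deployment manifest, pin by digest (`image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller@sha256:<digest>`) or at least state in the doc that the tag is not immutable.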

View file

@ -1125,8 +1125,11 @@
</pre></div>
<p><strong>Important:</strong> DO NOT RUN THIS IN PRODUCTION.
This deployment uses <code class="codehilite">emptyDir</code> in the <code class="codehilite">volumeMount</code> which means the contents of the registry will be deleted when the pod dies.</p>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p><strong>DO NOT RUN THIS IN PRODUCTION</strong></p>
<p>This deployment uses <code class="codehilite">emptyDir</code> in the <code class="codehilite">volumeMount</code> which means the contents of the registry will be deleted when the pod dies.</p>
</div>
<p>The next required step is creation of the ingress rules. To do this we have two options: with and without TLS</p>
<h3 id="without-tls">Without TLS<a class="headerlink" href="#without-tls" title="Permanent link">&para;</a></h3>
<p>Download and edit the yaml deployment replacing <code class="codehilite">registry.&lt;your domain&gt;</code> with a valid DNS name pointing to the ingress controller:</p>
@ -1134,8 +1137,11 @@ This deployment uses <code class="codehilite">emptyDir</code> in the <code class
</pre></div>
<p><strong>Important:</strong> running a docker registry without TLS requires we configure our local docker daemon with the insecure registry flag.
Please check <a href="https://docs.docker.com/registry/insecure/#deploy-a-plain-http-registry">deploy a plain http registry</a></p>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>Running a docker registry without TLS requires we configure our local docker daemon with the insecure registry flag.</p>
<p>Please check <a href="https://docs.docker.com/registry/insecure/#deploy-a-plain-http-registry">deploy a plain http registry</a></p>
</div>
<h3 id="with-tls">With TLS<a class="headerlink" href="#with-tls" title="Permanent link">&para;</a></h3>
<p>Download and edit the yaml deployment replacing <code class="codehilite">registry.&lt;your domain&gt;</code> with a valid DNS name pointing to the ingress controller:</p>
<div class="codehilite"><pre><span></span><span class="go">wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/docker-registry/ingress-with-tls.yaml</span>
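Review bot: the new "Important" admonition says the insecure-registry flag is required but not what it does; add that with this flag the daemon talks plain HTTP to that registry host (and falls back without certificate verification), so pushed images and any registry credentials travel in the clear, and that the setting belongs to local testing only. The "Without TLS" section already exists for exactly this case, so the warning is the right place for that sentence.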

View file

@ -1121,7 +1121,10 @@
<h3 id="overview">Overview<a class="headerlink" href="#overview" title="Permanent link">&para;</a></h3>
<p>The <code class="codehilite">auth-url</code> and <code class="codehilite">auth-signin</code> annotations allow you to use an external
authentication provider to protect your Ingress resources.</p>
<p>(Note, this annotation requires <code class="codehilite">nginx-ingress-controller v0.9.0</code> or greater.)</p>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>this annotation requires <code class="codehilite">nginx-ingress-controller v0.9.0</code> or greater.)</p>
</div>
<h3 id="key-detail">Key Detail<a class="headerlink" href="#key-detail" title="Permanent link">&para;</a></h3>
<p>This functionality is enabled by deploying multiple Ingress objects for a single host.
One Ingress object has no special annotations and handles authentication.</p>
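Review bot: the admonition body keeps the closing parenthesis of the old parenthetical ("... or greater.)") and now starts lower-case ("this annotation requires"); drop the stray `)` and capitalise the first word, since the text is no longer inside parentheses.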
@ -1151,7 +1154,7 @@ into a Kubernetes cluster and use it to protect the Kubernetes Dashboard using g
<ol>
<li>Create a custom Github OAuth application https://github.com/settings/applications/new</li>
<li>Create a <a href="https://github.com/settings/applications/new">custom Github OAuth application</a></li>
</ol>
<p><img alt="Register OAuth2 Application" src="../images/register-oauth-app.png" /></p>
<ul>

View file

@ -1187,9 +1187,11 @@ already has it set to "nginx-ingress-lb").</p>
</pre></div>
<blockquote>
<p>Note that unlike the GCE Ingress, the same loadbalancer IP is shared amongst all
Ingresses, because all requests are proxied through the same set of nginx
controllers.</p>
</blockquote>
<h2 id="promote-ephemeral-to-static-ip">Promote ephemeral to static IP<a class="headerlink" href="#promote-ephemeral-to-static-ip" title="Permanent link">&para;</a></h2>
<p>To promote the allocated IP to static, you can update the Service manifest</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl patch svc nginx-ingress-lb -p <span class="s1">&#39;{&quot;spec&quot;: {&quot;loadBalancerIP&quot;: &quot;104.154.109.191&quot;}}&#39;</span>

View file

@ -21,7 +21,7 @@ spec:
# hostNetwork: true
terminationGracePeriodSeconds: 60
containers:
- image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.13.0
- image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.14.0
name: nginx-ingress-controller
readinessProbe:
httpGet:

View file

@ -1,3 +1,3 @@
td{
td:nth-child(1){
white-space: nowrap;
}

File diff suppressed because one or more lines are too long

View file

@ -4,7 +4,7 @@
<url>
<loc>/</loc>
<lastmod>2018-04-27</lastmod>
<lastmod>2018-04-29</lastmod>
<changefreq>daily</changefreq>
</url>
@ -13,13 +13,13 @@
<url>
<loc>/deploy/</loc>
<lastmod>2018-04-27</lastmod>
<lastmod>2018-04-29</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/deploy/rbac/</loc>
<lastmod>2018-04-27</lastmod>
<lastmod>2018-04-29</lastmod>
<changefreq>daily</changefreq>
</url>
@ -35,49 +35,49 @@
<url>
<loc>/user-guide/cli-arguments/</loc>
<lastmod>2018-04-27</lastmod>
<lastmod>2018-04-29</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/user-guide/custom-errors/</loc>
<lastmod>2018-04-27</lastmod>
<lastmod>2018-04-29</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/user-guide/exposing-tcp-udp-services/</loc>
<lastmod>2018-04-27</lastmod>
<lastmod>2018-04-29</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/user-guide/external-articles/</loc>
<lastmod>2018-04-27</lastmod>
<lastmod>2018-04-29</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/user-guide/miscellaneous/</loc>
<lastmod>2018-04-27</lastmod>
<lastmod>2018-04-29</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/user-guide/multiple-ingress/</loc>
<lastmod>2018-04-27</lastmod>
<lastmod>2018-04-29</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/user-guide/nginx-status-page/</loc>
<lastmod>2018-04-27</lastmod>
<lastmod>2018-04-29</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/user-guide/tls/</loc>
<lastmod>2018-04-27</lastmod>
<lastmod>2018-04-29</lastmod>
<changefreq>daily</changefreq>
</url>
@ -93,19 +93,19 @@
<url>
<loc>/examples/PREREQUISITES/</loc>
<lastmod>2018-04-27</lastmod>
<lastmod>2018-04-29</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/examples/README/</loc>
<lastmod>2018-04-27</lastmod>
<lastmod>2018-04-29</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/examples/affinity/cookie/README/</loc>
<lastmod>2018-04-27</lastmod>
<lastmod>2018-04-29</lastmod>
<changefreq>daily</changefreq>
</url>
@ -123,37 +123,37 @@
<url>
<loc>/examples/docker-registry/README/</loc>
<lastmod>2018-04-27</lastmod>
<lastmod>2018-04-29</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/examples/external-auth/README/</loc>
<lastmod>2018-04-27</lastmod>
<lastmod>2018-04-29</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/examples/multi-tls/README/</loc>
<lastmod>2018-04-27</lastmod>
<lastmod>2018-04-29</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/examples/rewrite/README/</loc>
<lastmod>2018-04-27</lastmod>
<lastmod>2018-04-29</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/examples/static-ip/README/</loc>
<lastmod>2018-04-27</lastmod>
<lastmod>2018-04-29</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/examples/tls-termination/README/</loc>
<lastmod>2018-04-27</lastmod>
<lastmod>2018-04-29</lastmod>
<changefreq>daily</changefreq>
</url>
@ -162,7 +162,7 @@
<url>
<loc>/development/</loc>
<lastmod>2018-04-27</lastmod>
<lastmod>2018-04-29</lastmod>
<changefreq>daily</changefreq>
</url>
@ -170,7 +170,7 @@
<url>
<loc>/ingress-controller-catalog/</loc>
<lastmod>2018-04-27</lastmod>
<lastmod>2018-04-29</lastmod>
<changefreq>daily</changefreq>
</url>
@ -178,7 +178,7 @@
<url>
<loc>/troubleshooting/</loc>
<lastmod>2018-04-27</lastmod>
<lastmod>2018-04-29</lastmod>
<changefreq>daily</changefreq>
</url>

View file

@ -1293,9 +1293,10 @@ delete it with <code class="codehilite">kubectl delete secret &lt;name&gt;</code
The API server will mount a volume containing this file, but only if the API server is configured to use
the ServiceAccount admission controller.
If you experience this error, verify that your API server is using the ServiceAccount admission controller.
If you are configuring the API server by hand, you can set this with the <code class="codehilite">--admission-control</code> parameter.
Please note that you should use other admission controllers as well. Before configuring this option, you should
read about admission controllers.</p>
If you are configuring the API server by hand, you can set this with the <code class="codehilite">--admission-control</code> parameter.</p>
<blockquote>
<p>Note that you should use other admission controllers as well. Before configuring this option, you should read about admission controllers.</p>
</blockquote>
</li>
</ol>
<p>More information:</p>
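Review bot: the restyled sentence still tells readers to set the admission controller with `--admission-control`; Kubernetes 1.10 deprecated that flag in favour of `--enable-admission-plugins` (and `--disable-admission-plugins`), so the doc should name the new flag and keep the old one only as the legacy spelling, otherwise the troubleshooting step will send people to a deprecated option.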

View file

@ -1025,7 +1025,10 @@ Each request to the default backend includes two headers:</p>
<li><code class="codehilite">X-Code</code> indicates the HTTP code to be returned to the client.</li>
<li><code class="codehilite">X-Format</code> the value of the <code class="codehilite">Accept</code> header.</li>
</ul>
<p><strong>Important:</strong> The custom backend must return the correct HTTP status code to be returned. NGINX does not change the response from the custom default backend.</p>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>The custom backend must return the correct HTTP status code to be returned. NGINX does not change the response from the custom default backend.</p>
</div>
<p>Using these two headers it's possible to use a custom backend service like <a href="https://github.com/kubernetes/ingress-nginx/tree/master/images/custom-error-pages">this one</a> that inspects each request and returns a custom error page with the format expected by the client. Please check the example <a href="https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/customization/custom-errors">custom-errors</a>.</p>
<p>NGINX sends additional headers that can be used to build custom response:</p>
<ul>
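Review bot: the admonition text is redundant ("must return the correct HTTP status code to be returned"); since the hunk already rewrites this sentence, tighten it to "The custom backend must return the HTTP status code given in `X-Code`; NGINX does not alter the response from the custom default backend."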

View file

@ -1201,7 +1201,10 @@ Basically a default backend exposes two URLs:</p>
<p>The only requirement to avoid the close of connections is the increase of the values of <code class="codehilite">proxy-read-timeout</code> and <code class="codehilite">proxy-send-timeout</code>.</p>
<p>The default value of this settings is <code class="codehilite">60 seconds</code>.</p>
<p>A more adequate value to support websockets is a value higher than one hour (<code class="codehilite">3600</code>).</p>
<p><strong>Important:</strong> If the NGINX ingress controller is exposed with a service <code class="codehilite">type=LoadBalancer</code> make sure the protocol between the loadbalancer and NGINX is TCP.</p>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>If the NGINX ingress controller is exposed with a service <code class="codehilite">type=LoadBalancer</code> make sure the protocol between the loadbalancer and NGINX is TCP.</p>
</div>
<h2 id="optimizing-tls-time-to-first-byte-tttfb">Optimizing TLS Time To First Byte (TTTFB)<a class="headerlink" href="#optimizing-tls-time-to-first-byte-tttfb" title="Permanent link">&para;</a></h2>
<p>NGINX provides the configuration option <a href="http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size">ssl_buffer_size</a> to allow the optimization of the TLS record size.</p>
<p>This improves the <a href="https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/">TLS Time To First Byte</a> (TTTFB).
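Review bot: two wording problems in the context lines of this hunk: "The default value of this settings is" should be "these settings", and "a value higher than one hour (`3600`)" contradicts itself because 3600 seconds is exactly one hour; say "at least one hour (`3600`)" or "higher than one hour (more than `3600`)". The new admonition about TCP between the load balancer and NGINX is correct as written.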

View file

@ -1093,7 +1093,8 @@
<h1 id="multiple-ingress-controllers">Multiple ingress controllers<a class="headerlink" href="#multiple-ingress-controllers" title="Permanent link">&para;</a></h1>
<h2 id="running-multiple-ingress-controllers">Running multiple ingress controllers<a class="headerlink" href="#running-multiple-ingress-controllers" title="Permanent link">&para;</a></h2>
<p>If you're running multiple ingress controllers, or running on a cloud provider that natively handles ingress, you need to specify the annotation <code class="codehilite">kubernetes.io/ingress.class: &quot;nginx&quot;</code> in all ingresses that you would like this controller to claim. This mechanism also provides users the ability to run <em>multiple</em> NGINX ingress controllers (e.g. one which serves public traffic, one which serves "internal" traffic). When utilizing this functionality the option <code class="codehilite">--ingress-class</code> should be changed to a value unique for the cluster within the definition of the replication controller. Here is a partial example:</p>
<p>If you're running multiple ingress controllers, or running on a cloud provider that natively handles ingress, you need to specify the annotation <code class="codehilite">kubernetes.io/ingress.class: &quot;nginx&quot;</code> in all ingresses that you would like this controller to claim.</p>
<p>This mechanism also provides users the ability to run <em>multiple</em> NGINX ingress controllers (e.g. one which serves public traffic, one which serves "internal" traffic). When utilizing this functionality the option <code class="codehilite">--ingress-class</code> should be changed to a value unique for the cluster within the definition of the replication controller. Here is a partial example:</p>
<div class="codehilite"><pre><span></span><span class="n">spec</span><span class="o">:</span>
<span class="n">template</span><span class="o">:</span>
<span class="n">spec</span><span class="o">:</span>

View file

@ -679,6 +679,13 @@
Enable Access Log
</a>
</li>
<li class="md-nav__item">
<a href="#enable-rewrite-log" title="Enable Rewrite Log" class="md-nav__link">
Enable Rewrite Log
</a>
</li>
<li class="md-nav__item">
@ -1497,6 +1504,13 @@
Enable Access Log
</a>
</li>
<li class="md-nav__item">
<a href="#enable-rewrite-log" title="Enable Rewrite Log" class="md-nav__link">
Enable Rewrite Log
</a>
</li>
<li class="md-nav__item">
@ -1686,6 +1700,10 @@ i.e. <code class="codehilite">&quot;true&quot;</code>, <code class="codehilite">
<td>string</td>
</tr>
<tr>
<td><a href="#enable-rewrite-log">nginx.ingress.kubernetes.io/rewrite-log</a></td>
<td>URI</td>
</tr>
<tr>
<td><a href="#rewrite">nginx.ingress.kubernetes.io/rewrite-target</a></td>
<td>URI</td>
</tr>
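Review bot: the new table row declares `nginx.ingress.kubernetes.io/rewrite-log` with type `URI`, which looks copied from the `rewrite-target` row beneath it; the rewrite-log annotation is a boolean switch that turns `rewrite_log` on or off, so the type column should say `"true"` or `"false"` like the other boolean annotations in this table (see the `"true", "false"` context line at the top of the hunk).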
@ -1815,20 +1833,28 @@ This annotation also accepts the alternative form "namespace/secretName", in whi
<p>Please check the <a href="../../../examples/auth/basic/README/">auth</a> example.</p>
<h3 id="custom-nginx-upstream-checks">Custom NGINX upstream checks<a class="headerlink" href="#custom-nginx-upstream-checks" title="Permanent link">&para;</a></h3>
<p>NGINX exposes some flags in the <a href="http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream">upstream configuration</a> that enable the configuration of each server in the upstream. The Ingress controller allows custom <code class="codehilite">max_fails</code> and <code class="codehilite">fail_timeout</code> parameters in a global context using <code class="codehilite">upstream-max-fails</code> and <code class="codehilite">upstream-fail-timeout</code> in the NGINX ConfigMap or in a particular Ingress rule. <code class="codehilite">upstream-max-fails</code> defaults to 0. This means NGINX will respect the container's <code class="codehilite">readinessProbe</code> if it is defined. If there is no probe and no values for <code class="codehilite">upstream-max-fails</code> NGINX will continue to send traffic to the container.</p>
<p><strong>With the default configuration NGINX will not health check your backends. Whenever the endpoints controller notices a readiness probe failure, that pod's IP will be removed from the list of endpoints. This will trigger the NGINX controller to also remove it from the upstreams.</strong></p>
<div class="admonition tip">
<p class="admonition-title">Tip</p>
<p>With the default configuration NGINX will not health check your backends. Whenever the endpoints controller notices a readiness probe failure, that pod's IP will be removed from the list of endpoints. This will trigger the NGINX controller to also remove it from the upstreams.**</p>
</div>
<p>To use custom values in an Ingress rule define these annotations:</p>
<p><code class="codehilite">nginx.ingress.kubernetes.io/upstream-max-fails</code>: number of unsuccessful attempts to communicate with the server that should occur in the duration set by the <code class="codehilite">upstream-fail-timeout</code> parameter to consider the server unavailable.</p>
<p><code class="codehilite">nginx.ingress.kubernetes.io/upstream-fail-timeout</code>: time in seconds during which the specified number of unsuccessful attempts to communicate with the server should occur to consider the server unavailable. This is also the period of time the server will be considered unavailable.</p>
<p>In NGINX, backend server pools are called "<a href="http://nginx.org/en/docs/http/ngx_http_upstream_module.html">upstreams</a>". Each upstream contains the endpoints for a service. An upstream is created for each service that has Ingress rules defined.</p>
<p><strong>Important:</strong> All Ingress rules using the same service will use the same upstream. Only one of the Ingress rules should define annotations to configure the upstream servers.</p>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>All Ingress rules using the same service will use the same upstream. Only one of the Ingress rules should define annotations to configure the upstream servers.</p>
</div>
<p>Please check the <a href="../../../examples/customization/custom-upstream-check/README/">custom upstream check</a> example.</p>
<h3 id="custom-nginx-upstream-hashing">Custom NGINX upstream hashing<a class="headerlink" href="#custom-nginx-upstream-hashing" title="Permanent link">&para;</a></h3>
<p>NGINX supports load balancing by client-server mapping based on <a href="http://nginx.org/en/docs/http/ngx_http_upstream_module.html#hash">consistent hashing</a> for a given key. The key can contain text, variables or any combination thereof. This feature allows for request stickiness other than client IP or cookies. The <a href="http://www.last.fm/user/RJ/journal/2007/04/10/392555/">ketama</a> consistent hashing method will be used which ensures only a few keys would be remapped to different servers on upstream group changes.</p>
<p>To enable consistent hashing for a backend:</p>
<p><code class="codehilite">nginx.ingress.kubernetes.io/upstream-hash-by</code>: the nginx variable, text value or any combination thereof to use for consistent hashing. For example <code class="codehilite">nginx.ingress.kubernetes.io/upstream-hash-by: &quot;$request_uri&quot;</code> to consistently hash upstream requests by the current request URI.</p>
<h3 id="custom-nginx-load-balancing">Custom NGINX load balancing<a class="headerlink" href="#custom-nginx-load-balancing" title="Permanent link">&para;</a></h3>
<p>This is similar to https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#load-balance but configures load balancing algorithm per ingress.
Note that <code class="codehilite">nginx.ingress.kubernetes.io/upstream-hash-by</code> takes preference over this. If this and <code class="codehilite">nginx.ingress.kubernetes.io/upstream-hash-by</code> are not set then we fallback to using globally configured load balancing algorithm.</p>
<p>This is similar to (https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#load-balance) but configures load balancing algorithm per ingress.</p>
<blockquote>
<p>Note that <code class="codehilite">nginx.ingress.kubernetes.io/upstream-hash-by</code> takes preference over this. If this and <code class="codehilite">nginx.ingress.kubernetes.io/upstream-hash-by</code> are not set then we fallback to using globally configured load balancing algorithm.</p>
</blockquote>
<h3 id="custom-nginx-upstream-vhost">Custom NGINX upstream vhost<a class="headerlink" href="#custom-nginx-upstream-vhost" title="Permanent link">&para;</a></h3>
<p>This configuration setting allows you to control the value for host in the following statement: <code class="codehilite">proxy_set_header Host $host</code>, which forms part of the location block. This is useful if you need to call the upstream server by something other than <code class="codehilite">$host</code>.</p>
<h3 id="client-certificate-authentication">Client Certificate Authentication<a class="headerlink" href="#client-certificate-authentication" title="Permanent link">&para;</a></h3>
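Review bot: the tip admonition about backend health checks ends with a stray `**` ("... remove it from the upstreams.**"), a leftover of the markdown bold marker that the conversion to an admonition should have removed. Further down the hunk, the load-balance paragraph now shows the configmap URL as a bare parenthesised link `(https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#load-balance)` while the rest of this commit converts bare URLs into `<a>` elements; make it a proper link with descriptive text.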
@ -1862,12 +1888,12 @@ This annotation also accepts the alternative form "namespace/secretName", in whi
<p>Indicates if the received certificates should be passed or not to the upstream server.
By default this is disabled.</p>
<p>Please check the <a href="../../../examples/auth/client-certs/README/">client-certs</a> example.</p>
<p><strong>Important:</strong></p>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>TLS with Client Authentication is NOT possible in Cloudflare as is not allowed it and might result in unexpected behavior.</p>
<p>Cloudflare only allows Authenticated Origin Pulls and is required to use their own certificate:
https://blog.cloudflare.com/protecting-the-origin-with-tls-authenticated-origin-pulls/</p>
<p>Only Authenticated Origin Pulls are allowed and can be configured by following their tutorial:
https://support.cloudflare.com/hc/en-us/articles/204494148-Setting-up-NGINX-to-use-TLS-Authenticated-Origin-Pulls</p>
<p>Cloudflare only allows Authenticated Origin Pulls and is required to use their own certificate: <a href="https://blog.cloudflare.com/protecting-the-origin-with-tls-authenticated-origin-pulls/">https://blog.cloudflare.com/protecting-the-origin-with-tls-authenticated-origin-pulls/</a></p>
<p>Only Authenticated Origin Pulls are allowed and can be configured by following their tutorial: <a href="https://support.cloudflare.com/hc/en-us/articles/204494148-Setting-up-NGINX-to-use-TLS-Authenticated-Origin-Pulls">https://support.cloudflare.com/hc/en-us/articles/204494148-Setting-up-NGINX-to-use-TLS-Authenticated-Origin-Pulls</a></p>
</div>
<h3 id="configuration-snippet">Configuration snippet<a class="headerlink" href="#configuration-snippet" title="Permanent link">&para;</a></h3>
<p>Using this annotation you can add additional configuration to the NGINX location. For example:</p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/configuration-snippet</span><span class="p p-Indicator">:</span> <span class="p p-Indicator">|</span>
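Review bot: the first line of the new Cloudflare admonition is still garbled ("TLS with Client Authentication is NOT possible in Cloudflare as is not allowed it and might result in unexpected behavior"); suggest "TLS client authentication is not possible behind Cloudflare, because Cloudflare does not allow it, and enabling it can result in unexpected behaviour." The two links below it are now proper `<a>` elements, which is good.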
@ -1901,14 +1927,15 @@ This is a global configuration for the ingress controller. In some cases could b
<li><code class="codehilite">nginx.ingress.kubernetes.io/cors-max-age</code> controls how long preflight requests can be cached.</li>
</ul>
<p>Example: <code class="codehilite">nginx.ingress.kubernetes.io/cors-max-age: 600</code></p>
<p>For more information please check https://enable-cors.org/server_nginx.html</p>
<p>For more information please see <a href="https://enable-cors.org/server_nginx.html">https://enable-cors.org</a></p>
<h3 id="server-alias">Server Alias<a class="headerlink" href="#server-alias" title="Permanent link">&para;</a></h3>
<p>To add Server Aliases to an Ingress rule add the annotation <code class="codehilite">nginx.ingress.kubernetes.io/server-alias: &quot;&lt;alias&gt;&quot;</code>.
This will create a server with the same configuration, but a different server_name as the provided host.</p>
<p><em>Note:</em> A server-alias name cannot conflict with the hostname of an existing server. If it does the server-alias
annotation will be ignored. If a server-alias is created and later a new server with the same hostname is created
the new server configuration will take place over the alias configuration.</p>
<p>For more information please see http://nginx.org/en/docs/http/ngx_http_core_module.html#server_name</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>A server-alias name cannot conflict with the hostname of an existing server. If it does the server-alias annotation will be ignored. If a server-alias is created and later a new server with the same hostname is created the new server configuration will take place over the alias configuration.</p>
</div>
<p>For more information please see <a href="http://nginx.org/en/docs/http/ngx_http_core_module.html#server_name">http://nginx.org</a></p>
<h3 id="server-snippet">Server snippet<a class="headerlink" href="#server-snippet" title="Permanent link">&para;</a></h3>
<p>Using the annotation <code class="codehilite">nginx.ingress.kubernetes.io/server-snippet</code> it is possible to add custom configuration in the server configuration block.</p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">apiVersion</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">extensions/v1beta1</span>
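Review bot: the link texts introduced here ("https://enable-cors.org", "http://nginx.org") hide that the targets are deep links to the NGINX CORS page and to the `server_name` directive; showing only the bare domain makes the reader think a generic homepage is referenced. Use descriptive text such as "the NGINX page on enable-cors.org" and "the `server_name` documentation".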
@ -1928,13 +1955,16 @@ the new server configuration will take place over the alias configuration.</p>
</pre></div>
<p><strong>Important:</strong> This annotation can be used only once per host</p>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>This annotation can be used only once per host</p>
</div>
<h3 id="client-body-buffer-size">Client Body Buffer Size<a class="headerlink" href="#client-body-buffer-size" title="Permanent link">&para;</a></h3>
<p>Sets buffer size for reading client request body per location. In case the request body is larger than the buffer,
the whole body or only its part is written to a temporary file. By default, buffer size is equal to two memory pages.
This is 8K on x86, other 32-bit platforms, and x86-64. It is usually 16K on other 64-bit platforms. This annotation is
applied to each location provided in the ingress rule.</p>
<p><em>Note:</em> The annotation value must be given in a valid format otherwise the
<p><strong>Note:</strong> The annotation value must be given in a valid format otherwise the
For example to set the client-body-buffer-size the following can be done:</p>
<ul>
<li><code class="codehilite">nginx.ingress.kubernetes.io/client-body-buffer-size: &quot;1000&quot;</code> # 1000 bytes</li>
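Review bot: the sentence "The annotation value must be given in a valid format otherwise the" is cut off in both the old and the new line and runs straight into "For example to set the client-body-buffer-size"; the hunk changes only `<em>` to `<strong>` and leaves the truncated sentence in place, so it needs completing (what happens when the format is invalid) before the styling change is worth much. For consistency with the rest of the commit this `Note:` should also become a `<div class="admonition note">`.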
@ -1943,7 +1973,7 @@ For example to set the client-body-buffer-size the following can be done:</p>
<li><code class="codehilite">nginx.ingress.kubernetes.io/client-body-buffer-size: 1m</code> # 1 megabyte</li>
<li><code class="codehilite">nginx.ingress.kubernetes.io/client-body-buffer-size: 1M</code> # 1 megabyte</li>
</ul>
<p>For more information please see http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size</p>
<p>For more information please see <a href="http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size">http://nginx.org</a></p>
<h3 id="external-authentication">External Authentication<a class="headerlink" href="#external-authentication" title="Permanent link">&para;</a></h3>
<p>To use an existing service that provides authentication the Ingress rule can be annotated with <code class="codehilite">nginx.ingress.kubernetes.io/auth-url</code> to indicate the URL where the HTTP request should be sent.</p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/auth-url</span><span class="p p-Indicator">:</span> <span class="s">&quot;URL</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">authentication</span><span class="nv"> </span><span class="s">service&quot;</span>
@ -1971,15 +2001,23 @@ For example to set the client-body-buffer-size the following can be done:</p>
<p>This annotation allows to return a permanent redirect instead of sending data to the upstream. For example <code class="codehilite">nginx.ingress.kubernetes.io/permanent-redirect: https://www.google.com</code> would redirect everything to Google.</p>
<h3 id="ssl-passthrough">SSL Passthrough<a class="headerlink" href="#ssl-passthrough" title="Permanent link">&para;</a></h3>
<p>The annotation <code class="codehilite">nginx.ingress.kubernetes.io/ssl-passthrough</code> allows to configure TLS termination in the pod and not in NGINX.</p>
<p><strong>Important:</strong></p>
<div class="admonition important">
<p class="admonition-title">Important</p>
<ul>
<li>Using the annotation <code class="codehilite">nginx.ingress.kubernetes.io/ssl-passthrough</code> invalidates all the other available annotations. This is because SSL Passthrough works in L4 (TCP).</li>
<li>The use of this annotation requires Proxy Protocol to be enabled in the load-balancer. For example enabling Proxy Protocol for AWS ELB is described <a href="https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html">here</a>. If you're using ingress-controller without load balancer then the flag <code class="codehilite">--enable-ssl-passthrough</code> is required (by default it is disabled).</li>
<li>
<p>Using the annotation <code class="codehilite">nginx.ingress.kubernetes.io/ssl-passthrough</code> invalidates all the other available annotations. This is because SSL Passthrough works in L4 (TCP).</p>
</li>
<li>
<p>The use of this annotation requires Proxy Protocol to be enabled in the load-balancer. For example enabling Proxy Protocol for AWS ELB is described <a href="https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html">here</a>. If you're using ingress-controller without load balancer then the flag <code class="codehilite">--enable-ssl-passthrough</code> is required (by default it is disabled).</p>
</li>
</ul>
</div>
<h3 id="secure-backends">Secure backends<a class="headerlink" href="#secure-backends" title="Permanent link">&para;</a></h3>
<p>By default NGINX uses <code class="codehilite">http</code> to reach the services. Adding the annotation <code class="codehilite">nginx.ingress.kubernetes.io/secure-backends: &quot;true&quot;</code> in the Ingress rule changes the protocol to <code class="codehilite">https</code>.
If you want to validate the upstream against a specific certificate, you can create a secret with it and reference the secret with the annotation <code class="codehilite">nginx.ingress.kubernetes.io/secure-verify-ca-secret</code>.</p>
<p>Please note that if an invalid or non-existent secret is given, the NGINX ingress controller will ignore the <code class="codehilite">secure-backends</code> annotation.</p>
<blockquote>
<p>Note that if an invalid or non-existent secret is given, the NGINX ingress controller will ignore the <code class="codehilite">secure-backends</code> annotation.</p>
</blockquote>
<h3 id="service-upstream">Service Upstream<a class="headerlink" href="#service-upstream" title="Permanent link">&para;</a></h3>
<p>By default the NGINX ingress controller uses a list of all endpoints (Pod IP/port) in the NGINX upstream configuration. This annotation disables that behavior and instead uses a single upstream in NGINX, the service's Cluster IP and port. This can be desirable for things like zero-downtime deployments as it reduces the need to reload NGINX configuration when Pods come up and down. See issue <a href="https://github.com/kubernetes/ingress-nginx/issues/257">#257</a>.</p>
<h4 id="known-issues">Known Issues<a class="headerlink" href="#known-issues" title="Permanent link">&para;</a></h4>
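Review bot: the blockquoted note "if an invalid or non-existent secret is given, the NGINX ingress controller will ignore the `secure-backends` annotation" should spell out the consequence: with the annotation ignored, traffic to the upstream goes over plain `http` as described two lines earlier, and nothing in the Ingress object itself signals that the secret was rejected. Suggest saying that explicitly so operators double-check the secret name after applying the annotation. Also, this hunk converts the Important block above into an `admonition` div but leaves this note as a `blockquote`; use the same admonition style for both.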
@ -1995,16 +2033,18 @@ If you want to validate the upstream against a specific certificate, you can cre
<h3 id="redirect-from-to-www">Redirect from to www<a class="headerlink" href="#redirect-from-to-www" title="Permanent link">&para;</a></h3>
<p>In some scenarios is required to redirect from <code class="codehilite">www.domain.com</code> to <code class="codehilite">domain.com</code> or viceversa.
To enable this feature use the annotation <code class="codehilite">nginx.ingress.kubernetes.io/from-to-www-redirect: &quot;true&quot;</code></p>
<p><strong>Important:</strong>
If at some point a new Ingress is created with a host equal to one of the options (like <code class="codehilite">domain.com</code>) the annotation will be omitted.</p>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>If at some point a new Ingress is created with a host equal to one of the options (like <code class="codehilite">domain.com</code>) the annotation will be omitted.</p>
</div>
<h3 id="whitelist-source-range">Whitelist source range<a class="headerlink" href="#whitelist-source-range" title="Permanent link">&para;</a></h3>
<p>You can specify the allowed client IP source ranges through the <code class="codehilite">nginx.ingress.kubernetes.io/whitelist-source-range</code> annotation. The value is a comma separated list of <a href="https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing">CIDRs</a>, e.g. <code class="codehilite">10.0.0.0/24,172.10.0.1</code>.</p>
<p>To configure this setting globally for all Ingress rules, the <code class="codehilite">whitelist-source-range</code> value may be set in the NGINX ConfigMap.</p>
<p><em>Note:</em> Adding an annotation to an Ingress rule overrides any global restriction.</p>
<p><strong>Note:</strong> Adding an annotation to an Ingress rule overrides any global restriction.</p>
<h3 id="cookie-affinity">Cookie affinity<a class="headerlink" href="#cookie-affinity" title="Permanent link">&para;</a></h3>
<p>If you use the <code class="codehilite">cookie</code> type you can also specify the name of the cookie that will be used to route the requests with the annotation <code class="codehilite">nginx.ingress.kubernetes.io/session-cookie-name</code>. The default is to create a cookie named 'INGRESSCOOKIE'.</p>
<p>In case of NGINX the annotation <code class="codehilite">nginx.ingress.kubernetes.io/session-cookie-hash</code> defines which algorithm will be used to 'hash' the used upstream. Default value is <code class="codehilite">md5</code> and possible values are <code class="codehilite">md5</code>, <code class="codehilite">sha1</code> and <code class="codehilite">index</code>.
The <code class="codehilite">index</code> option is not hashed, an in-memory index is used instead, it's quicker and the overhead is shorter Warning: the matching against upstream servers list is inconsistent. So, at reload, if upstreams servers has changed, index values are not guaranteed to correspond to the same server as before! USE IT WITH CAUTION and only if you need to!</p>
The <code class="codehilite">index</code> option is not hashed, an in-memory index is used instead, it's quicker and the overhead is shorter Warning: the matching against upstream servers list is inconsistent. So, at reload, if upstreams servers has changed, index values are not guaranteed to correspond to the same server as before! <strong>USE IT WITH CAUTION</strong> and only if you need to!</p>
<p>In NGINX this feature is implemented by the third party module <a href="https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng">nginx-sticky-module-ng</a>. The workflow used to define which upstream server will be used is explained <a href="https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng/raw/08a395c66e425540982c00482f55034e1fee67b6/docs/sticky.pdf">here</a></p>
<h3 id="custom-timeouts">Custom timeouts<a class="headerlink" href="#custom-timeouts" title="Permanent link">&para;</a></h3>
<p>Using the configuration configmap it is possible to set the default global timeout for connections to the upstream servers.
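Review bot: the heading `Redirect from to www` is missing its object; it should read something like "Redirect from www to non-www (or vice versa)" to match the body. In the same paragraph, "In some scenarios is required to redirect" needs "it" ("In some scenarios it is required"), and "viceversa" is two words. In the session-cookie-hash paragraph, "the overhead is shorter Warning: the matching against upstream servers list is inconsistent" has no sentence break before "Warning"; given that the `index` caveat is about sessions silently landing on a different upstream after a reload, it deserves its own sentence or the admonition style this hunk introduces.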
@ -2058,6 +2098,12 @@ To use custom values in an Ingress rule define these annotation:</p>
</pre></div>
<h3 id="enable-rewrite-log">Enable Rewrite Log<a class="headerlink" href="#enable-rewrite-log" title="Permanent link">&para;</a></h3>
<p>In some scenarios it could be required to enable NGINX rewrite logs. Note that rewrite logs are sent to the error_log file at the notice level. To enable this feature use the annotation:</p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/enable-rewrite-log</span><span class="p p-Indicator">:</span> <span class="s">&quot;true&quot;</span>
</pre></div>
<h3 id="lua-resty-waf">Lua Resty WAF<a class="headerlink" href="#lua-resty-waf" title="Permanent link">&para;</a></h3>
<p>Using <code class="codehilite">lua-resty-waf-*</code> annotations we can enable and control <a href="https://github.com/p0pr0ck5/lua-resty-waf">lua-resty-waf</a> per location.
Following configuration will enable WAF for the paths defined in the corresponding ingress:</p>
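Review bot: the new enable-rewrite-log section says rewrite logs are sent to the error_log at the `notice` level but does not say that the controller's `error-log-level` setting (documented further down in this commit) must be `notice` or more verbose for those lines to appear; a reader who has raised the level to `warn` or `error` will enable the annotation and see nothing. Suggest adding one sentence to that effect.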
@ -2068,7 +2114,7 @@ Following configuration will enable WAF for the paths defined in the correspondi
<p>In order to run it in debugging mode you can set <code class="codehilite">nginx.ingress.kubernetes.io/lua-resty-waf-debug</code> to <code class="codehilite">&quot;true&quot;</code> in addition to the above configuration.
The other possible values for <code class="codehilite">nginx.ingress.kubernetes.io/lua-resty-waf</code> are <code class="codehilite">inactive</code> and <code class="codehilite">simulate</code>. In <code class="codehilite">inactive</code> mode WAF won't do anything, whereas
in <code class="codehilite">simulate</code> mode it will log a warning message if there's a matching WAF rule for given request. This is useful to debug a rule and eliminate possible false positives before fully deploying it.</p>
<p><code class="codehilite">lua-resty-waf</code> comes with predefined set of rules(https://github.com/p0pr0ck5/lua-resty-waf/tree/84b4f40362500dd0cb98b9e71b5875cb1a40f1ad/rules) that covers ModSecurity CRS.
<p><code class="codehilite">lua-resty-waf</code> comes with predefined set of rules <a href="https://github.com/p0pr0ck5/lua-resty-waf/tree/84b4f40362500dd0cb98b9e71b5875cb1a40f1ad/rules">https://github.com/p0pr0ck5/lua-resty-waf/tree/84b4f40362500dd0cb98b9e71b5875cb1a40f1ad/rules</a> that covers ModSecurity CRS.
You can use <code class="codehilite">nginx.ingress.kubernetes.io/lua-resty-waf-ignore-rulesets</code> to ignore subset of those rulesets. For an example:</p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/lua-resty-waf-ignore-rulesets</span><span class="p p-Indicator">:</span> <span class="s">&quot;41000_sqli,</span><span class="nv"> </span><span class="s">42000_xss&quot;</span>
</pre></div>
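Review bot: "comes with predefined set of rules ... that covers ModSecurity CRS" should read "comes with a predefined set of rules ... that cover the ModSecurity CRS", and "For an example:" should be "For example:". The new line uses the long commit-pinned URL as its own link text; use "rules" or "rule sets" as the text and keep the URL in `href`. Finally, the sample value `"41000_sqli, 42000_xss"` disables the SQLi and XSS rule sets, which are the ones most operators want active; if the value is only meant to illustrate the syntax, say so, since readers copy such examples verbatim.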
@ -2081,7 +2127,7 @@ configure a WAF rule to deny requests with query string value that contains word
</pre></div>
<p>For details on how to write WAF rules, please refer to https://github.com/p0pr0ck5/lua-resty-waf.</p>
<p>For details on how to write WAF rules, please refer to <a href="https://github.com/p0pr0ck5/lua-resty-waf">https://github.com/p0pr0ck5/lua-resty-waf</a>.</p>


@ -2631,11 +2631,13 @@ you can add key-value pairs to the data section of the config-map. For Example:<
</pre></div>
<p><strong>IMPORTANT:</strong></p>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>The key and values in a ConfigMap can only be strings.
This means that we want a value with boolean values we need to quote the values, like "true" or "false".
Same for numbers, like "100".</p>
<p>"Slice" types (defined below as <code class="codehilite">[]string</code> or <code class="codehilite">[]int</code> can be provided as a comma-delimited string.</p>
</div>
<h2 id="configuration-options">Configuration options<a class="headerlink" href="#configuration-options" title="Permanent link">&para;</a></h2>
<p>The following table shows a configuration option's name, type, and the default value:</p>
<table>
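Review bot: two defects are carried over into the new admonition: "This means that we want a value with boolean values we need to quote the values" is missing "if" ("This means that if we want ..."), and `"Slice" types (defined below as <code>[]string</code> or <code>[]int</code> can be provided as a comma-delimited string.` never closes its parenthesis; add ")" after `[]int`.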
@ -3217,12 +3219,12 @@ Same for numbers, like "100".</p>
<h2 id="add-headers">add-headers<a class="headerlink" href="#add-headers" title="Permanent link">&para;</a></h2>
<p>Sets custom headers from named configmap before sending traffic to the client. See <a href="#proxy-set-headers">proxy-set-headers</a>. <a href="https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/customization/custom-headers">example</a></p>
<h2 id="allow-backend-server-header">allow-backend-server-header<a class="headerlink" href="#allow-backend-server-header" title="Permanent link">&para;</a></h2>
<p>Enables the return of the header Server from the backend instead of the generic nginx string. By default this is disabled.</p>
<p>Enables the return of the header Server from the backend instead of the generic nginx string. <em><strong>default:</strong></em> is disabled</p>
<h2 id="hide-headers">hide-headers<a class="headerlink" href="#hide-headers" title="Permanent link">&para;</a></h2>
<p>Sets additional header that will not be passed from the upstream server to the client response.
Default: empty</p>
<em><strong>default:</strong></em> empty</p>
<p><em>References:</em>
- http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header</p>
<a href="http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header">http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header</a></p>
<h2 id="access-log-path">access-log-path<a class="headerlink" href="#access-log-path" title="Permanent link">&para;</a></h2>
<p>Access log path. Goes to <code class="codehilite">/var/log/nginx/access.log</code> by default.</p>
<p><strong>Note:</strong> the file <code class="codehilite">/var/log/nginx/access.log</code> is a symlink to <code class="codehilite">/dev/stdout</code></p>
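Review bot: the new default marker reads as a sentence fragment, `<em><strong>default:</strong></em> is disabled` renders as "default: is disabled"; drop "is" ("default: disabled", or "default: \"false\"" to match the values the ConfigMap accepts) here and in the other sections this commit converts. In hide-headers, "Sets additional header that will not be passed" should be "Sets additional headers that will not be passed". For allow-backend-server-header, consider one sentence explaining that passing the backend's Server header through reveals the upstream server software to clients, so readers understand why the default is the conservative one.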
@ -3230,77 +3232,81 @@ Default: empty</p>
<p>Error log path. Goes to <code class="codehilite">/var/log/nginx/error.log</code> by default.</p>
<p><strong>Note:</strong> the file <code class="codehilite">/var/log/nginx/error.log</code> is a symlink to <code class="codehilite">/dev/stderr</code></p>
<p><em>References:</em>
- http://nginx.org/en/docs/ngx_core_module.html#error_log</p>
<a href="http://nginx.org/en/docs/ngx_core_module.html#error_log">http://nginx.org/en/docs/ngx_core_module.html#error_log</a></p>
<h2 id="enable-dynamic-tls-records">enable-dynamic-tls-records<a class="headerlink" href="#enable-dynamic-tls-records" title="Permanent link">&para;</a></h2>
<p>Enables dynamically sized TLS records to improve time-to-first-byte. By default this is enabled. See <a href="https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency">CloudFlare's blog</a> for more information.</p>
<p>Enables dynamically sized TLS records to improve time-to-first-byte. <em><strong>default:</strong></em> is enabled</p>
<p><em>References:</em>
<a href="https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency">https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency</a></p>
<h2 id="enable-modsecurity">enable-modsecurity<a class="headerlink" href="#enable-modsecurity" title="Permanent link">&para;</a></h2>
<p>Enables the modsecurity module for NGINX. By default this is disabled.</p>
<p>Enables the modsecurity module for NGINX. <em><strong>default:</strong></em> is disabled</p>
<h2 id="enable-owasp-modsecurity-crs">enable-owasp-modsecurity-crs<a class="headerlink" href="#enable-owasp-modsecurity-crs" title="Permanent link">&para;</a></h2>
<p>Enables the OWASP ModSecurity Core Rule Set (CRS). By default this is disabled.</p>
<p>Enables the OWASP ModSecurity Core Rule Set (CRS). <em><strong>default:</strong></em> is disabled</p>
<h2 id="client-header-buffer-size">client-header-buffer-size<a class="headerlink" href="#client-header-buffer-size" title="Permanent link">&para;</a></h2>
<p>Allows to configure a custom buffer size for reading client request header.</p>
<p><em>References:</em>
- http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size</p>
<a href="http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size">http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size</a></p>
<h2 id="client-header-timeout">client-header-timeout<a class="headerlink" href="#client-header-timeout" title="Permanent link">&para;</a></h2>
<p>Defines a timeout for reading client request header, in seconds.</p>
<p><em>References:</em>
- http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_timeout</p>
<a href="http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_timeout">http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_timeout</a></p>
<h2 id="client-body-buffer-size">client-body-buffer-size<a class="headerlink" href="#client-body-buffer-size" title="Permanent link">&para;</a></h2>
<p>Sets buffer size for reading client request body.</p>
<p><em>References:</em>
- http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size</p>
<a href="http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size">http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size</a></p>
<h2 id="client-body-timeout">client-body-timeout<a class="headerlink" href="#client-body-timeout" title="Permanent link">&para;</a></h2>
<p>Defines a timeout for reading client request body, in seconds.</p>
<p><em>References:</em>
- http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_timeout</p>
<a href="http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_timeout">http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_timeout</a></p>
<h2 id="disable-access-log">disable-access-log<a class="headerlink" href="#disable-access-log" title="Permanent link">&para;</a></h2>
<p>Disables the Access Log from the entire Ingress Controller. This is '"false"' by default.</p>
<p>Disables the Access Log from the entire Ingress Controller. <em><strong>default:</strong></em> '"false"'</p>
<p><em>References:</em>
- http://nginx.org/en/docs/http/ngx_http_log_module.html#access_log</p>
<a href="http://nginx.org/en/docs/http/ngx_http_log_module.html#access_log">http://nginx.org/en/docs/http/ngx_http_log_module.html#access_log</a></p>
<h2 id="disable-ipv6">disable-ipv6<a class="headerlink" href="#disable-ipv6" title="Permanent link">&para;</a></h2>
<p>Disable listening on IPV6. By default this is disabled.</p>
<p>Disable listening on IPV6. <em><strong>default:</strong></em> is disabled</p>
<h2 id="disable-ipv6-dns">disable-ipv6-dns<a class="headerlink" href="#disable-ipv6-dns" title="Permanent link">&para;</a></h2>
<p>Disable IPV6 for nginx DNS resolver. By default this is disabled.</p>
<p>Disable IPV6 for nginx DNS resolver. <em><strong>default:</strong></em> is disabled</p>
<h2 id="enable-underscores-in-headers">enable-underscores-in-headers<a class="headerlink" href="#enable-underscores-in-headers" title="Permanent link">&para;</a></h2>
<p>Enables underscores in header names. By default this is disabled.</p>
<p>Enables underscores in header names. <em><strong>default:</strong></em> is disabled</p>
<h2 id="ignore-invalid-headers">ignore-invalid-headers<a class="headerlink" href="#ignore-invalid-headers" title="Permanent link">&para;</a></h2>
<p>Set if header fields with invalid names should be ignored.
By default this is enabled.</p>
<em><strong>default:</strong></em> is enabled</p>
<h2 id="enable-vts-status">enable-vts-status<a class="headerlink" href="#enable-vts-status" title="Permanent link">&para;</a></h2>
<p>Allows the replacement of the default status page with a third party module named <a href="https://github.com/vozlt/nginx-module-vts">nginx-module-vts</a>.
By default this is disabled.</p>
<em><strong>default:</strong></em> is disabled</p>
<h2 id="vts-status-zone-size">vts-status-zone-size<a class="headerlink" href="#vts-status-zone-size" title="Permanent link">&para;</a></h2>
<p>Vts config on http level sets parameters for a shared memory zone that will keep states for various keys. The cache is shared between all worker processes. Default value is 10m</p>
<p>Vts config on http level sets parameters for a shared memory zone that will keep states for various keys. The cache is shared between all worker processes. <em><strong>default:</strong></em> 10m</p>
<p><em>References:</em>
- https://github.com/vozlt/nginx-module-vts#vhost_traffic_status_zone</p>
<a href="https://github.com/vozlt/nginx-module-vts#vhost_traffic_status_zone">https://github.com/vozlt/nginx-module-vts#vhost_traffic_status_zone</a></p>
<h2 id="vts-default-filter-key">vts-default-filter-key<a class="headerlink" href="#vts-default-filter-key" title="Permanent link">&para;</a></h2>
<p>Vts config on http level enables the keys by user defined variable. The key is a key string to calculate traffic. The name is a group string to calculate traffic. The key and name can contain variables such as $host, $server_name. The name's group belongs to filterZones if specified. The key's group belongs to serverZones if not specified second argument name. Default value is $geoip_country_code country::*</p>
<p>Vts config on http level enables the keys by user defined variable. The key is a key string to calculate traffic. The name is a group string to calculate traffic. The key and name can contain variables such as $host, $server_name. The name's group belongs to filterZones if specified. The key's group belongs to serverZones if not specified second argument name. <em><strong>default:</strong></em> $geoip_country_code country::*</p>
<p><em>References:</em>
- https://github.com/vozlt/nginx-module-vts#vhost_traffic_status_filter_by_set_key</p>
<a href="https://github.com/vozlt/nginx-module-vts#vhost_traffic_status_filter_by_set_key">https://github.com/vozlt/nginx-module-vts#vhost_traffic_status_filter_by_set_key</a></p>
<h2 id="vts-sum-key">vts-sum-key<a class="headerlink" href="#vts-sum-key" title="Permanent link">&para;</a></h2>
<p>For metrics keyed (or when using Prometheus, labeled) by server zone, this value is used to indicate metrics for all server zones combined. Default value is *</p>
<p>For metrics keyed (or when using Prometheus, labeled) by server zone, this value is used to indicate metrics for all server zones combined. <em><strong>default:</strong></em> *</p>
<p><em>References:</em>
- https://github.com/vozlt/nginx-module-vts#vhost_traffic_status_display_sum_key</p>
<a href="https://github.com/vozlt/nginx-module-vts#vhost_traffic_status_display_sum_key">https://github.com/vozlt/nginx-module-vts#vhost_traffic_status_display_sum_key</a></p>
<h2 id="retry-non-idempotent">retry-non-idempotent<a class="headerlink" href="#retry-non-idempotent" title="Permanent link">&para;</a></h2>
<p>Since 1.9.13 NGINX will not retry non-idempotent requests (POST, LOCK, PATCH) in case of an error in the upstream server. The previous behavior can be restored using the value "true".</p>
<h2 id="error-log-level">error-log-level<a class="headerlink" href="#error-log-level" title="Permanent link">&para;</a></h2>
<p>Configures the logging level of errors. Log levels above are listed in the order of increasing severity.</p>
<p><em>References:</em>
- http://nginx.org/en/docs/ngx_core_module.html#error_log</p>
<a href="http://nginx.org/en/docs/ngx_core_module.html#error_log">http://nginx.org/en/docs/ngx_core_module.html#error_log</a></p>
<h2 id="http2-max-field-size">http2-max-field-size<a class="headerlink" href="#http2-max-field-size" title="Permanent link">&para;</a></h2>
<p>Limits the maximum size of an HPACK-compressed request header field.</p>
<p><em>References:</em>
- https://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_field_size</p>
<a href="https://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_field_size">https://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_field_size</a></p>
<h2 id="http2-max-header-size">http2-max-header-size<a class="headerlink" href="#http2-max-header-size" title="Permanent link">&para;</a></h2>
<p>Limits the maximum size of the entire request header list after HPACK decompression.</p>
<p><em>References:</em>
- https://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_header_size</p>
<a href="https://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_header_size">https://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_header_size</a></p>
<h2 id="hsts">hsts<a class="headerlink" href="#hsts" title="Permanent link">&para;</a></h2>
<p>Enables or disables the header HSTS in servers running SSL.
HTTP Strict Transport Security (often abbreviated as HSTS) is a security feature (HTTP header) that tell browsers that it should only be communicated with using HTTPS, instead of using HTTP. It provides protection against protocol downgrade attacks and cookie theft.</p>
<p><em>References:</em>
- https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
- https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-strict-transport-security-implementation-on-your-web-server</p>
<p><em>References:</em></p>
<ul>
<li><a href="https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security">https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security</a></li>
<li><a href="https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-strict-transport-security-implementation-on-your-web-server">https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-strict-transport-security-implementation-on-your-web-server</a></li>
</ul>
<h2 id="hsts-include-subdomains">hsts-include-subdomains<a class="headerlink" href="#hsts-include-subdomains" title="Permanent link">&para;</a></h2>
<p>Enables or disables the use of HSTS in all the subdomains of the server-name.</p>
<h2 id="hsts-max-age">hsts-max-age<a class="headerlink" href="#hsts-max-age" title="Permanent link">&para;</a></h2>
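Review bot: in disable-access-log the new line `<em><strong>default:</strong></em> '"false"'` double-quotes the value (single quotes around double quotes, inherited from the old line); use "false" only, as the ConfigMap note earlier in this file does. In error-log-level, "Log levels above are listed in the order of increasing severity" refers to a list that does not appear in this section; either list the levels from the nginx error_log documentation linked right below it, or drop the sentence. In hsts, "a security feature (HTTP header) that tell browsers that it should only be communicated with using HTTPS" should be "that tells browsers that the site should only be accessed over HTTPS".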
@ -3310,22 +3316,22 @@ HTTP Strict Transport Security (often abbreviated as HSTS) is a security feature
<h2 id="keep-alive">keep-alive<a class="headerlink" href="#keep-alive" title="Permanent link">&para;</a></h2>
<p>Sets the time during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections.</p>
<p><em>References:</em>
- http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout</p>
<a href="http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout">http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout</a></p>
<h2 id="keep-alive-requests">keep-alive-requests<a class="headerlink" href="#keep-alive-requests" title="Permanent link">&para;</a></h2>
<p>Sets the maximum number of requests that can be served through one keep-alive connection.</p>
<p><em>References:</em>
- http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_requests</p>
<a href="http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_requests">http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_requests</a></p>
<h2 id="large-client-header-buffers">large-client-header-buffers<a class="headerlink" href="#large-client-header-buffers" title="Permanent link">&para;</a></h2>
<p>Sets the maximum number and size of buffers used for reading large client request header. Default: 4 8k.</p>
<p>Sets the maximum number and size of buffers used for reading large client request header. <em><strong>default:</strong></em> 4 8k</p>
<p><em>References:</em>
- http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers</p>
<a href="http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers">http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers</a></p>
<h2 id="log-format-escape-json">log-format-escape-json<a class="headerlink" href="#log-format-escape-json" title="Permanent link">&para;</a></h2>
<p>Sets if the escape parameter allows JSON ("true") or default characters escaping in variables ("false") Sets the nginx <a href="http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format">log format</a>.</p>
<h2 id="log-format-upstream">log-format-upstream<a class="headerlink" href="#log-format-upstream" title="Permanent link">&para;</a></h2>
<p>Sets the nginx <a href="http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format">log format</a>.
Example for json output:</p>
<p><code class="codehilite">consolelog-format-upstream: &#39;{ &quot;time&quot;: &quot;$time_iso8601&quot;, &quot;remote_addr&quot;: &quot;$proxy_protocol_addr&quot;,&quot;x-forward-for&quot;: &quot;$proxy_add_x_forwarded_for&quot;, &quot;request_id&quot;: &quot;$req_id&quot;, &quot;remote_user&quot;:&quot;$remote_user&quot;, &quot;bytes_sent&quot;: $bytes_sent, &quot;request_time&quot;: $request_time, &quot;status&quot;:$status, &quot;vhost&quot;: &quot;$host&quot;, &quot;request_proto&quot;: &quot;$server_protocol&quot;, &quot;path&quot;: &quot;$uri&quot;,&quot;request_query&quot;: &quot;$args&quot;, &quot;request_length&quot;: $request_length, &quot;duration&quot;: $request_time,&quot;method&quot;: &quot;$request_method&quot;, &quot;http_referrer&quot;: &quot;$http_referer&quot;, &quot;http_user_agent&quot;:&quot;$http_user_agent&quot; }&#39;</code></p>
<p>Please check <a href="../log-format/">log-format</a> for definition of each field.</p>
<p>Please check the <a href="../log-format/">log-format</a> for definition of each field.</p>
<h2 id="log-format-stream">log-format-stream<a class="headerlink" href="#log-format-stream" title="Permanent link">&para;</a></h2>
<p>Sets the nginx <a href="https://nginx.org/en/docs/stream/ngx_stream_log_module.html#log_format">stream format</a>.</p>
<h2 id="max-worker-connections">max-worker-connections<a class="headerlink" href="#max-worker-connections" title="Permanent link">&para;</a></h2>
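Review bot: the example key in `<code class="codehilite">consolelog-format-upstream: '{ "time": "$time_iso8601", ...` has the code-fence language tag `console` fused onto the ConfigMap key; the key is `log-format-upstream`, and a reader copying the line as shown gets a key the controller does not recognise. Render it as a proper fenced block rather than inline code so the tag is not swallowed. Also, log-format-escape-json runs two sentences together, `Sets if the escape parameter allows JSON ("true") or default characters escaping in variables ("false") Sets the nginx log format.`; the second clause duplicates the log-format-upstream description and should be removed or separated.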
@ -3339,24 +3345,30 @@ Example for json output:</p>
<h2 id="server-name-hash-max-size">server-name-hash-max-size<a class="headerlink" href="#server-name-hash-max-size" title="Permanent link">&para;</a></h2>
<p>Sets the maximum size of the <a href="http://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_max_size">server names hash tables</a> used in server names,map directives values, MIME types, names of request header strings, etc.</p>
<p><em>References:</em>
- http://nginx.org/en/docs/hash.html</p>
<a href="http://nginx.org/en/docs/hash.html">http://nginx.org/en/docs/hash.html</a></p>
<h2 id="server-name-hash-bucket-size">server-name-hash-bucket-size<a class="headerlink" href="#server-name-hash-bucket-size" title="Permanent link">&para;</a></h2>
<p>Sets the size of the bucket for the server names hash tables.</p>
<p><em>References:</em>
- http://nginx.org/en/docs/hash.html
- http://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_bucket_size</p>
<p><em>References:</em></p>
<ul>
<li><a href="http://nginx.org/en/docs/hash.html">http://nginx.org/en/docs/hash.html</a></li>
<li><a href="http://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_bucket_size">http://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_bucket_size</a></li>
</ul>
<h2 id="proxy-headers-hash-max-size">proxy-headers-hash-max-size<a class="headerlink" href="#proxy-headers-hash-max-size" title="Permanent link">&para;</a></h2>
<p>Sets the maximum size of the proxy headers hash tables.</p>
<p><em>References:</em>
- http://nginx.org/en/docs/hash.html
- https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_headers_hash_max_size</p>
<p><em>References:</em></p>
<ul>
<li><a href="http://nginx.org/en/docs/hash.html">http://nginx.org/en/docs/hash.html</a></li>
<li><a href="https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_headers_hash_max_size">https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_headers_hash_max_size</a></li>
</ul>
<h2 id="proxy-headers-hash-bucket-size">proxy-headers-hash-bucket-size<a class="headerlink" href="#proxy-headers-hash-bucket-size" title="Permanent link">&para;</a></h2>
<p>Sets the size of the bucket for the proxy headers hash tables.</p>
<p><em>References:</em>
- http://nginx.org/en/docs/hash.html
- https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_headers_hash_bucket_size</p>
<p><em>References:</em></p>
<ul>
<li><a href="http://nginx.org/en/docs/hash.html">http://nginx.org/en/docs/hash.html</a></li>
<li><a href="https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_headers_hash_bucket_size">https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_headers_hash_bucket_size</a></li>
</ul>
<h2 id="server-tokens">server-tokens<a class="headerlink" href="#server-tokens" title="Permanent link">&para;</a></h2>
<p>Send NGINX Server header in responses and display NGINX version in error pages. By default this is enabled.</p>
<p>Send NGINX Server header in responses and display NGINX version in error pages. <em><strong>default:</strong></em> is enabled</p>
<h2 id="ssl-ciphers">ssl-ciphers<a class="headerlink" href="#ssl-ciphers" title="Permanent link">&para;</a></h2>
<p>Sets the <a href="http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers">ciphers</a> list to enable. The ciphers are specified in the format understood by the OpenSSL library.</p>
<p>The default cipher list is:
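Review bot: the reference lists in this hunk are converted inconsistently: a single reference (server-name-hash-max-size) becomes a bare link inside the same paragraph as the italic "References:" label, while two or more references (server-name-hash-bucket-size, proxy-headers-hash-max-size, proxy-headers-hash-bucket-size) become a <ul>. Use the <ul> form for all of them so the rendered entries line up. In the server-tokens entry, "default: is enabled" should follow the "default: true" form this change uses elsewhere, and the entry would benefit from one sentence saying that setting it to "false" suppresses the Server header and the version string in error pages, since with the default every response and error page discloses the running NGINX version. The unchanged context line "server names,map directives values" is also missing a space after the comma.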
@ -3366,13 +3378,15 @@ Example for json output:</p>
<h2 id="ssl-ecdh-curve">ssl-ecdh-curve<a class="headerlink" href="#ssl-ecdh-curve" title="Permanent link">&para;</a></h2>
<p>Specifies a curve for ECDHE ciphers.</p>
<p><em>References:</em>
- http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ecdh_curve</p>
<a href="http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ecdh_curve">http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ecdh_curve</a></p>
<h2 id="ssl-dh-param">ssl-dh-param<a class="headerlink" href="#ssl-dh-param" title="Permanent link">&para;</a></h2>
<p>Sets the name of the secret that contains Diffie-Hellman key to help with "Perfect Forward Secrecy".</p>
<p><em>References:</em>
- https://wiki.openssl.org/index.php/Diffie-Hellman_parameters
- https://wiki.mozilla.org/Security/Server_Side_TLS#DHE_handshake_and_dhparam
- http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam</p>
<p><em>References:</em></p>
<ul>
<li><a href="https://wiki.openssl.org/index.php/Diffie-Hellman_parameters">https://wiki.openssl.org/index.php/Diffie-Hellman_parameters</a></li>
<li><a href="https://wiki.mozilla.org/Security/Server_Side_TLS#DHE_handshake_and_dhparam">https://wiki.mozilla.org/Security/Server_Side_TLS#DHE_handshake_and_dhparam</a></li>
<li><a href="http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam">http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam</a></li>
</ul>
<h2 id="ssl-protocols">ssl-protocols<a class="headerlink" href="#ssl-protocols" title="Permanent link">&para;</a></h2>
<p>Sets the <a href="http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols">SSL protocols</a> to use. The default is: <code class="codehilite">TLSv1.2</code>.</p>
<p>Please check the result of the configuration using <code class="codehilite">https://ssllabs.com/ssltest/analyze.html</code> or <code class="codehilite">https://testssl.sh</code>.</p>
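Review bot: the ssl-dh-param description still says the secret "contains Diffie-Hellman key", but what ssl_dhparam consumes, and what the three newly linked references describe, is a DH parameter file, not a key; say "contains the Diffie-Hellman parameters (dhparam)". The ssl-protocols entry quotes the two test URLs as inline code, which is inconsistent with the link conversion this change performs for every other URL in the file; make them links, and since ssllabs.com only tests publicly reachable hosts, note that testssl.sh is the option for internal ingress endpoints.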
@ -3390,7 +3404,7 @@ Example for json output:</p>
<h2 id="ssl-buffer-size">ssl-buffer-size<a class="headerlink" href="#ssl-buffer-size" title="Permanent link">&para;</a></h2>
<p>Sets the size of the <a href="http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size">SSL buffer</a> used for sending data. The default of 4k helps NGINX to improve TLS Time To First Byte (TTTFB).</p>
<p><em>References:</em>
- https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/</p>
<a href="https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/">https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/</a></p>
<h2 id="use-proxy-protocol">use-proxy-protocol<a class="headerlink" href="#use-proxy-protocol" title="Permanent link">&para;</a></h2>
<p>Enables or disables the <a href="https://www.nginx.com/resources/admin-guide/proxy-protocol/">PROXY protocol</a> to receive client connection (real IP address) information passed through proxy servers and load balancers such as HAProxy and Amazon Elastic Load Balancer (ELB).</p>
<h2 id="use-gzip">use-gzip<a class="headerlink" href="#use-gzip" title="Permanent link">&para;</a></h2>
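Review bot: the use-proxy-protocol entry describes what the PROXY protocol delivers but not the two conditions under which enabling it is safe: the controller must only be reachable through the load balancer that adds the PROXY header, because the client address it reports is taken on trust from whoever opened the connection, and once enabled NGINX rejects connections that do not start with the PROXY header, so enabling it with plain TCP arriving directly breaks those clients. One sentence on each would make this entry the place operators learn it rather than their access logs.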
@ -3398,16 +3412,18 @@ Example for json output:</p>
The default mime type list to compress is: <code class="codehilite">application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component</code>.</p>
<h2 id="use-geoip">use-geoip<a class="headerlink" href="#use-geoip" title="Permanent link">&para;</a></h2>
<p>Enables or disables <a href="http://nginx.org/en/docs/http/ngx_http_geoip_module.html">"geoip" module</a> that creates variables with values depending on the client IP address, using the precompiled MaxMind databases.
The default value is true.</p>
<em><strong>default:</strong></em> true</p>
<h2 id="enable-brotli">enable-brotli<a class="headerlink" href="#enable-brotli" title="Permanent link">&para;</a></h2>
<p>Enables or disables compression of HTTP responses using the <a href="https://github.com/google/ngx_brotli">"brotli" module</a>.
The default mime type list to compress is: <code class="codehilite">application/xml+rss application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component</code>. This is <em>disabled</em> by default.</p>
<p><em>Note:</em> Brotli does not works in Safari &lt; 11 https://caniuse.com/#feat=brotli</p>
The default mime type list to compress is: <code class="codehilite">application/xml+rss application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component</code>. <em><strong>default:</strong></em> is disabled</p>
<blockquote>
<p><strong>Note:</strong> Brotli does not works in Safari &lt; 11. For more information see <a href="https://caniuse.com/#feat=brotli">https://caniuse.com/#feat=brotli</a></p>
</blockquote>
<h2 id="brotli-level">brotli-level<a class="headerlink" href="#brotli-level" title="Permanent link">&para;</a></h2>
<p>Sets the Brotli Compression Level that will be used. <em>Defaults to</em> 4.</p>
<p>Sets the Brotli Compression Level that will be used. <em><strong>default:</strong></em> 4</p>
<h2 id="brotli-types">brotli-types<a class="headerlink" href="#brotli-types" title="Permanent link">&para;</a></h2>
<p>Sets the MIME Types that will be compressed on-the-fly by brotli.
<em>Defaults to</em> <code class="codehilite">application/xml+rss application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component</code>.</p>
<em><strong>default:</strong></em> <code class="codehilite">application/xml+rss application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component</code></p>
<h2 id="use-http2">use-http2<a class="headerlink" href="#use-http2" title="Permanent link">&para;</a></h2>
<p>Enables or disables <a href="http://nginx.org/en/docs/http/ngx_http_v2_module.html">HTTP/2</a> support in secure connections.</p>
<h2 id="gzip-types">gzip-types<a class="headerlink" href="#gzip-types" title="Permanent link">&para;</a></h2>
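Review bot: the rewritten Brotli note keeps the grammar slip: "Brotli does not works in Safari < 11" should read "does not work". Two style points in the same hunk: the identical MIME list is now spelled out twice, once under enable-brotli and again as the brotli-types default, so one of them can simply refer to the other; and "default: is disabled" (enable-brotli) versus "default: true" (use-geoip) mixes two phrasings for boolean defaults within a few lines of each other.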
@ -3424,7 +3440,7 @@ By default worker processes are not bound to any specific CPUs. The value can be
<li>auto: binding worker processes automatically to available CPUs.</li>
</ul>
<h2 id="worker-shutdown-timeout">worker-shutdown-timeout<a class="headerlink" href="#worker-shutdown-timeout" title="Permanent link">&para;</a></h2>
<p>Sets a timeout for Nginx to <a href="http://nginx.org/en/docs/ngx_core_module.html#worker_shutdown_timeout">wait for worker to gracefully shutdown</a>. The default is "10s".</p>
<p>Sets a timeout for Nginx to <a href="http://nginx.org/en/docs/ngx_core_module.html#worker_shutdown_timeout">wait for worker to gracefully shutdown</a>. <em><strong>default:</strong></em> "10s"</p>
<h2 id="load-balance">load-balance<a class="headerlink" href="#load-balance" title="Permanent link">&para;</a></h2>
<p>Sets the algorithm to use for load balancing.
The value can either be:</p>
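Review bot: the quoting of default values is inconsistent: "10s" for worker-shutdown-timeout is quoted, 4 for brotli-level is not, and boolean defaults appear both as true (use-geoip) and as "true" (ssl-redirect) in this same file. Since all of these end up as string values in the ConfigMap, either quote every default or none of them.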
@ -3436,70 +3452,70 @@ The value can either be:</p>
</ul>
<p>The default is least_conn.</p>
<p><em>References:</em>
- http://nginx.org/en/docs/http/load_balancing.html.</p>
<a href="http://nginx.org/en/docs/http/load_balancing.html">http://nginx.org/en/docs/http/load_balancing.html</a></p>
<h2 id="variables-hash-bucket-size">variables-hash-bucket-size<a class="headerlink" href="#variables-hash-bucket-size" title="Permanent link">&para;</a></h2>
<p>Sets the bucket size for the variables hash table.</p>
<p><em>References:</em>
- http://nginx.org/en/docs/http/ngx_http_map_module.html#variables_hash_bucket_size</p>
<a href="http://nginx.org/en/docs/http/ngx_http_map_module.html#variables_hash_bucket_size">http://nginx.org/en/docs/http/ngx_http_map_module.html#variables_hash_bucket_size</a></p>
<h2 id="variables-hash-max-size">variables-hash-max-size<a class="headerlink" href="#variables-hash-max-size" title="Permanent link">&para;</a></h2>
<p>Sets the maximum size of the variables hash table.</p>
<p><em>References:</em>
- http://nginx.org/en/docs/http/ngx_http_map_module.html#variables_hash_max_size</p>
<a href="http://nginx.org/en/docs/http/ngx_http_map_module.html#variables_hash_max_size">http://nginx.org/en/docs/http/ngx_http_map_module.html#variables_hash_max_size</a></p>
<h2 id="upstream-keepalive-connections">upstream-keepalive-connections<a class="headerlink" href="#upstream-keepalive-connections" title="Permanent link">&para;</a></h2>
<p>Activates the cache for connections to upstream servers. The connections parameter sets the maximum number of idle keepalive connections to upstream servers that are preserved in the cache of each worker process. When this
number is exceeded, the least recently used connections are closed. Default: 32</p>
number is exceeded, the least recently used connections are closed. <em><strong>default:</strong></em> 32</p>
<p><em>References:</em>
- http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive</p>
<a href="http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive">http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive</a></p>
<h2 id="limit-conn-zone-variable">limit-conn-zone-variable<a class="headerlink" href="#limit-conn-zone-variable" title="Permanent link">&para;</a></h2>
<p>Sets parameters for a shared memory zone that will keep states for various keys of <a href="http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn_zone">limit_conn_zone</a>. The default of "$binary_remote_addr" variables size is always 4 bytes for IPv4 addresses or 16 bytes for IPv6 addresses.</p>
<h2 id="proxy-stream-timeout">proxy-stream-timeout<a class="headerlink" href="#proxy-stream-timeout" title="Permanent link">&para;</a></h2>
<p>Sets the timeout between two successive read or write operations on client or proxied server connections. If no data is transmitted within this time, the connection is closed.</p>
<p><em>References:</em>
- http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_timeout</p>
<a href="http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_timeout">http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_timeout</a></p>
<h2 id="proxy-stream-responses">proxy-stream-responses<a class="headerlink" href="#proxy-stream-responses" title="Permanent link">&para;</a></h2>
<p>Sets the number of datagrams expected from the proxied server in response to the client request if the UDP protocol is used.</p>
<p><em>References:</em>
- http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_responses</p>
<a href="http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_responses">http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_responses</a></p>
<h2 id="bind-address-ipv4">bind-address-ipv4<a class="headerlink" href="#bind-address-ipv4" title="Permanent link">&para;</a></h2>
<p>Sets the addresses on which the server will accept requests instead of *. It should be noted that these addresses must exist in the runtime environment or the controller will crash loop.</p>
<h2 id="bind-address-ipv6">bind-address-ipv6<a class="headerlink" href="#bind-address-ipv6" title="Permanent link">&para;</a></h2>
<p>Sets the addresses on which the server will accept requests instead of *. It should be noted that these addresses must exist in the runtime environment or the controller will crash loop.</p>
<h2 id="forwarded-for-header">forwarded-for-header<a class="headerlink" href="#forwarded-for-header" title="Permanent link">&para;</a></h2>
<p>Sets the header field for identifying the originating IP address of a client. Default is X-Forwarded-For</p>
<p>Sets the header field for identifying the originating IP address of a client. <em><strong>default:</strong></em> X-Forwarded-For</p>
<h2 id="compute-full-forwarded-for">compute-full-forwarded-for<a class="headerlink" href="#compute-full-forwarded-for" title="Permanent link">&para;</a></h2>
<p>Append the remote address to the X-Forwarded-For header instead of replacing it. When this option is enabled, the upstream application is responsible for extracting the client IP based on its own list of trusted proxies.</p>
<h2 id="proxy-add-original-uri-header">proxy-add-original-uri-header<a class="headerlink" href="#proxy-add-original-uri-header" title="Permanent link">&para;</a></h2>
<p>Adds an X-Original-Uri header with the original request URI to the backend request</p>
<h2 id="enable-opentracing">enable-opentracing<a class="headerlink" href="#enable-opentracing" title="Permanent link">&para;</a></h2>
<p>Enables the nginx Opentracing extension. By default this is disabled.</p>
<p>Enables the nginx Opentracing extension. <em><strong>default:</strong></em> is disabled</p>
<p><em>References:</em>
- https://github.com/opentracing-contrib/nginx-opentracing</p>
<a href="https://github.com/opentracing-contrib/nginx-opentracing">https://github.com/opentracing-contrib/nginx-opentracing</a></p>
<h2 id="zipkin-collector-host">zipkin-collector-host<a class="headerlink" href="#zipkin-collector-host" title="Permanent link">&para;</a></h2>
<p>Specifies the host to use when uploading traces. It must be a valid URL.</p>
<h2 id="zipkin-collector-port">zipkin-collector-port<a class="headerlink" href="#zipkin-collector-port" title="Permanent link">&para;</a></h2>
<p>Specifies the port to use when uploading traces. Default: 9411</p>
<p>Specifies the port to use when uploading traces. <em><strong>default:</strong></em> 9411</p>
<h2 id="zipkin-service-name">zipkin-service-name<a class="headerlink" href="#zipkin-service-name" title="Permanent link">&para;</a></h2>
<p>Specifies the service name to use for any traces created. Default: nginx</p>
<p>Specifies the service name to use for any traces created. <em><strong>default:</strong></em> nginx</p>
<h2 id="jaeger-collector-host">jaeger-collector-host<a class="headerlink" href="#jaeger-collector-host" title="Permanent link">&para;</a></h2>
<p>Specifies the host to use when uploading traces. It must be a valid URL.</p>
<h2 id="jaeger-collector-port">jaeger-collector-port<a class="headerlink" href="#jaeger-collector-port" title="Permanent link">&para;</a></h2>
<p>Specifies the port to use when uploading traces. Default: 6831</p>
<p>Specifies the port to use when uploading traces. <em><strong>default:</strong></em> 6831</p>
<h2 id="jaeger-service-name">jaeger-service-name<a class="headerlink" href="#jaeger-service-name" title="Permanent link">&para;</a></h2>
<p>Specifies the service name to use for any traces created. Default: nginx</p>
<p>Specifies the service name to use for any traces created. <em><strong>default:</strong></em> nginx</p>
<h2 id="jaeger-sampler-type">jaeger-sampler-type<a class="headerlink" href="#jaeger-sampler-type" title="Permanent link">&para;</a></h2>
<p>Specifies the sampler to be used when sampling traces. The available samplers are: const, probabilistic, ratelimiting, remote. Default const.</p>
<p>Specifies the sampler to be used when sampling traces. The available samplers are: const, probabilistic, ratelimiting, remote. <em><strong>default:</strong></em> const</p>
<h2 id="jaeger-sampler-param">jaeger-sampler-param<a class="headerlink" href="#jaeger-sampler-param" title="Permanent link">&para;</a></h2>
<p>Specifies the argument to be passed to the sampler constructor. Must be a number.
For const this should be 0 to never sample and 1 to always sample. Default: 1</p>
For const this should be 0 to never sample and 1 to always sample. <em><strong>default:</strong></em> 1</p>
<h2 id="http-snippet">http-snippet<a class="headerlink" href="#http-snippet" title="Permanent link">&para;</a></h2>
<p>Adds custom configuration to the http section of the nginx configuration.
Default: ""</p>
<em><strong>default:</strong></em> ""</p>
<h2 id="server-snippet">server-snippet<a class="headerlink" href="#server-snippet" title="Permanent link">&para;</a></h2>
<p>Adds custom configuration to all the servers in the nginx configuration.
Default: ""</p>
<em><strong>default:</strong></em> ""</p>
<h2 id="location-snippet">location-snippet<a class="headerlink" href="#location-snippet" title="Permanent link">&para;</a></h2>
<p>Adds custom configuration to all the locations in the nginx configuration.
Default: ""</p>
<em><strong>default:</strong></em> ""</p>
<h2 id="custom-http-errors">custom-http-errors<a class="headerlink" href="#custom-http-errors" title="Permanent link">&para;</a></h2>
<p>Enables which HTTP codes should be passed for processing with the <a href="http://nginx.org/en/docs/http/ngx_http_core_module.html#error_page">error_page directive</a></p>
<p>Setting at least one code also enables <a href="http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_intercept_errors">proxy_intercept_errors</a> which are required to process error_page.</p>
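Review bot: the load-balance entry was skipped by this change and still reads "The default is least_conn." while every neighbouring entry now uses the "default:" form; convert it too. More important for readers: forwarded-for-header now states the default is X-Forwarded-For but says nothing about trust. That header is set by whatever sits in front of the controller, and when nothing trusted does so it is whatever the client chose to send, so the entry should either point at compute-full-forwarded-for (which does say the upstream must apply its own trusted-proxy list) or state plainly that the value is only as trustworthy as the proxy chain that set it. Smaller items: the limit-conn-zone-variable sentence "The default of "$binary_remote_addr" variables size is always 4 bytes" is garbled and should say that the default key is $binary_remote_addr, whose size is 4 bytes for IPv4 and 16 for IPv6; and the bind-address-ipv4 and bind-address-ipv6 descriptions are word-for-word identical, so the IPv6 one should at least say IPv6.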
@ -3524,43 +3540,45 @@ See NGINX <a href="http://nginx.org/en/docs/http/ngx_http_core_module.html#clien
<h2 id="proxy-next-upstream-tries">proxy-next-upstream-tries<a class="headerlink" href="#proxy-next-upstream-tries" title="Permanent link">&para;</a></h2>
<p>Limit the number of <a href="http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_next_upstream_tries">possible tries</a> a request should be passed to the next server.</p>
<h2 id="proxy-redirect-from">proxy-redirect-from<a class="headerlink" href="#proxy-redirect-from" title="Permanent link">&para;</a></h2>
<p>Sets the original text that should be changed in the "Location" and "Refresh" header fields of a proxied server response. Default: off.</p>
<p>Sets the original text that should be changed in the "Location" and "Refresh" header fields of a proxied server response. <em><strong>default:</strong></em> off</p>
<p><em>References:</em>
- http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_redirect</p>
<a href="http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_redirect">http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_redirect</a></p>
<h2 id="proxy-request-buffering">proxy-request-buffering<a class="headerlink" href="#proxy-request-buffering" title="Permanent link">&para;</a></h2>
<p>Enables or disables <a href="http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_request_buffering">buffering of a client request body</a>.</p>
<h2 id="ssl-redirect">ssl-redirect<a class="headerlink" href="#ssl-redirect" title="Permanent link">&para;</a></h2>
<p>Sets the global value of redirects (301) to HTTPS if the server has a TLS certificate (defined in an Ingress rule).
Default is "true".</p>
<em><strong>default:</strong></em> "true"</p>
<h2 id="whitelist-source-range">whitelist-source-range<a class="headerlink" href="#whitelist-source-range" title="Permanent link">&para;</a></h2>
<p>Sets the default whitelisted IPs for each <code class="codehilite">server</code> block. This can be overwritten by an annotation on an Ingress rule.
See <a href="http://nginx.org/en/docs/http/ngx_http_access_module.html">ngx_http_access_module</a>.</p>
<h2 id="skip-access-log-urls">skip-access-log-urls<a class="headerlink" href="#skip-access-log-urls" title="Permanent link">&para;</a></h2>
<p>Sets a list of URLs that should not appear in the NGINX access log. This is useful with urls like <code class="codehilite">/health</code> or <code class="codehilite">health-check</code> that make "complex" reading the logs. By default this list is empty</p>
<p>Sets a list of URLs that should not appear in the NGINX access log. This is useful with urls like <code class="codehilite">/health</code> or <code class="codehilite">health-check</code> that make "complex" reading the logs. <em><strong>default:</strong></em> is empty</p>
<h2 id="limit-rate">limit-rate<a class="headerlink" href="#limit-rate" title="Permanent link">&para;</a></h2>
<p>Limits the rate of response transmission to a client. The rate is specified in bytes per second. The zero value disables rate limiting. The limit is set per a request, and so if a client simultaneously opens two connections, the overall rate will be twice as much as the specified limit.</p>
<p><em>References:</em>
- http://nginx.org/en/docs/http/ngx_http_core_module.html#limit_rate</p>
<a href="http://nginx.org/en/docs/http/ngx_http_core_module.html#limit_rate">http://nginx.org/en/docs/http/ngx_http_core_module.html#limit_rate</a></p>
<h2 id="limit-rate-after">limit-rate-after<a class="headerlink" href="#limit-rate-after" title="Permanent link">&para;</a></h2>
<p>Sets the initial amount after which the further transmission of a response to a client will be rate limited.</p>
<p><em>References:</em>
- http://nginx.org/en/docs/http/ngx_http_core_module.html#limit_rate_after</p>
<a href="http://nginx.org/en/docs/http/ngx_http_core_module.html#limit_rate_after">http://nginx.org/en/docs/http/ngx_http_core_module.html#limit_rate_after</a></p>
<h2 id="http-redirect-code">http-redirect-code<a class="headerlink" href="#http-redirect-code" title="Permanent link">&para;</a></h2>
<p>Sets the HTTP status code to be used in redirects.
Supported codes are <a href="https://developer.mozilla.org/es/docs/Web/HTTP/Status/301">301</a>,<a href="https://developer.mozilla.org/es/docs/Web/HTTP/Status/302">302</a>,<a href="https://developer.mozilla.org/es/docs/Web/HTTP/Status/307">307</a> and <a href="https://developer.mozilla.org/es/docs/Web/HTTP/Status/308">308</a>
Default code is 308.</p>
<p>Why the default code is 308?</p>
<em><strong>default:</strong></em> 308</p>
<blockquote>
<p><strong>Why the default code is 308?</strong></p>
<p><a href="https://tools.ietf.org/html/rfc7238">RFC 7238</a> was created to define the 308 (Permanent Redirect) status code that is similar to 301 (Moved Permanently) but it keeps the payload in the redirect. This is important if the we send a redirect in methods like POST.</p>
</blockquote>
<h2 id="proxy-buffering">proxy-buffering<a class="headerlink" href="#proxy-buffering" title="Permanent link">&para;</a></h2>
<p>Enables or disables <a href="http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffering">buffering of responses from the proxied server</a>.</p>
<h2 id="limit-req-status-code">limit-req-status-code<a class="headerlink" href="#limit-req-status-code" title="Permanent link">&para;</a></h2>
<p>Sets the <a href="http://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_status">status code to return in response to rejected requests</a>.Default: 503</p>
<p>Sets the <a href="http://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_status">status code to return in response to rejected requests</a>. <em><strong>default:</strong></em> 503</p>
<h2 id="no-tls-redirect-locations">no-tls-redirect-locations<a class="headerlink" href="#no-tls-redirect-locations" title="Permanent link">&para;</a></h2>
<p>A comma-separated list of locations on which http requests will never get redirected to their https counterpart.
Default: "/.well-known/acme-challenge"</p>
<em><strong>default:</strong></em> "/.well-known/acme-challenge"</p>
<h2 id="no-auth-locations">no-auth-locations<a class="headerlink" href="#no-auth-locations" title="Permanent link">&para;</a></h2>
<p>A comma-separated list of locations that should not get authenticated.
Default: "/.well-known/acme-challenge"</p>
<em><strong>default:</strong></em> "/.well-known/acme-challenge"</p>
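Review bot: the blockquoted question under http-redirect-code keeps the original word order: "Why the default code is 308?" should be "Why is the default code 308?", and the sentence after it has "if the we send a redirect". The RFC reference is also stale: 308 is now defined by RFC 7538, which obsoleted RFC 7238 in 2015, so link the current document. In skip-access-log-urls the rewritten line still says URLs "that make "complex" reading the logs"; "that clutter the logs" says the same thing. The supported-codes line for http-redirect-code lacks spaces after its commas and a full stop before the default.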

View file

@ -1021,14 +1021,16 @@
<h1 id="modsecurity-web-application-firewall">ModSecurity Web Application Firewall<a class="headerlink" href="#modsecurity-web-application-firewall" title="Permanent link">&para;</a></h1>
<p>ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis - https://www.modsecurity.org</p>
<p>ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis - <a href="https://www.modsecurity.org">https://www.modsecurity.org</a></p>
<p>The <a href="https://github.com/SpiderLabs/ModSecurity-nginx">ModSecurity-nginx</a> connector is the connection point between NGINX and libmodsecurity (ModSecurity v3).</p>
<p>The default ModSecurity configuration file is located in <code class="codehilite">/etc/nginx/modsecurity/modsecurity.conf</code>. This is the only file located in this directory and contains the default recommended configuration. Using a volume we can replace this file with the desired configuration.
To enable the ModSecurity feature we need to specify <code class="codehilite">enable-modsecurity: &quot;true&quot;</code> in the configuration configmap.</p>
<p><strong>NOTE:</strong> the default configuration use detection only, because that minimises the chances of post-installation disruption.
<blockquote>
<p><strong>Note:</strong> the default configuration use detection only, because that minimises the chances of post-installation disruption.
The file <code class="codehilite">/var/log/modsec_audit.log</code> contains the log of ModSecurity.</p>
</blockquote>
<p>The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.
The directory <code class="codehilite">/etc/nginx/owasp-modsecurity-crs</code> contains the https://github.com/SpiderLabs/owasp-modsecurity-crs repository.
The directory <code class="codehilite">/etc/nginx/owasp-modsecurity-crs</code> contains the <a href="https://github.com/SpiderLabs/owasp-modsecurity-crs repository">https://github.com/SpiderLabs/owasp-modsecurity-crs repository</a>.
Using <code class="codehilite">enable-owasp-modsecurity-crs: &quot;true&quot;</code> we enable the use of the rules.</p>
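Review bot: the link added for the CRS repository is broken: the href is "https://github.com/SpiderLabs/owasp-modsecurity-crs repository", so the word "repository" was swallowed into the URL and the rendered link contains a space. The anchor should be <a href="https://github.com/SpiderLabs/owasp-modsecurity-crs">https://github.com/SpiderLabs/owasp-modsecurity-crs</a> with " repository" following as plain text. While reworking the Note into a blockquote, "the default configuration use detection only" should read "uses", and it is worth adding that detection only means the rules (including the CRS enabled by enable-owasp-modsecurity-crs) log to /var/log/modsec_audit.log but never block until SecRuleEngine is set to On in the replaced modsecurity.conf, since readers who turn both flags on will otherwise assume requests are being rejected.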

View file

@ -1054,7 +1054,7 @@ kubectl create -f https://raw.githubusercontent.com/rnburn/zipkin-date-server/ma
<p>In the zipkin interface we can see the details:</p>
<p><img alt="zipkin screenshot" src="../../images/zipkin-demo.png" title="zipkin collector screenshot" /></p>
<p><img alt="zipkin screenshot" src="../../../images/zipkin-demo.png" title="zipkin collector screenshot" /></p>
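Review bot: this hunk only moves the zipkin screenshot path one directory up, from ../../images to ../../../images; a relative path like this silently breaks again the next time the page moves, and a missing image does not fail the docs build, so check the image in the rendered site rather than trusting the diff.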