From eeceef6d7c73645f6740b21633f6d6b8e409ece3 Mon Sep 17 00:00:00 2001
From: Ricardo Katz
Date: Sun, 28 Jul 2024 20:56:57 -0300
Subject: [PATCH] Add upstream directives and some others (#11681)
---
 .../template/crossplane/crossplane_test.go | 14 +++++
 .../controller/template/crossplane/http.go | 37 +++++++++++-
 .../template/crossplane/testdata/nginx.tmpl | 59 ++++++++++---------
 .../controller/template/crossplane/utils.go | 13 ++--
 4 files changed, 89 insertions(+), 34 deletions(-)
diff --git a/internal/ingress/controller/template/crossplane/crossplane_test.go b/internal/ingress/controller/template/crossplane/crossplane_test.go
index 24b98f132..20be1af05 100644
--- a/internal/ingress/controller/template/crossplane/crossplane_test.go
+++ b/internal/ingress/controller/template/crossplane/crossplane_test.go
@@ -166,12 +166,26 @@ func TestCrossplaneTemplate(t *testing.T) {
 tplConfig.Cfg.AllowBackendServerHeader = true // default false
 tplConfig.Cfg.BlockCIDRs = []string{"192.168.0.0/24", " 200.200.0.0/16 "} // default 0
 tplConfig.Cfg.BlockUserAgents = []string{"someuseragent", " another/user-agent "} // default 0
+ tplConfig.Cfg.BlockReferers = []string{"someref", " anotherref", "escape\nref"}
 tplConfig.AddHeaders = map[string]string{
 "someheader": "xpto",
 "anotherheader": "blabla",
 }
+ tplConfig.Cfg.EnableBrotli = true
+ tplConfig.Cfg.BrotliLevel = 7
+ tplConfig.Cfg.BrotliMinLength = 2
+ tplConfig.Cfg.BrotliTypes = "application/xml+rss application/atom+xml"
+
+ tplConfig.Cfg.HideHeaders = []string{"x-fake-header", "x-another-fake-header"}
+ tplConfig.Cfg.UpstreamKeepaliveConnections = 15
+
+ tplConfig.Cfg.UpstreamKeepaliveConnections = 200
+ tplConfig.Cfg.UpstreamKeepaliveTime = "60s"
+ tplConfig.Cfg.UpstreamKeepaliveTimeout = 200
+ tplConfig.Cfg.UpstreamKeepaliveRequests = 15
+
 tpl = crossplane.NewTemplate()
 tpl.SetMimeFile(mimeFile.Name())
 content, err := tpl.Write(tplConfig)
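Review bot: `tplConfig.Cfg.UpstreamKeepaliveConnections` is assigned twice in the added block, first `= 15` and then `= 200` a few lines later, so the first assignment is dead and reads like a leftover from a renamed field; drop the `= 15` line, or move that value to whichever keepalive field it was meant for. The added `"escape\nref"` referer entry only earns its keep if the expected fixture pins how a newline inside a map key is rendered, so a short comment such as `// newline must be escaped, never emitted raw into the config` on that line would make the intent visible to the next reader. TestCrossplaneTemplate begins and ends outside this hunk.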
diff --git a/internal/ingress/controller/template/crossplane/http.go b/internal/ingress/controller/template/crossplane/http.go
index f5f39e1d5..d6dd81c13 100644
--- a/internal/ingress/controller/template/crossplane/http.go
+++ b/internal/ingress/controller/template/crossplane/http.go
@@ -81,6 +81,7 @@ func (c *Template) initHTTPDirectives() ngx_crossplane.Directives {
 return httpBlock
 }
+//nolint:gocyclo
 func (c *Template) buildHTTP() {
 cfg := c.tplConfig.Cfg
 httpBlock := c.initHTTPDirectives()
@@ -239,7 +240,7 @@ func (c *Template) buildHTTP() {
 buildDirective("brotli", "on"),
 buildDirective("brotli_comp_level", cfg.BrotliLevel),
 buildDirective("brotli_min_length", cfg.BrotliMinLength),
- buildDirective("brotli_types", cfg.BrotliTypes),
+ buildDirective("brotli_types", strings.Split(cfg.BrotliTypes, " ")),
 )
 }
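Review bot: `strings.Split(cfg.BrotliTypes, " ")` produces empty arguments whenever the configured value carries leading, trailing or repeated spaces, and each of those becomes an empty token in the emitted `brotli_types` directive; `strings.Fields` splits on any run of whitespace and drops empties, so `buildDirective("brotli_types", strings.Fields(cfg.BrotliTypes)),` is the safer form. The test hunk feeds a single-spaced value, so the current fixture would not catch this. buildHTTP continues outside this hunk.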
@@ -249,6 +250,40 @@ func (c *Template) buildHTTP() {
 }
 }
+ blockUpstreamDirectives := ngx_crossplane.Directives{
+ buildDirective("server", "0.0.0.1"),
+ buildBlockDirective("balancer_by_lua_block", nil, ngx_crossplane.Directives{buildDirective("balancer.balance()")}),
+ }
+ if c.tplConfig.Cfg.UpstreamKeepaliveConnections > 0 {
+ blockUpstreamDirectives = append(blockUpstreamDirectives,
+ buildDirective("keepalive", c.tplConfig.Cfg.UpstreamKeepaliveConnections),
+ buildDirective("keepalive_time", c.tplConfig.Cfg.UpstreamKeepaliveTime),
+ buildDirective("keepalive_timeout", seconds(c.tplConfig.Cfg.UpstreamKeepaliveTimeout)),
+ buildDirective("keepalive_requests", c.tplConfig.Cfg.UpstreamKeepaliveRequests),
+ )
+ }
+ httpBlock = append(httpBlock, buildBlockDirective("upstream", []string{"upstream_balancer"}, blockUpstreamDirectives))
+
+ for i := range cfg.BlockCIDRs {
+ httpBlock = append(httpBlock, buildDirective("deny", strings.TrimSpace(cfg.BlockCIDRs[i])))
+ }
+
+ if len(cfg.BlockUserAgents) > 0 {
+ uaDirectives := ngx_crossplane.Directives{buildDirective("default", 0)}
+ for i := range cfg.BlockUserAgents {
+ uaDirectives = append(uaDirectives, buildDirective(strings.TrimSpace(cfg.BlockUserAgents[i]), 1))
+ }
+ httpBlock = append(httpBlock, buildMapDirective("$http_user_agent", "$block_ua", uaDirectives))
+ }
+
+ if len(cfg.BlockReferers) > 0 {
+ refDirectives := ngx_crossplane.Directives{buildDirective("default", 0)}
+ for i := range cfg.BlockReferers {
+ refDirectives = append(refDirectives, buildDirective(strings.TrimSpace(cfg.BlockReferers[i]), 1))
+ }
+ httpBlock = append(httpBlock, buildMapDirective("$http_referer", "$block_ref", refDirectives))
+ }
+
 c.config.Parsed = append(c.config.Parsed, &ngx_crossplane.Directive{
 Directive: "http",
 Block: httpBlock,
diff --git a/internal/ingress/controller/template/crossplane/testdata/nginx.tmpl b/internal/ingress/controller/template/crossplane/testdata/nginx.tmpl
index cf9d20006..c65a400c4 100644
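Review bot: Each configured user-agent and referer becomes the directive name of a map entry, `buildDirective(strings.TrimSpace(cfg.BlockUserAgents[i]), 1)`, with no quoting or validation in this hunk, so whether a value containing whitespace, `;`, `{` or a newline (the test hunk feeds `"escape\nref"`) is emitted as one quoted key or spliced raw into the generated config depends entirely on how ngx_crossplane serializes directive names; that behaviour should be pinned by the expected fixture rather than assumed. The same applies to `buildDirective("deny", strings.TrimSpace(cfg.BlockCIDRs[i]))`, where an entry that is empty after trimming still yields a `deny` directive with an empty argument, so skipping blanks with `if v := strings.TrimSpace(cfg.BlockCIDRs[i]); v != "" { … }` would be cheap. Within the keepalive block the code reads `c.tplConfig.Cfg.UpstreamKeepalive…` while the rest of the function uses the `cfg` alias declared at its top; using `cfg` throughout keeps the style consistent. Since the companion hunk silences the complexity linter with `//nolint:gocyclo`, the upstream block and the three filter maps added here are natural candidates for small helpers (for example `buildUpstreamBalancer(cfg)` and `buildBlockFilters(cfg)`) instead of growing buildHTTP further. buildHTTP begins outside this hunk.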
--- a/internal/ingress/controller/template/crossplane/testdata/nginx.tmpl
+++ b/internal/ingress/controller/template/crossplane/testdata/nginx.tmpl
@@ -360,18 +360,27 @@ http {
 {{ range $header := $cfg.HideHeaders }}proxy_hide_header {{ $header }};
 {{ end }}
- # END MIGRATED VARIOUS 1
+ # Global filters
+ {{ range $ip := $cfg.BlockCIDRs }}deny {{ trimSpace $ip }};
+ {{ end }}
- {{ buildOpentelemetry $cfg $servers }}
+ {{ if gt (len $cfg.BlockUserAgents) 0 }}
+ map $http_user_agent $block_ua {
+ default 0;
- # Create a variable that contains the literal $ character.
- # This works because the geo module will not resolve variables.
- geo $literal_dollar {
- default "$";
+ {{ range $ua := $cfg.BlockUserAgents }}{{ trimSpace $ua }} 1;
+ {{ end }}
 }
+ {{ end }}
- {{ range $errCode := $cfg.CustomHTTPErrors }}
- error_page {{ $errCode }} = @custom_upstream-default-backend_{{ $errCode }};{{ end }}
+ {{ if gt (len $cfg.BlockReferers) 0 }}
+ map $http_referer $block_ref {
+ default 0;
+
+ {{ range $ref := $cfg.BlockReferers }}{{ trimSpace $ref }} 1;
+ {{ end }}
+ }
+ {{ end }}
 upstream upstream_balancer {
 server 0.0.0.1; # placeholder
@@ -388,6 +397,19 @@ http {
 {{ end }}
 }
+ # END MIGRATED VARIOUS 1
+
+ {{ buildOpentelemetry $cfg $servers }}
+
+ # Create a variable that contains the literal $ character.
+ # This works because the geo module will not resolve variables.
+ geo $literal_dollar {
+ default "$";
+ }
+
+ {{ range $errCode := $cfg.CustomHTTPErrors }}
+ error_page {{ $errCode }} = @custom_upstream-default-backend_{{ $errCode }};{{ end }}
+
 {{ range $rl := (filterRateLimits $servers ) }}
 # Ratelimit {{ $rl.Name }}
 geo $remote_addr $allowlist_{{ $rl.ID }} {
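Review bot: The `# Global filters` block and the two `map` blocks are moved ahead of `upstream upstream_balancer` with no directive text changed, which presumably mirrors the order in which the Go builder now appends them; if the fixture comparison is order-sensitive, nothing in the template says so, and the next person tidying this file could undo the move. A one-line comment at the top of the relocated block, `# NOTE: directive order here must match buildHTTP() in http.go`, would record the coupling. The same applies to the block re-added in the second hunk of this file.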
@@ -409,27 +431,6 @@ http {
 {{ $zone }}
 {{ end }}
- # Global filters
- {{ range $ip := $cfg.BlockCIDRs }}deny {{ trimSpace $ip }};
- {{ end }}
-
- {{ if gt (len $cfg.BlockUserAgents) 0 }}
- map $http_user_agent $block_ua {
- default 0;
-
- {{ range $ua := $cfg.BlockUserAgents }}{{ trimSpace $ua }} 1;
- {{ end }}
- }
- {{ end }}
-
- {{ if gt (len $cfg.BlockReferers) 0 }}
- map $http_referer $block_ref {
- default 0;
-
- {{ range $ref := $cfg.BlockReferers }}{{ trimSpace $ref }} 1;
- {{ end }}
- }
- {{ end }}
 {{/* Build server redirects (from/to www) */}}
 {{ range $redirect := .RedirectServers }}
diff --git a/internal/ingress/controller/template/crossplane/utils.go b/internal/ingress/controller/template/crossplane/utils.go
index 437a59ef5..b10363a6f 100644
--- a/internal/ingress/controller/template/crossplane/utils.go
+++ b/internal/ingress/controller/template/crossplane/utils.go
@@ -85,15 +85,20 @@ func buildResolversInternal(res []net.IP, disableIpv6 bool) []string {
 return r
 }
-// buildMapDirective is used to build a map directive
-func buildMapDirective(name, variable string, block ngx_crossplane.Directives) *ngx_crossplane.Directive {
+// buildBlockDirective is used to build a block directive
+func buildBlockDirective(blockName string, args []string, block ngx_crossplane.Directives) *ngx_crossplane.Directive {
 return &ngx_crossplane.Directive{
- Directive: "map",
- Args: []string{name, variable},
+ Directive: blockName,
+ Args: args,
 Block: block,
 }
 }
+// buildMapDirective is used to build a map directive
+func buildMapDirective(name, variable string, block ngx_crossplane.Directives) *ngx_crossplane.Directive {
+ return buildBlockDirective("map", []string{name, variable}, block)
+}
+
 func boolToStr(b bool) string {
 if b {
 return "on"
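Review bot: The doc comment on the new `buildBlockDirective` only restates its name and leaves the `args` parameter undocumented, even though http.go now passes `nil` for `balancer_by_lua_block` and a one-element slice for `upstream`; a comment such as `// buildBlockDirective returns a block directive named blockName with the given arguments (args may be nil) and nested directives.` would make the nil case explicit. `buildMapDirective` would likewise read better stating that it emits `map <name> <variable> { ... }` by delegating to buildBlockDirective, rather than "is used to build a map directive".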