Skip to content

Instantly share code, notes, and snippets.

@ajohnstone

ajohnstone/ingress-pod

Last active May 1, 2016 13:06
Show Gist options
  • Save ajohnstone/3fada40e3d4d17024754880d2236dda5 to your computer and use it in GitHub Desktop.
Save ajohnstone/3fada40e3d4d17024754880d2236dda5 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
gistfile1.txt
$ kubectl exec --tty -i nginx-ingress-controller-9xccu -- ls -alh --color
total 6.2M
drwxr-xr-x 46 root root 4.0K May 1 12:47 .
drwxr-xr-x 46 root root 4.0K May 1 12:47 ..
-rwxr-xr-x 1 root root 0 May 1 12:46 .dockerenv
-rwxr-xr-x 1 root root 0 May 1 12:46 .dockerinit
drwxr-xr-x 2 root root 4.0K Apr 28 00:50 bin
drwxr-xr-x 2 root root 4.0K Nov 27 13:59 boot
drwxr-xr-x 5 root root 380 May 1 12:46 dev
drwxr-xr-x 45 root root 4.0K May 1 12:46 etc
drwxr-xr-x 2 root root 4.0K Nov 27 13:59 home
drwxr-xr-x 7 root root 4.0K Apr 28 00:53 lib
drwxr-xr-x 2 root root 4.0K Apr 21 18:32 lib64
drwxr-xr-x 2 root root 4.0K Mar 31 08:21 media
drwxr-xr-x 2 root root 4.0K Mar 31 08:21 mnt
-rwxr-xr-x 1 root root 6.2M Apr 30 15:15 nginx-ingress-controller
drwxr-xr-x 2 root root 4.0K Mar 31 08:21 opt
dr-xr-xr-x 100 root root 0 May 1 12:46 proc
drwx------ 2 root root 4.0K May 1 12:47 root
drwxr-xr-x 6 root root 4.0K May 1 12:46 run
drwxr-xr-x 2 root root 4.0K Apr 21 18:33 sbin
drwxr-xr-x 2 root root 4.0K Mar 31 08:21 srv
dr-xr-xr-x 13 root root 0 May 1 12:49 sys
drwxrwxrwt 2 root root 4.0K May 1 12:46 tmp
drwxr-xr-x 17 root root 4.0K Apr 28 00:51 usr
drwxr-xr-x 18 root root 4.0K May 1 12:46 var
$ kubectl exec --tty -i nginx-ingress-controller-9xccu -- cat /etc/nginx/template/nginx.tmpl > o
$ cat o | grep https
'https' 'max-age={{ $cfg.htsMaxAge }}{{ if $cfg.htsIncludeSubdomains }}; includeSubDomains{{ end }}; preload';
# return 301 https://$host$request_uri;
$ LBIP=$(kubectl get node `kubectl get po -l name=nginx-ingress-lb --template '{{range .items}}{{.spec.nodeName}}{{end}}'` --template '{{range $i, $n := .status.addresses}}{{if eq $n.type "ExternalIP"}}{{$n.address}}{{end}}{{end}}')
$ curl -vL $LBIP/foo -H 'Host: foo.bar.com'
* Trying 54.229.93.24...
* Connected to 54.229.93.24 (54.229.93.24) port 80 (#0)
> GET /foo HTTP/1.1
> Host: foo.bar.com
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.10.0
< Date: Sun, 01 May 2016 12:58:00 GMT
< Content-Type: text/html
< Content-Length: 185
< Connection: keep-alive
< Location: https://foo.bar.com/foo
<
* Ignoring the response-body
* Connection #0 to host 54.229.93.24 left intact
* Issue another request to this URL: 'https://foo.bar.com/foo'
* Could not resolve host: foo.bar.com
* Closing connection 1
curl: (6) Could not resolve host: foo.bar.com
Raw
ingress-pod
$ kubectl get pods -o yaml nginx-ingress-controller-9xccu
apiVersion: v1
kind: Pod
metadata:
annotations:
kubernetes.io/created-by: |
{"kind":"SerializedReference","apiVersion":"v1","reference":{"kind":"ReplicationController","namespace":"default","name":"nginx-ingress-controller","uid":"125afc8a-0f6d-11e6-a2d1-0adbaa6061ff","apiVersion":"v1","resourceVersion":"178109"}}
kubernetes.io/limit-ranger: 'LimitRanger plugin set: cpu request for container
nginx-ingress-lb'
creationTimestamp: 2016-05-01T12:46:13Z
generateName: nginx-ingress-controller-
labels:
k8s-app: nginx-ingress-lb
name: nginx-ingress-lb
name: nginx-ingress-controller-9xccu
namespace: default
resourceVersion: "178340"
selfLink: /api/v1/namespaces/default/pods/nginx-ingress-controller-9xccu
uid: b0180aaf-0f9a-11e6-a2d1-0adbaa6061ff
spec:
containers:
- args:
- /nginx-ingress-controller
- --default-backend-service=default/default-http-backend
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
image: aledbf/nginx-third-party:0.15
imagePullPolicy: Always
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10249
scheme: HTTP
initialDelaySeconds: 30
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: nginx-ingress-lb
ports:
- containerPort: 80
hostPort: 80
protocol: TCP
- containerPort: 443
hostPort: 4430
protocol: TCP
resources:
requests:
cpu: 100m
terminationMessagePath: /dev/termination-log
volumeMounts:
- mountPath: /etc/nginx/template
name: nginx-template-volume
readOnly: true
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: default-token-kxi3a
readOnly: true
dnsPolicy: ClusterFirst
nodeName: ip-10-115-0-133.eu-west-1.compute.internal
restartPolicy: Always
securityContext: {}
serviceAccount: default
serviceAccountName: default
terminationGracePeriodSeconds: 60
volumes:
- configMap:
items:
- key: nginx.tmpl
path: nginx.tmpl
name: nginx-template
name: nginx-template-volume
- name: default-token-kxi3a
secret:
secretName: default-token-kxi3a
status:
conditions:
- lastProbeTime: null
lastTransitionTime: 2016-05-01T12:46:31Z
status: "True"
type: Ready
containerStatuses:
- containerID: docker://b9b3a8ca7ca0fc6589933eb7b44ee14a5233fd6fc326120253396ad2bbb21e65
image: aledbf/nginx-third-party:0.15
imageID: docker://506c21e128417c98d88f059db4c5b9d43b54b5b2dd6e328e3c714a88f2731e65
lastState: {}
name: nginx-ingress-lb
ready: true
restartCount: 0
state:
running:
startedAt: 2016-05-01T12:46:30Z
hostIP: 10.115.0.133
phase: Running
podIP: 100.66.2.7
startTime: 2016-05-01T12:46:13Z
Raw
nginx-conf
$ kubectl exec --tty -i nginx-ingress-controller-9xccu -- nginx -T > o
$ cat o
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
daemon off;
worker_processes 1;
pid /run/nginx.pid;
worker_rlimit_nofile 131072;
pcre_jit on;
events {
multi_accept on;
worker_connections 16384;
use epoll;
}
http {
# lus sectrion to return proper error codes when custom pages are used
lua_package_path '.?.lua;./etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/lua-resty-http/lib/?.lua;';
init_by_lua_block {
require("error_page")
}
sendfile on;
aio threads;
tcp_nopush on;
tcp_nodelay on;
log_subrequest on;
reset_timedout_connection on;
keepalive_timeout 75s;
types_hash_max_size 2048;
server_names_hash_max_size 512;
server_names_hash_bucket_size 64;
include /etc/nginx/mime.types;
default_type text/html;
gzip on;
gzip_comp_level 5;
gzip_http_version 1.1;
gzip_min_length 256;
gzip_types application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component;
gzip_proxied any;
gzip_vary on;
client_max_body_size "1m";
log_format upstreaminfo '$remote_addr - '
'[$proxy_add_x_forwarded_for] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" '
'$request_length $request_time $upstream_addr $upstream_response_length $upstream_response_time $upstream_status';
access_log /var/log/nginx/access.log upstreaminfo;
error_log /var/log/nginx/error.log notice;
# Custom dns resolver.
resolver 100.64.0.10 valid=30s;
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# trust http_x_forwarded_proto headers correctly indicate ssl offloading
map $http_x_forwarded_proto $pass_access_scheme {
default $http_x_forwarded_proto;
'' $scheme;
}
map $pass_access_scheme $sts {
'https' 'max-age=<no value>; preload';
}
# Map a response error watching the header Content-Type
map $http_accept $httpAccept {
default html;
application/json json;
application/xml xml;
text/plain text;
}
map $httpAccept $httpReturnType {
default text/html;
json application/json;
xml application/xml;
text text/plain;
}
server_name_in_redirect off;
port_in_redirect off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# turn on session caching to drastically improve performance
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_session_timeout 10m;
# allow configuring ssl session tickets
ssl_session_tickets on;
# slightly reduce the time-to-first-byte
ssl_buffer_size 4k;
# allow configuring custom ssl ciphers
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
# Custom error pages
proxy_intercept_errors on;
error_page 403 = @custom_403;
error_page 404 = @custom_404;
error_page 405 = @custom_405;
error_page 408 = @custom_408;
error_page 413 = @custom_413;
error_page 501 = @custom_501;
error_page 502 = @custom_502;
error_page 503 = @custom_503;
error_page 504 = @custom_504;
# In case of errors try the next upstream server before returning an error
proxy_next_upstream error timeout invalid_header http_502 http_503 http_504 ;
upstream default-echoheaders-x-80 {
least_conn;
server 100.66.3.4:8080;
}
upstream default-echoheaders-y-80 {
least_conn;
server 100.66.3.4:8080;
}
upstream upstream-default-backend {
least_conn;
server 100.66.1.4:8080;
}
server {
listen 80;
server_name _;
#
location / {
proxy_set_header Host $host;
# Pass Real IP
proxy_set_header X-Real-IP $remote_addr;
# Allow websocket connections
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $pass_access_scheme;
proxy_connect_timeout 5s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
proxy_redirect off;
proxy_buffering off;
proxy_http_version 1.1;
proxy_pass http://upstream-default-backend;
}
# this is required to avoid error if nginx is being monitored
# with an external software (like sysdig)
location /nginx_status {
allow 127.0.0.1;
deny all;
access_log off;
stub_status on;
}
location @custom_403 {
internal;
content_by_lua_block {
openURL(403)
}
}
location @custom_404 {
internal;
content_by_lua_block {
openURL(404)
}
}
location @custom_405 {
internal;
content_by_lua_block {
openURL(405)
}
}
location @custom_408 {
internal;
content_by_lua_block {
openURL(408)
}
}
location @custom_413 {
internal;
content_by_lua_block {
openURL(413)
}
}
location @custom_502 {
internal;
content_by_lua_block {
openURL(502)
}
}
location @custom_503 {
internal;
content_by_lua_block {
openURL(503)
}
}
location @custom_504 {
internal;
content_by_lua_block {
openURL(504)
}
}
}
server {
listen 80;
server_name bar.baz.com;
#
location / {
proxy_set_header Host $host;
# Pass Real IP
proxy_set_header X-Real-IP $remote_addr;
# Allow websocket connections
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $pass_access_scheme;
proxy_connect_timeout 5s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
proxy_redirect off;
proxy_buffering off;
proxy_http_version 1.1;
proxy_pass http://upstream-default-backend;
}
location /bar {
proxy_set_header Host $host;
# Pass Real IP
proxy_set_header X-Real-IP $remote_addr;
# Allow websocket connections
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $pass_access_scheme;
proxy_connect_timeout 5s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
proxy_redirect off;
proxy_buffering off;
proxy_http_version 1.1;
proxy_pass http://default-echoheaders-y-80;
}
location /foo {
proxy_set_header Host $host;
# Pass Real IP
proxy_set_header X-Real-IP $remote_addr;
# Allow websocket connections
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $pass_access_scheme;
proxy_connect_timeout 5s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
proxy_redirect off;
proxy_buffering off;
proxy_http_version 1.1;
proxy_pass http://default-echoheaders-x-80;
}
location @custom_403 {
internal;
content_by_lua_block {
openURL(403)
}
}
location @custom_404 {
internal;
content_by_lua_block {
openURL(404)
}
}
location @custom_405 {
internal;
content_by_lua_block {
openURL(405)
}
}
location @custom_408 {
internal;
content_by_lua_block {
openURL(408)
}
}
location @custom_413 {
internal;
content_by_lua_block {
openURL(413)
}
}
location @custom_502 {
internal;
content_by_lua_block {
openURL(502)
}
}
location @custom_503 {
internal;
content_by_lua_block {
openURL(503)
}
}
location @custom_504 {
internal;
content_by_lua_block {
openURL(504)
}
}
}
server {
listen 80;
server_name foo.bar.com;
#
location / {
proxy_set_header Host $host;
# Pass Real IP
proxy_set_header X-Real-IP $remote_addr;
# Allow websocket connections
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $pass_access_scheme;
proxy_connect_timeout 5s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
proxy_redirect off;
proxy_buffering off;
proxy_http_version 1.1;
proxy_pass http://upstream-default-backend;
}
location /foo {
proxy_set_header Host $host;
# Pass Real IP
proxy_set_header X-Real-IP $remote_addr;
# Allow websocket connections
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $pass_access_scheme;
proxy_connect_timeout 5s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
proxy_redirect off;
proxy_buffering off;
proxy_http_version 1.1;
proxy_pass http://default-echoheaders-x-80;
}
location @custom_403 {
internal;
content_by_lua_block {
openURL(403)
}
}
location @custom_404 {
internal;
content_by_lua_block {
openURL(404)
}
}
location @custom_405 {
internal;
content_by_lua_block {
openURL(405)
}
}
location @custom_408 {
internal;
content_by_lua_block {
openURL(408)
}
}
location @custom_413 {
internal;
content_by_lua_block {
openURL(413)
}
}
location @custom_502 {
internal;
content_by_lua_block {
openURL(502)
}
}
location @custom_503 {
internal;
content_by_lua_block {
openURL(503)
}
}
location @custom_504 {
internal;
content_by_lua_block {
openURL(504)
}
}
}
# default server, including healthcheck
server {
listen 8080 default_server reuseport;
location /healthz {
access_log off;
return 200;
}
location /health-check {
access_log off;
proxy_pass http://127.0.0.1:10249/healthz;
}
location /nginx_status {
access_log off;
stub_status on;
}
location / {
proxy_pass http://upstream-default-backend;
}
location @custom_403 {
internal;
content_by_lua_block {
openURL(403)
}
}
location @custom_404 {
internal;
content_by_lua_block {
openURL(404)
}
}
location @custom_405 {
internal;
content_by_lua_block {
openURL(405)
}
}
location @custom_408 {
internal;
content_by_lua_block {
openURL(408)
}
}
location @custom_413 {
internal;
content_by_lua_block {
openURL(413)
}
}
location @custom_502 {
internal;
content_by_lua_block {
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/font-woff woff;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
Raw
nginx.tmpl
{{ $cfg := .cfg }}
daemon off;
worker_processes {{ $cfg.workerProcesses }};
pid /run/nginx.pid;
worker_rlimit_nofile 131072;
pcre_jit on;
events {
multi_accept on;
worker_connections {{ $cfg.maxWorkerConnections }};
use epoll;
}
http {
{{ if $cfg.enableVtsStatus}}vhost_traffic_status_zone shared:vhost_traffic_status:{{ $cfg.vtsStatusZoneSize }};{{ end }}
# lus sectrion to return proper error codes when custom pages are used
lua_package_path '.?.lua;./etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/lua-resty-http/lib/?.lua;';
init_by_lua_block {
require("error_page")
}
sendfile on;
aio threads;
tcp_nopush on;
tcp_nodelay on;
log_subrequest on;
reset_timedout_connection on;
keepalive_timeout {{ $cfg.keepAlive }}s;
types_hash_max_size 2048;
server_names_hash_max_size {{ $cfg.serverNameHashMaxSize }};
server_names_hash_bucket_size {{ $cfg.serverNameHashBucketSize }};
include /etc/nginx/mime.types;
default_type text/html;
{{ if $cfg.useGzip }}
gzip on;
gzip_comp_level 5;
gzip_http_version 1.1;
gzip_min_length 256;
gzip_types {{ $cfg.gzipTypes }};
gzip_proxied any;
gzip_vary on;
{{ end }}
client_max_body_size "{{ $cfg.bodySize }}";
{{ if $cfg.useProxyProtocol }}
set_real_ip_from {{ $cfg.proxyRealIpCidr }};
real_ip_header proxy_protocol;
{{ end }}
log_format upstreaminfo '{{ if $cfg.useProxyProtocol }}$proxy_protocol_addr{{ else }}$remote_addr{{ end }} - '
'[$proxy_add_x_forwarded_for] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" '
'$request_length $request_time $upstream_addr $upstream_response_length $upstream_response_time $upstream_status';
access_log /var/log/nginx/access.log upstreaminfo;
error_log /var/log/nginx/error.log {{ $cfg.errorLogLevel }};
{{ if not (empty .defResolver) }}# Custom dns resolver.
resolver {{ .defResolver }} valid=30s;
{{ end }}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# trust http_x_forwarded_proto headers correctly indicate ssl offloading
map $http_x_forwarded_proto $pass_access_scheme {
default $http_x_forwarded_proto;
'' $scheme;
}
map $pass_access_scheme $sts {
'https' 'max-age={{ $cfg.htsMaxAge }}{{ if $cfg.htsIncludeSubdomains }}; includeSubDomains{{ end }}; preload';
}
# Map a response error watching the header Content-Type
map $http_accept $httpAccept {
default html;
application/json json;
application/xml xml;
text/plain text;
}
map $httpAccept $httpReturnType {
default text/html;
json application/json;
xml application/xml;
text text/plain;
}
server_name_in_redirect off;
port_in_redirect off;
ssl_protocols {{ $cfg.sslProtocols }};
# turn on session caching to drastically improve performance
{{ if $cfg.sslSessionCache }}
ssl_session_cache builtin:1000 shared:SSL:{{ $cfg.sslSessionCacheSize }};
ssl_session_timeout {{ $cfg.sslSessionTimeout }};
{{ end }}
# allow configuring ssl session tickets
ssl_session_tickets {{ if $cfg.sslSessionTickets }}on{{ else }}off{{ end }};
# slightly reduce the time-to-first-byte
ssl_buffer_size {{ $cfg.sslBufferSize }};
{{ if not (empty $cfg.sslCiphers) }}
# allow configuring custom ssl ciphers
ssl_ciphers '{{ $cfg.sslCiphers }}';
ssl_prefer_server_ciphers on;
{{ end }}
{{ if not (empty .sslDHParam) }}
# allow custom DH file http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
ssl_dhparam {{ .sslDHParam }};
{{ end }}
# Custom error pages
proxy_intercept_errors on;
error_page 403 = @custom_403;
error_page 404 = @custom_404;
error_page 405 = @custom_405;
error_page 408 = @custom_408;
error_page 413 = @custom_413;
error_page 501 = @custom_501;
error_page 502 = @custom_502;
error_page 503 = @custom_503;
error_page 504 = @custom_504;
# In case of errors try the next upstream server before returning an error
proxy_next_upstream error timeout invalid_header http_502 http_503 http_504 {{ if $cfg.retryNonIdempotent }}non_idempotent{{ end }};
{{range $name, $upstream := .upstreams}}
upstream {{$upstream.Name}} {
least_conn;
{{range $server := $upstream.Backends}}server {{$server.Address}}:{{$server.Port}};
{{end}}
}
{{end}}
{{ range $server := .servers }}
server {
listen 80;
{{ if $server.SSL }}listen 443 ssl http2;
ssl_certificate {{ $server.SSLCertificate }};
ssl_certificate_key {{ $server.SSLCertificateKey }};{{ end }}
{{ if $cfg.enableVtsStatus }}
vhost_traffic_status_filter_by_set_key {{ $server.Name }} application::*;
{{ end }}
server_name {{ $server.Name }};
# {{ if $server.SSL }}
# if ($scheme = http) {
# return 301 https://$host$request_uri;
# }
# {{ end }}
{{ range $location := $server.Locations }}
location {{ $location.Path }} {
proxy_set_header Host $host;
# Pass Real IP
proxy_set_header X-Real-IP $remote_addr;
# Allow websocket connections
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $pass_access_scheme;
proxy_connect_timeout {{ $cfg.proxyConnectTimeout }}s;
proxy_send_timeout {{ $cfg.proxySendTimeout }}s;
proxy_read_timeout {{ $cfg.proxyReadTimeout }}s;
proxy_redirect off;
proxy_buffering off;
proxy_http_version 1.1;
proxy_pass http://{{ $location.Upstream.Name }};
}
{{ end }}
{{ if eq $server.Name "_" }}
# this is required to avoid error if nginx is being monitored
# with an external software (like sysdig)
location /nginx_status {
allow 127.0.0.1;
deny all;
access_log off;
stub_status on;
}
{{ end }}
{{ template "CUSTOM_ERRORS" $cfg }}
}
{{ end }}
# default server, including healthcheck
server {
listen 8080 default_server{{ if $cfg.useProxyProtocol }} proxy_protocol{{ end }} reuseport;
location /healthz {
access_log off;
return 200;
}
location /health-check {
access_log off;
proxy_pass http://127.0.0.1:10249/healthz;
}
location /nginx_status {
{{ if $cfg.enableVtsStatus }}
vhost_traffic_status_display;
vhost_traffic_status_display_format html;
{{ else }}
access_log off;
stub_status on;
{{ end }}
}
location / {
proxy_pass http://upstream-default-backend;
}
{{ template "CUSTOM_ERRORS" $cfg }}
}
# default server for services without endpoints
server {
listen 8181;
location / {
content_by_lua_block {
openURL(503)
}
}
}
}
stream {
# TCP services
{{ range $i, $tcpServer := .tcpUpstreams }}
upstream tcp-{{ $tcpServer.Upstream.Name }} {
{{ range $server := $tcpServer.Upstream.Backends }}server {{ $server.Address }}:{{ $server.Port }};
{{ end }}
}
server {
listen {{ $tcpServer.Path }};
proxy_connect_timeout {{ $cfg.proxyConnectTimeout }};
proxy_timeout {{ $cfg.proxyReadTimeout }};
proxy_pass tcp-{{ $tcpServer.Upstream.Name }};
}
{{ end }}
# UDP services
{{ range $i, $udpServer := .udpUpstreams }}
upstream udp-{{ $udpServer.Upstream.Name }} {
{{ range $server := $udpServer.Upstream.Backends }}server {{ $server.Address }}:{{ $server.Port }};
{{ end }}
}
server {
listen {{ $udpServer.Path }} udp;
proxy_timeout 10s;
proxy_responses 1;
proxy_pass udp-{{ $udpServer.Upstream.Name }};
}
{{ end }}
}
{{/* definition of templates to avoid repetitions */}}
{{ define "CUSTOM_ERRORS" }}
location @custom_403 {
internal;
content_by_lua_block {
openURL(403)
}
}
location @custom_404 {
internal;
content_by_lua_block {
openURL(404)
}
}
location @custom_405 {
internal;
content_by_lua_block {
openURL(405)
}
}
location @custom_408 {
internal;
content_by_lua_block {
openURL(408)
}
}
location @custom_413 {
internal;
content_by_lua_block {
openURL(413)
}
}
location @custom_502 {
internal;
content_by_lua_block {
openURL(502)
}
}
location @custom_503 {
internal;
content_by_lua_block {
openURL(503)
}
}
location @custom_504 {
internal;
content_by_lua_block {
openURL(504)
}
}
{{ end }}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment