# nginx.conf confd template for the deis router.
# Every {{ ... }} action is evaluated by confd against etcd: getv/exists/ls/lsdir
# read keys, and `or (getv KEY) "default"` falls back to the quoted default when
# the key is absent. The rendered file is what nginx actually loads.

# required to run in a container
daemon off;

user nginx;
worker_processes {{ or (getv "/deis/router/workerProcesses") "auto" }};
pid /run/nginx.pid;

events {
    worker_connections {{ or (getv "/deis/router/maxWorkerConnections") "768" }};
    # multi_accept on;
}


http {
    # basic settings
    # vhost_traffic_status_zone comes from the nginx-module-vts traffic-status module;
    # the data it collects is displayed by /router-nginx-status on the default server below.
    vhost_traffic_status_zone;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    # The Timeout value must be greater than the front facing load balancers timeout value.
    # Default is the deis recommended timeout value for ELB - 1200 seconds + 100s extra.
    # $defaultTimeout is reused (with an "s" suffix) for the proxy_send/read timeouts of
    # the store-gateway and application vhosts further down.
    {{ $defaultTimeout := or (getv "/deis/router/defaultTimeout") "1300" }}
    keepalive_timeout {{ $defaultTimeout }};

    types_hash_max_size 2048;
    server_names_hash_max_size {{ or (getv "/deis/router/serverNameHashMaxSize") "512" }};
    server_names_hash_bucket_size {{ or (getv "/deis/router/serverNameHashBucketSize") "64" }};

    include /opt/nginx/conf/mime.types;
    default_type application/octet-stream;
    # gzip is only configured at all when /deis/router/gzip is present; the remaining
    # gzip_* keys then have per-directive defaults.
    {{ if exists "/deis/router/gzip" }}
    gzip {{ getv "/deis/router/gzip" }};
    gzip_comp_level {{ or (getv "/deis/router/gzipCompLevel") "5" }};
    gzip_disable {{ or (getv "/deis/router/gzipDisable") "\"msie6\"" }};
    gzip_http_version {{ or (getv "/deis/router/gzipHttpVersion") "1.1" }};
    gzip_min_length {{ or (getv "/deis/router/gzipMinLength") "256" }};
    gzip_types {{ or (getv "/deis/router/gzipTypes") "application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component" }};
    gzip_proxied {{ or (getv "/deis/router/gzipProxied") "any" }};
    gzip_vary {{ or (getv "/deis/router/gzipVary") "on" }};
    {{ end }}

    {{/* naxsi WAF: the core rule sets are loaded at http level here; each proxied
         location additionally includes active-mode.rules, and blocked requests are
         routed to the /RequestDenied location, which answers with $firewallErrorCode. */}}
    {{ $useFirewall := or (getv "/deis/router/firewall/enabled") "false" }}{{ if eq $useFirewall "true" }}# include naxsi rules
    include /opt/nginx/firewall/naxsi_core.rules;
    include /opt/nginx/firewall/web_apps.rules;
    include /opt/nginx/firewall/scanner.rules;
    include /opt/nginx/firewall/web_server.rules;{{ end }}
    {{ $firewallErrorCode := or (getv "/deis/router/firewall/errorCode") "400" }}
    # Global request-body limit; note the store-gateway vhost overrides it with 0 (unlimited).
    client_max_body_size "{{ or (getv "/deis/router/bodySize") "1m" }}";

    {{/* PROXY protocol: when enabled, the client address is taken from the PROXY header
         ($proxy_protocol_addr) instead of the TCP peer, but only for connections arriving
         from proxyRealIpCidr. Any value other than "false" enables it. */}}
    {{ $useProxyProtocol := or (getv "/deis/router/proxyProtocol") "false" }}{{ if ne $useProxyProtocol "false" }}
    set_real_ip_from {{ or (getv "/deis/router/proxyRealIpCidr") "10.0.0.0/8" }};
    real_ip_header proxy_protocol;
    {{ end }}

    # Access-log format; the client address field switches to $proxy_protocol_addr when
    # PROXY protocol is in use.
    log_format upstreaminfo '[$time_local] - {{ if ne $useProxyProtocol "false" }}$proxy_protocol_addr{{ else }}$remote_addr{{ end }} - $remote_user - $status - "$request" - $bytes_sent - "$http_referer" - "$http_user_agent" - "$server_name" - $upstream_addr - $http_host - $upstream_response_time - $request_time';

    # send logs to STDOUT so they can be seen using 'docker logs'
    # (presumably these paths are symlinked to stdout/stderr in the image -- not visible here)
    access_log /opt/nginx/logs/access.log upstreaminfo;
    error_log /opt/nginx/logs/error.log {{ or (getv "/deis/router/errorLogLevel") "error" }};

    # WebSocket support: forward "Connection: upgrade" only when the client asked for an upgrade.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    # trust http_x_forwarded_proto headers correctly indicate ssl offloading
    # NOTE(review): the header value is taken as-is from whoever opened the connection.
    # Unless an upstream load balancer always overwrites X-Forwarded-Proto, a client can
    # present "https" over plain HTTP. $access_scheme drives the enforceHTTPS redirect,
    # the $sts HSTS value, and the X-Forwarded-Proto/-Port/-Ssl headers passed to apps
    # below, so the trust boundary here is the front-facing load balancer.
    map $http_x_forwarded_proto $access_scheme {
        default $http_x_forwarded_proto;
        '' $scheme;
    }

    ## HSTS instructs the browser to replace all HTTP links with HTTPS links for this domain until maxAge seconds from now
    {{ $enableHSTS := or (getv "/deis/router/hsts/enabled") "false" }}
    {{ $maxAgeHSTS := or (getv "/deis/router/hsts/maxAge") "10886400" }}
    {{ $includeSubdomainsHSTS := or (getv "/deis/router/hsts/includeSubDomains") "false" }}
    {{ $preloadHSTS := or (getv "/deis/router/hsts/preload") "false" }}
    # $sts is the Strict-Transport-Security value; it is empty unless $access_scheme is
    # 'https', and add_header emits nothing for an empty value.
    map $access_scheme $sts {
        'https' 'max-age={{ $maxAgeHSTS }}{{ if eq $includeSubdomainsHSTS "true" }}; includeSubDomains{{ end }}{{ if eq $preloadHSTS "true" }}; preload{{ end }}';
    }

    ## since HSTS headers are not permitted on HTTP requests, 301 redirects to HTTPS resources are also necessary
    {{/* enabling HSTS implies the redirect unless /deis/router/enforceHTTPS is set explicitly */}}
    {{ $enforceHTTPS := or (getv "/deis/router/enforceHTTPS") $enableHSTS "false" }}

    {{/* Enabling the enforceWhitelist option deny all connections except those from IPs explicitly allowed */}}
    {{ $enforceWhitelist := or (getv "/deis/router/enforceWhitelist") "false" }}

    ## start deis-controller
    {{ if exists "/deis/controller/host" }}
    upstream deis-controller {
        server {{ getv "/deis/controller/host" }}:{{ getv "/deis/controller/port" }};
    }
    {{ end }}

    # Controller vhost: <subdomain>.<platform domain>, default subdomain "deis".
    server {
        server_name ~^{{ or (getv "/deis/controller/subdomain") "deis" }}\.(?<domain>.+)$;
        include deis.conf;

        {{/* IP Whitelisting */}}
        {{/* /deis/router/controller/whitelist is a comma-separated list of "address[:comment]"
             entries; the part before the first ":" becomes an allow directive and the part
             after it, if any, is emitted as a trailing nginx comment.
             NOTE(review): splitting on ":" assumes IPv4/CIDR entries -- an IPv6 address would
             be truncated at its first colon. */}}
        {{ $controllerHasWhitelist := exists "/deis/router/controller/whitelist" }}
        {{ if $controllerHasWhitelist }}
        ## Only connections from the following addresses are allowed
        {{ $whitelist := getv "/deis/router/controller/whitelist" }}
        {{ range $whitelist_entry := split $whitelist "," }}
        {{ $whitelist_detail := split $whitelist_entry ":" }}
        allow {{index $whitelist_detail 0}};{{if eq (len $whitelist_detail) 2}} # {{index $whitelist_detail 1}}{{ end }}
        {{ end }}
        {{ end }}
        {{/* deny all follows the allow list (nginx evaluates access rules in order); with
             enforceWhitelist and no controller whitelist this denies every client. */}}
        {{ if or (eq $enforceWhitelist "true") $controllerHasWhitelist }}
        deny all;
        {{ end }}

        {{ if exists "/deis/controller/host" }}
        location / {
            {{ if eq $useFirewall "true" }}include /opt/nginx/firewall/active-mode.rules;{{ end }}
            proxy_buffering off;
            proxy_set_header Host $host;
            {{ if ne $useProxyProtocol "false" }}
            proxy_set_header X-Forwarded-For $proxy_protocol_addr;
            {{ else }}
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            {{ end }}
            proxy_redirect off;
            # Controller timeouts are configured separately from $defaultTimeout.
            proxy_connect_timeout {{ or (getv "/deis/router/controller/timeout/connect") "10s" }};
            proxy_send_timeout {{ or (getv "/deis/router/controller/timeout/send") "20m" }};
            proxy_read_timeout {{ or (getv "/deis/router/controller/timeout/read") "20m" }};

            proxy_pass http://deis-controller;
        }
        {{ else }}
        # No controller registered in etcd: answer 503 rather than failing to start.
        location / {
            return 503;
        }
        {{ end }}

        {{ if eq $useFirewall "true" }}location /RequestDenied {
            return {{ $firewallErrorCode }};
        }
        {{ end }}

        {{ if eq $enforceHTTPS "true" }}
        if ($access_scheme != "https") {
            return 301 https://$host$request_uri;
        }
        {{ end }}

        {{ if eq $enableHSTS "true" }}
        add_header Strict-Transport-Security $sts always;
        {{ end }}
    }
    ## end deis-controller

    ## start deis-store-gateway
    {{ if exists "/deis/store/gateway/host" }}
    upstream deis-store-gateway {
        server {{ getv "/deis/store/gateway/host" }}:{{ getv "/deis/store/gateway/port" }};
    }
    {{ end }}

    # Store gateway vhost: deis-store.<platform domain>.
    # NOTE(review): unlike the controller vhost this one has no whitelist/deny rules, and
    # the body-size limit is disabled below, so it accepts unbounded uploads from any client
    # that can reach the router.
    server {
        server_name ~^deis-store\.(?<domain>.+)$;
        include deis.conf;

        # 0 disables the request-body size limit for this vhost (object uploads).
        client_max_body_size 0;

        {{ if exists "/deis/store/gateway/host" }}
        location / {
            {{ if eq $useFirewall "true" }}include /opt/nginx/firewall/active-mode.rules;{{ end }}
            proxy_buffering off;
            proxy_set_header Host $host;
            {{ if ne $useProxyProtocol "false" }}
            proxy_set_header X-Forwarded-For $proxy_protocol_addr;
            {{ else }}
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            {{ end }}
            proxy_redirect off;
            proxy_connect_timeout 10s;
            proxy_send_timeout {{ $defaultTimeout }}s;
            proxy_read_timeout {{ $defaultTimeout }}s;

            proxy_pass http://deis-store-gateway;
        }
        {{ else }}
        location / {
            return 503;
        }
        {{ end }}
    }
    ## end deis-store-gateway
    {{/* NOTE(review): $useSSL and $certs are assigned here but not referenced anywhere else
         in this template; confd template variables do not carry over into deis.conf/ssl.conf. */}}
    {{ $useSSL := or (getv "/deis/router/sslCert") "false" }}
    {{ $domains := ls "/deis/domains" }}
    {{ $certs := ls "/deis/certs" }}
    ## start service definitions for each application
    {{/* One upstream plus one or more server blocks per application directory under
         /deis/services; each child key of the directory is a container address. */}}
    {{ range $app := lsdir "/deis/services" }}
    {{ $upstreams := printf "/deis/services/%s/*" $app}}
    upstream {{ $app }} {
        {{/* optional session affinity: consistent-hash on the query argument named in affinityArg */}}
        {{ if exists "/deis/router/affinityArg" }}
        hash $arg_{{ getv "/deis/router/affinityArg" }} consistent;
        {{ end }}
        {{ range gets $upstreams }}server {{ .Value }};
        {{ end }}
    }
    {{/* $appContainerLen == 0 means the app has no running containers; its vhosts then answer 503 */}}
    {{ $appContainers := gets $upstreams }}{{ $appContainerLen := len $appContainers }}
    ## server entries for custom domains
    {{/* a custom domain belongs to this app when /deis/domains/<domain> holds the app name */}}
    {{ range $app_domain := $domains }}{{ if eq $app (getv (printf "/deis/domains/%s" $app_domain)) }}
    server {
        server_name {{ $app_domain }};
        {{/* if a SSL certificate is installed for this domain, use SSL */}}
        {{/* NOTE (bacongobbler): domains are separate from the default platform domain, */}}
        {{/* so we can't rely on deis.conf as each domain is an island */}}
        {{/* the cert/key files are expected at the paths below; they are written by something
             other than this template (not visible here). */}}
        {{ if exists (printf "/deis/certs/%s/cert" $app_domain) }}
        server_name_in_redirect off;
        port_in_redirect off;
        listen 80{{ if ne $useProxyProtocol "false" }} proxy_protocol{{ end }};
        {{/* NOTE(review): the spdy listen parameter was removed from nginx in 1.9.5 in favour of
             http2; confirm the bundled nginx still accepts it. */}}
        listen 443 ssl spdy{{ if ne $useProxyProtocol "false" }} proxy_protocol{{ end }};
        ssl_certificate /etc/ssl/deis/certs/{{ $app_domain }}.cert;
        ssl_certificate_key /etc/ssl/deis/keys/{{ $app_domain }}.key;
        include ssl.conf;
        {{/* if there's no app SSL cert but we have a router SSL cert, enable that instead */}}
        {{/* TODO (bacongobbler): wait for https://github.com/kelseyhightower/confd/issues/270 */}}
        {{/* so we can apply this config to just subdomains of the platform domain. */}}
        {{/* ref: https://github.com/deis/deis/pull/3519 */}}
        {{ else }}
        include deis.conf;
        {{ end }}

        {{/* IP Whitelisting */}}
        {{/* per-app whitelist from /deis/config/<app>/deis_whitelist, same "address[:comment]"
             comma-separated format (and the same IPv6 caveat) as the controller whitelist */}}
        {{ $appHasWhitelist := exists (printf "/deis/config/%s/deis_whitelist" $app) }}
        {{ if $appHasWhitelist }}
        ## Only connections from the following addresses are allowed
        {{ $whitelist := getv (printf "/deis/config/%s/deis_whitelist" $app) }}
        {{ range $whitelist_entry := split $whitelist "," }}
        {{ $whitelist_detail := split $whitelist_entry ":" }}
        allow {{index $whitelist_detail 0}};{{if eq (len $whitelist_detail) 2}} # {{index $whitelist_detail 1}}{{ end }}
        {{ end }}
        {{ end }}
        {{ if or (eq $enforceWhitelist "true") $appHasWhitelist}}
        deny all;
        {{ end }}

        {{ if ne $appContainerLen 0 }}
        location / {
            {{ if eq $useFirewall "true" }}include /opt/nginx/firewall/active-mode.rules;{{ end }}
            proxy_buffering off;
            proxy_set_header Host $host;
            # Derive the forwarded port/ssl flags from $access_scheme (see the map above).
            set $access_ssl 'off';
            set $access_port '80';
            if ($access_scheme ~ https) {
                set $access_ssl 'on';
                set $access_port '443';
            }
            proxy_set_header X-Forwarded-Port $access_port;
            proxy_set_header X-Forwarded-Proto $access_scheme;
            {{ if ne $useProxyProtocol "false" }}
            proxy_set_header X-Forwarded-For $proxy_protocol_addr;
            {{ else }}
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            {{ end }}
            proxy_set_header X-Forwarded-Ssl $access_ssl;
            proxy_redirect off;
            proxy_connect_timeout 30s;
            proxy_send_timeout {{ $defaultTimeout }}s;
            proxy_read_timeout {{ $defaultTimeout }}s;
            # HTTP/1.1 plus Upgrade/Connection pass-through so WebSockets work end to end.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;

            proxy_next_upstream error timeout http_502 http_503 http_504;

            {{ if eq $enforceHTTPS "true" }}
            if ($access_scheme != "https") {
                return 301 https://$host$request_uri;
            }
            {{ end }}

            {{ if eq $enableHSTS "true" }}
            add_header Strict-Transport-Security $sts always;
            {{ end }}

            ## workaround for nginx hashing empty string bug http://trac.nginx.org/nginx/ticket/765
            {{/* set_random / set_if_empty are set-misc module directives: requests lacking the
                 affinity argument get a random 0-99 hash key instead of an empty string */}}
            {{ if exists "/deis/router/affinityArg" }}
            set_random $prng 0 99;
            set_if_empty $arg_{{ getv "/deis/router/affinityArg" }} $prng;
            {{ end }}

            proxy_pass http://{{ $app }};
        }
        {{ else }}
        location / {
            return 503;
        }
        {{ end }}
        {{ if eq $useFirewall "true" }}location /RequestDenied {
            return {{ $firewallErrorCode }};
        }
        {{ end }}
    }{{ end }}{{ end }}
    ## end entries for custom domains

    # Platform-domain vhost for the app: <app>.<platform domain>.
    # NOTE(review): $app is interpolated straight into the server_name regex; presumably app
    # names are validated by the controller, otherwise regex metacharacters would change the match.
    server {
        server_name ~^{{ $app }}\.(?<domain>.+)$;
        include deis.conf;

        {{/* IP Whitelisting */}}
        {{ $appHasWhitelist := exists (printf "/deis/config/%s/deis_whitelist" $app) }}
        {{ if $appHasWhitelist }}
        ## Only connections from the following addresses are allowed
        {{ $whitelist := getv (printf "/deis/config/%s/deis_whitelist" $app) }}
        {{ range $whitelist_entry := split $whitelist "," }}
        {{ $whitelist_detail := split $whitelist_entry ":" }}
        allow {{index $whitelist_detail 0}};{{if eq (len $whitelist_detail) 2}} # {{index $whitelist_detail 1}}{{ end }}
        {{ end }}
        {{ end }}
        {{ if or (eq $enforceWhitelist "true") $appHasWhitelist}}
        deny all;
        {{ end }}

        {{ if ne $appContainerLen 0 }}
        location / {
            {{ if eq $useFirewall "true" }}include /opt/nginx/firewall/active-mode.rules;{{ end }}
            proxy_buffering off;
            proxy_set_header Host $host;
            set $access_ssl 'off';
            set $access_port '80';
            if ($access_scheme ~ https) {
                set $access_ssl 'on';
                set $access_port '443';
            }
            proxy_set_header X-Forwarded-Port $access_port;
            proxy_set_header X-Forwarded-Proto $access_scheme;
            {{ if ne $useProxyProtocol "false" }}
            proxy_set_header X-Forwarded-For $proxy_protocol_addr;
            {{ else }}
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            {{ end }}
            proxy_set_header X-Forwarded-Ssl $access_ssl;
            proxy_redirect off;
            proxy_connect_timeout 30s;
            proxy_send_timeout {{ $defaultTimeout }}s;
            proxy_read_timeout {{ $defaultTimeout }}s;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;

            proxy_next_upstream error timeout http_502 http_503 http_504;

            {{ if eq $enforceHTTPS "true" }}
            if ($access_scheme != "https") {
                return 301 https://$host$request_uri;
            }
            {{ end }}

            {{ if eq $enableHSTS "true" }}
            add_header Strict-Transport-Security $sts always;
            {{ end }}

            {{/* NOTE(review): the custom-domain block above applies the set_random/set_if_empty
                 affinity workaround; this platform-domain block does not -- verify whether that
                 difference is intended. */}}
            proxy_pass http://{{ $app }};
        }
        {{ else }}
        location / {
            return 503;
        }
        {{ end }}
        {{ if eq $useFirewall "true" }}location /RequestDenied {
            return {{ $firewallErrorCode }};
        }
        {{ end }}
    }{{ end }}
    ## end service definitions for each application

    {{/* scheduler module selects the health-check implementation below ("k8s" vs anything else) */}}
    {{ $scheduler := or (getv "/deis/controller/schedulerModule") "fleet" }}

    # default server, including "classic" healthcheck
    # Catches every Host that no other server_name matches.
    server {
        listen 80 default_server reuseport{{ if ne $useProxyProtocol "false" }} proxy_protocol{{ end }};
        location /health-check {
            access_log off;
            {{ if eq $scheduler "k8s" }}
            proxy_pass http://{{ getenv "HOST" }}:10249/healthz;
            {{ else }}
            default_type 'text/plain';
            return 200;
            {{ end }}
        }
        # NOTE(review): the traffic-status page has no allow/deny rules and is served by the
        # default server on port 80, so per-vhost traffic statistics are readable by any client
        # that can reach the router; restricting it to the operator network is worth considering.
        location /router-nginx-status {
            vhost_traffic_status_display;
            vhost_traffic_status_display_format html;
        }
        location / {
            return 404;
        }
    }

    # healthcheck on 9090 -- never uses proxy_protocol
    server {
        listen 9090 default_server;
        location /health-check {
            access_log off;
            {{ if eq $scheduler "k8s" }}
            proxy_pass http://{{ getenv "HOST" }}:10249/healthz;
            {{ else }}
            default_type 'text/plain';
            return 200;
            {{ end }}
        }
        location / {
            return 404;
        }
    }

    #start k8s apps
    {{/* Kubernetes services are discovered from the raw apiserver registry in etcd: every
         Service spec under every namespace gets an upstream pointing at <clusterIP>:80 and a
         platform-domain vhost named after its "name" label (falling back to metadata.name).
         NOTE(review): nothing here filters by namespace or label, so any Service in the
         cluster listening on port 80 becomes reachable through the router -- confirm this
         scope is intended. A Service without a labels map may also fail to render
         ($k8Svc.metadata.labels.name on a missing key) -- verify against confd's behaviour. */}}
    {{ range $k8namespace := lsdir "/registry/services/specs/" }}
    {{ $k8appdir := printf "/registry/services/specs/%s" $k8namespace}}{{ range $kapp := ls $k8appdir }}
    {{ $k8appPath := printf "/registry/services/specs/%s/%s" $k8namespace $kapp}}{{ $k8Svc := json (getv $k8appPath) }}
    {{ $upstreams := printf "/registry/services/specs/%s/%s" $k8namespace $kapp}}
    upstream {{ if $k8Svc.metadata.labels.name }}{{ $k8Svc.metadata.labels.name }}{{ else }}{{ $k8Svc.metadata.name }}{{ end }} {
        {{ if exists "/deis/router/affinityArg" }}
        hash $arg_{{ getv "/deis/router/affinityArg" }} consistent;
        {{ end }}
        server {{ $k8Svc.spec.clusterIP }}:80;
    }
    {{/* $upstreams is the exact spec key here, so $appContainerLen is 1 when the spec exists */}}
    {{ $appContainers := gets $upstreams }}{{ $appContainerLen := len $appContainers }}
    {{ $k8sappname := or $k8Svc.metadata.labels.name $k8Svc.metadata.name }}
    ## server entries for custom domains
    {{ range $app_domain := $domains }}{{ if eq $k8sappname (getv (printf "/deis/domains/%s" $app_domain)) }}
    server {
        server_name {{ $app_domain }};
        {{/* if a SSL certificate is installed for this domain, use SSL */}}
        {{/* NOTE (bacongobbler): domains are separate from the default platform domain, */}}
        {{/* so we can't rely on deis.conf as each domain is an island */}}
        {{ if exists (printf "/deis/certs/%s/cert" $app_domain) }}
        server_name_in_redirect off;
        port_in_redirect off;
        listen 80{{ if ne $useProxyProtocol "false" }} proxy_protocol{{ end }};
        listen 443 ssl spdy{{ if ne $useProxyProtocol "false" }} proxy_protocol{{ end }};
        ssl_certificate /etc/ssl/deis/certs/{{ $app_domain }}.cert;
        ssl_certificate_key /etc/ssl/deis/keys/{{ $app_domain }}.key;
        include ssl.conf;
        {{/* if there's no app SSL cert but we have a router SSL cert, enable that instead */}}
        {{/* TODO (bacongobbler): wait for https://github.com/kelseyhightower/confd/issues/270 */}}
        {{/* so we can apply this config to just subdomains of the platform domain. */}}
        {{/* ref: https://github.com/deis/deis/pull/3519 */}}
        {{ else }}
        include deis.conf;
        {{ end }}
        {{/* NOTE(review): unlike the fleet app vhosts, the k8s vhosts (this one and the
             platform-domain one below) carry no deis_whitelist / enforceWhitelist rules, so
             $enforceWhitelist has no effect on them -- verify whether that is intended. */}}
        {{ if ne $appContainerLen 0 }}
        location / {
            {{ if eq $useFirewall "true" }}include /opt/nginx/firewall/active-mode.rules;{{ end }}
            proxy_buffering off;
            proxy_set_header Host $host;
            set $access_ssl 'off';
            set $access_port '80';
            if ($access_scheme ~ https) {
                set $access_ssl 'on';
                set $access_port '443';
            }
            proxy_set_header X-Forwarded-Port $access_port;
            proxy_set_header X-Forwarded-Proto $access_scheme;
            {{ if ne $useProxyProtocol "false" }}
            proxy_set_header X-Forwarded-For $proxy_protocol_addr;
            {{ else }}
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            {{ end }}
            proxy_set_header X-Forwarded-Ssl $access_ssl;
            proxy_redirect off;
            proxy_connect_timeout 30s;
            proxy_send_timeout {{ $defaultTimeout }}s;
            proxy_read_timeout {{ $defaultTimeout }}s;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;

            proxy_next_upstream error timeout http_502 http_503 http_504;

            {{ if eq $enforceHTTPS "true" }}
            if ($access_scheme != "https") {
                return 301 https://$host$request_uri;
            }
            {{ end }}

            {{ if eq $enableHSTS "true" }}
            add_header Strict-Transport-Security $sts always;
            {{ end }}

            ## workaround for nginx hashing empty string bug http://trac.nginx.org/nginx/ticket/765
            {{ if exists "/deis/router/affinityArg" }}
            set_random $prng 0 99;
            set_if_empty $arg_{{ getv "/deis/router/affinityArg" }} $prng;
            {{ end }}

            proxy_pass http://{{ if $k8Svc.metadata.labels.name }}{{ $k8Svc.metadata.labels.name }}{{ else }}{{ $k8Svc.metadata.name }}{{ end }};
        }
        {{ else }}
        location / {
            return 503;
        }
        {{ end }}
        {{ if eq $useFirewall "true" }}location /RequestDenied {
            return {{ $firewallErrorCode }};
        }
        {{ end }}
    }{{ end }}{{ end }}
    ## end entries for custom domains

    # Platform-domain vhost for the k8s service: <service name>.<platform domain>.
    server {
        server_name ~^{{ if $k8Svc.metadata.labels.name }}{{ $k8Svc.metadata.labels.name }}{{ else }}{{ $k8Svc.metadata.name }}{{ end }}\.(?<domain>.+)$;
        include deis.conf;
        {{ if ne $appContainerLen 0 }}
        location / {
            {{ if eq $useFirewall "true" }}include /opt/nginx/firewall/active-mode.rules;{{ end }}
            proxy_buffering off;
            proxy_set_header Host $host;
            set $access_ssl 'off';
            set $access_port '80';
            if ($access_scheme ~ https) {
                set $access_ssl 'on';
                set $access_port '443';
            }
            proxy_set_header X-Forwarded-Port $access_port;
            proxy_set_header X-Forwarded-Proto $access_scheme;
            {{ if ne $useProxyProtocol "false" }}
            proxy_set_header X-Forwarded-For $proxy_protocol_addr;
            {{ else }}
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            {{ end }}
            proxy_set_header X-Forwarded-Ssl $access_ssl;
            proxy_redirect off;
            proxy_connect_timeout 30s;
            proxy_send_timeout {{ $defaultTimeout }}s;
            proxy_read_timeout {{ $defaultTimeout }}s;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;

            proxy_next_upstream error timeout http_502 http_503 http_504;

            {{ if eq $enforceHTTPS "true" }}
            if ($access_scheme != "https") {
                return 301 https://$host$request_uri;
            }
            {{ end }}

            {{ if eq $enableHSTS "true" }}
            add_header Strict-Transport-Security $sts always;
            {{ end }}

            proxy_pass http://{{ if $k8Svc.metadata.labels.name }}{{ $k8Svc.metadata.labels.name }}{{ else }}{{ $k8Svc.metadata.name }}{{ end }};
        }
        {{ else }}
        location / {
            return 503;
        }
        {{ end }}
        {{ if eq $useFirewall "true" }}location /RequestDenied {
            return {{ $firewallErrorCode }};
        }
        {{ end }}
    }{{end}}{{end}}
}

## start builder
# TCP (stream) proxy for the builder's SSH endpoint on port 2222; only rendered when a
# builder host is registered.
{{ if exists "/deis/builder/host" }}
stream {

    upstream builder {
        server {{ getv "/deis/builder/host" }}:{{ getv "/deis/builder/port" }};
    }

    server {
        listen 2222;
        {{/* NOTE(review): nginx time values without a unit suffix are seconds, so the defaults
             "10000" and "1200000" would be ~2.8 h and ~14 days unless the etcd values carry a
             unit; confirm whether milliseconds were intended. */}}
        proxy_connect_timeout {{ or (getv "/deis/router/builder/timeout/connect") "10000" }};
        proxy_timeout {{ or (getv "/deis/router/builder/timeout/tcp") "1200000" }};
        proxy_pass builder;
    }
}{{ end }}
## end builder