github.com/nginxinc/kubernetes-ingress@v1.12.5/internal/configs/version1/nginx-plus.ingress.tmpl

# configuration for {{.Ingress.Namespace}}/{{.Ingress.Name}}
{{range $upstream := .Upstreams}}
upstream {{$upstream.Name}} {
	zone {{$upstream.Name}} {{if ne $upstream.UpstreamZoneSize "0"}}{{$upstream.UpstreamZoneSize}}{{else}}256k{{end}};
	{{if $upstream.LBMethod }}{{$upstream.LBMethod}};{{end}}
	{{range $server := $upstream.UpstreamServers}}
	server {{$server.Address}}:{{$server.Port}} max_fails={{$server.MaxFails}} fail_timeout={{$server.FailTimeout}} max_conns={{$server.MaxConns}}
	    {{- if $server.SlowStart}} slow_start={{$server.SlowStart}}{{end}}{{if $server.Resolve}} resolve{{end}};{{end}}
	{{if $upstream.StickyCookie}}
	sticky cookie {{$upstream.StickyCookie}};
	{{end}}
	{{if $.Keepalive}}keepalive {{$.Keepalive}};{{end}}
	{{- if $upstream.UpstreamServers -}}
	{{- if $upstream.Queue}}
	queue {{$upstream.Queue}} timeout={{$upstream.QueueTimeout}}s;
	{{- end -}}
	{{- end}}
}
{{- end}}

{{range $server := .Servers}}
server {
	{{if $server.SpiffeCerts}}
	listen 443 ssl;
	ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
	ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
	{{else}}
	{{if not $server.GRPCOnly}}
	{{range $port := $server.Ports}}
	listen {{$port}}{{if $server.ProxyProtocol}} proxy_protocol{{end}};
	{{- end}}
	{{end}}

	{{if $server.SSL}}
	{{if $server.TLSPassthrough}}
	listen unix:/var/lib/nginx/passthrough-https.sock ssl{{if $server.HTTP2}} http2{{end}} proxy_protocol;
	set_real_ip_from unix:;
	real_ip_header proxy_protocol;
	{{else}}
	{{- range $port := $server.SSLPorts}}
	listen {{$port}} ssl{{if $server.HTTP2}} http2{{end}}{{if $server.ProxyProtocol}} proxy_protocol{{end}};
	{{- end}}
	{{end}}
	{{if $server.SSLRejectHandshake}}
	ssl_reject_handshake on;
	{{else}}
	ssl_certificate {{$server.SSLCertificate}};
	ssl_certificate_key {{$server.SSLCertificateKey}};
	{{end}}
	{{end}}
	{{end}}

	{{range $setRealIPFrom := $server.SetRealIPFrom}}
	set_real_ip_from {{$setRealIPFrom}};{{end}}
	{{if $server.RealIPHeader}}real_ip_header {{$server.RealIPHeader}};{{end}}
	{{if $server.RealIPRecursive}}real_ip_recursive on;{{end}}

	server_tokens "{{$server.ServerTokens}}";

	server_name {{$server.Name}};

	status_zone {{$server.StatusZone}};
	set $resource_type "ingress";
	set $resource_name "{{$.Ingress.Name}}";
	set $resource_namespace "{{$.Ingress.Namespace}}";

	{{- if $server.AppProtectEnable}}
	app_protect_enable {{$server.AppProtectEnable}};
	{{if $server.AppProtectPolicy}}app_protect_policy_file {{$server.AppProtectPolicy}};{{end}}
	{{- end}}
	{{- if $server.AppProtectLogEnable}}
	app_protect_security_log_enable {{$server.AppProtectLogEnable}};
	{{range $AppProtectLogConf := $server.AppProtectLogConfs}}app_protect_security_log {{$AppProtectLogConf}};
	{{end}}
	{{- end}}
	
	{{if not $server.GRPCOnly}}
	{{range $proxyHideHeader := $server.ProxyHideHeaders}}
	proxy_hide_header {{$proxyHideHeader}};{{end}}
	{{range $proxyPassHeader := $server.ProxyPassHeaders}}
	proxy_pass_header {{$proxyPassHeader}};{{end}}
	{{end}}

	{{- if and $server.HSTS (or $server.SSL $server.HSTSBehindProxy)}}
	set $hsts_header_val "";
	proxy_hide_header Strict-Transport-Security;
	{{- if $server.HSTSBehindProxy}}
	if ($http_x_forwarded_proto = 'https') {
	{{else}}
	if ($https = on) {
	{{- end}}
		set $hsts_header_val "max-age={{$server.HSTSMaxAge}}; {{if $server.HSTSIncludeSubdomains}}includeSubDomains; {{end}}preload";
	}

	add_header Strict-Transport-Security "$hsts_header_val" always;
	{{end}}

	{{if $server.SSL}}
	{{if not $server.GRPCOnly}}
	{{- if $server.SSLRedirect}}
	if ($scheme = http) {
		return 301 https://$host:{{index $server.SSLPorts 0}}$request_uri;
	}
	{{- end}}
	{{end}}
	{{- end}}

	{{- if $server.RedirectToHTTPS}}
	if ($http_x_forwarded_proto = 'http') {
		return 301 https://$host$request_uri;
	}
	{{- end}}

	{{with $jwt := $server.JWTAuth}}
	auth_jwt_key_file {{$jwt.Key}};
	auth_jwt "{{.Realm}}"{{if $jwt.Token}} token={{$jwt.Token}}{{end}};

	{{- if $jwt.RedirectLocationName}}
	error_page 401 {{$jwt.RedirectLocationName}};
	{{end}}
	{{end}}

	{{- if $server.ServerSnippets}}
	{{range $value := $server.ServerSnippets}}
	{{$value}}{{end}}
	{{- end}}

	{{- range $healthCheck := $server.HealthChecks}}
	location @hc-{{$healthCheck.UpstreamName}} {
		{{- range $name, $header := $healthCheck.Headers}}
		proxy_set_header {{$name}} "{{$header}}";
		{{- end }}
		proxy_connect_timeout {{$healthCheck.TimeoutSeconds}}s;
		proxy_read_timeout {{$healthCheck.TimeoutSeconds}}s;
		proxy_send_timeout {{$healthCheck.TimeoutSeconds}}s;
		proxy_pass {{$healthCheck.Scheme}}://{{$healthCheck.UpstreamName}};
		health_check {{if $healthCheck.Mandatory}}mandatory {{end}}uri={{$healthCheck.URI}} interval=
			{{- $healthCheck.Interval}}s fails={{$healthCheck.Fails}} passes={{$healthCheck.Passes}};
	}
	{{end -}}

	{{- range $location := $server.JWTRedirectLocations}}
	location {{$location.Name}} {
		internal;
		return 302 {{$location.LoginURL}};
	}
	{{end -}}

	{{range $location := $server.Locations}}
	location {{$location.Path}} {
		set $service "{{$location.ServiceName}}";
		{{with $location.MinionIngress}}
		# location for minion {{$location.MinionIngress.Namespace}}/{{$location.MinionIngress.Name}}
		set $resource_name "{{$location.MinionIngress.Name}}";
		set $resource_namespace "{{$location.MinionIngress.Namespace}}";
		{{end}}
		{{if $location.GRPC}}
		{{if not $server.GRPCOnly}}
		error_page 400 @grpcerror400;
		error_page 401 @grpcerror401;
		error_page 403 @grpcerror403;
		error_page 404 @grpcerror404;
		error_page 405 @grpcerror405;
		error_page 408 @grpcerror408;
		error_page 414 @grpcerror414;
		error_page 426 @grpcerror426;
		error_page 500 @grpcerror500;
		error_page 501 @grpcerror501;
		error_page 502 @grpcerror502;
		error_page 503 @grpcerror503;
		error_page 504 @grpcerror504;
		{{end}}

		{{- if $location.LocationSnippets}}
		{{range $value := $location.LocationSnippets}}
		{{$value}}{{end}}
		{{- end}}

		{{with $jwt := $location.JWTAuth}}
		auth_jwt_key_file {{$jwt.Key}};
		auth_jwt "{{.Realm}}"{{if $jwt.Token}} token={{$jwt.Token}}{{end}};
		{{end}}

		grpc_connect_timeout {{$location.ProxyConnectTimeout}};
		grpc_read_timeout {{$location.ProxyReadTimeout}};
		grpc_send_timeout {{$location.ProxySendTimeout}};
		grpc_set_header Host $host;
		grpc_set_header X-Real-IP $remote_addr;
		grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		grpc_set_header X-Forwarded-Host $host;
		grpc_set_header X-Forwarded-Port $server_port;
		grpc_set_header X-Forwarded-Proto $scheme;

		{{- if $location.ProxyBufferSize}}
		grpc_buffer_size {{$location.ProxyBufferSize}};
		{{- end}}
		{{if $.SpiffeClientCerts}}
		grpc_ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
		grpc_ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
		grpc_ssl_trusted_certificate /etc/nginx/secrets/spiffe_rootca.pem;
		grpc_ssl_server_name on;
		grpc_ssl_verify on;
		grpc_ssl_verify_depth 25;
		grpc_ssl_name {{$location.ProxySSLName}};
		{{end}}
		{{if $location.SSL}}
		grpc_pass grpcs://{{$location.Upstream.Name}};
		{{else}}
		grpc_pass grpc://{{$location.Upstream.Name}};
		{{end}}
		{{else}}
		proxy_http_version 1.1;
		{{if $location.Websocket}}
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $connection_upgrade;
		{{- else}}
		{{- if $.Keepalive}}proxy_set_header Connection "";{{end}}
		{{- end}}

		{{- if $location.LocationSnippets}}
		{{range $value := $location.LocationSnippets}}
		{{$value}}{{end}}
		{{- end}}

		{{ with $jwt := $location.JWTAuth }}
		auth_jwt_key_file {{$jwt.Key}};
		auth_jwt "{{.Realm}}"{{if $jwt.Token}} token={{$jwt.Token}}{{end}};
		{{if $jwt.RedirectLocationName}}
		error_page 401 {{$jwt.RedirectLocationName}};
		{{end}}
		{{end}}

		proxy_connect_timeout {{$location.ProxyConnectTimeout}};
		proxy_read_timeout {{$location.ProxyReadTimeout}};
		proxy_send_timeout {{$location.ProxySendTimeout}};
		client_max_body_size {{$location.ClientMaxBodySize}};
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Host $host;
		proxy_set_header X-Forwarded-Port $server_port;
		proxy_set_header X-Forwarded-Proto {{if $server.RedirectToHTTPS}}https{{else}}$scheme{{end}};
		proxy_buffering {{if $location.ProxyBuffering}}on{{else}}off{{end}};
		{{- if $location.ProxyBuffers}}
		proxy_buffers {{$location.ProxyBuffers}};
		{{- end}}
		{{- if $location.ProxyBufferSize}}
		proxy_buffer_size {{$location.ProxyBufferSize}};
		{{- end}}
		{{- if $location.ProxyMaxTempFileSize}}
		proxy_max_temp_file_size {{$location.ProxyMaxTempFileSize}};
		{{- end}}
		{{if $.SpiffeClientCerts}}
		proxy_ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
		proxy_ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
		proxy_ssl_trusted_certificate /etc/nginx/secrets/spiffe_rootca.pem;
		proxy_ssl_server_name on;
		proxy_ssl_verify on;
		proxy_ssl_verify_depth 25;
		proxy_ssl_name {{$location.ProxySSLName}};
		{{end}}
		{{if $location.SSL}}
		proxy_pass https://{{$location.Upstream.Name}}{{$location.Rewrite}};
		{{else}}
		proxy_pass http://{{$location.Upstream.Name}}{{$location.Rewrite}};
		{{end}}
		{{end}}
	}{{end}}
	{{if $server.GRPCOnly}}
	error_page 400 @grpcerror400;
	error_page 401 @grpcerror401;
	error_page 403 @grpcerror403;
	error_page 404 @grpcerror404;
	error_page 405 @grpcerror405;
	error_page 408 @grpcerror408;
	error_page 414 @grpcerror414;
	error_page 426 @grpcerror426;
	error_page 500 @grpcerror500;
	error_page 501 @grpcerror501;
	error_page 502 @grpcerror502;
	error_page 503 @grpcerror503;
	error_page 504 @grpcerror504;
	{{end}}
	{{if $server.HTTP2}}
	location @grpcerror400 { default_type application/grpc; return 400 "\n"; }
	location @grpcerror401 { default_type application/grpc; return 401 "\n"; }
	location @grpcerror403 { default_type application/grpc; return 403 "\n"; }
	location @grpcerror404 { default_type application/grpc; return 404 "\n"; }
	location @grpcerror405 { default_type application/grpc; return 405 "\n"; }
	location @grpcerror408 { default_type application/grpc; return 408 "\n"; }
	location @grpcerror414 { default_type application/grpc; return 414 "\n"; }
	location @grpcerror426 { default_type application/grpc; return 426 "\n"; }
	location @grpcerror500 { default_type application/grpc; return 500 "\n"; }
	location @grpcerror501 { default_type application/grpc; return 501 "\n"; }
	location @grpcerror502 { default_type application/grpc; return 502 "\n"; }
	location @grpcerror503 { default_type application/grpc; return 503 "\n"; }
	location @grpcerror504 { default_type application/grpc; return 504 "\n"; }
	{{end}}
}{{end}}