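# Main NGINX Plus configuration, rendered from a Go template.
# Source: github.com/nginxinc/kubernetes-ingress@v1.12.5/internal/configs/version1/nginx-plus.tmpl
#
# Security note: no template field in this file is passed through a quoting,
# escaping or validation function here; each value lands in the configuration
# exactly as supplied. Anything that can carry free text (the snippet lists in
# particular) has to be validated, or restricted to trusted writers, before it
# reaches this template.

worker_processes {{.WorkerProcesses}};
{{- if .WorkerRlimitNofile}}
worker_rlimit_nofile {{.WorkerRlimitNofile}};{{end}}
{{- if .WorkerCPUAffinity}}
worker_cpu_affinity {{.WorkerCPUAffinity}};{{end}}
{{- if .WorkerShutdownTimeout}}
worker_shutdown_timeout {{.WorkerShutdownTimeout}};{{end}}

daemon off;

error_log stderr {{.ErrorLogLevel}};
pid /var/lib/nginx/nginx.pid;

{{- if .OpenTracingLoadModule}}
load_module modules/ngx_http_opentracing_module.so;
{{- end}}
{{- if .AppProtectLoadModule}}
load_module modules/ngx_http_app_protect_module.so;
{{- end}}
# Main-context snippets are emitted verbatim. Whoever can set them can add any
# main-level directive (load_module, user, env, ...), so treat write access to
# their source as equivalent to control of this NGINX instance.
{{- if .MainSnippets}}
{{range $value := .MainSnippets}}
{{$value}}{{end}}
{{- end}}

{{if .PreviewPolicies}}
load_module modules/ngx_http_js_module.so;
{{- end}}

events {
    worker_connections {{.WorkerConnections}};
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # http-context snippets are emitted verbatim, with the same trust
    # implications as the main-context snippets above.
    {{- if .HTTPSnippets}}
    {{range $value := .HTTPSnippets}}
    {{$value}}{{end}}
    {{- end}}

    # Access log format: the configured lines when a custom format is set,
    # otherwise the built-in default. With a custom format, an escaping mode of
    # "none" writes client-controlled variables (request line, headers) to the
    # log unescaped; prefer "default" or "json" when logs feed other tooling.
    {{if .LogFormat -}}
    log_format main {{if .LogFormatEscaping}}escape={{ .LogFormatEscaping }} {{end}}
                    {{range $i, $value := .LogFormat -}}
                    {{with $value}}'{{if $i}} {{end}}{{$value}}'
                    {{end}}{{end}};
    {{- else -}}
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    {{- end}}

    {{if .AccessLogOff}}
    access_log off;
    {{else}}
    access_log /dev/stdout main;
    {{end}}

    {{if .LatencyMetrics}}
    # Upstream timing records are sent as JSON to a local syslog unix socket.
    log_format response_time '{"upstreamAddress":"$upstream_addr", "upstreamResponseTime":"$upstream_response_time", "proxyHost":"$proxy_host", "upstreamStatus": "$upstream_status"}';
    access_log syslog:server=unix:/var/lib/nginx/nginx-syslog.sock,nohostname,tag=nginx response_time;
    {{end}}

    {{- if .AppProtectLoadModule}}
    # App Protect settings. The failure-mode action decides what happens to
    # traffic when the WAF cannot process a request, so review it as a
    # fail-open / fail-closed decision. The cookie seed is written in clear
    # text into the rendered configuration.
    {{if .AppProtectFailureModeAction}}app_protect_failure_mode_action {{.AppProtectFailureModeAction}};{{end}}
    {{if .AppProtectCookieSeed}}app_protect_cookie_seed {{.AppProtectCookieSeed}};{{end}}
    {{if .AppProtectCPUThresholds}}app_protect_cpu_thresholds {{.AppProtectCPUThresholds}};{{end}}
    {{if .AppProtectPhysicalMemoryThresholds}}app_protect_physical_memory_util_thresholds {{.AppProtectPhysicalMemoryThresholds}};{{end}}
    include /etc/nginx/waf/nac-usersigs/index.conf;
    {{- end}}
    sendfile on;
    #tcp_nopush on;

    keepalive_timeout {{.KeepaliveTimeout}};
    keepalive_requests {{.KeepaliveRequests}};

    #gzip on;

    server_names_hash_max_size {{.ServerNamesHashMaxSize}};
    {{if .ServerNamesHashBucketSize}}server_names_hash_bucket_size {{.ServerNamesHashBucketSize}};{{end}}

    variables_hash_bucket_size {{.VariablesHashBucketSize}};
    variables_hash_max_size {{.VariablesHashMaxSize}};

    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }
    map $http_upgrade $vs_connection_header {
        default upgrade;
        '' $default_connection_header;
    }
    # TLS protocol and cipher directives are emitted only when configured;
    # when they are absent the NGINX built-in defaults apply.
    {{if .SSLProtocols}}ssl_protocols {{.SSLProtocols}};{{end}}
    {{if .SSLCiphers}}ssl_ciphers "{{.SSLCiphers}}";{{end}}
    {{if .SSLPreferServerCiphers}}ssl_prefer_server_ciphers on;{{end}}
    {{if .SSLDHParam}}ssl_dhparam {{.SSLDHParam}};{{end}}

    {{if .OpenTracingEnabled}}
    opentracing on;
    {{end}}
    {{if .OpenTracingLoadModule}}
    opentracing_load_tracer {{ .OpenTracingTracer }} /var/lib/nginx/tracer-config.json;
    {{end}}

    {{if .ResolverAddresses}}
    # Each address is preceded by its own space so that several resolvers are
    # emitted as separate parameters instead of running together into one token.
    resolver{{range $resolver := .ResolverAddresses}} {{$resolver}}{{end}}{{if .ResolverValid}} valid={{.ResolverValid}}{{end}}{{if not .ResolverIPV6}} ipv6=off{{end}};
    {{if .ResolverTimeout}}resolver_timeout {{.ResolverTimeout}};{{end}}
    {{end}}

    {{if .PreviewPolicies}}
    include oidc/oidc_common.conf;
    {{- end}}

    # Default server: answers requests that match no configured host.
    server {
        # required to support the Websocket protocol in VirtualServer/VirtualServerRoutes
        set $default_connection_header "";
        set $resource_type "";
        set $resource_name "";
        set $resource_namespace "";
        set $service "";

        listen 80 default_server{{if .ProxyProtocol}} proxy_protocol{{end}};

        {{if .TLSPassthrough}}
        # With TLS passthrough, HTTPS reaches this server through the stream
        # block over a local unix socket that carries a PROXY protocol header;
        # the client address from that header is trusted for the socket only.
        listen unix:/var/lib/nginx/passthrough-https.sock ssl default_server{{if .HTTP2}} http2{{end}} proxy_protocol;
        set_real_ip_from unix:;
        real_ip_header proxy_protocol;
        {{else}}
        listen 443 ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}};
        {{end}}

        {{if .SSLRejectHandshake}}
        # Refuse TLS handshakes that land on the default server instead of
        # presenting a default certificate.
        ssl_reject_handshake on;
        {{else}}
        # Certificate and private key are read from the same file.
        ssl_certificate /etc/nginx/secrets/default;
        ssl_certificate_key /etc/nginx/secrets/default;
        {{end}}

        # Peers listed in set_real_ip_from are trusted to state the client
        # address. Keep the list to the proxies or load balancers actually in
        # front of NGINX; an over-broad range lets clients choose the address
        # that logs and allow/deny rules will see.
        {{range $setRealIPFrom := .SetRealIPFrom}}
        set_real_ip_from {{$setRealIPFrom}};{{end}}
        {{if .RealIPHeader}}real_ip_header {{.RealIPHeader}};{{end}}
        {{if .RealIPRecursive}}real_ip_recursive on;{{end}}

        server_name _;
        server_tokens "{{.ServerTokens}}";
        {{if .DefaultServerAccessLogOff}}
        access_log off;
        {{end}}

        {{if .OpenTracingEnabled}}
        opentracing off;
        {{end}}

        {{if .HealthStatus}}
        # Health endpoint; this template places no access restriction on it.
        location {{.HealthStatusURI}} {
            default_type text/plain;
            return 200 "healthy\n";
        }
        {{end}}

        location / {
            return {{.DefaultServerReturn}};
        }
    }

    {{- if .NginxStatus}}
    # NGINX Plus APIs
    # The listen directive names a port only, so reachability is limited by the
    # allow list below followed by "deny all"; an empty allow list denies every
    # client. The API is read-only on this listener.
    server {
        listen {{.NginxStatusPort}};

        root /usr/share/nginx/html;

        access_log off;

        {{if .OpenTracingEnabled}}
        opentracing off;
        {{end}}

        location = /dashboard.html {
        }
        {{range $value := .NginxStatusAllowCIDRs}}
        allow {{$value}};{{end}}

        deny all;
        location /api {
            api write=off;
        }
    }
    {{- end}}

    # NGINX Plus API over unix socket
    # Write access is enabled and no allow/deny rules are set here, so the only
    # access control visible in this template is who can open the socket file.
    # Check the ownership and mode of /var/lib/nginx and of anything sharing
    # that path with other containers.
    server {
        listen unix:/var/lib/nginx/nginx-plus-api.sock;
        access_log off;

        {{if .OpenTracingEnabled}}
        opentracing off;
        {{end}}

        # $config_version_mismatch is defined in /etc/nginx/config-version.conf
        location /configVersionCheck {
            if ($config_version_mismatch) {
                return 503;
            }
            return 200;
        }

        location /api {
            api write=on;
        }
    }

    include /etc/nginx/config-version.conf;
    include /etc/nginx/conf.d/*.conf;

    # Local-only server that answers every request with 418.
    server {
        listen unix:/var/lib/nginx/nginx-418-server.sock;
        access_log off;

        {{if .OpenTracingEnabled}}
        opentracing off;
        {{end}}

        return 418;
    }
    {{if .InternalRouteServer}}
    # Internal route server: mutual TLS. Clients must present a certificate
    # that chains to spiffe_rootca.pem; chains up to 25 certificates deep are
    # accepted.
    server {
        listen 443 ssl;
        server_name {{.InternalRouteServerName}};
        ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
        ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
        ssl_client_certificate /etc/nginx/secrets/spiffe_rootca.pem;
        ssl_verify_client on;
        ssl_verify_depth 25;
    }
    {{end}}
}

stream {
    # Stream access log format: custom lines when configured, else the default.
    {{if .StreamLogFormat -}}
    log_format stream-main {{if .StreamLogFormatEscaping}}escape={{ .StreamLogFormatEscaping }} {{end}}
                           {{range $i, $value := .StreamLogFormat -}}
                           {{with $value}}'{{if $i}} {{end}}{{$value}}'
                           {{end}}{{end}};
    {{- else -}}
    log_format stream-main '$remote_addr [$time_local] '
                           '$protocol $status $bytes_sent $bytes_received '
                           '$session_time "$ssl_preread_server_name"';
    {{- end}}

    access_log /dev/stdout stream-main;

    # stream-context snippets are emitted verbatim; the same trust
    # implications apply as for the main and http snippets.
    {{range $value := .StreamSnippets}}
    {{$value}}{{end}}

    {{if .TLSPassthrough}}
    # Routing is by the SNI name read from the ClientHello, without terminating
    # TLS. The name is client-supplied; hosts not listed in
    # tls-passthrough-hosts.conf fall through to the local HTTPS listener.
    map $ssl_preread_server_name $dest_internal_passthrough {
        default unix:/var/lib/nginx/passthrough-https.sock;
        include /etc/nginx/tls-passthrough-hosts.conf;
    }

    server {
        listen 443;

        ssl_preread on;

        # Forward the original client address to the chosen destination.
        proxy_protocol on;
        proxy_pass $dest_internal_passthrough;
    }
    {{end}}

    include /etc/nginx/stream-conf.d/*.conf;
}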