{{/*
nginx-plus.virtualserver.tmpl — Go text/template that renders the NGINX Plus
configuration for one VirtualServer: its upstreams, split_clients/map blocks,
rate-limit zones, health-check match blocks, and one server block with all of
its locations.

Security notes for anyone editing this file:

  - Nothing here escapes interpolated values. text/template emits every
    action verbatim into the nginx config, so a value containing a double
    quote, a semicolon, a newline or a closing brace would terminate the
    directive or block it is rendered into. The template assumes the
    controller has already validated every field it renders — confirm that
    the CRD validation covers each field that lands inside double quotes
    (header values, return text, default_type, JWT realm, OIDC endpoints,
    scopes, client id/secret) as well as the bare ones (paths, variables,
    sizes, timeouts, certificate paths, zone names).

  - Snippets (.HTTPSnippets, .Server.Snippets and per-location Snippets) are
    inserted verbatim with no validation at all; whoever may author them can
    emit arbitrary nginx configuration in http/server/location context. They
    are presumably gated by a controller flag — confirm before letting
    untrusted tenants author VirtualServers.

  - Comments in this file use template comment syntax so that they do not
    bloat the rendered config; the two "# status code" comments below are
    the only ones that reach nginx.
*/}}
{{/* One upstream per backend service. The shared-memory zone falls back to
     256k when UpstreamZoneSize was left at "0". The resolve flag on server
     entries depends on an http-level resolver directive that is defined
     outside this template. */}}
{{ range $u := .Upstreams }}
upstream {{ $u.Name }} {
    zone {{ $u.Name }} {{ if ne $u.UpstreamZoneSize "0" }}{{ $u.UpstreamZoneSize }}{{ else }}256k{{ end }};

    {{ if $u.LBMethod }}{{ $u.LBMethod }};{{ end }}

    {{ range $s := $u.Servers }}
    server {{ $s.Address }} max_fails={{ $u.MaxFails }} fail_timeout={{ $u.FailTimeout }}{{ if $u.SlowStart }} slow_start={{ $u.SlowStart }}{{ end }} max_conns={{ $u.MaxConns }}{{ if $u.Resolve }} resolve{{ end }};
    {{ end }}

    {{ if $u.Keepalive }}
    keepalive {{ $u.Keepalive }};
    {{ end }}

    {{ if $u.Queue }}
    queue {{ $u.Queue.Size }} timeout={{ $u.Queue.Timeout }};
    {{ end }}

    {{/* Session-affinity cookie. httponly and secure are only emitted when
         the CRD asks for them; since the server below always listens on
         port 80, a cookie without secure can travel in clear text unless a
         tlsRedirect is configured. */}}
    {{ with $u.SessionCookie }}
    {{ if .Enable }}
    sticky cookie {{ .Name }}{{ if .Expires }} expires={{ .Expires }}{{ end }}{{ if .Domain }} domain={{ .Domain }}{{ end }}{{ if .HTTPOnly }} httponly{{ end }}{{ if .Secure }} secure{{ end }}{{ if .Path }} path={{ .Path }}{{ end }};
    {{ end }}
    {{ end }}
}
{{ end }}

{{/* split_clients and map blocks backing traffic splits and match rules.
     Sources, variable names, weights and values are rendered bare. */}}
{{ range $sc := .SplitClients }}
split_clients {{ $sc.Source }} {{ $sc.Variable }} {
    {{ range $d := $sc.Distributions }}
    {{ $d.Weight }} {{ $d.Value }};
    {{ end }}
}
{{ end }}

{{ range $m := .Maps }}
map {{ $m.Source }} {{ $m.Variable }} {
    {{ range $p := $m.Parameters }}
    {{ $p.Value }} {{ $p.Result }};
    {{ end }}
}
{{ end }}

{{/* Raw http-context snippets, emitted verbatim (see file header). */}}
{{ range $snippet := .HTTPSnippets }}
{{- $snippet }}
{{ end }}

{{/* Rate-limit zones. The key is whatever variable the CRD named; a key
     derived from a client-controlled header makes the limit trivially
     bypassable, so keys should stay on trusted variables. */}}
{{ range $z := .LimitReqZones }}
limit_req_zone {{ $z.Key }} zone={{ $z.ZoneName }}:{{ $z.ZoneSize }} rate={{ $z.Rate }};
{{ end }}

{{/* Status-code match blocks referenced by health_check match= below. */}}
{{ range $m := .StatusMatches }}
match {{ $m.Name }} {
    status {{ $m.Code }};
}
{{ end }}

{{ $s := .Server }}
server {
    {{/* Plain HTTP is always served; TLS is only added under $s.SSL below. */}}
    listen 80{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};

    server_name {{ $s.ServerName }};
    status_zone {{ $s.StatusZone }};
    set $resource_type "virtualserver";
    set $resource_name "{{$s.VSName}}";
    set $resource_namespace "{{$s.VSNamespace}}";

    {{/* OIDC relying-party settings consumed by the reference oidc.conf,
         which lives outside this template. Points to be aware of:
           - PKCE is hard-disabled; this is the confidential-client flow and
             relies on the client secret below.
           - $oidc_hmac_key is set to the VirtualServer name, which is public
             and low-entropy rather than a secret. NOTE(review): check what
             oidc.conf derives from this key; if state or nonce values are
             keyed on it, a guessable key weakens the callback's CSRF
             protection and a per-deployment random secret should be used.
           - The client secret is rendered in plaintext into this config, so
             anything that can read the generated file (nginx -T, a debug
             dump, a shell in the pod) can read it. */}}
    {{ with $oidc := $s.OIDC }}
    include oidc/oidc.conf;

    set $oidc_pkce_enable 0;
    set $oidc_logout_redirect "/_logout";
    set $oidc_hmac_key "{{ $s.VSName }}";

    set $oidc_authz_endpoint "{{ $oidc.AuthEndpoint }}";
    set $oidc_token_endpoint "{{ $oidc.TokenEndpoint }}";
    set $oidc_jwt_keyfile "{{ $oidc.JwksURI }}";
    set $oidc_scopes "{{ $oidc.Scope }}";
    set $oidc_client "{{ $oidc.ClientID }}";
    set $oidc_client_secret "{{ $oidc.ClientSecret }}";
    set $redir_location "{{ $oidc.RedirectURI }}";
    {{ end }}

    {{/* TLS listener. With TLSPassthrough the server is reached over a unix
         socket carrying PROXY protocol (presumably from the TLS passthrough
         proxy), and only that socket is trusted as a source of the real
         client address. When no usable certificate exists,
         ssl_reject_handshake refuses the handshake rather than serving a
         fallback certificate. ssl_protocols/ssl_ciphers are not set here
         and are inherited from the enclosing http context. */}}
    {{ with $ssl := $s.SSL }}
    {{ if $s.TLSPassthrough }}
    listen unix:/var/lib/nginx/passthrough-https.sock{{ if $ssl.HTTP2 }} http2{{ end }} proxy_protocol;
    set_real_ip_from unix:;
    real_ip_header proxy_protocol;
    {{ else }}
    listen 443 ssl{{ if $ssl.HTTP2 }} http2{{ end }}{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};
    {{ end }}

    {{ if $ssl.RejectHandshake }}
    ssl_reject_handshake on;
    {{ else }}
    ssl_certificate {{ $ssl.Certificate }};
    ssl_certificate_key {{ $ssl.CertificateKey }};
    {{ end }}
    {{ end }}

    {{/* Client-certificate authentication. VerifyClient is rendered as-is;
         with "optional" or "optional_no_ca" the handshake succeeds without a
         valid client certificate, and nothing in this template forwards
         $ssl_client_verify upstream, so a backend cannot tell the difference
         unless a proxySetHeaders entry adds it. */}}
    {{ with $s.IngressMTLS }}
    ssl_client_certificate {{ .ClientCert }};
    ssl_verify_client {{ .VerifyClient }};
    ssl_verify_depth {{ .VerifyDepth }};
    {{ end }}

    {{/* BasedOn is an nginx variable (for example $scheme or a
         forwarded-proto header variable). When it is a client-supplied
         header, both this redirect decision and the X-Forwarded-Proto sent
         upstream (below) follow the client's value — only appropriate behind
         a TLS-terminating proxy that overwrites that header. */}}
    {{ with $s.TLSRedirect }}
    if ({{ .BasedOn }} = 'http') {
        return {{ .Code }} https://$host$request_uri;
    }
    {{ end }}

    server_tokens "{{ $s.ServerTokens }}";

    {{/* Real-IP handling: $remote_addr is rewritten from RealIPHeader only
         for connections arriving from the SetRealIPFrom ranges. Every
         address listed is trusted to assert the client address, so keep the
         list to the actual load balancers. */}}
    {{ range $setRealIPFrom := $s.SetRealIPFrom }}
    set_real_ip_from {{ $setRealIPFrom }};
    {{ end }}
    {{ if $s.RealIPHeader }}
    real_ip_header {{ $s.RealIPHeader }};
    {{ end }}
    {{ if $s.RealIPRecursive }}
    real_ip_recursive on;
    {{ end }}

    {{/* Fail closed: a bare return at server scope answers every request
         with this code (per the field name, used when policies could not be
         applied). */}}
    {{ with $s.PoliciesErrorReturn }}
    return {{ .Code }};
    {{ end }}

    {{/* Access control: an allow list is closed with "deny all", a deny list
         with "allow all"; nginx takes the first matching rule. If both lists
         were rendered, the "deny all" would shadow the deny-list pair below
         it, so only one is expected to be non-empty — confirm the policy
         validation enforces that. */}}
    {{ range $allow := $s.Allow }}
    allow {{ $allow }};
    {{ end }}
    {{ if gt (len $s.Allow) 0 }}
    deny all;
    {{ end }}

    {{ range $deny := $s.Deny }}
    deny {{ $deny }};
    {{ end }}
    {{ if gt (len $s.Deny) 0 }}
    allow all;
    {{ end }}

    {{/* Request rate limiting; limit_req_dry_run only logs instead of
         rejecting. */}}
    {{ if $s.LimitReqOptions.DryRun }}
    limit_req_dry_run on;
    {{ end }}

    {{ with $level := $s.LimitReqOptions.LogLevel }}
    limit_req_log_level {{ $level }};
    {{ end }}

    {{ with $code := $s.LimitReqOptions.RejectCode }}
    limit_req_status {{ $code }};
    {{ end }}

    {{ range $rl := $s.LimitReqs }}
    limit_req zone={{ $rl.ZoneName }}{{ if $rl.Burst }} burst={{ $rl.Burst }}{{ end }}
    {{ if $rl.Delay }} delay={{ $rl.Delay }}{{ end }}{{ if $rl.NoDelay }} nodelay{{ end }};
    {{ end }}

    {{/* JWT validation against a local key file. Token, when set, names the
         variable holding the token; without it auth_jwt reads the
         Authorization bearer header. */}}
    {{ with $s.JWTAuth }}
    auth_jwt "{{ .Realm }}"{{ if .Token }} token={{ .Token }}{{ end }};
    auth_jwt_key_file {{ .Secret }};
    {{ end }}

    {{/* Upstream TLS / mTLS. proxy_ssl_verify is "off" unless VerifyServer
         is set; with verification off the trusted-cert file has no effect
         and the upstream's identity is not checked. SNI is sent only when
         ServerName is set; SSLName is the name used for SNI/verification. */}}
    {{ with $s.EgressMTLS }}
    {{ if .Certificate }}
    proxy_ssl_certificate {{ .Certificate }};
    proxy_ssl_certificate_key {{ .CertificateKey }};
    {{ end }}
    {{ if .TrustedCert }}
    proxy_ssl_trusted_certificate {{ .TrustedCert }};
    {{ end }}

    proxy_ssl_verify {{ if .VerifyServer }}on{{else}}off{{end}};
    proxy_ssl_verify_depth {{ .VerifyDepth }};
    proxy_ssl_protocols {{ .Protocols }};
    proxy_ssl_ciphers {{ .Ciphers }};
    proxy_ssl_session_reuse {{ if .SessionReuse }}on{{else}}off{{end}};
    proxy_ssl_server_name {{ if .ServerName }}on{{else}}off{{end}};
    proxy_ssl_name {{ .SSLName }};
    {{ end }}

    {{/* NGINX App Protect policy and security log at server scope. */}}
    {{ with $s.WAF }}
    app_protect_enable {{ .Enable }};
    {{ if .ApPolicy }}
    app_protect_policy_file {{ .ApPolicy }};
    {{ end }}

    {{ if .ApSecurityLogEnable }}
    app_protect_security_log_enable on;
    app_protect_security_log {{ .ApLogConf }};
    {{ end }}
    {{ end }}

    {{/* Raw server-context snippets, emitted verbatim (see file header). */}}
    {{ range $snippet := $s.Snippets }}
    {{- $snippet }}
    {{ end }}

    {{/* Internal rewrite locations: each rewrites the URI to Destination and
         restarts location matching. */}}
    {{ range $l := $s.InternalRedirectLocations }}
    location {{ $l.Path }} {
        rewrite ^ {{ $l.Destination }} last;
    }
    {{ end }}

    {{/* Active health checks, one named location per check so that each
         probe carries its own headers and timeouts. */}}
    {{ range $hc := $s.HealthChecks }}
    location @hc-{{ $hc.Name }} {
        {{ range $n, $v := $hc.Headers }}
        proxy_set_header {{ $n }} "{{ $v }}";
        {{ end }}
        proxy_connect_timeout {{ $hc.ProxyConnectTimeout }};
        proxy_read_timeout {{ $hc.ProxyReadTimeout }};
        proxy_send_timeout {{ $hc.ProxySendTimeout }};
        proxy_pass {{ $hc.ProxyPass }};
        health_check uri={{ $hc.URI }} port={{ $hc.Port }} interval={{ $hc.Interval }} jitter={{ $hc.Jitter }}
        fails={{ $hc.Fails }} passes={{ $hc.Passes }}{{ if $hc.Match }} match={{ $hc.Match }}{{ end }};
    }
    {{ end }}

    {{/* Canned responses for errorPages and return actions. The status is
         supplied by the error_page "=code" that dispatches here (see the
         error_page lines in the locations below; return actions are
         presumably dispatched the same way), hence "return 0". Return.Text
         is rendered inside double quotes and must already be quote-safe. */}}
    {{ range $e := $s.ErrorPageLocations }}
    location {{ $e.Name }} {
        {{ if $e.DefaultType }}
        default_type "{{ $e.DefaultType }}";
        {{ end }}
        {{ range $h := $e.Headers }}
        add_header {{ $h.Name }} "{{ $h.Value }}" always;
        {{ end }}
        # status code is ignored here, using 0
        return 0 "{{ $e.Return.Text }}";
    }
    {{ end }}

    {{ range $l := $s.ReturnLocations }}
    location {{ $l.Name }} {
        default_type "{{ $l.DefaultType }}";
        # status code is ignored here, using 0
        return 0 "{{ $l.Return.Text }}";
    }
    {{ end }}

    {{/* One location per route. VirtualServerRoute-owned locations override
         the resource variables so logs/metrics attribute to the VSR. */}}
    {{ range $l := $s.Locations }}
    location {{ $l.Path }} {
        set $service "{{ $l.ServiceName }}";
        {{ if $l.IsVSR }}
        set $resource_type "virtualserverroute";
        set $resource_name "{{ $l.VSRName }}";
        set $resource_namespace "{{ $l.VSRNamespace }}";
        {{ end }}

        {{/* internal locations are reachable only through rewrite or
             error_page, never directly from a client request. */}}
        {{ if $l.Internal }}
        internal;
        {{ end }}
        {{/* Raw location-context snippets, emitted verbatim (see header). */}}
        {{ range $snippet := $l.Snippets }}
        {{- $snippet }}
        {{ end }}

        {{/* Location-scoped policies with the same semantics as the
             server-level blocks above: fail-closed return, allow/deny
             ordering, rate limits, JWT and egress mTLS. */}}
        {{ with $l.PoliciesErrorReturn }}
        return {{ .Code }};
        {{ end }}

        {{ range $allow := $l.Allow }}
        allow {{ $allow }};
        {{ end }}
        {{ if gt (len $l.Allow) 0 }}
        deny all;
        {{ end }}

        {{ range $deny := $l.Deny }}
        deny {{ $deny }};
        {{ end }}
        {{ if gt (len $l.Deny) 0 }}
        allow all;
        {{ end }}

        {{ if $l.LimitReqOptions.DryRun }}
        limit_req_dry_run on;
        {{ end }}

        {{ with $level := $l.LimitReqOptions.LogLevel }}
        limit_req_log_level {{ $level }};
        {{ end }}

        {{ with $code := $l.LimitReqOptions.RejectCode }}
        limit_req_status {{ $code }};
        {{ end }}

        {{ range $rl := $l.LimitReqs }}
        limit_req zone={{ $rl.ZoneName }}{{ if $rl.Burst }} burst={{ $rl.Burst }}{{ end }}
        {{ if $rl.Delay }} delay={{ $rl.Delay }}{{ end }}{{ if $rl.NoDelay }} nodelay{{ end }};
        {{ end }}

        {{ with $l.JWTAuth }}
        auth_jwt "{{ .Realm }}"{{ if .Token }} token={{ .Token }}{{ end }};
        auth_jwt_key_file {{ .Secret }};
        {{ end }}

        {{ with $l.EgressMTLS }}
        {{ if .Certificate }}
        proxy_ssl_certificate {{ .Certificate }};
        proxy_ssl_certificate_key {{ .CertificateKey }};
        {{ end }}
        {{ if .TrustedCert }}
        proxy_ssl_trusted_certificate {{ .TrustedCert }};
        {{ end }}

        proxy_ssl_verify {{ if .VerifyServer }}on{{else}}off{{end}};
        proxy_ssl_verify_depth {{ .VerifyDepth }};
        proxy_ssl_protocols {{ .Protocols }};
        proxy_ssl_ciphers {{ .Ciphers }};
        proxy_ssl_session_reuse {{ if .SessionReuse }}on{{else}}off{{end}};
        proxy_ssl_server_name {{ if .ServerName }}on{{else}}off{{end}};
        proxy_ssl_name {{ .SSLName }};
        {{ end }}

        {{/* OIDC-protected route: the session JWT is validated against keys
             fetched via the /_jwks_uri location, a 401 starts the login flow,
             and the subject claim is forwarded as a "username" request
             header ($session_jwt, @do_oidc_flow and /_jwks_uri are not
             defined here — presumably in oidc.conf). proxy_set_header
             overwrites any client-sent "username" on this route, but routes
             without OIDC pass a client-supplied one through untouched when
             proxy_pass_request_headers is on, so backends must only trust
             it behind an OIDC-protected route. */}}
        {{ if $l.OIDC }}
        auth_jwt "" token=$session_jwt;
        error_page 401 = @do_oidc_flow;
        auth_jwt_key_request /_jwks_uri;
        proxy_set_header username $jwt_claim_sub;
        {{ end }}

        {{ with $l.WAF }}
        app_protect_enable {{ .Enable }};
        {{ if .ApPolicy }}
        app_protect_policy_file {{ .ApPolicy }};
        {{ end }}

        {{ if .ApSecurityLogEnable }}
        app_protect_security_log_enable on;
        app_protect_security_log {{ .ApLogConf }};
        {{ end }}
        {{ end }}

        {{/* error_page entries pointing at the canned locations above; a
             non-zero ResponseCode rewrites the status via "=code". */}}
        {{ range $e := $l.ErrorPages }}
        error_page {{ $e.Codes }} {{ if ne 0 $e.ResponseCode }}={{ $e.ResponseCode }}{{ end }} "{{ $e.Name }}";
        {{ end }}

        {{ if $l.ProxyInterceptErrors }}
        proxy_intercept_errors on;
        {{ end }}

        {{ if $l.InternalProxyPass }}
        proxy_pass {{ $l.InternalProxyPass }};
        {{ end }}

        {{ if $l.ProxyPass }}
        {{/* $vs_connection_header is not defined in this template; presumably
             a map keyed on $http_upgrade in the main config that falls back
             to $default_connection_header — confirm. */}}
        set $default_connection_header {{ if $l.HasKeepalive }}""{{ else }}close{{ end }};

        {{ range $r := $l.Rewrites }}
        rewrite {{ $r }};
        {{ end }}
        proxy_connect_timeout {{ $l.ProxyConnectTimeout }};
        proxy_read_timeout {{ $l.ProxyReadTimeout }};
        proxy_send_timeout {{ $l.ProxySendTimeout }};
        client_max_body_size {{ $l.ClientMaxBodySize }};

        {{ if $l.ProxyMaxTempFileSize }}
        proxy_max_temp_file_size {{ $l.ProxyMaxTempFileSize }};
        {{ end }}

        proxy_buffering {{ if $l.ProxyBuffering }}on{{ else }}off{{ end }};
        {{ if $l.ProxyBuffers }}
        proxy_buffers {{ $l.ProxyBuffers }};
        {{ end }}
        {{ if $l.ProxyBufferSize }}
        proxy_buffer_size {{ $l.ProxyBufferSize }};
        {{ end }}
        proxy_http_version 1.1;

        {{/* Forwarding headers. X-Forwarded-For appends the client address
             to whatever the client already sent, so the upstream sees an
             unverified chain; X-Real-IP is the single trustworthy value once
             real_ip is configured. X-Forwarded-Proto echoes the tlsRedirect
             basedOn variable when one is set (see the redirect note above).
             NOTE(review): whether a proxySetHeaders entry that repeats one
             of the fixed names replaces it or is sent in addition depends on
             how nginx merges repeated proxy_set_header in one context —
             verify the controller rejects such names. */}}
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $vs_connection_header;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Proto {{ with $s.TLSRedirect }}{{ .BasedOn }}{{ else }}$scheme{{ end }};
        {{ range $h := $l.ProxySetHeaders }}
        proxy_set_header {{ $h.Name }} "{{ $h.Value }}";
        {{ end }}
        {{ range $h := $l.ProxyHideHeaders }}
        proxy_hide_header {{ $h }};
        {{ end }}
        {{ range $h := $l.ProxyPassHeaders }}
        proxy_pass_header {{ $h }};
        {{ end }}
        {{ with $l.ProxyIgnoreHeaders }}
        proxy_ignore_headers {{ $l.ProxyIgnoreHeaders }};
        {{ end }}
        {{ range $h := $l.AddHeaders }}
        add_header {{ $h.Name }} "{{ $h.Value }}" {{ if $h.Always }}always{{ end }};
        {{ end }}
        {{/* SPIFFE workload identity: fixed certificate paths, chain
             verification on, SNI from ProxySSLName. NOTE(review): these
             proxy_ssl_* directives repeat the ones a location-level
             EgressMTLS policy renders above; nginx rejects a duplicate of
             these directives within one context, so the controller must not
             allow both in the same location — confirm. */}}
        {{ if $.SpiffeCerts }}
        proxy_ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
        proxy_ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
        proxy_ssl_trusted_certificate /etc/nginx/secrets/spiffe_rootca.pem;
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 25;
        proxy_ssl_name {{ $l.ProxySSLName }};
        {{ end }}
        proxy_pass {{ $l.ProxyPass }}{{ $l.ProxyPassRewrite }};
        proxy_next_upstream {{ $l.ProxyNextUpstream }};
        proxy_next_upstream_timeout {{ $l.ProxyNextUpstreamTimeout }};
        proxy_next_upstream_tries {{ $l.ProxyNextUpstreamTries }};
        proxy_pass_request_headers {{ if $l.ProxyPassRequestHeaders }}on{{ else }}off{{ end }};
        {{ end }}
    }
    {{ end }}
}