{{/*
Source: github.com/nginxinc/kubernetes-ingress@v1.12.5/internal/configs/version2/nginx.virtualserver.tmpl

Renders the NGINX configuration for one VirtualServer: http-level upstream,
split_clients, map and limit_req_zone blocks, followed by a single server block.

Review notes:
  - This template calls no quoting or escaping function. Every field, including
    the ones placed between double quotes, reaches the configuration exactly as
    supplied, so a value containing a quote, semicolon or brace would change
    the structure of the generated file.
    NOTE(review): presumably the caller validates every field before
    rendering; confirm.
  - HTTPSnippets, Server.Snippets and the per-location Snippets are emitted as
    raw configuration text. Whoever can set them can add arbitrary directives
    at that level, so they should only be accepted from trusted authors.
*/}}
{{ range $u := .Upstreams }}
upstream {{ $u.Name }} {
    {{/* The shared-memory zone is left out when the size is the string "0". */}}
    {{ if ne $u.UpstreamZoneSize "0" }}zone {{ $u.Name }} {{ $u.UpstreamZoneSize }};{{ end }}

    {{ if $u.LBMethod }}{{ $u.LBMethod }};{{ end }}

    {{/* max_fails, fail_timeout and max_conns come from the upstream, so every server gets the same values. */}}
    {{ range $s := $u.Servers }}
    server {{ $s.Address }} max_fails={{ $u.MaxFails }} fail_timeout={{ $u.FailTimeout }} max_conns={{ $u.MaxConns }};
    {{ end }}

    {{ if $u.Keepalive }}
    keepalive {{ $u.Keepalive }};
    {{ end }}
}
{{ end }}

{{/* One split_clients block per entry; each distribution is rendered as "weight value;". */}}
{{ range $sc := .SplitClients }}
split_clients {{ $sc.Source }} {{ $sc.Variable }} {
    {{ range $d := $sc.Distributions }}
    {{ $d.Weight }} {{ $d.Value }};
    {{ end }}
}
{{ end }}

{{/* One map block per entry; each parameter is rendered as "value result;". */}}
{{ range $m := .Maps }}
map {{ $m.Source }} {{ $m.Variable }} {
    {{ range $p := $m.Parameters }}
    {{ $p.Value }} {{ $p.Result }};
    {{ end }}
}
{{ end }}

{{/* Raw http-level configuration text, written out as-is. These directives apply outside this server block. */}}
{{ range $snippet := .HTTPSnippets }}
{{- $snippet }}
{{ end }}

{{/*
Rate-limit zones referenced by the limit_req directives further down.
NOTE(review): Key decides what is being limited. If it is derived from the
client address, the effective value depends on the real-IP settings in the
server block; confirm which keys the caller allows.
*/}}
{{ range $z := .LimitReqZones }}
limit_req_zone {{ $z.Key }} zone={{ $z.ZoneName }}:{{ $z.ZoneSize }} rate={{ $z.Rate }};
{{ end }}

{{ $s := .Server }}
server {
    {{/*
    Port 80 is always opened; the TLS listener is added only when Server.SSL is set.
    With ProxyProtocol set, NGINX expects a PROXY protocol header on connections
    to this listener, so it should be reachable only through the load balancer
    that sends that header.
    */}}
    listen 80{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};

    server_name {{ $s.ServerName }};

    {{/* Resource identity variables. NOTE(review): presumably read by log formats or metrics defined elsewhere; confirm. */}}
    set $resource_type "virtualserver";
    set $resource_name "{{$s.VSName}}";
    set $resource_namespace "{{$s.VSNamespace}}";


    {{ with $ssl := $s.SSL }}
    {{/*
    TLS passthrough mode: HTTPS traffic arrives over a local unix socket with a
    PROXY protocol header, and the client address is taken from that header.
    Only the unix socket is trusted as a real-IP source here.
    NOTE(review): presumably a stream-level server forwards to this socket; confirm.
    */}}
    {{ if $s.TLSPassthrough }}
    listen unix:/var/lib/nginx/passthrough-https.sock{{ if $ssl.HTTP2 }} http2{{ end }} proxy_protocol;
    set_real_ip_from unix:;
    real_ip_header proxy_protocol;
    {{ else }}
    listen 443 ssl{{ if $ssl.HTTP2 }} http2{{ end }}{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};
    {{ end }}

    {{/*
    Either TLS handshakes are rejected outright, or a certificate and key are configured.
    NOTE(review): RejectHandshake is presumably set when no usable TLS secret is
    available, so the host fails closed instead of serving another certificate; confirm.
    */}}
    {{ if $ssl.RejectHandshake }}
    ssl_reject_handshake on;
    {{ else }}
    ssl_certificate {{ $ssl.Certificate }};
    ssl_certificate_key {{ $ssl.CertificateKey }};
    {{ end }}
    {{ end }}

    {{/*
    Client-certificate (mutual TLS) verification for incoming connections.
    VerifyClient is passed through unchanged. With the optional modes of
    ssl_verify_client the handshake also succeeds without a valid client
    certificate, so the verification result has to be checked separately.
    */}}
    {{ with $s.IngressMTLS }}
    ssl_client_certificate {{ .ClientCert }};
    ssl_verify_client {{ .VerifyClient }};
    ssl_verify_depth {{ .VerifyDepth }};
    {{ end }}

    {{/*
    HTTP-to-HTTPS redirect. BasedOn is the variable compared against 'http'.
    NOTE(review): if BasedOn names a request header such as X-Forwarded-Proto, the
    decision rests on a value a client can send unless a trusted proxy in front
    overwrites it; confirm which values the caller allows.
    */}}
    {{ with $s.TLSRedirect }}
    if ({{ .BasedOn }} = 'http') {
        return {{ .Code }} https://$host$request_uri;
    }
    {{ end }}

    server_tokens "{{ $s.ServerTokens }}";

    {{/*
    Real-IP handling. Each SetRealIPFrom entry is an address NGINX will accept a
    replacement client address from. Entries that are too broad let clients
    supply their own source address, which then feeds allow/deny and any
    address-keyed rate limits.
    */}}
    {{ range $setRealIPFrom := $s.SetRealIPFrom }}
    set_real_ip_from {{ $setRealIPFrom }};
    {{ end }}
    {{ if $s.RealIPHeader }}
    real_ip_header {{ $s.RealIPHeader }};
    {{ end }}
    {{ if $s.RealIPRecursive }}
    real_ip_recursive on;
    {{ end }}

    {{/*
    Unconditional server-level return with the given status code.
    NOTE(review): presumably set when a referenced policy could not be applied,
    so that requests are refused instead of served without it; confirm.
    */}}
    {{ with $s.PoliciesErrorReturn }}
    return {{ .Code }};
    {{ end }}

    {{/*
    Access control. A non-empty Allow list is closed with "deny all", and a
    non-empty Deny list is followed by "allow all".
    NOTE(review): NGINX applies the first matching rule, so if both lists were
    populated the "deny all" after the allow list would match before any Deny
    entry is reached. Presumably the caller fills only one list; confirm.
    */}}
    {{ range $allow := $s.Allow }}
    allow {{ $allow }};
    {{ end }}
    {{ if gt (len $s.Allow) 0 }}
    deny all;
    {{ end }}

    {{ range $deny := $s.Deny }}
    deny {{ $deny }};
    {{ end }}
    {{ if gt (len $s.Deny) 0 }}
    allow all;
    {{ end }}

    {{/* Rate limiting. In dry-run mode excess requests are accounted for but not rejected, so the limit is not enforced. */}}
    {{ if $s.LimitReqOptions.DryRun }}
    limit_req_dry_run on;
    {{ end }}

    {{ with $level := $s.LimitReqOptions.LogLevel }}
    limit_req_log_level {{ $level }};
    {{ end }}

    {{ with $code := $s.LimitReqOptions.RejectCode }}
    limit_req_status {{ $code }};
    {{ end }}

    {{/* The limit_req directive is deliberately split over two template lines; the terminating semicolon is on the second. */}}
    {{ range $rl := $s.LimitReqs }}
    limit_req zone={{ $rl.ZoneName }}{{ if $rl.Burst }} burst={{ $rl.Burst }}{{ end }}
        {{ if $rl.Delay }} delay={{ $rl.Delay }}{{ end }}{{ if $rl.NoDelay }} nodelay{{ end }};
    {{ end }}

    {{/*
    TLS settings for connections from NGINX to the upstreams (egress mutual TLS).
    proxy_ssl_verify is rendered as "off" whenever VerifyServer is false. In that
    case the upstream certificate is not checked, even if a trusted certificate
    file is configured above it.
    */}}
    {{ with $s.EgressMTLS }}
    {{ if .Certificate }}
    proxy_ssl_certificate {{ .Certificate }};
    proxy_ssl_certificate_key {{ .CertificateKey }};
    {{ end }}
    {{ if .TrustedCert }}
    proxy_ssl_trusted_certificate {{ .TrustedCert }};
    {{ end }}

    proxy_ssl_verify {{ if .VerifyServer }}on{{else}}off{{end}};
    proxy_ssl_verify_depth {{ .VerifyDepth }};
    proxy_ssl_protocols {{ .Protocols }};
    proxy_ssl_ciphers {{ .Ciphers }};
    proxy_ssl_session_reuse {{ if .SessionReuse }}on{{else}}off{{end}};
    proxy_ssl_server_name {{ if .ServerName }}on{{else}}off{{end}};
    proxy_ssl_name {{ .SSLName }};
    {{ end }}

    {{/* Raw server-level configuration text, written out as-is. */}}
    {{ range $snippet := $s.Snippets }}
    {{- $snippet }}
    {{ end }}

    {{/* Locations that rewrite every request to Destination and restart location matching ("last"). */}}
    {{ range $l := $s.InternalRedirectLocations }}
    location {{ $l.Path }} {
        rewrite ^ {{ $l.Destination }} last;
    }
    {{ end }}

    {{/*
    Locations that serve custom error responses. Header values and the response
    text are placed between double quotes without escaping.
    NOTE(review): presumably validated or escaped by the caller; confirm.
    */}}
    {{ range $e := $s.ErrorPageLocations }}
    location {{ $e.Name }} {
        {{ if $e.DefaultType }}
        default_type "{{ $e.DefaultType }}";
        {{ end }}
        {{ range $h := $e.Headers }}
        add_header {{ $h.Name }} "{{ $h.Value }}" always;
        {{ end }}
        # status code is ignored here, using 0
        return 0 "{{ $e.Return.Text }}";
    }
    {{ end }}

    {{/* Locations that return a fixed body. The text is quoted in the same unescaped way as in the error-page locations. */}}
    {{ range $l := $s.ReturnLocations }}
    location {{ $l.Name }} {
        default_type "{{ $l.DefaultType }}";
        # status code is ignored here, using 0
        return 0 "{{ $l.Return.Text }}";
    }
    {{ end }}

    {{/* Routed locations. Each one can carry its own policies, which are rendered the same way as at server level. */}}
    {{ range $l := $s.Locations }}
    location {{ $l.Path }} {
        set $service "{{ $l.ServiceName }}";
        {{/* For locations that come from a VirtualServerRoute, the resource identity variables are overwritten. */}}
        {{ if $l.IsVSR }}
        set $resource_type "virtualserverroute";
        set $resource_name "{{ $l.VSRName }}";
        set $resource_namespace "{{ $l.VSRNamespace }}";
        {{ end }}
        {{/* "internal" makes the location unreachable for direct client requests. */}}
        {{ if $l.Internal }}
        internal;
        {{ end }}
        {{/* Raw location-level configuration text, written out as-is. */}}
        {{ range $snippet := $l.Snippets }}
        {{- $snippet }}
        {{ end }}

        {{/* Unconditional return for this location; same rendering as the server-level PoliciesErrorReturn. */}}
        {{ with $l.PoliciesErrorReturn }}
        return {{ .Code }};
        {{ end }}

        {{/* Access control for this location; same rendering and same first-match caveat as at server level. */}}
        {{ range $allow := $l.Allow }}
        allow {{ $allow }};
        {{ end }}
        {{ if gt (len $l.Allow) 0 }}
        deny all;
        {{ end }}

        {{ range $deny := $l.Deny }}
        deny {{ $deny }};
        {{ end }}
        {{ if gt (len $l.Deny) 0 }}
        allow all;
        {{ end }}

        {{/* Rate limiting for this location. Dry-run mode does not enforce the limit. */}}
        {{ if $l.LimitReqOptions.DryRun }}
        limit_req_dry_run on;
        {{ end }}

        {{ with $level := $l.LimitReqOptions.LogLevel }}
        limit_req_log_level {{ $level }};
        {{ end }}

        {{ with $code := $l.LimitReqOptions.RejectCode }}
        limit_req_status {{ $code }};
        {{ end }}

        {{ range $rl := $l.LimitReqs }}
        limit_req zone={{ $rl.ZoneName }}{{ if $rl.Burst }} burst={{ $rl.Burst }}{{ end }}
            {{ if $rl.Delay }} delay={{ $rl.Delay }}{{ end }}{{ if $rl.NoDelay }} nodelay{{ end }};
        {{ end }}

        {{/* Egress TLS settings for this location. proxy_ssl_verify is "off" unless VerifyServer is true. */}}
        {{ with $l.EgressMTLS }}
        {{ if .Certificate }}
        proxy_ssl_certificate {{ .Certificate }};
        proxy_ssl_certificate_key {{ .CertificateKey }};
        {{ end }}
        {{ if .TrustedCert }}
        proxy_ssl_trusted_certificate {{ .TrustedCert }};
        {{ end }}

        proxy_ssl_verify {{ if .VerifyServer }}on{{else}}off{{end}};
        proxy_ssl_verify_depth {{ .VerifyDepth }};
        proxy_ssl_protocols {{ .Protocols }};
        proxy_ssl_ciphers {{ .Ciphers }};
        proxy_ssl_session_reuse {{ if .SessionReuse }}on{{else}}off{{end}};
        proxy_ssl_server_name {{ if .ServerName }}on{{else}}off{{end}};
        proxy_ssl_name {{ .SSLName }};
        {{ end }}

        {{/* The "=code" part is emitted only when ResponseCode is non-zero. */}}
        {{ range $e := $l.ErrorPages }}
        error_page {{ $e.Codes }} {{ if ne 0 $e.ResponseCode }}={{ $e.ResponseCode }}{{ end }} "{{ $e.Name }}";
        {{ end }}

        {{ if $l.ProxyInterceptErrors }}
        proxy_intercept_errors on;
        {{ end }}

        {{ if $l.InternalProxyPass }}
        proxy_pass {{ $l.InternalProxyPass }};
        {{ end }}

        {{/* Everything up to the matching end is rendered only for locations that proxy to an upstream. */}}
        {{ if $l.ProxyPass }}
        set $default_connection_header {{ if $l.HasKeepalive }}""{{ else }}close{{ end }};

        {{ range $r := $l.Rewrites }}
        rewrite {{ $r }};
        {{ end }}
        proxy_connect_timeout {{ $l.ProxyConnectTimeout }};
        proxy_read_timeout {{ $l.ProxyReadTimeout }};
        proxy_send_timeout {{ $l.ProxySendTimeout }};
        client_max_body_size {{ $l.ClientMaxBodySize }};

        {{ if $l.ProxyMaxTempFileSize }}
        proxy_max_temp_file_size {{ $l.ProxyMaxTempFileSize }};
        {{ end }}

        proxy_buffering {{ if $l.ProxyBuffering }}on{{ else }}off{{ end }};
        {{ if $l.ProxyBuffers }}
        proxy_buffers {{ $l.ProxyBuffers }};
        {{ end }}
        {{ if $l.ProxyBufferSize }}
        proxy_buffer_size {{ $l.ProxyBufferSize }};
        {{ end }}
        proxy_http_version 1.1;

        {{/*
        Headers sent to the backend.
        - $vs_connection_header is not defined in this template.
          NOTE(review): presumably a map in the main configuration that builds
          on $default_connection_header set above; confirm.
        - X-Forwarded-For appends the client address to whatever the client
          sent, so backends should trust only the entries added by known proxies.
        - X-Forwarded-Proto uses the TLSRedirect BasedOn variable when a redirect
          is configured, otherwise $scheme. If BasedOn is a request header, the
          value forwarded to the backend is the one received from the client
          side; it is trustworthy only when a trusted proxy sets it.
        */}}
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $vs_connection_header;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Proto {{ with $s.TLSRedirect }}{{ .BasedOn }}{{ else }}$scheme{{ end }};
        {{/* Caller-supplied header names and values. Values sit between double quotes without escaping. */}}
        {{ range $h := $l.ProxySetHeaders }}
        proxy_set_header {{ $h.Name }} "{{ $h.Value }}";
        {{ end }}
        {{ range $h := $l.ProxyHideHeaders }}
        proxy_hide_header {{ $h }};
        {{ end }}
        {{ range $h := $l.ProxyPassHeaders }}
        proxy_pass_header {{ $h }};
        {{ end }}
        {{ with $l.ProxyIgnoreHeaders }}
        proxy_ignore_headers {{ $l.ProxyIgnoreHeaders }};
        {{ end }}
        {{ range $h := $l.AddHeaders }}
        add_header {{ $h.Name }} "{{ $h.Value }}" {{ if $h.Always }}always{{ end }};
        {{ end }}
        {{/* ProxyPassRewrite is appended directly to the proxy_pass target, with no separator. */}}
        proxy_pass {{ $l.ProxyPass }}{{ $l.ProxyPassRewrite }};
        proxy_next_upstream {{ $l.ProxyNextUpstream }};
        proxy_next_upstream_timeout {{ $l.ProxyNextUpstreamTimeout }};
        proxy_next_upstream_tries {{ $l.ProxyNextUpstreamTries }};
        proxy_pass_request_headers {{ if $l.ProxyPassRequestHeaders }}on{{ else }}off{{ end }};
        {{ end }}
    }
    {{ end }}
}