Created
May 18, 2021 20:19
-
-
Save roman-kouzmenko/e6f93f3bf5ca74c018f917a2d3fbf947 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Configuration checksum: 11484793262389523397 | |
# setup custom paths that do not require root access | |
pid /tmp/nginx.pid; | |
daemon off; | |
worker_processes 2; | |
worker_rlimit_nofile 523264; | |
worker_shutdown_timeout 240s ; | |
events { | |
multi_accept on; | |
worker_connections 16384; | |
use epoll; | |
} | |
http { | |
lua_package_path "/etc/nginx/lua/?.lua;;"; | |
lua_shared_dict balancer_ewma 10M; | |
lua_shared_dict balancer_ewma_last_touched_at 10M; | |
lua_shared_dict balancer_ewma_locks 1M; | |
lua_shared_dict certificate_data 20M; | |
lua_shared_dict certificate_servers 5M; | |
lua_shared_dict configuration_data 20M; | |
lua_shared_dict global_throttle_cache 10M; | |
lua_shared_dict ocsp_response_cache 5M; | |
init_by_lua_block { | |
collectgarbage("collect") | |
-- init modules | |
local ok, res | |
ok, res = pcall(require, "lua_ingress") | |
if not ok then | |
error("require failed: " .. tostring(res)) | |
else | |
lua_ingress = res | |
lua_ingress.set_config({ | |
use_forwarded_headers = false, | |
use_proxy_protocol = false, | |
is_ssl_passthrough_enabled = false, | |
http_redirect_code = 308, | |
listen_ports = { ssl_proxy = "442", https = "443" }, | |
hsts = true, | |
hsts_max_age = 15724800, | |
hsts_include_subdomains = true, | |
hsts_preload = false, | |
global_throttle = { | |
memcached = { | |
host = "", port = 11211, connect_timeout = 50, max_idle_timeout = 10000, pool_size = 50, | |
}, | |
status_code = 429, | |
} | |
}) | |
end | |
ok, res = pcall(require, "configuration") | |
if not ok then | |
error("require failed: " .. tostring(res)) | |
else | |
configuration = res | |
configuration.prohibited_localhost_port = '10246' | |
end | |
ok, res = pcall(require, "balancer") | |
if not ok then | |
error("require failed: " .. tostring(res)) | |
else | |
balancer = res | |
end | |
ok, res = pcall(require, "monitor") | |
if not ok then | |
error("require failed: " .. tostring(res)) | |
else | |
monitor = res | |
end | |
ok, res = pcall(require, "certificate") | |
if not ok then | |
error("require failed: " .. tostring(res)) | |
else | |
certificate = res | |
certificate.is_ocsp_stapling_enabled = false | |
end | |
ok, res = pcall(require, "plugins") | |
if not ok then | |
error("require failed: " .. tostring(res)) | |
else | |
plugins = res | |
end | |
-- load all plugins that'll be used here | |
plugins.init({ }) | |
} | |
init_worker_by_lua_block { | |
lua_ingress.init_worker() | |
balancer.init_worker() | |
monitor.init_worker(10000) | |
plugins.run() | |
} | |
geoip_country /etc/nginx/geoip/GeoIP.dat; | |
geoip_city /etc/nginx/geoip/GeoLiteCity.dat; | |
geoip_org /etc/nginx/geoip/GeoIPASNum.dat; | |
geoip_proxy_recursive on; | |
aio threads; | |
aio_write on; | |
tcp_nopush on; | |
tcp_nodelay on; | |
log_subrequest on; | |
reset_timedout_connection on; | |
keepalive_timeout 75s; | |
keepalive_requests 100; | |
client_body_temp_path /tmp/client-body; | |
fastcgi_temp_path /tmp/fastcgi-temp; | |
proxy_temp_path /tmp/proxy-temp; | |
ajp_temp_path /tmp/ajp-temp; | |
client_header_buffer_size 1k; | |
client_header_timeout 60s; | |
large_client_header_buffers 4 8k; | |
client_body_buffer_size 8k; | |
client_body_timeout 60s; | |
http2_max_field_size 4k; | |
http2_max_header_size 16k; | |
http2_max_requests 1000; | |
http2_max_concurrent_streams 128; | |
types_hash_max_size 2048; | |
server_names_hash_max_size 1024; | |
server_names_hash_bucket_size 64; | |
map_hash_bucket_size 64; | |
proxy_headers_hash_max_size 512; | |
proxy_headers_hash_bucket_size 64; | |
variables_hash_bucket_size 256; | |
variables_hash_max_size 2048; | |
underscores_in_headers off; | |
ignore_invalid_headers on; | |
limit_req_status 503; | |
limit_conn_status 503; | |
include /etc/nginx/mime.types; | |
default_type text/html; | |
# Custom headers for response | |
server_tokens off; | |
more_clear_headers Server; | |
# disable warnings | |
uninitialized_variable_warn off; | |
# Additional available variables: | |
# $namespace | |
# $ingress_name | |
# $service_name | |
# $service_port | |
log_format upstreaminfo '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] [$proxy_alternative_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status $req_id'; | |
map $request_uri $loggable { | |
default 1; | |
} | |
access_log /var/log/nginx/access.log upstreaminfo if=$loggable; | |
error_log /var/log/nginx/error.log notice; | |
resolver 172.17.0.10 valid=30s; | |
# See https://www.nginx.com/blog/websocket-nginx | |
map $http_upgrade $connection_upgrade { | |
default upgrade; | |
# See http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive | |
'' ''; | |
} | |
# Reverse proxies can detect if a client provides a X-Request-ID header, and pass it on to the backend server. | |
# If no such header is provided, it can provide a random value. | |
map $http_x_request_id $req_id { | |
default $http_x_request_id; | |
"" $request_id; | |
} | |
# Create a variable that contains the literal $ character. | |
# This works because the geo module will not resolve variables. | |
geo $literal_dollar { | |
default "$"; | |
} | |
server_name_in_redirect off; | |
port_in_redirect off; | |
ssl_protocols TLSv1.2 TLSv1.3; | |
ssl_early_data off; | |
# turn on session caching to drastically improve performance | |
ssl_session_cache builtin:1000 shared:SSL:10m; | |
ssl_session_timeout 10m; | |
# allow configuring ssl session tickets | |
ssl_session_tickets off; | |
# slightly reduce the time-to-first-byte | |
ssl_buffer_size 4k; | |
# allow configuring custom ssl ciphers | |
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; | |
ssl_prefer_server_ciphers on; | |
ssl_ecdh_curve auto; | |
# PEM sha: 0382bd31e94597253ecd743dd3d7d3561c06ce9b | |
ssl_certificate /etc/ingress-controller/ssl/default-fake-certificate.pem; | |
ssl_certificate_key /etc/ingress-controller/ssl/default-fake-certificate.pem; | |
proxy_ssl_session_reuse on; | |
upstream upstream_balancer { | |
### Attention!!! | |
# | |
# We no longer create "upstream" section for every backend. | |
# Backends are handled dynamically using Lua. If you would like to debug | |
# and see what backends ingress-nginx has in its memory you can | |
# install our kubectl plugin https://kubernetes.github.io/ingress-nginx/kubectl-plugin. | |
# Once you have the plugin you can use "kubectl ingress-nginx backends" command to | |
# inspect current backends. | |
# | |
### | |
server 0.0.0.1; # placeholder | |
balancer_by_lua_block { | |
balancer.balance() | |
} | |
keepalive 320; | |
keepalive_timeout 60s; | |
keepalive_requests 10000; | |
} | |
# Cache for internal auth checks | |
proxy_cache_path /tmp/nginx-cache-auth levels=1:2 keys_zone=auth_cache:10m max_size=128m inactive=30m use_temp_path=off; | |
# Global filters | |
## start server _ | |
server { | |
server_name _ ; | |
listen 80 default_server reuseport backlog=4096 ; | |
listen [::]:80 default_server reuseport backlog=4096 ; | |
listen 443 default_server reuseport backlog=4096 ssl http2 ; | |
listen [::]:443 default_server reuseport backlog=4096 ssl http2 ; | |
set $proxy_upstream_name "-"; | |
ssl_certificate_by_lua_block { | |
certificate.call() | |
} | |
location / { | |
set $namespace ""; | |
set $ingress_name ""; | |
set $service_name ""; | |
set $service_port ""; | |
set $location_path ""; | |
set $global_rate_limit_exceeding n; | |
rewrite_by_lua_block { | |
lua_ingress.rewrite({ | |
force_ssl_redirect = false, | |
ssl_redirect = false, | |
force_no_ssl_redirect = false, | |
use_port_in_redirects = false, | |
global_throttle = { namespace = "", limit = 0, window_size = 0, key = { }, ignored_cidrs = { } }, | |
}) | |
balancer.rewrite() | |
plugins.run() | |
} | |
# be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any | |
# will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)` | |
# other authentication method such as basic auth or external auth useless - all requests will be allowed. | |
#access_by_lua_block { | |
#} | |
header_filter_by_lua_block { | |
lua_ingress.header() | |
plugins.run() | |
} | |
body_filter_by_lua_block { | |
plugins.run() | |
} | |
log_by_lua_block { | |
balancer.log() | |
monitor.call() | |
plugins.run() | |
} | |
access_log off; | |
port_in_redirect off; | |
set $balancer_ewma_score -1; | |
set $proxy_upstream_name "upstream-default-backend"; | |
set $proxy_host $proxy_upstream_name; | |
set $pass_access_scheme $scheme; | |
set $pass_server_port $server_port; | |
set $best_http_host $http_host; | |
set $pass_port $pass_server_port; | |
set $proxy_alternative_upstream_name ""; | |
client_max_body_size 1m; | |
proxy_set_header Host $best_http_host; | |
# Pass the extracted client certificate to the backend | |
# Allow websocket connections | |
proxy_set_header Upgrade $http_upgrade; | |
proxy_set_header Connection $connection_upgrade; | |
proxy_set_header X-Request-ID $req_id; | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $remote_addr; | |
proxy_set_header X-Forwarded-Host $best_http_host; | |
proxy_set_header X-Forwarded-Port $pass_port; | |
proxy_set_header X-Forwarded-Proto $pass_access_scheme; | |
proxy_set_header X-Scheme $pass_access_scheme; | |
# Pass the original X-Forwarded-For | |
proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for; | |
# mitigate HTTPoxy Vulnerability | |
# https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ | |
proxy_set_header Proxy ""; | |
# Custom headers to proxied server | |
proxy_connect_timeout 5s; | |
proxy_send_timeout 60s; | |
proxy_read_timeout 60s; | |
proxy_buffering off; | |
proxy_buffer_size 16k; | |
proxy_buffers 4 16k; | |
proxy_max_temp_file_size 1024m; | |
proxy_request_buffering on; | |
proxy_http_version 1.1; | |
proxy_cookie_domain off; | |
proxy_cookie_path off; | |
# In case of errors try the next upstream server before returning an error | |
proxy_next_upstream error timeout; | |
proxy_next_upstream_timeout 0; | |
proxy_next_upstream_tries 3; | |
proxy_pass http://upstream_balancer; | |
proxy_redirect off; | |
} | |
# health checks in cloud providers require the use of port 80 | |
location /healthz { | |
access_log off; | |
return 200; | |
} | |
# this is required to avoid error if nginx is being monitored | |
# with an external software (like sysdig) | |
location /nginx_status { | |
allow 127.0.0.1; | |
allow ::1; | |
deny all; | |
access_log off; | |
stub_status on; | |
} | |
} | |
## end server _ | |
## start server XXXXX.XXXXX.com | |
server { | |
server_name XXXXX.XXXXX.com ; | |
listen 80 ; | |
listen [::]:80 ; | |
listen 443 ssl http2 ; | |
listen [::]:443 ssl http2 ; | |
set $proxy_upstream_name "-"; | |
ssl_certificate_by_lua_block { | |
certificate.call() | |
} | |
location /oauth2/ { | |
set $namespace "kube-system"; | |
set $ingress_name "oauth2-proxy"; | |
set $service_name "oauth2-proxy"; | |
set $service_port "4180"; | |
set $location_path "/oauth2"; | |
set $global_rate_limit_exceeding n; | |
rewrite_by_lua_block { | |
lua_ingress.rewrite({ | |
force_ssl_redirect = false, | |
ssl_redirect = true, | |
force_no_ssl_redirect = false, | |
use_port_in_redirects = false, | |
global_throttle = { namespace = "", limit = 0, window_size = 0, key = { }, ignored_cidrs = { } }, | |
}) | |
balancer.rewrite() | |
plugins.run() | |
} | |
# be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any | |
# will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)` | |
# other authentication method such as basic auth or external auth useless - all requests will be allowed. | |
#access_by_lua_block { | |
#} | |
header_filter_by_lua_block { | |
lua_ingress.header() | |
plugins.run() | |
} | |
body_filter_by_lua_block { | |
plugins.run() | |
} | |
log_by_lua_block { | |
balancer.log() | |
monitor.call() | |
plugins.run() | |
} | |
port_in_redirect off; | |
set $balancer_ewma_score -1; | |
set $proxy_upstream_name "kube-system-oauth2-proxy-4180"; | |
set $proxy_host $proxy_upstream_name; | |
set $pass_access_scheme $scheme; | |
set $pass_server_port $server_port; | |
set $best_http_host $http_host; | |
set $pass_port $pass_server_port; | |
set $proxy_alternative_upstream_name ""; | |
client_max_body_size 1m; | |
proxy_set_header Host $best_http_host; | |
# Pass the extracted client certificate to the backend | |
# Allow websocket connections | |
proxy_set_header Upgrade $http_upgrade; | |
proxy_set_header Connection $connection_upgrade; | |
proxy_set_header X-Request-ID $req_id; | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $remote_addr; | |
proxy_set_header X-Forwarded-Host $best_http_host; | |
proxy_set_header X-Forwarded-Port $pass_port; | |
proxy_set_header X-Forwarded-Proto $pass_access_scheme; | |
proxy_set_header X-Scheme $pass_access_scheme; | |
# Pass the original X-Forwarded-For | |
proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for; | |
# mitigate HTTPoxy Vulnerability | |
# https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ | |
proxy_set_header Proxy ""; | |
# Custom headers to proxied server | |
proxy_connect_timeout 5s; | |
proxy_send_timeout 60s; | |
proxy_read_timeout 60s; | |
proxy_buffering off; | |
proxy_buffer_size 16k; | |
proxy_buffers 4 16k; | |
proxy_max_temp_file_size 1024m; | |
proxy_request_buffering on; | |
proxy_http_version 1.1; | |
proxy_cookie_domain off; | |
proxy_cookie_path off; | |
# In case of errors try the next upstream server before returning an error | |
proxy_next_upstream error timeout; | |
proxy_next_upstream_timeout 0; | |
proxy_next_upstream_tries 3; | |
proxy_pass http://upstream_balancer; | |
proxy_redirect off; | |
} | |
location = /oauth2 { | |
set $namespace "kube-system"; | |
set $ingress_name "oauth2-proxy"; | |
set $service_name "oauth2-proxy"; | |
set $service_port "4180"; | |
set $location_path "/oauth2"; | |
set $global_rate_limit_exceeding n; | |
rewrite_by_lua_block { | |
lua_ingress.rewrite({ | |
force_ssl_redirect = false, | |
ssl_redirect = true, | |
force_no_ssl_redirect = false, | |
use_port_in_redirects = false, | |
global_throttle = { namespace = "", limit = 0, window_size = 0, key = { }, ignored_cidrs = { } }, | |
}) | |
balancer.rewrite() | |
plugins.run() | |
} | |
# be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any | |
# will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)` | |
# other authentication method such as basic auth or external auth useless - all requests will be allowed. | |
#access_by_lua_block { | |
#} | |
header_filter_by_lua_block { | |
lua_ingress.header() | |
plugins.run() | |
} | |
body_filter_by_lua_block { | |
plugins.run() | |
} | |
log_by_lua_block { | |
balancer.log() | |
monitor.call() | |
plugins.run() | |
} | |
port_in_redirect off; | |
set $balancer_ewma_score -1; | |
set $proxy_upstream_name "kube-system-oauth2-proxy-4180"; | |
set $proxy_host $proxy_upstream_name; | |
set $pass_access_scheme $scheme; | |
set $pass_server_port $server_port; | |
set $best_http_host $http_host; | |
set $pass_port $pass_server_port; | |
set $proxy_alternative_upstream_name ""; | |
client_max_body_size 1m; | |
proxy_set_header Host $best_http_host; | |
# Pass the extracted client certificate to the backend | |
# Allow websocket connections | |
proxy_set_header Upgrade $http_upgrade; | |
proxy_set_header Connection $connection_upgrade; | |
proxy_set_header X-Request-ID $req_id; | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $remote_addr; | |
proxy_set_header X-Forwarded-Host $best_http_host; | |
proxy_set_header X-Forwarded-Port $pass_port; | |
proxy_set_header X-Forwarded-Proto $pass_access_scheme; | |
proxy_set_header X-Scheme $pass_access_scheme; | |
# Pass the original X-Forwarded-For | |
proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for; | |
# mitigate HTTPoxy Vulnerability | |
# https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ | |
proxy_set_header Proxy ""; | |
# Custom headers to proxied server | |
proxy_connect_timeout 5s; | |
proxy_send_timeout 60s; | |
proxy_read_timeout 60s; | |
proxy_buffering off; | |
proxy_buffer_size 16k; | |
proxy_buffers 4 16k; | |
proxy_max_temp_file_size 1024m; | |
proxy_request_buffering on; | |
proxy_http_version 1.1; | |
proxy_cookie_domain off; | |
proxy_cookie_path off; | |
# In case of errors try the next upstream server before returning an error | |
proxy_next_upstream error timeout; | |
proxy_next_upstream_timeout 0; | |
proxy_next_upstream_tries 3; | |
proxy_pass http://upstream_balancer; | |
proxy_redirect off; | |
} | |
location = /_external-auth-L3Rlc3Qv-Prefix { | |
internal; | |
# ngx_auth_request module overrides variables in the parent request, | |
# therefore we have to explicitly set this variable again so that when the parent request | |
# resumes it has the correct value set for this variable so that Lua can pick backend correctly | |
set $proxy_upstream_name "PROXYXXXXX"; | |
proxy_pass_request_body off; | |
proxy_set_header Content-Length ""; | |
proxy_set_header X-Forwarded-Proto ""; | |
proxy_set_header X-Request-ID $req_id; | |
proxy_set_header Host $host; | |
proxy_set_header X-Original-URL $scheme://$http_host$request_uri; | |
proxy_set_header X-Original-Method $request_method; | |
proxy_set_header X-Sent-From "nginx-ingress-controller"; | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $remote_addr; | |
proxy_set_header X-Auth-Request-Redirect $request_uri; | |
proxy_buffering off; | |
proxy_buffer_size 16k; | |
proxy_buffers 4 16k; | |
proxy_request_buffering on; | |
proxy_http_version 1.1; | |
proxy_ssl_server_name on; | |
proxy_pass_request_headers on; | |
client_max_body_size 1m; | |
# Pass the extracted client certificate to the auth provider | |
set $target https://$host/oauth2/auth; | |
proxy_pass $target; | |
} | |
location @e906e269ca3b09a3644c62b91defc5db66630437 { | |
internal; | |
add_header Set-Cookie $auth_cookie; | |
return 302 https://$host/oauth2/start?rd=$escaped_request_uri; | |
} | |
location /test/ { | |
set $namespace "voila"; | |
set $ingress_name "XXXXX"; | |
set $service_name "XXXXX"; | |
set $service_port "80"; | |
set $location_path "/test"; | |
set $global_rate_limit_exceeding n; | |
rewrite_by_lua_block { | |
lua_ingress.rewrite({ | |
force_ssl_redirect = false, | |
ssl_redirect = true, | |
force_no_ssl_redirect = false, | |
use_port_in_redirects = false, | |
global_throttle = { namespace = "", limit = 0, window_size = 0, key = { }, ignored_cidrs = { } }, | |
}) | |
balancer.rewrite() | |
plugins.run() | |
} | |
# be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any | |
# will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)` | |
# other authentication method such as basic auth or external auth useless - all requests will be allowed. | |
#access_by_lua_block { | |
#} | |
header_filter_by_lua_block { | |
lua_ingress.header() | |
plugins.run() | |
} | |
body_filter_by_lua_block { | |
plugins.run() | |
} | |
log_by_lua_block { | |
balancer.log() | |
monitor.call() | |
plugins.run() | |
} | |
port_in_redirect off; | |
set $balancer_ewma_score -1; | |
set $proxy_upstream_name "PROXYXXXXX"; | |
set $proxy_host $proxy_upstream_name; | |
set $pass_access_scheme $scheme; | |
set $pass_server_port $server_port; | |
set $best_http_host $http_host; | |
set $pass_port $pass_server_port; | |
set $proxy_alternative_upstream_name ""; | |
# this location requires authentication | |
auth_request /_external-auth-L3Rlc3Qv-Prefix; | |
auth_request_set $auth_cookie $upstream_http_set_cookie; | |
add_header Set-Cookie $auth_cookie; | |
set_escape_uri $escaped_request_uri $request_uri; | |
error_page 401 = @e906e269ca3b09a3644c62b91defc5db66630437; | |
client_max_body_size 1m; | |
proxy_set_header Host $best_http_host; | |
# Pass the extracted client certificate to the backend | |
# Allow websocket connections | |
proxy_set_header Upgrade $http_upgrade; | |
proxy_set_header Connection $connection_upgrade; | |
proxy_set_header X-Request-ID $req_id; | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $remote_addr; | |
proxy_set_header X-Forwarded-Host $best_http_host; | |
proxy_set_header X-Forwarded-Port $pass_port; | |
proxy_set_header X-Forwarded-Proto $pass_access_scheme; | |
proxy_set_header X-Scheme $pass_access_scheme; | |
# Pass the original X-Forwarded-For | |
proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for; | |
# mitigate HTTPoxy Vulnerability | |
# https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ | |
proxy_set_header Proxy ""; | |
# Custom headers to proxied server | |
proxy_connect_timeout 5s; | |
proxy_send_timeout 60s; | |
proxy_read_timeout 60s; | |
proxy_buffering off; | |
proxy_buffer_size 16k; | |
proxy_buffers 4 16k; | |
proxy_max_temp_file_size 1024m; | |
proxy_request_buffering on; | |
proxy_http_version 1.1; | |
proxy_cookie_domain off; | |
proxy_cookie_path off; | |
# In case of errors try the next upstream server before returning an error | |
proxy_next_upstream error timeout; | |
proxy_next_upstream_timeout 0; | |
proxy_next_upstream_tries 3; | |
proxy_pass http://upstream_balancer; | |
proxy_redirect off; | |
} | |
location = /_external-auth-L3Rlc3Q-Exact { | |
internal; | |
# ngx_auth_request module overrides variables in the parent request, | |
# therefore we have to explicitly set this variable again so that when the parent request | |
# resumes it has the correct value set for this variable so that Lua can pick backend correctly | |
set $proxy_upstream_name "PROXYXXXXX"; | |
proxy_pass_request_body off; | |
proxy_set_header Content-Length ""; | |
proxy_set_header X-Forwarded-Proto ""; | |
proxy_set_header X-Request-ID $req_id; | |
proxy_set_header Host $host; | |
proxy_set_header X-Original-URL $scheme://$http_host$request_uri; | |
proxy_set_header X-Original-Method $request_method; | |
proxy_set_header X-Sent-From "nginx-ingress-controller"; | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $remote_addr; | |
proxy_set_header X-Auth-Request-Redirect $request_uri; | |
proxy_buffering off; | |
proxy_buffer_size 16k; | |
proxy_buffers 4 16k; | |
proxy_request_buffering on; | |
proxy_http_version 1.1; | |
proxy_ssl_server_name on; | |
proxy_pass_request_headers on; | |
client_max_body_size 1m; | |
# Pass the extracted client certificate to the auth provider | |
set $target https://$host/oauth2/auth; | |
proxy_pass $target; | |
} | |
location @47f77e116bfeba6404ed8eef52dc35d46b0c9051 { | |
internal; | |
add_header Set-Cookie $auth_cookie; | |
return 302 https://$host/oauth2/start?rd=$escaped_request_uri; | |
} | |
location = /test { | |
set $namespace "voila"; | |
set $ingress_name "XXXXX"; | |
set $service_name "XXXXX"; | |
set $service_port "80"; | |
set $location_path "/test"; | |
set $global_rate_limit_exceeding n; | |
rewrite_by_lua_block { | |
lua_ingress.rewrite({ | |
force_ssl_redirect = false, | |
ssl_redirect = true, | |
force_no_ssl_redirect = false, | |
use_port_in_redirects = false, | |
global_throttle = { namespace = "", limit = 0, window_size = 0, key = { }, ignored_cidrs = { } }, | |
}) | |
balancer.rewrite() | |
plugins.run() | |
} | |
# be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any | |
# will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)` | |
# other authentication method such as basic auth or external auth useless - all requests will be allowed. | |
#access_by_lua_block { | |
#} | |
header_filter_by_lua_block { | |
lua_ingress.header() | |
plugins.run() | |
} | |
body_filter_by_lua_block { | |
plugins.run() | |
} | |
log_by_lua_block { | |
balancer.log() | |
monitor.call() | |
plugins.run() | |
} | |
port_in_redirect off; | |
set $balancer_ewma_score -1; | |
set $proxy_upstream_name "PROXYXXXXX"; | |
set $proxy_host $proxy_upstream_name; | |
set $pass_access_scheme $scheme; | |
set $pass_server_port $server_port; | |
set $best_http_host $http_host; | |
set $pass_port $pass_server_port; | |
set $proxy_alternative_upstream_name ""; | |
# this location requires authentication | |
auth_request /_external-auth-L3Rlc3Q-Exact; | |
auth_request_set $auth_cookie $upstream_http_set_cookie; | |
add_header Set-Cookie $auth_cookie; | |
set_escape_uri $escaped_request_uri $request_uri; | |
error_page 401 = @47f77e116bfeba6404ed8eef52dc35d46b0c9051; | |
client_max_body_size 1m; | |
proxy_set_header Host $best_http_host; | |
# Pass the extracted client certificate to the backend | |
# Allow websocket connections | |
proxy_set_header Upgrade $http_upgrade; | |
proxy_set_header Connection $connection_upgrade; | |
proxy_set_header X-Request-ID $req_id; | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $remote_addr; | |
proxy_set_header X-Forwarded-Host $best_http_host; | |
proxy_set_header X-Forwarded-Port $pass_port; | |
proxy_set_header X-Forwarded-Proto $pass_access_scheme; | |
proxy_set_header X-Scheme $pass_access_scheme; | |
# Pass the original X-Forwarded-For | |
proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for; | |
# mitigate HTTPoxy Vulnerability | |
# https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ | |
proxy_set_header Proxy ""; | |
# Custom headers to proxied server | |
proxy_connect_timeout 5s; | |
proxy_send_timeout 60s; | |
proxy_read_timeout 60s; | |
proxy_buffering off; | |
proxy_buffer_size 16k; | |
proxy_buffers 4 16k; | |
proxy_max_temp_file_size 1024m; | |
proxy_request_buffering on; | |
proxy_http_version 1.1; | |
proxy_cookie_domain off; | |
proxy_cookie_path off; | |
# In case of errors try the next upstream server before returning an error | |
proxy_next_upstream error timeout; | |
proxy_next_upstream_timeout 0; | |
proxy_next_upstream_tries 3; | |
proxy_pass http://upstream_balancer; | |
proxy_redirect off; | |
} | |
location = /_external-auth-L2VjaG8v-Prefix { | |
internal; | |
# ngx_auth_request module overrides variables in the parent request, | |
# therefore we have to explicitly set this variable again so that when the parent request | |
# resumes it has the correct value set for this variable so that Lua can pick backend correctly | |
set $proxy_upstream_name "PROXYXXXXX"; | |
proxy_pass_request_body off; | |
proxy_set_header Content-Length ""; | |
proxy_set_header X-Forwarded-Proto ""; | |
proxy_set_header X-Request-ID $req_id; | |
proxy_set_header Host $host; | |
proxy_set_header X-Original-URL $scheme://$http_host$request_uri; | |
proxy_set_header X-Original-Method $request_method; | |
proxy_set_header X-Sent-From "nginx-ingress-controller"; | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $remote_addr; | |
proxy_set_header X-Auth-Request-Redirect $request_uri; | |
proxy_buffering off; | |
proxy_buffer_size 16k; | |
proxy_buffers 4 16k; | |
proxy_request_buffering on; | |
proxy_http_version 1.1; | |
proxy_ssl_server_name on; | |
proxy_pass_request_headers on; | |
client_max_body_size 1m; | |
# Pass the extracted client certificate to the auth provider | |
set $target https://$host/oauth2/auth; | |
proxy_pass $target; | |
} | |
location @daae2f5e3a4fb7a88f2c013e7ba52815099916ea { | |
internal; | |
add_header Set-Cookie $auth_cookie; | |
return 302 https://$host/oauth2/start?rd=$escaped_request_uri; | |
} | |
location /echo/ { | |
set $namespace "voila"; | |
set $ingress_name "XXXXX"; | |
set $service_name "XXXXX"; | |
set $service_port "80"; | |
set $location_path "/echo"; | |
set $global_rate_limit_exceeding n; | |
rewrite_by_lua_block { | |
lua_ingress.rewrite({ | |
force_ssl_redirect = false, | |
ssl_redirect = true, | |
force_no_ssl_redirect = false, | |
use_port_in_redirects = false, | |
global_throttle = { namespace = "", limit = 0, window_size = 0, key = { }, ignored_cidrs = { } }, | |
}) | |
balancer.rewrite() | |
plugins.run() | |
} | |
# be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any | |
# will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)` | |
# other authentication method such as basic auth or external auth useless - all requests will be allowed. | |
#access_by_lua_block { | |
#} | |
header_filter_by_lua_block { | |
lua_ingress.header() | |
plugins.run() | |
} | |
body_filter_by_lua_block { | |
plugins.run() | |
} | |
log_by_lua_block { | |
balancer.log() | |
monitor.call() | |
plugins.run() | |
} | |
port_in_redirect off; | |
set $balancer_ewma_score -1; | |
set $proxy_upstream_name "PROXYXXXXX"; | |
set $proxy_host $proxy_upstream_name; | |
set $pass_access_scheme $scheme; | |
set $pass_server_port $server_port; | |
set $best_http_host $http_host; | |
set $pass_port $pass_server_port; | |
set $proxy_alternative_upstream_name ""; | |
# this location requires authentication | |
auth_request /_external-auth-L2VjaG8v-Prefix; | |
auth_request_set $auth_cookie $upstream_http_set_cookie; | |
add_header Set-Cookie $auth_cookie; | |
auth_request_set $authHeader0 $upstream_http_x_auth_request_email; | |
proxy_set_header 'x-auth-request-email' $authHeader0; | |
set_escape_uri $escaped_request_uri $request_uri; | |
error_page 401 = @daae2f5e3a4fb7a88f2c013e7ba52815099916ea; | |
client_max_body_size 1m; | |
proxy_set_header Host $best_http_host; | |
# Pass the extracted client certificate to the backend | |
# Allow websocket connections | |
proxy_set_header Upgrade $http_upgrade; | |
proxy_set_header Connection $connection_upgrade; | |
proxy_set_header X-Request-ID $req_id; | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $remote_addr; | |
proxy_set_header X-Forwarded-Host $best_http_host; | |
proxy_set_header X-Forwarded-Port $pass_port; | |
proxy_set_header X-Forwarded-Proto $pass_access_scheme; | |
proxy_set_header X-Scheme $pass_access_scheme; | |
# Pass the original X-Forwarded-For | |
proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for; | |
# mitigate HTTPoxy Vulnerability | |
# https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ | |
proxy_set_header Proxy ""; | |
# Custom headers to proxied server | |
proxy_connect_timeout 5s; | |
proxy_send_timeout 60s; | |
proxy_read_timeout 60s; | |
proxy_buffering off; | |
proxy_buffer_size 16k; | |
proxy_buffers 4 16k; | |
proxy_max_temp_file_size 1024m; | |
proxy_request_buffering on; | |
proxy_http_version 1.1; | |
proxy_cookie_domain off; | |
proxy_cookie_path off; | |
# In case of errors try the next upstream server before returning an error | |
proxy_next_upstream error timeout; | |
proxy_next_upstream_timeout 0; | |
proxy_next_upstream_tries 3; | |
set $args user=$http_x_auth_request_email&$args; | |
proxy_pass http://upstream_balancer; | |
proxy_redirect off; | |
} | |
location = /_external-auth-L2VjaG8-Exact { | |
internal; | |
# ngx_auth_request module overrides variables in the parent request, | |
# therefore we have to explicitly set this variable again so that when the parent request | |
# resumes it has the correct value set for this variable so that Lua can pick backend correctly | |
set $proxy_upstream_name "PROXYXXXXX"; | |
proxy_pass_request_body off; | |
proxy_set_header Content-Length ""; | |
proxy_set_header X-Forwarded-Proto ""; | |
proxy_set_header X-Request-ID $req_id; | |
proxy_set_header Host $host; | |
proxy_set_header X-Original-URL $scheme://$http_host$request_uri; | |
proxy_set_header X-Original-Method $request_method; | |
proxy_set_header X-Sent-From "nginx-ingress-controller"; | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $remote_addr; | |
proxy_set_header X-Auth-Request-Redirect $request_uri; | |
proxy_buffering off; | |
proxy_buffer_size 16k; | |
proxy_buffers 4 16k; | |
proxy_request_buffering on; | |
proxy_http_version 1.1; | |
proxy_ssl_server_name on; | |
proxy_pass_request_headers on; | |
client_max_body_size 1m; | |
# Pass the extracted client certificate to the auth provider | |
set $target https://$host/oauth2/auth; | |
proxy_pass $target; | |
} | |
location @87934873ccd113b6cdaecdb8391eab7afa44a7b7 { | |
internal; | |
add_header Set-Cookie $auth_cookie; | |
return 302 https://$host/oauth2/start?rd=$escaped_request_uri; | |
} | |
location = /echo { | |
set $namespace "voila"; | |
set $ingress_name "XXXXX"; | |
set $service_name "XXXXX"; | |
set $service_port "80"; | |
set $location_path "/echo"; | |
set $global_rate_limit_exceeding n; | |
rewrite_by_lua_block { | |
lua_ingress.rewrite({ | |
force_ssl_redirect = false, | |
ssl_redirect = true, | |
force_no_ssl_redirect = false, | |
use_port_in_redirects = false, | |
global_throttle = { namespace = "", limit = 0, window_size = 0, key = { }, ignored_cidrs = { } }, | |
}) | |
balancer.rewrite() | |
plugins.run() | |
} | |
# be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any | |
# will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)` | |
# other authentication method such as basic auth or external auth useless - all requests will be allowed. | |
#access_by_lua_block { | |
#} | |
header_filter_by_lua_block { | |
lua_ingress.header() | |
plugins.run() | |
} | |
body_filter_by_lua_block { | |
plugins.run() | |
} | |
log_by_lua_block { | |
balancer.log() | |
monitor.call() | |
plugins.run() | |
} | |
port_in_redirect off; | |
set $balancer_ewma_score -1; | |
set $proxy_upstream_name "PROXYXXXXX"; | |
set $proxy_host $proxy_upstream_name; | |
set $pass_access_scheme $scheme; | |
set $pass_server_port $server_port; | |
set $best_http_host $http_host; | |
set $pass_port $pass_server_port; | |
set $proxy_alternative_upstream_name ""; | |
# this location requires authentication | |
auth_request /_external-auth-L2VjaG8-Exact; | |
auth_request_set $auth_cookie $upstream_http_set_cookie; | |
add_header Set-Cookie $auth_cookie; | |
auth_request_set $authHeader0 $upstream_http_x_auth_request_email; | |
proxy_set_header 'x-auth-request-email' $authHeader0; | |
set_escape_uri $escaped_request_uri $request_uri; | |
error_page 401 = @87934873ccd113b6cdaecdb8391eab7afa44a7b7; | |
client_max_body_size 1m; | |
proxy_set_header Host $best_http_host; | |
# Pass the extracted client certificate to the backend | |
# Allow websocket connections | |
proxy_set_header Upgrade $http_upgrade; | |
proxy_set_header Connection $connection_upgrade; | |
proxy_set_header X-Request-ID $req_id; | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $remote_addr; | |
proxy_set_header X-Forwarded-Host $best_http_host; | |
proxy_set_header X-Forwarded-Port $pass_port; | |
proxy_set_header X-Forwarded-Proto $pass_access_scheme; | |
proxy_set_header X-Scheme $pass_access_scheme; | |
# Pass the original X-Forwarded-For | |
proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for; | |
# mitigate HTTPoxy Vulnerability | |
# https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ | |
proxy_set_header Proxy ""; | |
# Custom headers to proxied server | |
proxy_connect_timeout 5s; | |
proxy_send_timeout 60s; | |
proxy_read_timeout 60s; | |
proxy_buffering off; | |
proxy_buffer_size 16k; | |
proxy_buffers 4 16k; | |
proxy_max_temp_file_size 1024m; | |
proxy_request_buffering on; | |
proxy_http_version 1.1; | |
proxy_cookie_domain off; | |
proxy_cookie_path off; | |
# In case of errors try the next upstream server before returning an error | |
proxy_next_upstream error timeout; | |
proxy_next_upstream_timeout 0; | |
proxy_next_upstream_tries 3; | |
set $args user=$http_x_auth_request_email&$args; | |
proxy_pass http://upstream_balancer; | |
proxy_redirect off; | |
} | |
location = /_external-auth-Lw-Prefix { | |
internal; | |
# ngx_auth_request module overrides variables in the parent request, | |
# therefore we have to explicitly set this variable again so that when the parent request | |
# resumes it has the correct value set for this variable so that Lua can pick backend correctly | |
set $proxy_upstream_name "upstream-default-backend"; | |
proxy_pass_request_body off; | |
proxy_set_header Content-Length ""; | |
proxy_set_header X-Forwarded-Proto ""; | |
proxy_set_header X-Request-ID $req_id; | |
proxy_set_header Host $host; | |
proxy_set_header X-Original-URL $scheme://$http_host$request_uri; | |
proxy_set_header X-Original-Method $request_method; | |
proxy_set_header X-Sent-From "nginx-ingress-controller"; | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $remote_addr; | |
proxy_set_header X-Auth-Request-Redirect $request_uri; | |
proxy_buffering off; | |
proxy_buffer_size 16k; | |
proxy_buffers 4 16k; | |
proxy_request_buffering on; | |
proxy_http_version 1.1; | |
proxy_ssl_server_name on; | |
proxy_pass_request_headers on; | |
client_max_body_size 1m; | |
# Pass the extracted client certificate to the auth provider | |
set $target https://$host/oauth2/auth; | |
proxy_pass $target; | |
} | |
location @19323ad5152e2a377238f6ad204b12ab4bc9cce1 { | |
internal; | |
add_header Set-Cookie $auth_cookie; | |
return 302 https://$host/oauth2/start?rd=$escaped_request_uri; | |
} | |
location / { | |
set $namespace "voila"; | |
set $ingress_name "XXXXX"; | |
set $service_name ""; | |
set $service_port ""; | |
set $location_path "/"; | |
set $global_rate_limit_exceeding n; | |
rewrite_by_lua_block { | |
lua_ingress.rewrite({ | |
force_ssl_redirect = false, | |
ssl_redirect = true, | |
force_no_ssl_redirect = false, | |
use_port_in_redirects = false, | |
global_throttle = { namespace = "", limit = 0, window_size = 0, key = { }, ignored_cidrs = { } }, | |
}) | |
balancer.rewrite() | |
plugins.run() | |
} | |
# be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any | |
# will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)` | |
# other authentication method such as basic auth or external auth useless - all requests will be allowed. | |
#access_by_lua_block { | |
#} | |
header_filter_by_lua_block { | |
lua_ingress.header() | |
plugins.run() | |
} | |
body_filter_by_lua_block { | |
plugins.run() | |
} | |
log_by_lua_block { | |
balancer.log() | |
monitor.call() | |
plugins.run() | |
} | |
port_in_redirect off; | |
set $balancer_ewma_score -1; | |
set $proxy_upstream_name "upstream-default-backend"; | |
set $proxy_host $proxy_upstream_name; | |
set $pass_access_scheme $scheme; | |
set $pass_server_port $server_port; | |
set $best_http_host $http_host; | |
set $pass_port $pass_server_port; | |
set $proxy_alternative_upstream_name ""; | |
# this location requires authentication | |
auth_request /_external-auth-Lw-Prefix; | |
auth_request_set $auth_cookie $upstream_http_set_cookie; | |
add_header Set-Cookie $auth_cookie; | |
set_escape_uri $escaped_request_uri $request_uri; | |
error_page 401 = @19323ad5152e2a377238f6ad204b12ab4bc9cce1; | |
client_max_body_size 1m; | |
proxy_set_header Host $best_http_host; | |
# Pass the extracted client certificate to the backend | |
# Allow websocket connections | |
proxy_set_header Upgrade $http_upgrade; | |
proxy_set_header Connection $connection_upgrade; | |
proxy_set_header X-Request-ID $req_id; | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $remote_addr; | |
proxy_set_header X-Forwarded-Host $best_http_host; | |
proxy_set_header X-Forwarded-Port $pass_port; | |
proxy_set_header X-Forwarded-Proto $pass_access_scheme; | |
proxy_set_header X-Scheme $pass_access_scheme; | |
# Pass the original X-Forwarded-For | |
proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for; | |
# mitigate HTTPoxy Vulnerability | |
# https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ | |
proxy_set_header Proxy ""; | |
# Custom headers to proxied server | |
proxy_connect_timeout 5s; | |
proxy_send_timeout 60s; | |
proxy_read_timeout 60s; | |
proxy_buffering off; | |
proxy_buffer_size 16k; | |
proxy_buffers 4 16k; | |
proxy_max_temp_file_size 1024m; | |
proxy_request_buffering on; | |
proxy_http_version 1.1; | |
proxy_cookie_domain off; | |
proxy_cookie_path off; | |
# In case of errors try the next upstream server before returning an error | |
proxy_next_upstream error timeout; | |
proxy_next_upstream_timeout 0; | |
proxy_next_upstream_tries 3; | |
proxy_pass http://upstream_balancer; | |
proxy_redirect off; | |
} | |
} | |
## end server XXXXX.XXXXX.com | |
# backend for when default-backend-service is not configured or it does not have endpoints | |
server { | |
listen 8181 default_server reuseport backlog=4096; | |
listen [::]:8181 default_server reuseport backlog=4096; | |
set $proxy_upstream_name "internal"; | |
access_log off; | |
location / { | |
return 404; | |
} | |
} | |
# default server, used for NGINX healthcheck and access to nginx stats | |
server { | |
listen 127.0.0.1:10246; | |
set $proxy_upstream_name "internal"; | |
keepalive_timeout 0; | |
gzip off; | |
access_log off; | |
location /healthz { | |
return 200; | |
} | |
location /is-dynamic-lb-initialized { | |
content_by_lua_block { | |
local configuration = require("configuration") | |
local backend_data = configuration.get_backends_data() | |
if not backend_data then | |
ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR) | |
return | |
end | |
ngx.say("OK") | |
ngx.exit(ngx.HTTP_OK) | |
} | |
} | |
location /nginx_status { | |
stub_status on; | |
} | |
location /configuration { | |
client_max_body_size 21m; | |
client_body_buffer_size 21m; | |
proxy_buffering off; | |
content_by_lua_block { | |
configuration.call() | |
} | |
} | |
location / { | |
content_by_lua_block { | |
ngx.exit(ngx.HTTP_NOT_FOUND) | |
} | |
} | |
} | |
} | |
stream { | |
lua_package_path "/etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/?.lua;;"; | |
lua_shared_dict tcp_udp_configuration_data 5M; | |
init_by_lua_block { | |
collectgarbage("collect") | |
-- init modules | |
local ok, res | |
ok, res = pcall(require, "configuration") | |
if not ok then | |
error("require failed: " .. tostring(res)) | |
else | |
configuration = res | |
end | |
ok, res = pcall(require, "tcp_udp_configuration") | |
if not ok then | |
error("require failed: " .. tostring(res)) | |
else | |
tcp_udp_configuration = res | |
tcp_udp_configuration.prohibited_localhost_port = '10246' | |
end | |
ok, res = pcall(require, "tcp_udp_balancer") | |
if not ok then | |
error("require failed: " .. tostring(res)) | |
else | |
tcp_udp_balancer = res | |
end | |
} | |
init_worker_by_lua_block { | |
tcp_udp_balancer.init_worker() | |
} | |
lua_add_variable $proxy_upstream_name; | |
log_format log_stream '[$remote_addr] [$time_local] $protocol $status $bytes_sent $bytes_received $session_time'; | |
access_log /var/log/nginx/access.log log_stream ; | |
error_log /var/log/nginx/error.log notice; | |
upstream upstream_balancer { | |
server 0.0.0.1:1234; # placeholder | |
balancer_by_lua_block { | |
tcp_udp_balancer.balance() | |
} | |
} | |
server { | |
listen 127.0.0.1:10247; | |
access_log off; | |
content_by_lua_block { | |
tcp_udp_configuration.call() | |
} | |
} | |
# TCP services | |
# UDP services | |
} | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment