API tools faq
paste
Advertisement
ravaelamanov

Untitled

ravaelamanov
Jun 8th, 2022
1,009
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Nginx 14.79 KB | None | 0 0
raw download clone embed print report
  1.  
  2. # Configuration checksum: 1518439798699252712
  3.  
  4. # setup custom paths that do not require root access
  5. pid /tmp/nginx.pid;
  6.  
  7. daemon off;
  8.  
  9. worker_processes 4;
  10.  
  11. worker_rlimit_nofile 1047552;
  12.  
  13. worker_shutdown_timeout 240s ;
  14.  
  15. events {
  16.     multi_accept        on;
  17.     worker_connections  16384;
  18.     use                 epoll;
  19. }
  20.  
  21. http {
  22.     lua_package_path "/etc/nginx/lua/?.lua;;";
  23.    
  24.     lua_shared_dict balancer_ewma 10M;
  25.     lua_shared_dict balancer_ewma_last_touched_at 10M;
  26.     lua_shared_dict balancer_ewma_locks 1M;
  27.     lua_shared_dict certificate_data 20M;
  28.     lua_shared_dict certificate_servers 5M;
  29.     lua_shared_dict configuration_data 20M;
  30.     lua_shared_dict global_throttle_cache 10M;
  31.     lua_shared_dict ocsp_response_cache 5M;
  32.    
  33.     init_by_lua_block {
  34.         collectgarbage("collect")
  35.        
  36.         -- init modules
  37.         local ok, res
  38.        
  39.         ok, res = pcall(require, "lua_ingress")
  40.         if not ok then
  41.         error("require failed: " .. tostring(res))
  42.         else
  43.         lua_ingress = res
  44.         lua_ingress.set_config({
  45.             use_forwarded_headers = false,
  46.             use_proxy_protocol = false,
  47.             is_ssl_passthrough_enabled = false,
  48.             http_redirect_code = 308,
  49.             listen_ports = { ssl_proxy = "442", https = "443" },
  50.            
  51.             hsts = false,
  52.             hsts_max_age = 15724800,
  53.             hsts_include_subdomains = true,
  54.             hsts_preload = false,
  55.            
  56.             global_throttle = {
  57.                 memcached = {
  58.                     host = "", port = 11211, connect_timeout = 50, max_idle_timeout = 10000, pool_size = 50,
  59.                 },
  60.                 status_code = 429,
  61.             }
  62.         })
  63.         end
  64.        
  65.         ok, res = pcall(require, "configuration")
  66.         if not ok then
  67.         error("require failed: " .. tostring(res))
  68.         else
  69.         configuration = res
  70.         configuration.prohibited_localhost_port = '10246'
  71.         end
  72.        
  73.         ok, res = pcall(require, "balancer")
  74.         if not ok then
  75.         error("require failed: " .. tostring(res))
  76.         else
  77.         balancer = res
  78.         end
  79.        
  80.         ok, res = pcall(require, "monitor")
  81.         if not ok then
  82.         error("require failed: " .. tostring(res))
  83.         else
  84.         monitor = res
  85.         end
  86.        
  87.         ok, res = pcall(require, "certificate")
  88.         if not ok then
  89.         error("require failed: " .. tostring(res))
  90.         else
  91.         certificate = res
  92.         certificate.is_ocsp_stapling_enabled = false
  93.         end
  94.        
  95.         ok, res = pcall(require, "plugins")
  96.         if not ok then
  97.         error("require failed: " .. tostring(res))
  98.         else
  99.         plugins = res
  100.         end
  101.         -- load all plugins that'll be used here
  102.         plugins.init({  })
  103.     }
  104.    
  105.     init_worker_by_lua_block {
  106.         lua_ingress.init_worker()
  107.         balancer.init_worker()
  108.        
  109.         monitor.init_worker(10000)
  110.        
  111.         plugins.run()
  112.     }
  113.    
  114.     geoip_country       /etc/nginx/geoip/GeoIP.dat;
  115.     geoip_city          /etc/nginx/geoip/GeoLiteCity.dat;
  116.     geoip_org           /etc/nginx/geoip/GeoIPASNum.dat;
  117.     geoip_proxy_recursive on;
  118.    
  119.     aio                 threads;
  120.     aio_write           on;
  121.    
  122.     tcp_nopush          on;
  123.     tcp_nodelay         on;
  124.    
  125.     log_subrequest      on;
  126.    
  127.     reset_timedout_connection on;
  128.    
  129.     keepalive_timeout  75s;
  130.     keepalive_requests 100;
  131.    
  132.     client_body_temp_path           /tmp/client-body;
  133.     fastcgi_temp_path               /tmp/fastcgi-temp;
  134.     proxy_temp_path                 /tmp/proxy-temp;
  135.     ajp_temp_path                   /tmp/ajp-temp;
  136.    
  137.     client_header_buffer_size       1k;
  138.     client_header_timeout           60s;
  139.     large_client_header_buffers     4 8k;
  140.     client_body_buffer_size         8k;
  141.     client_body_timeout             60s;
  142.    
  143.     http2_max_field_size            4k;
  144.     http2_max_header_size           16k;
  145.     http2_max_requests              1000;
  146.     http2_max_concurrent_streams    128;
  147.    
  148.     types_hash_max_size             2048;
  149.     server_names_hash_max_size      1024;
  150.     server_names_hash_bucket_size   32;
  151.     map_hash_bucket_size            64;
  152.    
  153.     proxy_headers_hash_max_size     512;
  154.     proxy_headers_hash_bucket_size  64;
  155.    
  156.     variables_hash_bucket_size      256;
  157.     variables_hash_max_size         2048;
  158.    
  159.     underscores_in_headers          off;
  160.     ignore_invalid_headers          on;
  161.    
  162.     limit_req_status                503;
  163.     limit_conn_status               503;
  164.    
  165.     include /etc/nginx/mime.types;
  166.     default_type text/html;
  167.    
  168.     # Custom headers for response
  169.    
  170.     server_tokens off;
  171.    
  172.     more_clear_headers Server;
  173.    
  174.     # disable warnings
  175.     uninitialized_variable_warn off;
  176.    
  177.     # Additional available variables:
  178.     # $namespace
  179.     # $ingress_name
  180.     # $service_name
  181.     # $service_port
  182.     log_format upstreaminfo '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] [$proxy_alternative_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status $req_id';
  183.    
  184.     map $request_uri $loggable {
  185.        
  186.         default 1;
  187.     }
  188.    
  189.     access_log /var/log/nginx/access.log upstreaminfo  if=$loggable;
  190.    
  191.     error_log  /var/log/nginx/error.log notice;
  192.    
  193.     resolver 10.96.0.10 valid=30s ipv6=off;
  194.    
  195.     # See https://www.nginx.com/blog/websocket-nginx
  196.     map $http_upgrade $connection_upgrade {
  197.         default          upgrade;
  198.        
  199.         # See http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
  200.         ''               '';
  201.        
  202.     }
  203.    
  204.     # Reverse proxies can detect if a client provides a X-Request-ID header, and pass it on to the backend server.
  205.     # If no such header is provided, it can provide a random value.
  206.     map $http_x_request_id $req_id {
  207.         default   $http_x_request_id;
  208.        
  209.         ""        $request_id;
  210.        
  211.     }
  212.    
  213.     # Create a variable that contains the literal $ character.
  214.     # This works because the geo module will not resolve variables.
  215.     geo $literal_dollar {
  216.         default "$";
  217.     }
  218.    
  219.     server_name_in_redirect off;
  220.     port_in_redirect        off;
  221.    
  222.     ssl_protocols TLSv1.2 TLSv1.3;
  223.    
  224.     ssl_early_data off;
  225.    
  226.     # turn on session caching to drastically improve performance
  227.    
  228.     ssl_session_cache shared:SSL:10m;
  229.     ssl_session_timeout 10m;
  230.    
  231.     # allow configuring ssl session tickets
  232.     ssl_session_tickets off;
  233.    
  234.     # slightly reduce the time-to-first-byte
  235.     ssl_buffer_size 4k;
  236.    
  237.     # allow configuring custom ssl ciphers
  238.     ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
  239.     ssl_prefer_server_ciphers on;
  240.    
  241.     ssl_ecdh_curve auto;
  242.    
  243.     # PEM sha: f6c6a63f2ffbb547201e57d0b6c645b728104652
  244.     ssl_certificate     /etc/ingress-controller/ssl/default-fake-certificate.pem;
  245.     ssl_certificate_key /etc/ingress-controller/ssl/default-fake-certificate.pem;
  246.    
  247.     proxy_ssl_session_reuse on;
  248.    
  249.     upstream upstream_balancer {
  250.         ### Attention!!!
  251.         #
  252.         # We no longer create "upstream" section for every backend.
  253.         # Backends are handled dynamically using Lua. If you would like to debug
  254.         # and see what backends ingress-nginx has in its memory you can
  255.         # install our kubectl plugin https://kubernetes.github.io/ingress-nginx/kubectl-plugin.
  256.         # Once you have the plugin you can use "kubectl ingress-nginx backends" command to
  257.         # inspect current backends.
  258.         #
  259.         ###
  260.        
  261.         server 0.0.0.1; # placeholder
  262.        
  263.         balancer_by_lua_block {
  264.             balancer.balance()
  265.         }
  266.        
  267.         keepalive 320;
  268.        
  269.         keepalive_timeout  60s;
  270.         keepalive_requests 10000;
  271.        
  272.     }
  273.    
  274.     # Cache for internal auth checks
  275.     proxy_cache_path /tmp/nginx-cache-auth levels=1:2 keys_zone=auth_cache:10m max_size=128m inactive=30m use_temp_path=off;
  276.    
  277.     # Global filters
  278.    
  279.     ## start server _
  280.     server {
  281.         server_name _ ;
  282.        
  283.         listen 80 default_server reuseport backlog=4096 ;
  284.         listen 443 default_server reuseport backlog=4096 ssl http2 ;
  285.        
  286.         set $proxy_upstream_name "-";
  287.        
  288.         ssl_reject_handshake off;
  289.        
  290.         ssl_certificate_by_lua_block {
  291.             certificate.call()
  292.         }
  293.        
  294.         # Custom code snippet configured for host _
  295.         location = /mirror {
  296.             set $target_service "target-service";
  297.             set $auth_type "jwt";
  298.            
  299.             proxy_set_header x-request-uri $request_uri;
  300.             proxy_set_header x-target-service $target_service;
  301.            
  302.             internal;
  303.             log_subrequest on;
  304.             proxy_pass http://monitoring-producer-service:8080/$auth_type;
  305.             proxy_connect_timeout 200ms;
  306.             proxy_read_timeout 200ms;
  307.         }
  308.        
  309.         location / {
  310.            
  311.             set $namespace      "default";
  312.             set $ingress_name   "mirroring-ingress";
  313.             set $service_name   "target-service";
  314.             set $service_port   "80";
  315.             set $location_path  "/";
  316.             set $global_rate_limit_exceeding n;
  317.            
  318.             rewrite_by_lua_block {
  319.                 lua_ingress.rewrite({
  320.                     force_ssl_redirect = false,
  321.                     ssl_redirect = true,
  322.                     force_no_ssl_redirect = false,
  323.                     preserve_trailing_slash = false,
  324.                     use_port_in_redirects = false,
  325.                     global_throttle = { namespace = "", limit = 0, window_size = 0, key = { }, ignored_cidrs = { } },
  326.                 })
  327.                 balancer.rewrite()
  328.                 plugins.run()
  329.             }
  330.            
  331.             # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
  332.             # will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
  333.             # other authentication method such as basic auth or external auth useless - all requests will be allowed.
  334.             #access_by_lua_block {
  335.             #}
  336.            
  337.             header_filter_by_lua_block {
  338.                 lua_ingress.header()
  339.                 plugins.run()
  340.             }
  341.            
  342.             body_filter_by_lua_block {
  343.                 plugins.run()
  344.             }
  345.            
  346.             log_by_lua_block {
  347.                 balancer.log()
  348.                
  349.                 monitor.call()
  350.                
  351.                 plugins.run()
  352.             }
  353.            
  354.             port_in_redirect off;
  355.            
  356.             set $balancer_ewma_score -1;
  357.             set $proxy_upstream_name "default-target-service-80";
  358.             set $proxy_host          $proxy_upstream_name;
  359.             set $pass_access_scheme  $scheme;
  360.            
  361.             set $pass_server_port    $server_port;
  362.            
  363.             set $best_http_host      $http_host;
  364.             set $pass_port           $pass_server_port;
  365.            
  366.             set $proxy_alternative_upstream_name "";
  367.            
  368.             client_max_body_size                    1m;
  369.            
  370.             proxy_set_header Host                   $best_http_host;
  371.            
  372.             # Pass the extracted client certificate to the backend
  373.            
  374.             # Allow websocket connections
  375.             proxy_set_header                        Upgrade           $http_upgrade;
  376.            
  377.             proxy_set_header                        Connection        $connection_upgrade;
  378.            
  379.             proxy_set_header X-Request-ID           $req_id;
  380.             proxy_set_header X-Real-IP              $remote_addr;
  381.            
  382.             proxy_set_header X-Forwarded-For        $remote_addr;
  383.            
  384.             proxy_set_header X-Forwarded-Host       $best_http_host;
  385.             proxy_set_header X-Forwarded-Port       $pass_port;
  386.             proxy_set_header X-Forwarded-Proto      $pass_access_scheme;
  387.             proxy_set_header X-Forwarded-Scheme     $pass_access_scheme;
  388.            
  389.             proxy_set_header X-Scheme               $pass_access_scheme;
  390.            
  391.             # Pass the original X-Forwarded-For
  392.             proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
  393.            
  394.             # mitigate HTTPoxy Vulnerability
  395.             # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
  396.             proxy_set_header Proxy                  "";
  397.            
  398.             # Custom headers to proxied server
  399.            
  400.             proxy_connect_timeout                   5s;
  401.             proxy_send_timeout                      60s;
  402.             proxy_read_timeout                      60s;
  403.            
  404.             proxy_buffering                         off;
  405.             proxy_buffer_size                       4k;
  406.             proxy_buffers                           4 4k;
  407.            
  408.             proxy_max_temp_file_size                1024m;
  409.            
  410.             proxy_request_buffering                 on;
  411.             proxy_http_version                      1.1;
  412.            
  413.             proxy_cookie_domain                     off;
  414.             proxy_cookie_path                       off;
  415.            
  416.             # In case of errors try the next upstream server before returning an error
  417.             proxy_next_upstream                     error timeout;
  418.             proxy_next_upstream_timeout             0;
  419.             proxy_next_upstream_tries               3;
  420.            
  421.             mirror /mirror;
  422.             mirror_request_body off;
  423.            
  424.             proxy_pass http://upstream_balancer;
  425.            
  426.             proxy_redirect                          off;
  427.            
  428.         }
  429.        
  430.         # health checks in cloud providers require the use of port 80
  431.         location /healthz {
  432.            
  433.             access_log off;
  434.             return 200;
  435.         }
  436.        
  437.         # this is required to avoid error if nginx is being monitored
  438.         # with an external software (like sysdig)
  439.         location /nginx_status {
  440.            
  441.             allow 127.0.0.1;
  442.            
  443.             deny all;
  444.            
  445.             access_log off;
  446.             stub_status on;
  447.         }
  448.        
  449.     }
  450.     ## end server _
  451.    
  452.     # backend for when default-backend-service is not configured or it does not have endpoints
  453.     server {
  454.         listen 8181 default_server reuseport backlog=4096;
  455.        
  456.         set $proxy_upstream_name "internal";
  457.        
  458.         access_log off;
  459.        
  460.         location / {
  461.             return 404;
  462.         }
  463.     }
  464.    
  465.     # default server, used for NGINX healthcheck and access to nginx stats
  466.     server {
  467.         listen 127.0.0.1:10246;
  468.         set $proxy_upstream_name "internal";
  469.        
  470.         keepalive_timeout 0;
  471.         gzip off;
  472.        
  473.         access_log off;
  474.        
  475.         location /healthz {
  476.             return 200;
  477.         }
  478.        
  479.         location /is-dynamic-lb-initialized {
  480.             content_by_lua_block {
  481.                 local configuration = require("configuration")
  482.                 local backend_data = configuration.get_backends_data()
  483.                 if not backend_data then
  484.                 ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
  485.                 return
  486.                 end
  487.                
  488.                 ngx.say("OK")
  489.                 ngx.exit(ngx.HTTP_OK)
  490.             }
  491.         }
  492.        
  493.         location /nginx_status {
  494.             stub_status on;
  495.         }
  496.        
  497.         location /configuration {
  498.             client_max_body_size                    21M;
  499.             client_body_buffer_size                 21M;
  500.             proxy_buffering                         off;
  501.            
  502.             content_by_lua_block {
  503.                 configuration.call()
  504.             }
  505.         }
  506.        
  507.         location / {
  508.             content_by_lua_block {
  509.                 ngx.exit(ngx.HTTP_NOT_FOUND)
  510.             }
  511.         }
  512.     }
  513. }
  514.  
  515. stream {
  516.     lua_package_path "/etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/?.lua;;";
  517.    
  518.     lua_shared_dict tcp_udp_configuration_data 5M;
  519.    
  520.     init_by_lua_block {
  521.         collectgarbage("collect")
  522.        
  523.         -- init modules
  524.         local ok, res
  525.        
  526.         ok, res = pcall(require, "configuration")
  527.         if not ok then
  528.         error("require failed: " .. tostring(res))
  529.         else
  530.         configuration = res
  531.         end
  532.        
  533.         ok, res = pcall(require, "tcp_udp_configuration")
  534.         if not ok then
  535.         error("require failed: " .. tostring(res))
  536.         else
  537.         tcp_udp_configuration = res
  538.         tcp_udp_configuration.prohibited_localhost_port = '10246'
  539.        
  540.         end
  541.        
  542.         ok, res = pcall(require, "tcp_udp_balancer")
  543.         if not ok then
  544.         error("require failed: " .. tostring(res))
  545.         else
  546.         tcp_udp_balancer = res
  547.         end
  548.     }
  549.    
  550.     init_worker_by_lua_block {
  551.         tcp_udp_balancer.init_worker()
  552.     }
  553.    
  554.     lua_add_variable $proxy_upstream_name;
  555.    
  556.     log_format log_stream '[$remote_addr] [$time_local] $protocol $status $bytes_sent $bytes_received $session_time';
  557.    
  558.     access_log /var/log/nginx/access.log log_stream ;
  559.    
  560.     error_log  /var/log/nginx/error.log notice;
  561.    
  562.     upstream upstream_balancer {
  563.         server 0.0.0.1:1234; # placeholder
  564.        
  565.         balancer_by_lua_block {
  566.             tcp_udp_balancer.balance()
  567.         }
  568.     }
  569.    
  570.     server {
  571.         listen 127.0.0.1:10247;
  572.        
  573.         access_log off;
  574.        
  575.         content_by_lua_block {
  576.             tcp_udp_configuration.call()
  577.         }
  578.     }
  579.    
  580.     # TCP services
  581.    
  582.     # UDP services
  583.    
  584.     # Stream Snippets
  585.    
  586. }
  587.  
  588.  
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!