- ## start server <hostname>
- # Virtual host for <hostname> with two regex locations, both proxied to http://upstream_balancer.
- # The Lua module names (lua_ingress, balancer, certificate) suggest this was generated by the ingress-nginx
- # controller - TODO confirm. If so, lasting changes belong in the Ingress resource, not in this file.
- # Values shown as "..." and <hostname> are masked in this listing.
- server {
- server_name <hostname> ;
- # Plain HTTP and TLS (HTTP/2) are both served by this block. Redirecting port 80 to HTTPS is left to the
- # Lua rewrite handler below (ssl_redirect = true); no nginx `return 301` is present here.
- listen 80 ;
- listen 443 ssl http2 ;
- # Placeholder value; each location overwrites it with its own upstream name.
- set $proxy_upstream_name "-";
- # The certificate is supplied from Lua during the TLS handshake. No static ssl_certificate directive
- # is visible in this server block.
- ssl_certificate_by_lua_block {
- certificate.call()
- }
- # Location 1: case-insensitive regex for the /154--push-to-gi prefix, followed by "/" or end of path.
- location ~* "^/154--push-to-gi(/|$)(.*)" {
- # Metadata variables; nothing in this block shows where they are read.
- set $namespace "...";
- set $ingress_name "...";
- set $service_name "...";
- set $service_port "5000";
- # ${literal_dollar} presumably expands to a literal "$" so the path regex can be stored in a variable - confirm.
- set $location_path "/154--push-to-gi(/|${literal_dollar})(.*)";
- set $global_rate_limit_exceeding n;
- rewrite_by_lua_block {
- -- ssl_redirect = true presumably makes the handler redirect plain-HTTP requests to HTTPS. The handler's
- -- code is not shown here, so verify with a request to port 80.
- -- global_throttle is all zero/empty: presumably no global rate limit applies to this location - confirm.
- lua_ingress.rewrite({
- force_ssl_redirect = false,
- ssl_redirect = true,
- force_no_ssl_redirect = false,
- preserve_trailing_slash = false,
- use_port_in_redirects = false,
- global_throttle = { namespace = "", limit = 0, window_size = 0, key = { }, ignored_cidrs = { } },
- })
- balancer.rewrite()
- plugins.run()
- }
- # Be careful when combining `access_by_lua_block` with `satisfy any`: an access_by_lua_block that never
- # calls `ngx.exit(ngx.DECLINED)` always succeeds, so `satisfy any` is always met. Other authentication
- # methods such as basic auth or external auth then become useless - all requests are allowed.
- # NOTE(review): no auth_basic, auth_request or Lua access check is visible in this location, so the proxy
- # forwards requests unauthenticated. Any authentication must be enforced by the backend.
- #access_by_lua_block {
- #}
- header_filter_by_lua_block {
- lua_ingress.header()
- plugins.run()
- }
- body_filter_by_lua_block {
- plugins.run()
- }
- log_by_lua_block {
- balancer.log()
- monitor.call()
- plugins.run()
- }
- port_in_redirect off;
- set $balancer_ewma_score -1;
- set $proxy_upstream_name "...";
- set $proxy_host $proxy_upstream_name;
- set $pass_access_scheme $scheme;
- set $pass_server_port $server_port;
- # $http_host is the Host header exactly as the client sent it.
- set $best_http_host $http_host;
- set $pass_port $pass_server_port;
- set $proxy_alternative_upstream_name "";
- # Requests whose declared body exceeds 1 MiB are rejected by nginx before reaching the backend.
- client_max_body_size 1m;
- # The client-supplied Host value is forwarded as-is. The backend should not build absolute URLs
- # (redirects, e-mailed links) from it without checking it against the expected hostname.
- proxy_set_header Host $best_http_host;
- # Pass the extracted client certificate to the backend
- # (no directive follows: no client-certificate header is forwarded by this location)
- # Allow websocket connections
- # $connection_upgrade and $req_id are defined outside this block.
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
- proxy_set_header X-Request-ID $req_id;
- # X-Real-IP and X-Forwarded-For are overwritten with the directly connected peer address, so a
- # client-supplied X-Forwarded-For is not propagated under that name. If another proxy or load balancer
- # sits in front, $remote_addr is that hop unless real-IP handling is configured elsewhere - confirm.
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header X-Forwarded-Host $best_http_host;
- proxy_set_header X-Forwarded-Port $pass_port;
- proxy_set_header X-Forwarded-Proto $pass_access_scheme;
- proxy_set_header X-Forwarded-Scheme $pass_access_scheme;
- proxy_set_header X-Scheme $pass_access_scheme;
- # Pass the original X-Forwarded-For
- # This value is whatever the client sent and is unauthenticated. Backends must not use
- # X-Original-Forwarded-For for access control, rate limiting or audit attribution.
- proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
- # mitigate HTTPoxy Vulnerability
- # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
- # An empty value means the Proxy request header is not passed to the upstream.
- proxy_set_header Proxy "";
- # Custom headers to proxied server
- # (none configured in this location)
- proxy_connect_timeout 5s;
- proxy_send_timeout 60s;
- proxy_read_timeout 60s;
- # Responses are streamed to the client unbuffered; request bodies are read in full before being sent upstream.
- proxy_buffering off;
- proxy_buffer_size 4k;
- proxy_buffers 4 4k;
- proxy_max_temp_file_size 1024m;
- proxy_request_buffering on;
- proxy_http_version 1.1;
- proxy_cookie_domain off;
- proxy_cookie_path off;
- # In case of errors try the next upstream server before returning an error
- # Retries happen only on connection errors and timeouts, at most 3 tries; a timeout of 0 puts no time limit on retrying.
- proxy_next_upstream error timeout;
- proxy_next_upstream_timeout 0;
- proxy_next_upstream_tries 3;
- # Strips the /154--push-to-gi prefix: $2 is the second capture, i.e. whatever follows the prefix.
- # `break` ends rewrite processing, so the request is proxied with the new URI.
- rewrite "(?i)/154--push-to-gi(/|$)(.*)" /$2 break;
- proxy_pass http://upstream_balancer;
- proxy_redirect off;
- }
- # Location 2: catch-all. "^/" matches every request path. nginx tests regex locations in file order, so
- # requests under the /154--push-to-gi prefix are taken by location 1 first.
- # Header, timeout and buffering directives mirror location 1; the notes there apply here as well.
- location ~* "^/" {
- # NOTE(review): the namespace appears in clear text here while location 1 masks it as "...".
- # Confirm this is intentional before sharing the listing further.
- set $namespace "ichor";
- set $ingress_name "...";
- set $service_name "...";
- set $service_port "5000";
- set $location_path "/";
- set $global_rate_limit_exceeding n;
- rewrite_by_lua_block {
- -- Same options as location 1: ssl_redirect = true, global_throttle all zero/empty.
- lua_ingress.rewrite({
- force_ssl_redirect = false,
- ssl_redirect = true,
- force_no_ssl_redirect = false,
- preserve_trailing_slash = false,
- use_port_in_redirects = false,
- global_throttle = { namespace = "", limit = 0, window_size = 0, key = { }, ignored_cidrs = { } },
- })
- balancer.rewrite()
- plugins.run()
- }
- # Be careful when combining `access_by_lua_block` with `satisfy any`: an access_by_lua_block that never
- # calls `ngx.exit(ngx.DECLINED)` always succeeds, so `satisfy any` is always met. Other authentication
- # methods such as basic auth or external auth then become useless - all requests are allowed.
- # NOTE(review): as in location 1, no authentication directive is visible for this catch-all location.
- #access_by_lua_block {
- #}
- header_filter_by_lua_block {
- lua_ingress.header()
- plugins.run()
- }
- body_filter_by_lua_block {
- plugins.run()
- }
- log_by_lua_block {
- balancer.log()
- monitor.call()
- plugins.run()
- }
- port_in_redirect off;
- set $balancer_ewma_score -1;
- set $proxy_upstream_name "...";
- set $proxy_host $proxy_upstream_name;
- set $pass_access_scheme $scheme;
- set $pass_server_port $server_port;
- # Client-supplied Host header, forwarded unchanged below.
- set $best_http_host $http_host;
- set $pass_port $pass_server_port;
- set $proxy_alternative_upstream_name "";
- client_max_body_size 1m;
- proxy_set_header Host $best_http_host;
- # Pass the extracted client certificate to the backend
- # (no directive follows: no client-certificate header is forwarded by this location)
- # Allow websocket connections
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
- proxy_set_header X-Request-ID $req_id;
- # Overwritten with the directly connected peer address; a client-supplied X-Forwarded-For is not reused here.
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header X-Forwarded-Host $best_http_host;
- proxy_set_header X-Forwarded-Port $pass_port;
- proxy_set_header X-Forwarded-Proto $pass_access_scheme;
- proxy_set_header X-Forwarded-Scheme $pass_access_scheme;
- proxy_set_header X-Scheme $pass_access_scheme;
- # Pass the original X-Forwarded-For
- # Client-controlled value; the backend must treat it as untrusted.
- proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
- # mitigate HTTPoxy Vulnerability
- # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
- proxy_set_header Proxy "";
- # Custom headers to proxied server
- # (none configured in this location)
- proxy_connect_timeout 5s;
- proxy_send_timeout 60s;
- proxy_read_timeout 60s;
- proxy_buffering off;
- proxy_buffer_size 4k;
- proxy_buffers 4 4k;
- proxy_max_temp_file_size 1024m;
- proxy_request_buffering on;
- proxy_http_version 1.1;
- proxy_cookie_domain off;
- proxy_cookie_path off;
- # In case of errors try the next upstream server before returning an error
- proxy_next_upstream error timeout;
- proxy_next_upstream_timeout 0;
- proxy_next_upstream_tries 3;
- # NOTE(review): the pattern "(?i)/" has no capture groups, so $2 is most likely empty and every request
- # handled here would be proxied as "/" whatever path was asked for. Confirm against the intended
- # rewrite target. If the file is generated, fix the source rule so the path regex defines the groups
- # the replacement refers to; do not edit this file by hand.
- rewrite "(?i)/" /$2 break;
- proxy_pass http://upstream_balancer;
- proxy_redirect off;
- }
- }
- ## end server <hostname>