Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- $ 8exec zbms6 cat /etc/nginx/nginx.conf
- # Configuration checksum: 16399570357895000238
- # setup custom paths that do not require root access
- pid /tmp/nginx.pid;
- daemon off;
- worker_processes 40;
- worker_rlimit_nofile 25190;
- worker_shutdown_timeout 10s ;
- events {
- multi_accept on;
- worker_connections 16384;
- use epoll;
- }
- http {
- lua_package_path "/usr/local/openresty/site/lualib/?.ljbc;/usr/local/openresty/site/lualib/?/init.ljbc;/usr/local/openresty/lualib/?.ljbc;/usr/local/openresty/lualib/?/init.ljbc;/usr/local/openresty/site/lualib/?.lua;/usr/local/openresty/site/lualib/?/init.lua;/usr/local/openresty/lualib/?.lua;/usr/local/openresty/lualib/?/init.lua;./?.lua;/usr/local/openresty/luajit/share/luajit-2.1.0-beta3/?.lua;/usr/local/share/lua/5.1/?.lua;/usr/local/share/lua/5.1/?/init.lua;/usr/local/openresty/luajit/share/lua/5.1/?.lua;/usr/local/openresty/luajit/share/lua/5.1/?/init.lua;/usr/local/lib/lua/?.lua;;";
- lua_package_cpath "/usr/local/openresty/site/lualib/?.so;/usr/local/openresty/lualib/?.so;./?.so;/usr/local/lib/lua/5.1/?.so;/usr/local/openresty/luajit/lib/lua/5.1/?.so;/usr/local/lib/lua/5.1/loadall.so;/usr/local/openresty/luajit/lib/lua/5.1/?.so;;";
- lua_shared_dict configuration_data 15M;
- lua_shared_dict certificate_data 16M;
- init_by_lua_block {
- collectgarbage("collect")
- local lua_resty_waf = require("resty.waf")
- lua_resty_waf.init()
- -- init modules
- local ok, res
- ok, res = pcall(require, "lua_ingress")
- if not ok then
- error("require failed: " .. tostring(res))
- else
- lua_ingress = res
- lua_ingress.set_config({
- use_forwarded_headers = false,
- is_ssl_passthrough_enabled = false,
- http_redirect_code = 308,
- listen_ports = { ssl_proxy = "442", https = "443" },
- })
- end
- ok, res = pcall(require, "configuration")
- if not ok then
- error("require failed: " .. tostring(res))
- else
- configuration = res
- configuration.nameservers = { "180.76.76.76", "172.31.90.17" }
- end
- ok, res = pcall(require, "balancer")
- if not ok then
- error("require failed: " .. tostring(res))
- else
- balancer = res
- end
- ok, res = pcall(require, "monitor")
- if not ok then
- error("require failed: " .. tostring(res))
- else
- monitor = res
- end
- ok, res = pcall(require, "certificate")
- if not ok then
- error("require failed: " .. tostring(res))
- else
- certificate = res
- end
- ok, res = pcall(require, "plugins")
- if not ok then
- error("require failed: " .. tostring(res))
- else
- plugins = res
- end
- -- load all plugins that'll be used here
- plugins.init({})
- }
- init_worker_by_lua_block {
- lua_ingress.init_worker()
- balancer.init_worker()
- monitor.init_worker()
- plugins.run()
- }
- geoip_country /etc/nginx/geoip/GeoIP.dat;
- geoip_city /etc/nginx/geoip/GeoLiteCity.dat;
- geoip_org /etc/nginx/geoip/GeoIPASNum.dat;
- geoip_proxy_recursive on;
- aio threads;
- aio_write on;
- tcp_nopush on;
- tcp_nodelay on;
- log_subrequest on;
- reset_timedout_connection on;
- keepalive_timeout 75s;
- keepalive_requests 100;
- client_body_temp_path /tmp/client-body;
- fastcgi_temp_path /tmp/fastcgi-temp;
- proxy_temp_path /tmp/proxy-temp;
- ajp_temp_path /tmp/ajp-temp;
- client_header_buffer_size 1k;
- client_header_timeout 60s;
- large_client_header_buffers 4 8k;
- client_body_buffer_size 8k;
- client_body_timeout 60s;
- http2_max_field_size 4k;
- http2_max_header_size 16k;
- http2_max_requests 1000;
- types_hash_max_size 2048;
- server_names_hash_max_size 1024;
- server_names_hash_bucket_size 32;
- map_hash_bucket_size 64;
- proxy_headers_hash_max_size 512;
- proxy_headers_hash_bucket_size 64;
- variables_hash_bucket_size 128;
- variables_hash_max_size 2048;
- underscores_in_headers off;
- ignore_invalid_headers on;
- limit_req_status 503;
- limit_conn_status 503;
- include /etc/nginx/mime.types;
- default_type text/html;
- gzip on;
- gzip_comp_level 5;
- gzip_http_version 1.1;
- gzip_min_length 256;
- gzip_types application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component;
- gzip_proxied any;
- gzip_vary on;
- # Custom headers for response
- server_tokens on;
- # disable warnings
- uninitialized_variable_warn off;
- # Additional available variables:
- # $namespace
- # $ingress_name
- # $service_name
- # $service_port
- log_format upstreaminfo '$the_real_ip - [$the_real_ip] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] [$proxy_alternative_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status $req_id';
- map $request_uri $loggable {
- default 1;
- }
- access_log /var/log/nginx/access.log upstreaminfo if=$loggable;
- error_log /var/log/nginx/error.log notice;
- resolver 180.76.76.76 172.31.90.17 valid=30s;
- # See https://www.nginx.com/blog/websocket-nginx
- map $http_upgrade $connection_upgrade {
- default upgrade;
- # See http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
- '' '';
- }
- # The following is a sneaky way to do "set $the_real_ip $remote_addr"
- # Needed because using set is not allowed outside server blocks.
- map '' $the_real_ip {
- default $remote_addr;
- }
- # Reverse proxies can detect if a client provides a X-Request-ID header, and pass it on to the backend server.
- # If no such header is provided, it can provide a random value.
- map $http_x_request_id $req_id {
- default $http_x_request_id;
- "" $request_id;
- }
- # Create a variable that contains the literal $ character.
- # This works because the geo module will not resolve variables.
- geo $literal_dollar {
- default "$";
- }
- server_name_in_redirect off;
- port_in_redirect off;
- ssl_protocols TLSv1.2;
- # turn on session caching to drastically improve performance
- ssl_session_cache builtin:1000 shared:SSL:10m;
- ssl_session_timeout 10m;
- # allow configuring ssl session tickets
- ssl_session_tickets on;
- # slightly reduce the time-to-first-byte
- ssl_buffer_size 4k;
- # allow configuring custom ssl ciphers
- ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
- ssl_prefer_server_ciphers on;
- ssl_ecdh_curve auto;
- proxy_ssl_session_reuse on;
- upstream upstream_balancer {
- server 0.0.0.1; # placeholder
- balancer_by_lua_block {
- balancer.balance()
- }
- keepalive 32;
- keepalive_timeout 60s;
- keepalive_requests 100;
- }
- # Global filters
- ## start server _
- server {
- server_name _ ;
- listen 80 default_server reuseport backlog=32768;
- listen [::]:80 default_server reuseport backlog=32768;
- set $proxy_upstream_name "-";
- set $pass_access_scheme $scheme;
- set $pass_server_port $server_port;
- set $best_http_host $http_host;
- set $pass_port $pass_server_port;
- listen 443 default_server reuseport backlog=32768 ssl http2;
- listen [::]:443 default_server reuseport backlog=32768 ssl http2;
- # PEM sha: 468312431f9e5fa991282a5dcab937301b6c9e65
- ssl_certificate /etc/ingress-controller/ssl/default-fake-certificate.pem;
- ssl_certificate_key /etc/ingress-controller/ssl/default-fake-certificate.pem;
- ssl_certificate_by_lua_block {
- certificate.call()
- }
- location / {
- set $namespace "";
- set $ingress_name "";
- set $service_name "";
- set $service_port "0";
- set $location_path "/";
- rewrite_by_lua_block {
- lua_ingress.rewrite({
- force_ssl_redirect = false,
- use_port_in_redirects = false,
- })
- balancer.rewrite()
- plugins.run()
- }
- header_filter_by_lua_block {
- plugins.run()
- }
- body_filter_by_lua_block {
- }
- log_by_lua_block {
- balancer.log()
- monitor.call()
- plugins.run()
- }
- if ($scheme = https) {
- more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains";
- }
- access_log off;
- port_in_redirect off;
- set $balancer_ewma_score -1;
- set $proxy_upstream_name "upstream-default-backend";
- set $proxy_host $proxy_upstream_name;
- set $proxy_alternative_upstream_name "";
- client_max_body_size 1m;
- proxy_set_header Host $best_http_host;
- # Pass the extracted client certificate to the backend
- # Allow websocket connections
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
- proxy_set_header X-Request-ID $req_id;
- proxy_set_header X-Real-IP $the_real_ip;
- proxy_set_header X-Forwarded-For $the_real_ip;
- proxy_set_header X-Forwarded-Host $best_http_host;
- proxy_set_header X-Forwarded-Port $pass_port;
- proxy_set_header X-Forwarded-Proto $pass_access_scheme;
- proxy_set_header X-Original-URI $request_uri;
- proxy_set_header X-Scheme $pass_access_scheme;
- # Pass the original X-Forwarded-For
- proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
- # mitigate HTTPoxy Vulnerability
- # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
- proxy_set_header Proxy "";
- # Custom headers to proxied server
- proxy_connect_timeout 5s;
- proxy_send_timeout 60s;
- proxy_read_timeout 60s;
- proxy_buffering off;
- proxy_buffer_size 4k;
- proxy_buffers 4 4k;
- proxy_request_buffering on;
- proxy_http_version 1.1;
- proxy_cookie_domain off;
- proxy_cookie_path off;
- # In case of errors try the next upstream server before returning an error
- proxy_next_upstream error timeout;
- proxy_next_upstream_timeout 0;
- proxy_next_upstream_tries 3;
- proxy_pass http://upstream_balancer;
- proxy_redirect off;
- }
- # health checks in cloud providers require the use of port 80
- location /healthz {
- access_log off;
- return 200;
- }
- # this is required to avoid error if nginx is being monitored
- # with an external software (like sysdig)
- location /nginx_status {
- allow 127.0.0.1;
- allow ::1;
- deny all;
- access_log off;
- stub_status on;
- }
- }
- ## end server _
- ## start server fs.example.com
- server {
- server_name fs.example.com ;
- listen 80;
- listen [::]:80;
- set $proxy_upstream_name "-";
- set $pass_access_scheme $scheme;
- set $pass_server_port $server_port;
- set $best_http_host $http_host;
- set $pass_port $pass_server_port;
- location / {
- set $namespace "yunwei";
- set $ingress_name "fs1";
- set $service_name "fs";
- set $service_port "web";
- set $location_path "/";
- rewrite_by_lua_block {
- lua_ingress.rewrite({
- force_ssl_redirect = false,
- use_port_in_redirects = false,
- })
- balancer.rewrite()
- plugins.run()
- }
- header_filter_by_lua_block {
- plugins.run()
- }
- body_filter_by_lua_block {
- }
- log_by_lua_block {
- balancer.log()
- monitor.call()
- plugins.run()
- }
- port_in_redirect off;
- set $balancer_ewma_score -1;
- set $proxy_upstream_name "yunwei-fs-web";
- set $proxy_host $proxy_upstream_name;
- set $proxy_alternative_upstream_name "";
- client_max_body_size 1m;
- proxy_set_header Host $best_http_host;
- # Pass the extracted client certificate to the backend
- # Allow websocket connections
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
- proxy_set_header X-Request-ID $req_id;
- proxy_set_header X-Real-IP $the_real_ip;
- proxy_set_header X-Forwarded-For $the_real_ip;
- proxy_set_header X-Forwarded-Host $best_http_host;
- proxy_set_header X-Forwarded-Port $pass_port;
- proxy_set_header X-Forwarded-Proto $pass_access_scheme;
- proxy_set_header X-Original-URI $request_uri;
- proxy_set_header X-Scheme $pass_access_scheme;
- # Pass the original X-Forwarded-For
- proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
- # mitigate HTTPoxy Vulnerability
- # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
- proxy_set_header Proxy "";
- # Custom headers to proxied server
- proxy_connect_timeout 5s;
- proxy_send_timeout 60s;
- proxy_read_timeout 60s;
- proxy_buffering off;
- proxy_buffer_size 4k;
- proxy_buffers 4 4k;
- proxy_request_buffering on;
- proxy_http_version 1.1;
- proxy_cookie_domain off;
- proxy_cookie_path off;
- # In case of errors try the next upstream server before returning an error
- proxy_next_upstream error timeout;
- proxy_next_upstream_timeout 0;
- proxy_next_upstream_tries 3;
- proxy_pass http://upstream_balancer;
- proxy_redirect off;
- }
- }
- ## end server fs.example.com
- # backend for when default-backend-service is not configured or it does not have endpoints
- server {
- listen 8181 default_server reuseport backlog=32768;
- listen [::]:8181 default_server reuseport backlog=32768;
- set $proxy_upstream_name "internal";
- access_log off;
- location / {
- return 404;
- }
- }
- # default server, used for NGINX healthcheck and access to nginx stats
- server {
- listen unix:/tmp/nginx-status-server.sock;
- set $proxy_upstream_name "internal";
- keepalive_timeout 0;
- gzip off;
- access_log off;
- location /healthz {
- return 200;
- }
- location /is-dynamic-lb-initialized {
- content_by_lua_block {
- local configuration = require("configuration")
- local backend_data = configuration.get_backends_data()
- if not backend_data then
- ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
- return
- end
- ngx.say("OK")
- ngx.exit(ngx.HTTP_OK)
- }
- }
- location /nginx_status {
- stub_status on;
- }
- location /configuration {
- # this should be equals to configuration_data dict
- client_max_body_size 10m;
- client_body_buffer_size 10m;
- proxy_buffering off;
- content_by_lua_block {
- configuration.call()
- }
- }
- location / {
- content_by_lua_block {
- ngx.exit(ngx.HTTP_NOT_FOUND)
- }
- }
- }
- }
- stream {
- lua_package_cpath "/usr/local/lib/lua/?.so;/usr/lib/lua-platform-path/lua/5.1/?.so;;";
- lua_package_path "/etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/?.lua;/usr/local/lib/lua/?.lua;;";
- lua_shared_dict tcp_udp_configuration_data 5M;
- init_by_lua_block {
- collectgarbage("collect")
- -- init modules
- local ok, res
- ok, res = pcall(require, "configuration")
- if not ok then
- error("require failed: " .. tostring(res))
- else
- configuration = res
- configuration.nameservers = { "180.76.76.76", "172.31.90.17" }
- end
- ok, res = pcall(require, "tcp_udp_configuration")
- if not ok then
- error("require failed: " .. tostring(res))
- else
- tcp_udp_configuration = res
- end
- ok, res = pcall(require, "tcp_udp_balancer")
- if not ok then
- error("require failed: " .. tostring(res))
- else
- tcp_udp_balancer = res
- end
- }
- init_worker_by_lua_block {
- tcp_udp_balancer.init_worker()
- }
- lua_add_variable $proxy_upstream_name;
- log_format log_stream [$time_local] $protocol $status $bytes_sent $bytes_received $session_time;
- access_log /var/log/nginx/access.log log_stream ;
- error_log /var/log/nginx/error.log;
- upstream upstream_balancer {
- server 0.0.0.1:1234; # placeholder
- balancer_by_lua_block {
- tcp_udp_balancer.balance()
- }
- }
- server {
- listen unix:/tmp/ingress-stream.sock;
- content_by_lua_block {
- tcp_udp_configuration.call()
- }
- }
- # TCP services
- # UDP services
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement