eg7eg7

Untitled

Jan 5th, 2021

# Configuration checksum: 15722409614561727097

# setup custom paths that do not require root access
pid /tmp/nginx.pid;

# Stay in the foreground so the supervising process (presumably a container
# entrypoint) owns the nginx lifetime; with daemon on it would detach.
daemon off;

worker_processes 12;

# Per-process open-file limit; must cover worker_connections (events block)
# plus upstream sockets and open files.
worker_rlimit_nofile 86357;

# How long old workers may keep serving in-flight requests after a reload
# before they are forcibly closed.
worker_shutdown_timeout 240s ;

events {
    # Accept every pending connection per wake-up rather than one at a time.
    multi_accept on;
    # Per-worker cap; with worker_processes 12 above this bounds total
    # concurrent connections (clients plus upstream sockets) at 12 * 16384.
    worker_connections 16384;
    use epoll;
}

http {
    # Search path for the Lua modules required in init_by_lua_block below.
    lua_package_path "/etc/nginx/lua/?.lua;;";

    # Shared-memory zones for the Lua modules. The names suggest their owners
    # (balancer EWMA state, certificate/OCSP data, dynamic configuration);
    # confirm against the Lua sources, which are not part of this file.
    lua_shared_dict balancer_ewma 10M;
    lua_shared_dict balancer_ewma_last_touched_at 10M;
    lua_shared_dict balancer_ewma_locks 1M;
    lua_shared_dict certificate_data 20M;
    lua_shared_dict certificate_servers 5M;
    lua_shared_dict configuration_data 20M;
    lua_shared_dict ocsp_response_cache 5M;

    # Runs once in the master process at startup. Every module is loaded
    # through pcall and a failure calls error(), so a missing or broken module
    # aborts startup instead of leaving a nil global to fail on the first
    # request.
    init_by_lua_block {
        collectgarbage("collect")

        -- init modules
        local ok, res

        ok, res = pcall(require, "lua_ingress")
        if not ok then
            error("require failed: " .. tostring(res))
        else
            lua_ingress = res
            lua_ingress.set_config({
                -- Client-supplied X-Forwarded-* headers are not trusted for the
                -- client address; the proxy_set_header lines below forward
                -- $remote_addr instead.
                use_forwarded_headers = false,
                use_proxy_protocol = false,
                -- TLS passthrough is enabled: the server blocks below listen
                -- for TLS on 442 with proxy_protocol (ssl_proxy) rather than
                -- directly on 443.
                is_ssl_passthrough_enabled = true,
                http_redirect_code = 308,
                listen_ports = { ssl_proxy = "442", https = "443" },

                -- HSTS: max-age 15724800s (~26 weeks), includeSubDomains set,
                -- not marked for browser preload lists.
                hsts = true,
                hsts_max_age = 15724800,
                hsts_include_subdomains = true,
                hsts_preload = false,
            })
        end

        ok, res = pcall(require, "configuration")
        if not ok then
            error("require failed: " .. tostring(res))
        else
            configuration = res
        end

        ok, res = pcall(require, "balancer")
        if not ok then
            error("require failed: " .. tostring(res))
        else
            balancer = res
        end

        ok, res = pcall(require, "monitor")
        if not ok then
            error("require failed: " .. tostring(res))
        else
            monitor = res
        end

        ok, res = pcall(require, "certificate")
        if not ok then
            error("require failed: " .. tostring(res))
        else
            certificate = res
            -- OCSP stapling is switched off; the ocsp_response_cache zone
            -- declared above is presumably unused while this stays false.
            certificate.is_ocsp_stapling_enabled = false
        end

        ok, res = pcall(require, "plugins")
        if not ok then
            error("require failed: " .. tostring(res))
        else
            plugins = res
        end
        -- load all plugins that'll be used here
        -- (empty list: no plugins are enabled in this configuration)
        plugins.init({ })
    }

    # Runs in each worker after fork: per-worker state and timers for the
    # modules loaded above.
    init_worker_by_lua_block {
        lua_ingress.init_worker()
        balancer.init_worker()

        -- 10000 is handed to the monitor module; its unit (presumably a
        -- flush interval in ms) is not visible from this file.
        monitor.init_worker(10000)

        plugins.run()
    }

    # Legacy GeoIP .dat databases. geoip_proxy_recursive only takes effect
    # when geoip_proxy trusted ranges are configured, and none are in this
    # file, so lookups use the direct peer address.
    geoip_country /etc/nginx/geoip/GeoIP.dat;
    geoip_city /etc/nginx/geoip/GeoLiteCity.dat;
    geoip_org /etc/nginx/geoip/GeoIPASNum.dat;
    geoip_proxy_recursive on;

    aio threads;
    aio_write on;

    tcp_nopush on;
    tcp_nodelay on;

    # Subrequests (e.g. auth subrequests) appear in the access log too.
    log_subrequest on;

    # Free socket resources immediately when a client times out.
    reset_timedout_connection on;

    keepalive_timeout 75s;
    keepalive_requests 100;

    # Temp paths under /tmp, consistent with the non-root setup noted at the
    # top of the file.
    client_body_temp_path /tmp/client-body;
    fastcgi_temp_path /tmp/fastcgi-temp;
    proxy_temp_path /tmp/proxy-temp;
    ajp_temp_path /tmp/ajp-temp;

    # Bounds on memory a single client's headers/body may occupy and how long
    # nginx waits for them; requests exceeding the header buffers are
    # rejected by nginx itself.
    client_header_buffer_size 1k;
    client_header_timeout 60s;
    large_client_header_buffers 4 8k;
    client_body_buffer_size 8k;
    client_body_timeout 60s;

    # HTTP/2 header-size and per-connection limits (HPACK field size, total
    # header block, requests per connection, concurrent streams).
    http2_max_field_size 4k;
    http2_max_header_size 16k;
    http2_max_requests 1000;
    http2_max_concurrent_streams 128;

    types_hash_max_size 2048;
    server_names_hash_max_size 1024;
    server_names_hash_bucket_size 32;
    map_hash_bucket_size 64;

    proxy_headers_hash_max_size 512;
    proxy_headers_hash_bucket_size 64;

    variables_hash_bucket_size 256;
    variables_hash_max_size 2048;

    # Headers with underscores or otherwise invalid names are dropped rather
    # than forwarded to the backend (reduces header-smuggling surface).
    underscores_in_headers off;
    ignore_invalid_headers on;

    # Status codes for rate/connection limits. No limit_req_zone or
    # limit_conn_zone is declared in this file, so these only apply if limits
    # are added in included or generated locations.
    limit_req_status 503;
    limit_conn_status 503;

    include /etc/nginx/mime.types;
    default_type text/html;

    # Custom headers for response

    # Suppress version disclosure: server_tokens hides the version and
    # more_clear_headers (headers-more module) removes the Server header
    # entirely, including from upstream responses.
    server_tokens off;

    more_clear_headers Server;

    # disable warnings
    uninitialized_variable_warn off;

    # Additional available variables:
    # $namespace
    # $ingress_name
    # $service_name
    # $service_port
    # $req_id comes from the map further down; $proxy_upstream_name and
    # $proxy_alternative_upstream_name are set per location.
    log_format upstreaminfo '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] [$proxy_alternative_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status $req_id';

    # Every request is loggable (default 1, no URI exclusions configured).
    map $request_uri $loggable {

        default 1;
    }

    access_log /var/log/nginx/access.log upstreaminfo if=$loggable;

    error_log /var/log/nginx/error.log notice;

    # Cluster DNS resolver; AAAA lookups disabled, answers re-resolved every 30s.
    resolver 10.96.0.10 valid=30s ipv6=off;

    # See https://www.nginx.com/blog/websocket-nginx
    map $http_upgrade $connection_upgrade {
        default upgrade;

        # See http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
        '' '';

    }

    # Reverse proxies can detect if a client provides a X-Request-ID header, and pass it on to the backend server.
    # If no such header is provided, it can provide a random value.
    # NOTE(review): the client-supplied value is passed through verbatim with
    # no length or character restriction; backends that log it should treat
    # it as untrusted input.
    map $http_x_request_id $req_id {
        default $http_x_request_id;

        "" $request_id;

    }

    # Create a variable that contains the literal $ character.
    # This works because the geo module will not resolve variables.
    geo $literal_dollar {
        default "$";
    }

    server_name_in_redirect off;
    port_in_redirect off;

    # TLS 1.0/1.1 are not offered.
    ssl_protocols TLSv1.2 TLSv1.3;

    # 0-RTT is disabled, so TLS 1.3 early data cannot be replayed.
    ssl_early_data off;

    # turn on session caching to drastically improve performance

    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_session_timeout 10m;

    # allow configuring ssl session tickets
    # Tickets are off: resumption uses only the server-side cache above, so
    # there is no long-lived ticket key to protect.
    ssl_session_tickets off;

    # slightly reduce the time-to-first-byte
    ssl_buffer_size 4k;

    # allow configuring custom ssl ciphers
    # All listed suites are AEAD with (EC)DHE key exchange, i.e. forward secret.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;

    ssl_ecdh_curve auto;

    # PEM sha: 2565c5673fb7e896600a2b2eb6374ff49b71dec2
    # Self-signed placeholder certificate presented when no real certificate
    # is selected; the per-server ssl_certificate_by_lua_block
    # (certificate.call()) presumably swaps in the real one.
    ssl_certificate /etc/ingress-controller/ssl/default-fake-certificate.pem;
    ssl_certificate_key /etc/ingress-controller/ssl/default-fake-certificate.pem;

    proxy_ssl_session_reuse on;

    upstream upstream_balancer {
        ### Attention!!!
        #
        # We no longer create "upstream" section for every backend.
        # Backends are handled dynamically using Lua. If you would like to debug
        # and see what backends ingress-nginx has in its memory you can
        # install our kubectl plugin https://kubernetes.github.io/ingress-nginx/kubectl-plugin.
        # Once you have the plugin you can use "kubectl ingress-nginx backends" command to
        # inspect current backends.
        #
        ###

        server 0.0.0.1; # placeholder

        # The real peer is chosen per request by the Lua balancer.
        balancer_by_lua_block {
            balancer.balance()
        }

        keepalive 320;

        keepalive_timeout 60s;
        keepalive_requests 10000;

    }

    # Cache for internal auth checks
    # Declared here but no location in this file references auth_cache.
    proxy_cache_path /tmp/nginx-cache-auth levels=1:2 keys_zone=auth_cache:10m max_size=128m inactive=30m use_temp_path=off;

    # Global filters

    ## start server _
    # Catch-all default server for hosts that match no other server_name.
    # Note there is no ssl_redirect for it (see rewrite_by_lua_block below).
    server {
        server_name _ ;

        listen 80 default_server reuseport backlog=4096 ;
        # 442 receives TLS passthrough traffic with PROXY protocol, so
        # $remote_addr is the original client address, not the passthrough hop.
        listen 442 proxy_protocol default_server reuseport backlog=4096 ssl http2 ;

        set $proxy_upstream_name "-";

        ssl_certificate_by_lua_block {
            certificate.call()
        }

        location / {

            set $namespace "";
            set $ingress_name "";
            set $service_name "";
            set $service_port "";
            set $location_path "";

            rewrite_by_lua_block {
                lua_ingress.rewrite({
                    force_ssl_redirect = false,
                    ssl_redirect = false,
                    force_no_ssl_redirect = false,
                    use_port_in_redirects = false,
                })
                balancer.rewrite()
                plugins.run()
            }

            # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
            # will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
            # other authentication method such as basic auth or external auth useless - all requests will be allowed.
            #access_by_lua_block {
            #}

            header_filter_by_lua_block {
                lua_ingress.header()
                plugins.run()
            }

            body_filter_by_lua_block {
            }

            log_by_lua_block {
                balancer.log()

                monitor.call()

                plugins.run()
            }

            # Requests hitting the catch-all server are not written to the
            # access log (the monitor.call() above still sees them).
            access_log off;

            port_in_redirect off;

            set $balancer_ewma_score -1;
            set $proxy_upstream_name "upstream-default-backend";
            set $proxy_host $proxy_upstream_name;
            set $pass_access_scheme $scheme;

            set $pass_server_port $server_port;

            set $best_http_host $http_host;
            set $pass_port $pass_server_port;

            set $proxy_alternative_upstream_name "";

            client_max_body_size 1m;

            proxy_set_header Host $best_http_host;

            # Pass the extracted client certificate to the backend

            # Allow websocket connections
            proxy_set_header Upgrade $http_upgrade;

            proxy_set_header Connection $connection_upgrade;

            proxy_set_header X-Request-ID $req_id;
            proxy_set_header X-Real-IP $remote_addr;

            # X-Forwarded-For is replaced with the direct peer address rather
            # than appended to (use_forwarded_headers = false); the client's
            # original header is forwarded separately as X-Original-Forwarded-For.
            proxy_set_header X-Forwarded-For $remote_addr;

            proxy_set_header X-Forwarded-Host $best_http_host;
            proxy_set_header X-Forwarded-Port $pass_port;
            proxy_set_header X-Forwarded-Proto $pass_access_scheme;

            proxy_set_header X-Scheme $pass_access_scheme;

            # Pass the original X-Forwarded-For
            proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;

            # mitigate HTTPoxy Vulnerability
            # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
            proxy_set_header Proxy "";

            # Custom headers to proxied server

            proxy_connect_timeout 5s;
            proxy_send_timeout 60s;
            proxy_read_timeout 60s;

            # Responses are streamed to the client; requests are fully buffered
            # before being sent upstream (proxy_request_buffering on below).
            proxy_buffering off;
            proxy_buffer_size 4k;
            proxy_buffers 4 4k;

            proxy_max_temp_file_size 1024m;

            proxy_request_buffering on;
            proxy_http_version 1.1;

            proxy_cookie_domain off;
            proxy_cookie_path off;

            # In case of errors try the next upstream server before returning an error
            # Only connection errors and timeouts trigger a retry; a non-idempotent
            # request that timed out mid-flight may therefore be sent again.
            proxy_next_upstream error timeout;
            proxy_next_upstream_timeout 0;
            proxy_next_upstream_tries 3;

            proxy_pass http://upstream_balancer;

            proxy_redirect off;

        }

        # health checks in cloud providers require the use of port 80
        location /healthz {

            access_log off;
            return 200;
        }

        # this is required to avoid error if nginx is being monitored
        # with an external software (like sysdig)
        # stub_status is reachable only from loopback; everything else is
        # denied (and the denial is not logged because access_log is off).
        location /nginx_status {

            allow 127.0.0.1;

            deny all;

            access_log off;
            stub_status on;
        }

    }
    ## end server _

    ## start server admin.d.co.il
    server {
        server_name admin.d.co.il ;

        listen 80 ;
        listen 442 proxy_protocol ssl http2 ;

        set $proxy_upstream_name "-";

        ssl_certificate_by_lua_block {
            certificate.call()
        }

        location / {

            set $namespace "default";
            set $ingress_name "d-ingress";
            set $service_name "admin";
            set $service_port "443";
            set $location_path "/";

            rewrite_by_lua_block {
                lua_ingress.rewrite({
                    force_ssl_redirect = false,
                    -- Plain-HTTP requests for this host are redirected to HTTPS
                    -- (presumably with the http_redirect_code 308 configured
                    -- in init_by_lua_block).
                    ssl_redirect = true,
                    force_no_ssl_redirect = false,
                    use_port_in_redirects = false,
                })
                balancer.rewrite()
                plugins.run()
            }

            # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
            # will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
            # other authentication method such as basic auth or external auth useless - all requests will be allowed.
            #access_by_lua_block {
            #}

            header_filter_by_lua_block {
                lua_ingress.header()
                plugins.run()
            }

            body_filter_by_lua_block {
            }

            log_by_lua_block {
                balancer.log()

                monitor.call()

                plugins.run()
            }

            port_in_redirect off;

            set $balancer_ewma_score -1;
            set $proxy_upstream_name "default-admin-443";
            set $proxy_host $proxy_upstream_name;
            set $pass_access_scheme $scheme;

            set $pass_server_port $server_port;

            set $best_http_host $http_host;
            set $pass_port $pass_server_port;

            set $proxy_alternative_upstream_name "";

            client_max_body_size 1m;

            proxy_set_header Host $best_http_host;

            # Pass the extracted client certificate to the backend

            # Allow websocket connections
            proxy_set_header Upgrade $http_upgrade;

            proxy_set_header Connection $connection_upgrade;

            proxy_set_header X-Request-ID $req_id;
            proxy_set_header X-Real-IP $remote_addr;

            # X-Forwarded-For carries the direct peer address only; the client's
            # original header is forwarded as X-Original-Forwarded-For below.
            proxy_set_header X-Forwarded-For $remote_addr;

            proxy_set_header X-Forwarded-Host $best_http_host;
            proxy_set_header X-Forwarded-Port $pass_port;
            proxy_set_header X-Forwarded-Proto $pass_access_scheme;

            proxy_set_header X-Scheme $pass_access_scheme;

            # Pass the original X-Forwarded-For
            proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;

            # mitigate HTTPoxy Vulnerability
            # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
            proxy_set_header Proxy "";

            # Custom headers to proxied server

            proxy_connect_timeout 5s;
            proxy_send_timeout 60s;
            proxy_read_timeout 60s;

            proxy_buffering off;
            proxy_buffer_size 4k;
            proxy_buffers 4 4k;

            proxy_max_temp_file_size 1024m;

            proxy_request_buffering on;
            proxy_http_version 1.1;

            proxy_cookie_domain off;
            proxy_cookie_path off;

            # In case of errors try the next upstream server before returning an error
            proxy_next_upstream error timeout;
            proxy_next_upstream_timeout 0;
            proxy_next_upstream_tries 3;

            # TLS to the backend (service port 443). No proxy_ssl_verify or
            # proxy_ssl_trusted_certificate is set here, so nginx's default
            # (proxy_ssl_verify off) applies and the backend certificate is
            # not validated; the hop is encrypted but not authenticated.
            proxy_pass https://upstream_balancer;

            proxy_redirect off;

        }

    }
    ## end server admin.d.co.il

    # backend for when default-backend-service is not configured or it does not have endpoints
    # Listens on all interfaces (no allow/deny); every path returns 404.
    server {
        listen 8181 default_server reuseport backlog=4096;

        set $proxy_upstream_name "internal";

        access_log off;

        location / {
            return 404;
        }
    }

    # default server, used for NGINX healthcheck and access to nginx stats
    # Bound to loopback only. Nothing in this server carries its own
    # authentication, so the loopback bind is the sole access control: any
    # process that can reach 127.0.0.1:10246 can read stats or push a new
    # configuration through /configuration.
    server {
        listen 127.0.0.1:10246;
        set $proxy_upstream_name "internal";

        keepalive_timeout 0;
        gzip off;

        access_log off;

        location /healthz {
            return 200;
        }

        # Readiness-style check: 500 until the Lua balancer has backend data.
        location /is-dynamic-lb-initialized {
            content_by_lua_block {
                local configuration = require("configuration")
                local backend_data = configuration.get_backends_data()
                if not backend_data then
                    ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
                    return
                end

                ngx.say("OK")
                ngx.exit(ngx.HTTP_OK)
            }
        }

        # No allow/deny here, unlike the public server's /nginx_status; the
        # server-level loopback bind is the only restriction.
        location /nginx_status {
            stub_status on;
        }

        # Accepts request bodies up to 21m and hands them to
        # configuration.call(), which updates the dynamic backend/certificate
        # state held in the lua_shared_dict zones.
        location /configuration {
            client_max_body_size 21m;
            client_body_buffer_size 21m;
            proxy_buffering off;

            content_by_lua_block {
                configuration.call()
            }
        }

        location / {
            content_by_lua_block {
                ngx.exit(ngx.HTTP_NOT_FOUND)
            }
        }
    }
}

stream {
    # Separate Lua search path for the TCP/UDP modules (includes vendor/).
    lua_package_path "/etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/?.lua;;";

    lua_shared_dict tcp_udp_configuration_data 5M;

    # Same load-or-abort pattern as the http block: a module that fails to
    # require stops nginx at startup via error().
    init_by_lua_block {
        collectgarbage("collect")

        -- init modules
        local ok, res

        ok, res = pcall(require, "configuration")
        if not ok then
            error("require failed: " .. tostring(res))
        else
            configuration = res
        end

        ok, res = pcall(require, "tcp_udp_configuration")
        if not ok then
            error("require failed: " .. tostring(res))
        else
            tcp_udp_configuration = res
        end

        ok, res = pcall(require, "tcp_udp_balancer")
        if not ok then
            error("require failed: " .. tostring(res))
        else
            tcp_udp_balancer = res
        end
    }

    init_worker_by_lua_block {
        tcp_udp_balancer.init_worker()
    }

    # Declares the variable so the Lua balancer can set it per session.
    lua_add_variable $proxy_upstream_name;

    log_format log_stream '[$remote_addr] [$time_local] $protocol $status $bytes_sent $bytes_received $session_time';

    # Same log files as the http block; entries are distinguished by format.
    access_log /var/log/nginx/access.log log_stream ;

    error_log /var/log/nginx/error.log notice;

    upstream upstream_balancer {
        server 0.0.0.1:1234; # placeholder

        # Peer selection is done per session by the Lua balancer.
        balancer_by_lua_block {
            tcp_udp_balancer.balance()
        }
    }

    # Loopback-only control endpoint for the stream configuration; as with
    # 127.0.0.1:10246 in the http block there is no authentication beyond the
    # bind address, so anything reaching this port can push stream config.
    server {
        listen 127.0.0.1:10247;

        access_log off;

        content_by_lua_block {
            tcp_udp_configuration.call()
        }
    }

    # TCP services
    # (none configured)

    # UDP services
    # (none configured)

}

