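daemon off;
worker_processes 16;
pid /run/nginx.pid;
worker_rlimit_nofile 64512;
worker_shutdown_timeout 10s ;

events {
    multi_accept on;
    worker_connections 16384;
    use epoll;
}

http {
    # Client-address recovery. set_real_ip_from 0.0.0.0/0 trusts every peer to
    # supply X-Forwarded-For, so $remote_addr (and anything evaluated against
    # it, e.g. allow/deny lists further down) is chosen by whoever sets that
    # header. NOTE(review): restrict this to the fronting load balancer's
    # source range (<LB_CIDR>, placeholder) — confirm against the controller's
    # real-ip configuration.
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;
    set_real_ip_from 0.0.0.0/0;

    geoip_country /etc/nginx/GeoIP.dat;
    geoip_city /etc/nginx/GeoLiteCity.dat;
    geoip_proxy_recursive on;

    vhost_traffic_status_zone shared:vhost_traffic_status:10m;
    vhost_traffic_status_filter_by_set_key $geoip_country_code country::*;

    sendfile on;
    aio threads;
    aio_write on;
    tcp_nopush on;
    tcp_nodelay on;
    log_subrequest on;
    reset_timedout_connection on;
    keepalive_timeout 0s;
    keepalive_requests 100;

    client_header_buffer_size 1k;
    client_header_timeout 60s;
    # Upper bound on header memory an unauthenticated client can tie up per
    # connection (4 x 256k); generous compared with the 1k default buffer.
    large_client_header_buffers 4 256k;
    client_body_buffer_size 8k;
    client_body_timeout 60s;

    http2_max_field_size 4k;
    http2_max_header_size 16k;

    types_hash_max_size 2048;
    server_names_hash_max_size 1024;
    server_names_hash_bucket_size 128;
    map_hash_bucket_size 64;

    proxy_headers_hash_max_size 512;
    proxy_headers_hash_bucket_size 64;

    variables_hash_bucket_size 64;
    variables_hash_max_size 2048;

    # Drop ambiguous header names instead of forwarding them to backends.
    underscores_in_headers off;
    ignore_invalid_headers on;

    include /etc/nginx/mime.types;
    default_type text/html;

    # NOTE(review): compressing responses that mix secrets with
    # attacker-influenced content is a known TLS side channel (BREACH);
    # gzip_proxied any applies compression to proxied responses as well —
    # confirm this is acceptable for the applications behind this proxy.
    gzip on;
    gzip_comp_level 5;
    gzip_http_version 1.1;
    gzip_min_length 256;
    gzip_types application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component;
    gzip_proxied any;

    # Custom headers for response

    server_tokens off;

    # disable warnings
    uninitialized_variable_warn off;

    # Additional available variables:
    # $namespace
    # $ingress_name
    # $service_name
    log_format upstreaminfo '$the_real_ip - [$the_real_ip] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status';

    map $request_uri $loggable {
        default 1;
    }

    # Access logging is off globally; only the error log is written, so the
    # upstreaminfo format above is defined but unused here.
    access_log off;
    error_log /var/log/nginx/error.log notice;

    resolver 10.3.z.a valid=30s;

    # Retain the default nginx handling of requests without a "Connection" header
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' keep-alive;
    }

    # Trust HTTP X-Forwarded-* Headers, but use direct values if they're missing.
    # $http_x_forwarded_for is the raw header value: if it carries a
    # comma-separated chain, the whole chain is propagated, so the geo lookup
    # and the X-Real-IP header built from $the_real_ip may see a list rather
    # than one address.
    map $http_x_forwarded_for $the_real_ip {
        # Get IP address from X-Forwarded-For HTTP header
        default $http_x_forwarded_for;
        '' $remote_addr;
    }

    # trust http_x_forwarded_proto headers correctly indicate ssl offloading
    map $http_x_forwarded_proto $pass_access_scheme {
        default $http_x_forwarded_proto;
        '' $scheme;
    }

    map $http_x_forwarded_port $pass_server_port {
        default $http_x_forwarded_port;
        '' $server_port;
    }

    map $http_x_forwarded_host $best_http_host {
        default $http_x_forwarded_host;
        '' $this_host;
    }

    map $pass_server_port $pass_port {
        443 443;
        default $pass_server_port;
    }

    # Map a response error watching the header Content-Type
    map $http_accept $httpAccept {
        default html;
        application/json json;
        application/xml xml;
        text/plain text;
    }

    map $httpAccept $httpReturnType {
        default text/html;
        json application/json;
        xml application/xml;
        text text/plain;
    }

    # Obtain best http host
    map $http_host $this_host {
        default $http_host;
        '' $host;
    }

    server_name_in_redirect off;
    port_in_redirect off;

    # TLS 1.0 and 1.1 removed: both are deprecated, and the only ssl listeners
    # in this file belong to the default server (fake certificate), so the
    # compatibility impact is confined to that listener.
    ssl_protocols TLSv1.2;

    # turn on session caching to drastically improve performance
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_session_timeout 10m;

    # allow configuring ssl session tickets
    # NOTE(review): no ssl_session_ticket_key is configured, so the ticket key
    # presumably persists until the next reload, which limits forward secrecy
    # for resumed sessions — confirm rotation policy.
    ssl_session_tickets on;

    # slightly reduce the time-to-first-byte
    ssl_buffer_size 4k;

    # allow configuring custom ssl ciphers
    # Forward-secret (ECDHE/DHE) suites only. Dropped from the original list:
    # the static-RSA AES suites (no forward secrecy), the blanket AES and
    # CAMELLIA aliases (which admit suites not named explicitly) and
    # DES-CBC3-SHA (3DES, SWEET32); !3DES added so no 3DES suite can return.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve auto;

    # Each listed status is routed to an internal @custom_NNN location that
    # rewrites to / and proxies to the default backend with the code in X-Code.
    error_page 400 = @custom_400;
    error_page 402 = @custom_402;
    error_page 403 = @custom_403;
    error_page 404 = @custom_404;
    error_page 405 = @custom_405;
    error_page 406 = @custom_406;
    error_page 407 = @custom_407;
    error_page 408 = @custom_408;
    error_page 409 = @custom_409;
    error_page 410 = @custom_410;
    error_page 411 = @custom_411;
    error_page 412 = @custom_412;
    error_page 413 = @custom_413;
    error_page 414 = @custom_414;
    error_page 415 = @custom_415;
    error_page 416 = @custom_416;
    error_page 417 = @custom_417;
    error_page 418 = @custom_418;
    error_page 420 = @custom_420;
    error_page 422 = @custom_422;
    error_page 423 = @custom_423;
    error_page 424 = @custom_424;
    error_page 426 = @custom_426;
    error_page 428 = @custom_428;
    error_page 429 = @custom_429;
    error_page 431 = @custom_431;
    error_page 444 = @custom_444;
    error_page 449 = @custom_449;
    error_page 450 = @custom_450;
    error_page 451 = @custom_451;
    error_page 500 = @custom_500;
    error_page 501 = @custom_501;
    error_page 502 = @custom_502;
    error_page 503 = @custom_503;
    error_page 504 = @custom_504;
    error_page 505 = @custom_505;
    error_page 506 = @custom_506;
    error_page 507 = @custom_507;
    error_page 508 = @custom_508;
    error_page 509 = @custom_509;
    error_page 510 = @custom_510;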
error_page 511 = @custom_511;

proxy_ssl_session_reuse on;

# Backend pools. max_fails=0 disables passive health marking, so a failing
# member is never taken out of rotation here; only proxy_next_upstream in the
# locations below moves a request to another member.
upstream default-api-8000 {
    # Load balance algorithm; empty for round robin, which is the default
    least_conn;
    keepalive 32;
    server 10.1.x.a:8000 max_fails=0 fail_timeout=0;
    server 10.1.x.b:8000 max_fails=0 fail_timeout=0;
    server 10.1.x.c:8000 max_fails=0 fail_timeout=0;
    server 10.1.x.d:8000 max_fails=0 fail_timeout=0;
    server 10.1.x.e:8000 max_fails=0 fail_timeout=0;
    server 10.1.x.f:8000 max_fails=0 fail_timeout=0;
}

# Target for unmatched hosts and for every @custom_NNN error location.
upstream upstream-default-backend {
    # Load balance algorithm; empty for round robin, which is the default
    least_conn;
    keepalive 32;
    server 10.1.x.g:8080 max_fails=0 fail_timeout=0;
    server 10.1.x.h:8080 max_fails=0 fail_timeout=0;
    server 10.1.x.i:8080 max_fails=0 fail_timeout=0;
    server 10.1.x.j:8080 max_fails=0 fail_timeout=0;
    server 10.1.x.k:8080 max_fails=0 fail_timeout=0;
    server 10.1.x.l:8080 max_fails=0 fail_timeout=0;
}

upstream default-developer-kibana-ui {
    # Load balance algorithm; empty for round robin, which is the default
    least_conn;
    keepalive 32;
    server 10.1.x.m:5601 max_fails=0 fail_timeout=0;
}

upstream default-portal-80 {
    # Load balance algorithm; empty for round robin, which is the default
    least_conn;
    keepalive 32;
    server 10.1.x.n:80 max_fails=0 fail_timeout=0;
    server 10.1.x.o:80 max_fails=0 fail_timeout=0;
}

upstream default-admin-console-80 {
    # Load balance algorithm; empty for round robin, which is the default
    least_conn;
    keepalive 32;
    server 10.1.x.p:80 max_fails=0 fail_timeout=0;
    server 10.1.x.q:80 max_fails=0 fail_timeout=0;
}

upstream kube-system-monitoring-grafana-80 {
    # Load balance algorithm; empty for round robin, which is the default
    least_conn;
    keepalive 32;
    server 10.1.x.r:3000 max_fails=0 fail_timeout=0;
}

# Source-address allowlist used by the kibana vhost (1 = deny, 0 = allow).
# It is keyed on $the_real_ip, which is taken from X-Forwarded-For, so it is
# only as trustworthy as the peer that sets that header (see set_real_ip_from).
geo $the_real_ip $deny_c68f1d69a41aabcda3bb64d44505abcd {
    default 1;
    x.y.z.o/23 0;
    a.b.c.d/24 0;
}

# Catch-all server. This is the only server with ssl listeners in the file;
# the named vhosts below listen on port 80 only, so TLS for them must
# terminate in front of this proxy (see the X-Forwarded-Proto map) — confirm.
server {
    server_name _;
    listen 80 default_server reuseport backlog=511;
    listen [::]:80 default_server reuseport backlog=511;
    set $proxy_upstream_name "-";

    listen 443 default_server reuseport backlog=511 ssl http2;
    listen [::]:443 default_server reuseport backlog=511 ssl http2;

    # PEM sha: fbd084db1c225e76283b57e529c8009436d98d14
    # Self-signed placeholder certificate: any hostname reaching 443 is served
    # with it and routed to the default backend.
    ssl_certificate /ingress-controller/ssl/default-fake-certificate.pem;
    ssl_certificate_key /ingress-controller/ssl/default-fake-certificate.pem;

    # HSTS is emitted on the plain-HTTP listener as well; browsers only honour
    # it when received over HTTPS.
    more_set_headers "Strict-Transport-Security: max-age=10886400; includeSubDomains; preload";

    location / {
        set $proxy_upstream_name "upstream-default-backend";
        set $namespace "";
        set $ingress_name "";
        set $service_name "";

        port_in_redirect off;

        client_max_body_size "5500m";

        proxy_set_header Host $best_http_host;

        # Pass the extracted client certificate to the backend

        # Allow websocket connections
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # X-Forwarded-For is replaced with $the_real_ip, not appended to, so
        # any chain received from a previous hop is collapsed to that value.
        proxy_set_header X-Real-IP $the_real_ip;
        proxy_set_header X-Forwarded-For $the_real_ip;
        proxy_set_header X-Forwarded-Host $best_http_host;
        proxy_set_header X-Forwarded-Port $pass_port;
        proxy_set_header X-Forwarded-Proto $pass_access_scheme;
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header X-Scheme $pass_access_scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;

        # mitigate HTTPoxy Vulnerability
        # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
        proxy_set_header Proxy "";

        # Custom headers to proxied server

        proxy_connect_timeout 5s;
        proxy_send_timeout 60s;
        proxy_read_timeout 300s;

        proxy_redirect off;
        proxy_buffering off;
        proxy_buffer_size "4k";
        proxy_buffers 4 "4k";
        proxy_request_buffering "on";

        proxy_http_version 1.1;

        proxy_cookie_domain off;
        proxy_cookie_path off;

        # In case of errors try the next upstream server before returning an error
        proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;

        proxy_pass http://upstream-default-backend;
    }

    # health checks in cloud providers require the use of port 80
    location /healthz {
        access_log off;
        return 200;
    }

    # this is required to avoid error if nginx is being monitored
    # with an external software (like sysdig)
    # NOTE(review): allow/deny are evaluated against the client address after
    # the realip module has applied X-Forwarded-For; with set_real_ip_from
    # 0.0.0.0/0 this loopback-only restriction is only as strong as that
    # header's trust — tightening set_real_ip_from is the fix.
    location /nginx_status {
        allow 127.0.0.1;
        allow ::1;
        deny all;

        access_log off;
        stub_status on;
    }

    location @custom_400 {
        internal;

        proxy_intercept_errors off;

        proxy_set_header X-Code 400;
        proxy_set_header X-Format $http_accept;
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header X-Namespace $namespace;
        proxy_set_header X-Ingress-Name $ingress_name;
        proxy_set_header X-Service-Name $service_name;

        rewrite (.*) / break;
        proxy_pass http://upstream-default-backend;
    }

    # Removed similar location blocks

    location @custom_511 {
        internal;

        proxy_intercept_errors off;

        proxy_set_header X-Code 511;
        proxy_set_header X-Format $http_accept;
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header X-Namespace $namespace;
        proxy_set_header X-Ingress-Name $ingress_name;
        proxy_set_header X-Service-Name $service_name;

        rewrite (.*) / break;
        proxy_pass http://upstream-default-backend;
    }
}

# admin.example.com -> default-admin-console-80 (plain HTTP listener only).
server {
    server_name admin.example.com;
    listen 80;
    listen [::]:80;
    set $proxy_upstream_name "-";

    more_set_headers "Strict-Transport-Security: max-age=10886400; includeSubDomains; preload";

    location / {
        set $proxy_upstream_name "default-admin-console-80";
        set $namespace "default";
        set $ingress_name "cloud";
        set $service_name "portal";

        port_in_redirect off;

        client_max_body_size "5500m";

        proxy_set_header Host $best_http_host;

        # Pass the extracted client certificate to the backend

        # Allow websocket connections
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        proxy_set_header X-Real-IP $the_real_ip;
        proxy_set_header X-Forwarded-For $the_real_ip;
        proxy_set_header X-Forwarded-Host $best_http_host;
        proxy_set_header X-Forwarded-Port $pass_port;
        proxy_set_header X-Forwarded-Proto $pass_access_scheme;
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header X-Scheme $pass_access_scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;

        # mitigate HTTPoxy Vulnerability
        # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
        proxy_set_header Proxy "";

        # Custom headers to proxied server

        proxy_connect_timeout 5s;
        proxy_send_timeout 60s;
        proxy_read_timeout 300s;

        proxy_redirect off;
        proxy_buffering off;
        proxy_buffer_size "4k";
        proxy_buffers 4 "4k";
        proxy_request_buffering "on";

        proxy_http_version 1.1;

        proxy_cookie_domain off;
        proxy_cookie_path off;

        # In case of errors try the next upstream server before returning an error
        proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;

        proxy_pass http://default-admin-console-80;
    }

    location @custom_400 {
        internal;

        proxy_intercept_errors off;

        proxy_set_header X-Code 400;
        proxy_set_header X-Format $http_accept;
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header X-Namespace $namespace;
        proxy_set_header X-Ingress-Name $ingress_name;
        proxy_set_header X-Service-Name $service_name;

        rewrite (.*) / break;
        proxy_pass http://upstream-default-backend;
    }

    # Removed similar location blocks

    location @custom_511 {
        internal;

        proxy_intercept_errors off;

        proxy_set_header X-Code 511;
        proxy_set_header X-Format $http_accept;
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header X-Namespace $namespace;
        proxy_set_header X-Ingress-Name $ingress_name;
        proxy_set_header X-Service-Name $service_name;

        rewrite (.*) / break;
        proxy_pass http://upstream-default-backend;
    }
}

# api.example.com -> default-api-8000 (plain HTTP listener only).
server {
    server_name api.example.com;
    listen 80;
    listen [::]:80;
    set $proxy_upstream_name "-";

    more_set_headers "Strict-Transport-Security: max-age=10886400; includeSubDomains; preload";

    location / {
        set $proxy_upstream_name "default-api-8000";
        set $namespace "default";
        set $ingress_name "api";
        set $service_name "api";

        port_in_redirect off;

        client_max_body_size "5500m";

        proxy_set_header Host $best_http_host;

        # Pass the extracted client certificate to the backend

        # Allow websocket connections
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        proxy_set_header X-Real-IP $the_real_ip;
        proxy_set_header X-Forwarded-For $the_real_ip;
        proxy_set_header X-Forwarded-Host $best_http_host;
        proxy_set_header X-Forwarded-Port $pass_port;
        proxy_set_header X-Forwarded-Proto $pass_access_scheme;
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header X-Scheme $pass_access_scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;

        # mitigate HTTPoxy Vulnerability
        # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
        proxy_set_header Proxy "";

        # Custom headers to proxied server

        proxy_connect_timeout 5s;
        proxy_send_timeout 60s;
        proxy_read_timeout 300s;

        proxy_redirect off;
        proxy_buffering off;
        proxy_buffer_size "4k";
        proxy_buffers 4 "4k";
        proxy_request_buffering "on";

        proxy_http_version 1.1;

        proxy_cookie_domain off;
        proxy_cookie_path off;

        # In case of errors try the next upstream server before returning an error
        proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;

        proxy_pass http://default-api-8000;
    }

    location @custom_400 {
        internal;

        proxy_intercept_errors off;

        proxy_set_header X-Code 400;
        proxy_set_header X-Format $http_accept;
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header X-Namespace $namespace;
        proxy_set_header X-Ingress-Name $ingress_name;
        proxy_set_header X-Service-Name $service_name;

        rewrite (.*) / break;
        proxy_pass http://upstream-default-backend;
    }

    # Removed similar location blocks

    location @custom_511 {
        internal;

        proxy_intercept_errors off;

        proxy_set_header X-Code 511;
        proxy_set_header X-Format $http_accept;
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header X-Namespace $namespace;
        proxy_set_header X-Ingress-Name $ingress_name;
        proxy_set_header X-Service-Name $service_name;

        rewrite (.*) / break;
        proxy_pass http://upstream-default-backend;
    }
}

# grafana.example.com -> kube-system-monitoring-grafana-80 (plain HTTP
# listener only). The location body continues on the following lines.
server {
    server_name grafana.example.com;
    listen 80;
    listen [::]:80;
    set $proxy_upstream_name "-";

    more_set_headers "Strict-Transport-Security: max-age=10886400; includeSubDomains; preload";

    location / {
set $proxy_upstream_name "kube-system-monitoring-grafana-80";
set $namespace "kube-system";
set $ingress_name "monitoring-grafana";
set $service_name "monitoring-grafana";

port_in_redirect off;

client_max_body_size "5500m";

proxy_set_header Host $best_http_host;

# Pass the extracted client certificate to the backend

# Allow websocket connections
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;

# X-Forwarded-For is replaced with $the_real_ip rather than appended to.
proxy_set_header X-Real-IP $the_real_ip;
proxy_set_header X-Forwarded-For $the_real_ip;
proxy_set_header X-Forwarded-Host $best_http_host;
proxy_set_header X-Forwarded-Port $pass_port;
proxy_set_header X-Forwarded-Proto $pass_access_scheme;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Scheme $pass_access_scheme;
proxy_set_header X-Auth-Request-Redirect $request_uri;

# mitigate HTTPoxy Vulnerability
# https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
proxy_set_header Proxy "";

# Custom headers to proxied server

proxy_connect_timeout 5s;
proxy_send_timeout 60s;
proxy_read_timeout 300s;

proxy_redirect off;
proxy_buffering off;
proxy_buffer_size "4k";
proxy_buffers 4 "4k";
proxy_request_buffering "on";

proxy_http_version 1.1;

proxy_cookie_domain off;
proxy_cookie_path off;

# In case of errors try the next upstream server before returning an error
proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;

proxy_pass http://kube-system-monitoring-grafana-80;
}

location @custom_400 {
    internal;

    proxy_intercept_errors off;

    proxy_set_header X-Code 400;
    proxy_set_header X-Format $http_accept;
    proxy_set_header X-Original-URI $request_uri;
    proxy_set_header X-Namespace $namespace;
    proxy_set_header X-Ingress-Name $ingress_name;
    proxy_set_header X-Service-Name $service_name;

    rewrite (.*) / break;
    proxy_pass http://upstream-default-backend;
}

# Removed similar location blocks

location @custom_511 {
    internal;

    proxy_intercept_errors off;

    proxy_set_header X-Code 511;
    proxy_set_header X-Format $http_accept;
    proxy_set_header X-Original-URI $request_uri;
    proxy_set_header X-Namespace $namespace;
    proxy_set_header X-Ingress-Name $ingress_name;
    proxy_set_header X-Service-Name $service_name;

    rewrite (.*) / break;
    proxy_pass http://upstream-default-backend;
}
}

# portal.example.com -> default-portal-80 (plain HTTP listener only).
server {
    server_name portal.example.com;
    listen 80;
    listen [::]:80;
    set $proxy_upstream_name "-";

    # HSTS on a port-80 listener is only honoured by browsers if a TLS
    # terminator in front of this proxy relays it over HTTPS.
    more_set_headers "Strict-Transport-Security: max-age=10886400; includeSubDomains; preload";

    location / {
        set $proxy_upstream_name "default-portal-80";
        set $namespace "default";
        set $ingress_name "cloud";
        set $service_name "portal";

        port_in_redirect off;

        client_max_body_size "5500m";

        proxy_set_header Host $best_http_host;

        # Pass the extracted client certificate to the backend

        # Allow websocket connections
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        proxy_set_header X-Real-IP $the_real_ip;
        proxy_set_header X-Forwarded-For $the_real_ip;
        proxy_set_header X-Forwarded-Host $best_http_host;
        proxy_set_header X-Forwarded-Port $pass_port;
        proxy_set_header X-Forwarded-Proto $pass_access_scheme;
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header X-Scheme $pass_access_scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;

        # mitigate HTTPoxy Vulnerability
        # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
        proxy_set_header Proxy "";

        # Custom headers to proxied server

        proxy_connect_timeout 5s;
        proxy_send_timeout 60s;
        proxy_read_timeout 300s;

        proxy_redirect off;
        proxy_buffering off;
        proxy_buffer_size "4k";
        proxy_buffers 4 "4k";
        proxy_request_buffering "on";

        proxy_http_version 1.1;

        proxy_cookie_domain off;
        proxy_cookie_path off;

        # In case of errors try the next upstream server before returning an error
        proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;

        proxy_pass http://default-portal-80;
    }

    location @custom_400 {
        internal;

        proxy_intercept_errors off;

        proxy_set_header X-Code 400;
        proxy_set_header X-Format $http_accept;
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header X-Namespace $namespace;
        proxy_set_header X-Ingress-Name $ingress_name;
        proxy_set_header X-Service-Name $service_name;

        rewrite (.*) / break;
        proxy_pass http://upstream-default-backend;
    }

    # Removed similar location blocks

    location @custom_511 {
        internal;

        proxy_intercept_errors off;

        proxy_set_header X-Code 511;
        proxy_set_header X-Format $http_accept;
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header X-Namespace $namespace;
        proxy_set_header X-Ingress-Name $ingress_name;
        proxy_set_header X-Service-Name $service_name;

        rewrite (.*) / break;
        proxy_pass http://upstream-default-backend;
    }
}

# kibana.example.com -> default-developer-kibana-ui. This is the only vhost
# with an access control layer (source allowlist + basic auth); its location
# body continues on the following lines.
server {
    server_name kibana.example.com;
    listen 80;
    listen [::]:80;
    set $proxy_upstream_name "-";

    more_set_headers "Strict-Transport-Security: max-age=10886400; includeSubDomains; preload";

    location / {
        set $proxy_upstream_name "default-developer-kibana-ui";
        set $namespace "default";
        set $ingress_name "developer";
        set $service_name "developer-kibana";

        # Source-address allowlist (the geo map defined alongside the
        # upstreams). It is keyed on $the_real_ip, i.e. X-Forwarded-For, so
        # it only holds if that header comes from a trusted proxy
        # (see set_real_ip_from).
        if ($deny_c68f1d69a41aabcda3bb64d44505abcd) {
            return 403;
        }

        port_in_redirect off;

        # Basic auth in front of Kibana; the Authorization header is cleared
        # below so the backend never receives the credential. This vhost
        # listens on port 80 only, so the credential crosses this hop in
        # cleartext unless TLS terminates in front of the proxy — confirm.
        auth_basic "Developer Access";
        auth_basic_user_file /etc/ingress-controller/auth/default-developer.passwd;
        proxy_set_header Authorization "";

        client_max_body_size "5500m";

        proxy_set_header Host $best_http_host;

        # Pass the extracted client certificate to the backend

        # Allow websocket connections
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        proxy_set_header X-Real-IP $the_real_ip;
        proxy_set_header X-Forwarded-For $the_real_ip;
        proxy_set_header X-Forwarded-Host $best_http_host;
        proxy_set_header X-Forwarded-Port $pass_port;
        proxy_set_header X-Forwarded-Proto $pass_access_scheme;
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header X-Scheme $pass_access_scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;

        # mitigate HTTPoxy Vulnerability
        # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
proxy_set_header Proxy "";

# Custom headers to proxied server

proxy_connect_timeout 5s;
proxy_send_timeout 60s;
proxy_read_timeout 300s;

proxy_redirect off;
proxy_buffering off;
proxy_buffer_size "4k";
proxy_buffers 4 "4k";
proxy_request_buffering "on";

proxy_http_version 1.1;

proxy_cookie_domain off;
proxy_cookie_path off;

# In case of errors try the next upstream server before returning an error
proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;

proxy_pass http://default-developer-kibana-ui;
}

location @custom_400 {
    internal;

    proxy_intercept_errors off;

    proxy_set_header X-Code 400;
    proxy_set_header X-Format $http_accept;
    proxy_set_header X-Original-URI $request_uri;
    proxy_set_header X-Namespace $namespace;
    proxy_set_header X-Ingress-Name $ingress_name;
    proxy_set_header X-Service-Name $service_name;

    rewrite (.*) / break;
    proxy_pass http://upstream-default-backend;
}

# Removed similar location blocks

location @custom_511 {
    internal;

    proxy_intercept_errors off;

    proxy_set_header X-Code 511;
    proxy_set_header X-Format $http_accept;
    proxy_set_header X-Original-URI $request_uri;
    proxy_set_header X-Namespace $namespace;
    proxy_set_header X-Ingress-Name $ingress_name;
    proxy_set_header X-Service-Name $service_name;

    rewrite (.*) / break;
    proxy_pass http://upstream-default-backend;
}
}

# default server, used for NGINX healthcheck and access to nginx stats
# Its listeners and locations continue on the following lines.
server {
    # Use the port 18080 (random value just to avoid known ports) as default port for nginx.
# Changing this value requires a change in:
# https://github.com/kubernetes/ingress/blob/master/controllers/nginx/pkg/cmd/controller/nginx.go
# Bound on all interfaces, not only loopback.
listen 18080 default_server reuseport backlog=511;
listen [::]:18080 default_server reuseport backlog=511;
set $proxy_upstream_name "-";

location /healthz {
    access_log off;
    return 200;
}

# Unlike the port-80 /nginx_status, this location has no allow/deny: the
# traffic-status page (per-upstream names, members and counters) is served
# to anything that can reach 18080. NOTE(review): confirm the port is not
# reachable beyond the pod/node, or add the same loopback-only allow/deny.
location /nginx_status {
    set $proxy_upstream_name "internal";

    vhost_traffic_status_display;
    vhost_traffic_status_display_format html;
}

# Everything else on this port goes to the default backend flagged as a 404.
location / {
    proxy_set_header X-Code 404;
    set $proxy_upstream_name "upstream-default-backend";
    proxy_pass http://upstream-default-backend;
}

location @custom_400 {
    internal;

    proxy_intercept_errors off;

    proxy_set_header X-Code 400;
    proxy_set_header X-Format $http_accept;
    proxy_set_header X-Original-URI $request_uri;
    proxy_set_header X-Namespace $namespace;
    proxy_set_header X-Ingress-Name $ingress_name;
    proxy_set_header X-Service-Name $service_name;

    rewrite (.*) / break;
    proxy_pass http://upstream-default-backend;
}

# Removed similar location blocks

location @custom_511 {
    internal;

    proxy_intercept_errors off;

    proxy_set_header X-Code 511;
    proxy_set_header X-Format $http_accept;
    proxy_set_header X-Original-URI $request_uri;
    proxy_set_header X-Namespace $namespace;
    proxy_set_header X-Ingress-Name $ingress_name;
    proxy_set_header X-Service-Name $service_name;

    rewrite (.*) / break;
    proxy_pass http://upstream-default-backend;
}
}
}

# Layer-4 forwarding of syslog datagrams to fluentd. UDP with
# proxy_responses 0 is one-way: nothing is returned to the sender and there
# is no source authentication at this layer.
stream {
    log_format log_stream [$time_local] $protocol $status $bytes_sent $bytes_received $session_time;

    access_log off;

    # No level given, so this error_log uses nginx's default level.
    error_log /var/log/nginx/error.log;

    # TCP services

    # UDP services
    upstream udp-515-kube-system-fluentd-syslog-10515 {
        server 10.1.x.a:10515;
        server 10.1.x.b:10515;
    }

    server {
        listen 515 udp;
        listen [::]:515 udp;
        proxy_responses 0;
        proxy_timeout 600s;
        proxy_pass udp-515-kube-system-fluentd-syslog-10515;
    }

    upstream udp-514-kube-system-fluentd-syslog-10514 {
        server 10.1.x.a:10514;
        server 10.1.x.b:10514;
    }

    server {
        listen 514 udp;
        listen [::]:514 udp;
        proxy_responses 0;
        proxy_timeout 600s;
        proxy_pass udp-514-kube-system-fluentd-syslog-10514;
    }
}