-
Notifications
You must be signed in to change notification settings - Fork 25
/
Copy pathnginx-gateway.conf.template
251 lines (208 loc) · 9.85 KB
/
nginx-gateway.conf.template
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
# vim: set filetype=nginx:
js_import gateway from conf.d/nginx.js;
js_set $decodeRedirectUri gateway.decodeRedirectUri;
proxy_cache_path /var/cache/nginx/pods levels=1:2 keys_zone=pods:2m max_size=4m inactive=60m use_temp_path=off;
proxy_cache_path /var/cache/nginx/rbac levels=1:2 keys_zone=rbac:256k max_size=3m inactive=60m use_temp_path=off;
proxy_cache_path /var/cache/nginx/rbac2 levels=1:2 keys_zone=rbac2:256k max_size=3m inactive=60m use_temp_path=off;
map $uri $new {
/ /online/;
/online /online/;
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 8443 ssl;
server_name localhost;
ssl_certificate /etc/tls/private/serving/tls.crt;
ssl_certificate_key /etc/tls/private/serving/tls.key;
absolute_redirect off;
gzip on;
gzip_types text/plain application/javascript text/javascript;
root /usr/share/nginx/html/;
# Limit the keepalive of connections (60s default)
keepalive_timeout 60s;
# Do not show server version
server_tokens off;
# Performance tuning
subrequest_output_buffer_size ${NGINX_SUBREQUEST_OUTPUT_BUFFER_SIZE};
client_body_buffer_size ${NGINX_CLIENT_BODY_BUFFER_SIZE};
proxy_buffers ${NGINX_PROXY_BUFFERS};
# For debugging location rewrite
#rewrite_log on;
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
return 444;
}
# Prevent click jacking attacks
add_header X-Frame-Options "SAMEORIGIN";
# Ensure only https is used for this server
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Govern what content can be loaded by the server and from where
# Click jacking prevention to be used in addition to X-Frame-Options
add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self'; form-action 'self'; ";
# Only accept newer ssl protocols
ssl_protocols TLSv1.2 TLSv1.3;
if ($new) {
rewrite ^ $new redirect;
}
error_page 404 /hawtio-404.html;
location = /hawtio-404.html {
internal;
}
error_page 500 502 503 504 /hawtio-50x.html;
location = /hawtio-50x.html {
internal;
}
location /auth/logout {
if ( $arg_redirect_uri = '') {
return 200 "Acknowledge logout but nothing further to do";
}
# Do not specify "storage" as local storage contains persistent data such as
# preferences and connections but without credentials.
add_header Clear-Site-Data "\"cache\", \"cookies\"";
add_header Cache-Control "no-store";
# Prevent click jacking attacks
# Note: must be re-declared since other headers have been added
add_header X-Frame-Options "SAMEORIGIN";
# Ensure only https is used for this server
# Note: must be re-declared since other headers have been added
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Govern what content can be loaded by the server and from where
# Click jacking prevention to be used in addition to X-Frame-Options
add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self'; form-action 'self'; ";
return 307 $decodeRedirectUri;
}
# Static content serving
location /online {
add_header location-rule ONLINE always;
# Prevent click jacking attacks
# Note: must be re-declared since other headers have been added
add_header X-Frame-Options "SAMEORIGIN";
# Ensure only https is used for this server
# Note: must be re-declared since other headers have been added
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Govern what content can be loaded by the server and from where
# Click jacking prevention to be used in addition to X-Frame-Options
# Requires allowing inline-styles and inline data objects (svg imgs)
add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src 'self' data:; frame-ancestors 'self'; form-action 'self'; ";
alias /usr/share/nginx/html/online;
try_files $uri$args $uri /online/index.html;
gzip_static on;
}
#
# External location which checks whether the
# requested uri is accessible before redirecting
# to the internal /masterinternal
#
location /master {
add_header location-rule MASTER always;
js_content gateway.proxyMasterGuard;
}
#
# Kubernetes master API reverse proxying
#
# Configured as internal so that all requests should be submitted
# through the /master location and checked with the proxyMasterGuard
#
location /masterinternal {
internal;
add_header location-rule MASTER-INTERNAL always;
# Prevent click jacking attacks
# Note: must be re-declared since other headers have been added
add_header X-Frame-Options "SAMEORIGIN";
# Ensure only https is used for this server
# Note: must be re-declared since other headers have been added
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Govern what content can be loaded by the server and from where
# Click jacking prevention to be used in addition to X-Frame-Options
add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self'; form-action 'self'; ";
proxy_pass https://kubernetes.default/;
rewrite /masterinternal/(.*) /$1 break;
proxy_pass_request_headers on;
proxy_pass_request_body on;
proxy_redirect off;
proxy_ssl_verify on;
proxy_ssl_trusted_certificate /var/run/secrets/kubernetes.io/serviceaccount/ca.crt;
proxy_ssl_session_reuse on;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
location /management {
add_header location-rule MANAGEMENT always;
# Prevent click jacking attacks
# Note: must be re-declared since other headers have been added
add_header X-Frame-Options "SAMEORIGIN";
# Ensure only https is used for this server
# Note: must be re-declared since other headers have been added
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Govern what content can be loaded by the server and from where
# Click jacking prevention to be used in addition to X-Frame-Options
add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self'; form-action 'self'; ";
js_content gateway.proxyJolokiaAgent;
}
# Self-LocalSubjectAccessReview requests cache
location /authorization {
internal;
proxy_pass https://kubernetes.default/;
rewrite /authorization/([^/]+)/(.*) /apis/$1/v1/$2 break;
proxy_set_header Content-Type application/json;
proxy_pass_request_headers on;
proxy_pass_request_body on;
proxy_redirect off;
proxy_ssl_verify on;
proxy_ssl_trusted_certificate /var/run/secrets/kubernetes.io/serviceaccount/ca.crt;
proxy_ssl_session_reuse on;
proxy_cache rbac;
proxy_cache_methods POST;
proxy_cache_key $uri$is_args$args|$http_authorization;
proxy_cache_valid 201 10s;
proxy_ignore_headers Cache-Control;
}
# Duplicated location, as it seems caching does not handle multiple sub-requests calling the same location
# leading to different hash keys :(
location /authorization2 {
internal;
proxy_pass https://kubernetes.default/;
rewrite /authorization2/([^/]+)/(.*) /apis/$1/v1/$2 break;
proxy_set_header Content-Type application/json;
proxy_pass_request_headers on;
proxy_pass_request_body on;
proxy_redirect off;
proxy_ssl_verify on;
proxy_ssl_trusted_certificate /var/run/secrets/kubernetes.io/serviceaccount/ca.crt;
proxy_ssl_session_reuse on;
proxy_cache rbac2;
proxy_cache_methods POST;
proxy_cache_key $uri$is_args$args|$http_authorization;
proxy_cache_valid 201 10s;
proxy_ignore_headers Cache-Control;
}
# Pod details requests cache
location /podIP {
add_header location-rule POD_IP always;
internal;
proxy_pass https://kubernetes.default/;
rewrite /podIP/(.+)/(.+) /api/v1/namespaces/$1/pods/$2 break;
proxy_pass_request_headers on;
proxy_redirect off;
proxy_ssl_verify on;
proxy_ssl_trusted_certificate /var/run/secrets/kubernetes.io/serviceaccount/ca.crt;
proxy_ssl_session_reuse on;
proxy_cache pods;
proxy_cache_valid 200 1m;
proxy_ignore_headers Cache-Control;
}
# Proxy pod addressed by podIP
location ~ ^/proxy/(http|https):(.+):(\d+)/(.*)$ {
internal;
proxy_pass $1://$2:$3/$4$is_args$args;
proxy_ssl_verify off;
proxy_ssl_session_reuse on;
${PROXY_SSL_CERTIFICATE}
${PROXY_SSL_KEY}
# Do not foward authorization header
proxy_set_header Authorization "";
}
}