34b6d083b8
Cleanup docs ( #5043 )
2020-02-09 20:50:27 -03:00
34b194c770
Update documentation and remove hack fixed by upstream cookie library
2020-02-08 11:54:52 -07:00
b3146354d4
Refactor mirror feature
2020-02-05 10:39:55 -03:00
beef9fae2d
Merge pull request #4949 from BrianKopp/same-site
...
Add SameSite support - omit None for old browsers
2020-01-31 03:50:21 -08:00
3f4da0fa0f
added hint why regular expressions might not be accepted
...
Kubernetes validates all regular expressions using RE2 which does not support the full syntax of PCRE which uses NGINX.
see: #4989
2020-01-30 19:22:41 +01:00
1b523390bb
Add SameSite=None support and conditionally omit SameSite=None for backwards compatibility
2020-01-29 14:30:00 -07:00
bc79fe1532
Add: documentation for proxy-ssl-location-only
2020-01-29 10:00:55 +01:00
74944b99e9
Enable download of GeoLite2 databases ( #4896 )
2020-01-08 19:46:43 -03:00
d7be5db7de
Support sample rate and global sampling configuration for Datadog in ConfigMap
2020-01-07 16:59:59 -08:00
8bf155d0d7
Fixed documentation for FCGI annotation.
2019-12-19 03:48:55 +03:00
0dce5be743
Migrate ingress definitions from extensions to networking.k8s.io
2019-12-12 21:25:00 -03:00
010ec6f159
Remove extra annotation when Enabling ModSecurity
...
Since version 0.25, if you try to use both annotations of:
nginx.ingress.kubernetes.io/modsecurity-snippet: |
Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf
Include /etc/nginx/modsecurity/modsecurity.conf
and
nginx.ingress.kubernetes.io/enable-modsecurity: "true"
it breaks nginx config and you will not catch it unless you have nginx admission controller enabled.
You do not need the annotation of `Include /etc/nginx/modsecurity/modsecurity.conf` from version 0.25
2019-11-28 15:16:09 +00:00
b286c2a336
Merge pull request #4732 from willthames/enable-opentracing-annotation
...
Allow enabling/disabling opentracing for ingresses
2019-11-26 17:31:21 -08:00
0ae463a5f3
Provide annotation to control opentracing
...
By default you might want opentracing off, but on for a particular
ingress.
Similarly, you might want opentracing globally on, but disabled for
a specific endpoint. To achieve this, `opentracing_propagate_context`
cannot be set when combined with `opentracing off`
A new annotation, `enable-opentracing` allows more fine grained control
of opentracing for specific ingresses.
2019-11-27 11:07:26 +10:00
6b0a6ec8b3
Fix extra word
2019-11-20 19:01:56 -06:00
73aaf0ff28
Update annotations.md
...
Add links to proxy-buffering section
2019-11-13 12:54:42 +09:00
0b38a48ac9
Update annotations.md
...
Add notes of limit-rate/limit-rate-after
2019-11-13 12:49:59 +09:00
d1eea794e9
Fix broken links in documentation ( #4746 )
2019-11-08 16:22:52 -03:00
2771095b8c
Merge pull request #4727 from nothinux/master
...
update docs, remove output in prometheus deploy command
2019-11-08 09:02:14 -08:00
0d244e1c41
Merge pull request #4730 from stamm/master
...
add configuration for http2_max_concurrent_streams
2019-11-08 07:12:29 -08:00
a0dc3a9a51
Merge pull request #4695 from janosi/secure-verify-ca-secret
...
Removing secure-verify-ca-secret support
2019-11-08 07:12:21 -08:00
d9cfad1894
add configuration for http2_max_concurrent_streams
2019-10-31 15:13:38 +03:00
d8c2d38a39
remove output in prometheus deploy command
2019-10-31 10:29:14 +07:00
40e0e5bef8
add proxy-max-temp-file-size doc
2019-10-23 09:55:46 +02:00
bd4b62029d
Merge pull request #4694 from panpan0000/add-remote-addr-into-l4-logs
...
Enhancement : add remote_addr in TCP access log
2019-10-20 19:39:37 -07:00
ee24bf1bbc
Doc: Add `remote_addr` into default values in configmap for TCP logging format
2019-10-21 10:18:17 +08:00
31227d61c2
Removing secure-verify-ca-secret support and writing an error log if that annotation is used in an Ingress definition
2019-10-18 10:58:57 +02:00
ad17d71387
Adding some documentation about the use of metrics-per-host and enable-metrics cmd line flags
2019-10-17 17:22:49 -06:00
fb025ab501
Merge pull request #4087 from MRoci/master
...
Define Modsecurity Snippet via ConfigMap
2019-09-30 15:19:32 -07:00
d5d2b4037c
Fix ports collision when hostNetwork=true ( #4617 )
2019-09-28 17:30:57 -03:00
72c4ffa8b5
add modsecurity-snippet key
2019-09-28 09:54:07 +02:00
6715108d8a
Release 0.26.0
2019-09-27 10:23:12 -03:00
50b6715f06
Merge pull request #4604 from aledbf/2353
...
Change default for proxy-add-original-uri-header
2019-09-25 07:28:00 -07:00
2bd8121338
Change default for proxy-add-original-uri-header
2019-09-25 10:57:31 -03:00
ceddec4ea0
Merge pull request #4588 from multi-io/patch-1
...
tls user guide --default-ssl-certificate clarification
2019-09-25 06:14:00 -07:00
ea5add6f5c
Rollback change of ModSecurity setting SecAuditLog
2019-09-24 14:53:44 -03:00
786a3b6862
Add support for configmap of headers to be sent to external auth service
2019-09-24 10:53:23 -04:00
f6c2f5fb97
Merge pull request #4514 from alexmaret/4475-stickyness-mode
...
Added new affinity mode for maximum session stickyness.
2019-09-24 05:09:27 -07:00
1a5e2d57a6
tls user guide --default-ssl-certificate clarification
...
Evidently the `--default-ssl-certificate` option is used not only for the catch-all server, but also for all ingress `tls:` sections that don't have a `secretName` option. This doesn't seem to be documented anywhere, hence this change.
2019-09-23 12:35:10 +02:00
c1ed6db468
Fix spelling and remove local reference of 404 docker image ( #4581 )
2019-09-22 16:08:47 -03:00
4b4176c830
Fix log format after #4557
2019-09-18 12:52:09 -03:00
87ad033483
Merge pull request #4569 from mkabischev/jaeger-header-configuration
...
allow to configure jaeger header names
2019-09-17 20:29:29 -07:00
d5563a7e47
allow to configure jaeger header names
2019-09-17 12:35:53 +03:00
846ff00363
Merge pull request #4560 from Shopify/basic-auth-map
...
Support configuring basic auth credentials as a map of user/password hashes
2019-09-16 07:52:39 -07:00
376b862c23
Add annotation to support map of user/pass pairs in basic auth
2019-09-13 11:33:33 -04:00
9af574a234
Remove the_real_ip variable
2019-09-12 20:01:33 -03:00
d7dc7be276
Fix relative links ( #4522 )
2019-09-03 09:02:07 -04:00
2ba1a9e71a
fix typo ( #4520 )
2019-09-02 17:29:37 -04:00
9170591185
Added new affinity mode for maximum session stickyness. Fixes kubernetes/ingress-nginx#4475
2019-08-30 11:40:29 +02:00
8def5ef7ca
Add support for multiple alias and remove duplication of SSL certificates ( #4472 )
2019-08-26 10:58:44 -04:00
7d6ce5701f
Fix log format markdown ( #4489 )
2019-08-24 22:48:17 -04:00
2c604e7d38
Add rate limit units and error status
...
Signed-off-by: Tim Hobbs <timothy.hobbs@ic-consult.com>
2019-08-22 16:03:41 +02:00
65b9e2c574
Merge branch 'master' of https://github.com/kubernetes/ingress-nginx into proxyssl
2019-08-16 06:21:53 +02:00
0b375989f3
Merge pull request #4412 from Shopify/ssl-early-data
...
Add nginx ssl_early_data option support
2019-08-15 10:08:35 -07:00
b21c721196
lua-shared-dicts improvements, fixes and documentation
2019-08-14 22:10:56 -04:00
adef152db8
Merge pull request #4379 from diazjf/mirror
...
Allow Requests to be Mirrored to different backends
2019-08-13 17:52:24 -07:00
f459515d0d
Add quote function in template
...
Co-authored-by: Charle Demers <charle.demers@gmail.com>
2019-08-09 15:47:29 -04:00
4a9b02bc03
Remove dynamic TLS records
2019-08-08 15:52:56 -04:00
7219130da4
Add nginx ssl_early_data option support
2019-08-07 16:04:09 -04:00
386486e969
Allow Requests to be Mirrored to different backends
...
Add a feature which allows traffic to be mirrored to
additional backends. This is useful for testing how
requests will behave on different "test" backends.
See https://nginx.org/en/docs/http/ngx_http_mirror_module.html
2019-08-01 11:53:58 -05:00
72271e9313
FastCGI backend support ( #2982 )
...
Co-authored-by: Pierrick Charron <pierrick@adoy.net>
2019-07-31 10:39:21 -04:00
cbc5d3a917
duplicate argument "--disable-catch-all"
2019-07-22 14:48:23 +03:00
5e64b6834c
Add [$proxy_alternative_upstream_name]
...
https://github.com/kubernetes/ingress-nginx/pull/4246
2019-07-19 07:36:13 +08:00
def13fc06c
Add proxy_ssl_* directives
...
Add support for backends which require client certificate (eg. NiFi)
authentication. The `proxy-ssl-secret` k8s annotation references a
secret which is used to authenticate to the backend server. All other
directives fine tune the backend communication.
The following annotations are supported:
* proxy-ssl-secret
* proxy-ssl-ciphers
* proxy-ssl-protocol
* proxy-ssl-verify
* proxy-ssl-verify-depth
2019-07-18 03:21:52 +02:00
589c9a20f9
Merge pull request #4278 from moolen/feat/auth-req-cache
...
feat: auth-req caching
2019-07-17 12:06:12 -07:00
23504db770
feat: auth-req caching
...
add a way to configure the `proxy_cache_*` [1] directive for external-auth.
The user-defined cache_key may contain sensitive information
(e.g. Authorization header).
We want to store *only* a hash of that key, not the key itself on disk.
[1] http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_key
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2019-07-17 18:39:04 +02:00
3b0c523e49
added proxy-http-version annotation to override the HTTP/1.1 default connection type to reverse proxy backends
2019-07-08 14:32:00 -04:00
cd25a0c17a
adjust docs
2019-07-01 10:24:09 -04:00
ef4b560499
Update annotations.md
2019-06-20 20:19:11 -04:00
f77eaaee50
Add opentracing-operation-name and opentracing-location-operation-name config settings
...
With these settings custom span names can be used for the server span and location span
Signed-off-by: Jorrit Salverda <jsalverda@travix.com>
2019-06-07 14:19:34 +02:00
e76418cd99
Merge pull request #4162 from stramel/patch-1
...
Add "text/javascript" to compressible MIME types
2019-06-06 11:35:34 -07:00
686f2310e4
Add "text/javascript" to compressible MIME types
...
Based on the HTML Standard, https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages , servers _should_ use `text/javascript`.
2019-06-06 13:11:56 -05:00
286ff13af2
Merge pull request #4048 from fedunineyu/change-upstream-on-error-with-sticky-session
...
Change upstream on error when sticky session balancer is used
2019-06-06 07:22:17 -07:00
4a913fac2a
Add clarification on how to enable path matching
...
The fact that you need to explicitly add the annotation is easy to miss.
This makes this more explicit, while leaving the finer details to the
linked annotations document.
2019-06-05 11:14:50 +10:00
413450d7f6
Fix typo in docs
2019-06-01 11:07:24 +02:00
3ee5161cca
Always collect metrics when --metrics-per-host=false
2019-05-31 12:31:10 +02:00
254629cf16
Added support for annotation `session-cookie-change-on-failure`
...
1. Session cookie is updated on previous attempt failure when `session-cookie-change-on-failure = true` (default value is `false`).
2. Added tests to check both cases.
3. Updated docs.
Co-Authored-By: Vladimir Grishin <yadolov@users.noreply.github.com>
2019-05-27 13:00:07 +03:00
dfa7f10fc9
Merge pull request #4055 from nicknovitski/kustomize
...
Rearrange deployment files into kustomizations
2019-05-25 14:43:50 -07:00
73c70e28b4
Clear up some inconsistent / unclear wording
...
IPv6 enabled/disabled working was confusing or contradicting itself. This updates the wording to what is expected, based on the default values in the table above, and the behaviour that I could find in code.
2019-05-21 15:27:58 +02:00
616b1e239a
UPT: Opentracing configmap documentation
2019-05-21 18:14:33 +08:00
d468cd5ec5
UPT: Modify configmap to include jaeger sampler host and jaeger sampler port
2019-05-21 17:54:29 +08:00
51ad0bc54b
Rearrange deployment files into kustomizations
2019-05-19 12:35:54 -07:00
19501b217d
Merge pull request #4089 from alanjcastonguay/docs/use-gzip-configmap-defaults
...
Docs: configmap: use-gzip
2019-05-18 04:09:14 -07:00
ddc2ce5c70
Update configmap about adding custom locations
2019-05-17 21:39:40 +02:00
f5b090518d
Docs: configmap: use-gzip
...
Move the "gzip-types" value default from the "use-gzip" to the "gzip-types"
heading, and link to it from use-gzip.
Document that the "use-gzip" default is "true", matching the style of other
configmap items.
2019-05-15 13:09:45 -04:00
4811168d2a
Fixed typos
2019-05-06 09:04:12 +02:00
8cc9afe8ee
Added Global External Authentication settings to configmap parameters incl. addons
2019-05-03 12:08:16 +02:00
1cd17cd12c
Implement a validation webhook
...
In case some ingress have a syntax error in the snippet configuration,
the freshly generated configuration will not be reloaded to prevent tearing down existing rules.
Although, once inserted, this configuration is preventing from any other valid configuration to be inserted as it remains in the ingresses of the cluster.
To solve this problem, implement an optional validation webhook that simulates the addition of the ingress to be added together with the rest of ingresses.
In case the generated configuration is not validated by nginx, deny the insertion of the ingress.
In case certificates are mounted using kubernetes secrets, when those
changes, keys are automatically updated in the container volume, and the
controller reloads it using the filewatcher.
Related changes:
- Update vendors
- Extract useful functions to check configuration with an additional ingress
- Update documentation for validating webhook
- Add validating webhook examples
- Add a metric for each syntax check success and errors
- Add more certificate generation examples
2019-04-18 19:07:04 +02:00
ffeb1fe348
Support proxy_next_upstream_timeout
2019-04-15 11:08:57 -04:00
39ecab8d5a
Merge pull request #3954 from Shopify/lb-configmap
...
Fix load-balance configmap value
2019-04-02 05:10:34 -07:00
4f819b6256
Fix load-balance configmap value
2019-04-01 15:55:36 -04:00
fd1f200eb4
fix typo: delete '`'
...
fix typo: delete '`'
2019-03-29 13:42:03 +08:00
1bef3e75b2
Set `X-Request-ID` for the `default-backend`, too.
2019-03-22 11:33:11 +01:00
1d59e4f1fe
enable dynamic SSL mode by default
2019-03-17 14:58:06 -04:00
1e96671e26
Remove sort-backends flag from cli docs
2019-03-12 14:48:05 -04:00
68038eec63
Make sure cli-arguments doc is in alphabetical order
2019-03-12 14:43:05 -04:00
d8fe2d992b
Remove useless nodeip call and deprecate --force-namespace-isolation
2019-03-11 18:19:13 -04:00
d3ac73be79
Remove session-cookie-hash annotation
2019-03-04 10:34:48 -05:00
8b3702c829
Enable access log for default backend
...
disable log on default_server
2019-02-26 11:14:31 +03:00
3865e30a00
Changes CustomHTTPErrors annotation to use custom default backend
...
Updates e2e test
Removes focus from e2e test
Fixes renamed function
Adds tests for new template funcs
Addresses gofmt
Updates e2e test, fixes custom-default-backend test by creating service
Updates docs
2019-02-24 22:48:56 +01:00
Manuel Alejandro de Brito Fontes
BrianKopp
Kubernetes Prow Robot
Herr-Sepp
Laszlo Janosi
Sungmin Lee
Denis Boulas
Sablu Miah
Will Thames
Matt Busche
Syunsuke Komma
Rustam Zagirov
nothinux
Carlos Panato
Peter Pan
Matthew Wickman
MRoci
A Gardner
Olaf Klischat
Mike Kabischev
Tobias Bradtke
Rui Lopes
Alexander Maret-Huskinson
Tim Hobbs
Gabor Lekeny
Elvin Efendi
Pierrick Charron
Maxime Ginters
Fernando Diaz
Charle Demers
Oguzhan Inan
Jude Zhu
Moritz Johner
E. Stuart Hicks
Tristan Matthews
Jorrit Salverda
Michael Stramel
Nikolas Skoufis
Christian Hoffmeister
Eugene Fedunin
MMeent
reynaldi.wijaya
Nick Novitski
Kevin Simper
Alan J Castonguay
okryvoshapka-connyun
Thibault Jamet
Alex Kursell
Alan
Gregor Noczinski
Mikhail Marchenko
jasongwartz