5cff197bc5
add canary-weight-total annotation ( #6338 )
2021-12-07 08:40:00 -08:00
6163231ef6
fix to really execute plugins in order ( #8018 )
2021-12-07 08:01:02 -08:00
a03895d91e
Add ssl_reject_handshake to defaul server ( #7977 )
...
* Add ssl_reject_handshake to defaul server
* Added SSLRejectHandshake to NewDefault
* Added documentation
2021-11-29 08:33:23 -08:00
65b8eeddec
Support cors-allow-origin with multiple origins ( #7614 )
...
* Add Initial support for multiple cors origins in nginx
- bump cluster version for `make dev-env`
- add buildOriginRegex function in nginx.tmpl
- add e2e 4 e2e tests for cors.go
- refers to feature request #5496
* add tests + use search to identify '*' origin
* add tests + use search to identify '*' origin
Signed-off-by: Christopher Larivière <lariviere.c@gmail.com>
* fix "should enable cors test" looking at improper values
* Modify tests and add some logic for origin validation
- add origin validation in cors ingress annotations
- add extra tests to validate regex
- properly escape regex using "QuoteMeta"
- fix some copy/paste errors
* add TrimSpace and length validation before adding a new origin
* modify documentation for cors and remove dangling comment
* add support for optional port mapping on origin
* support single-level wildcard subdomains + tests
* Remove automatic `*` fonctionality from incorrect origins
- use []string instead of basic string to avoid reparsing in template.go
- fix typo in docs
- modify template to properly enable only if the whole block is enabled
- modify cors parsing
- test properly by validating that the value returned is the proper
origin
- update unit tests and annotation tests
* Re-add `*` when no cors origins are supplied + fix tests
- fix e2e tests to allow for `*`
- re-add `*` to cors parsing if trimmed cors-allow-origin is empty
(supplied but empty) and if it wasn't supplied at all.
* remove unecessary logic for building cors origin + remove comments
- add some edge cases in e2e tests
- rework logic for building cors origin
there was no need for logic in template.go for buildCorsOriginRegex
if there is a `*` it ill be short-circuited by first if.
if it's a wildcard domain or any domain (without a wildcard), it MUST
match the main/cors.go regex format.
if there's a star in a wildcard domain, it must be replaced with
`[A-Za-z0-9]+`
* add missing check in e2e tests
2021-11-02 12:31:42 -07:00
c8ab4dc307
add `brotli-min-length` configuration option ( #7854 )
...
* add `brotli-min-length` configuration option
* add e2e tests for brotli
* include check for expected content type
* fix header and format
2021-11-02 04:52:59 -07:00
7d5452d00b
configmap: option to not trust incoming tracing spans ( #7045 )
...
* validate the sender of tracing spans
* add location-specific setting
2021-10-24 14:36:21 -07:00
9e3c528640
Disable builtin ssl_session_cache ( #7777 )
...
Signed-off-by: Alex R <i@sepa.spb.ru>
2021-10-08 11:47:23 -07:00
ddbb0be0a0
add canary backend name for requests metrics ( #7696 )
2021-09-26 10:54:22 -07:00
557a765754
fix typos. ( #7640 )
2021-09-15 11:30:12 -07:00
f2e743f561
feat: add session-cookie-secure annotation ( #7399 )
2021-09-01 15:23:40 -07:00
b591adac48
allow kb granularity for lua shared dicts ( #6750 )
...
Update internal/ingress/controller/template/configmap.go
Co-authored-by: Ricardo Katz <rikatz@users.noreply.github.com>
Co-authored-by: Ricardo Katz <rikatz@users.noreply.github.com>
2021-08-12 11:13:50 -07:00
9a9ad47857
Fix forwarding of auth-response-headers to gRPC backends ( #7331 )
...
* add e2e test for auth-response-headers annotation
* add e2e test for grpc with auth-response-headers
* fix forwarding of auth header to GRPC backends
* add test case for proxySetHeader(nil)
2021-08-10 11:24:39 -07:00
2d90ba14f5
Change all master reference to main ( #7369 )
2021-08-06 17:07:29 -07:00
9efea320b9
Fix cap for NET_BIND_SERVICE ( #7449 )
...
Signed-off-by: Tobias Giese <tobias.giese@daimler.com>
2021-08-06 12:45:30 -07:00
f222c752be
Enable session affinity for canaries ( #7371 )
2021-07-29 14:23:19 -07:00
191b27a8bb
Automatically add area labels to help triaging ( #7387 )
2021-07-22 17:29:16 -07:00
12a2a6d0e0
Fix definition order of modsecurity directives for controller to match PR 5315 ( #6940 ) ( #7323 )
...
* Fix definition order of modsecurity directives for controller to match PR 5315
* Add a test
2021-07-06 19:24:43 -07:00
a064337621
Rewrite clean-nginx-conf.sh in Go to speed up admission webhook ( #7076 ) ( #7322 )
...
* Rewrite clean-nginx-conf.sh to speed up admission webhook
* Less diff with original clean-nginx-conf.sh
* Add error handling, add documentation, add unit test
* indent code
* Don't ignore Getwd() error
2021-07-06 10:50:19 -07:00
68ec350388
perf: json encoding share to eatch request ( #6955 )
...
* perf: json encoding share to eatch request
* fix: fix lint lua
2021-05-23 17:57:38 -07:00
b3dfee6ada
Allow preservation of trailing slashes on TLS redirects via annotation. ( #7144 )
...
* allow retaining a trailing slash in a TLS redirect via annotation.
Signed-off-by: mamiller <mamiller@rosettastone.com>
* requested changes
* gofmt
2021-05-23 08:51:38 -07:00
9b00a4912f
set x-forwarded-scheme like x-forwarded-proto
2021-05-13 09:26:27 -04:00
0dceedfad7
Remove localhost calls from external names
...
Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>
2021-04-30 16:49:35 -03:00
9123820584
Expose Geo IP subdivision 1 as variables
2021-03-22 17:30:16 +00:00
ff74d0ff33
Merge pull request #6726 from afrouzMashaykhi/add-body-filter-by-lua
...
add body_filter_by_lua_block lua plugin to ingress-nginx
2021-01-06 16:55:45 -08:00
37ee5d98bf
Merge pull request #6679 from nic-6443/bug-fix
...
Bugfix: fix incomplete log
2021-01-06 15:01:45 -08:00
b65ceee1a8
Bugfix: fix incomplete log
2021-01-06 10:51:05 +08:00
8662144511
Update rootfs/etc/nginx/lua/plugins/README.md
...
Co-authored-by: Elvin Efendi <elvin.efendiyev@gmail.com>
2021-01-05 21:14:35 +03:30
ed6debb194
add body_filter_by_lua_block lua plugin to ingress-nginx
2021-01-05 20:56:13 +03:30
e0dece48f7
Add Global Rate Limiting support
2021-01-04 17:47:07 -05:00
2cff9fa41d
generalize cidr parsing and improve lua tests
2021-01-04 15:01:55 -05:00
b022ea8c40
Merge pull request #6639 from spacewander/use_last_for_ewma
...
Don't pick tried endpoint & count the latest in ewma balancer
2020-12-23 18:50:27 -08:00
06b200fa4b
Update for review
2020-12-24 09:07:12 +08:00
7732aec3c4
Merge pull request #6600 from nic-6443/backend-sync-503-fix
...
Bugfix: some requests fail with 503 when nginx reload
2020-12-23 09:02:26 -08:00
8085304cb9
Separate the ExternalName backend from other backends in the process of synchronizing the backend, because the synchronization of the ExternalName backend requires dns resolution, so we should ensure that it does not affect the synchronization of the Non-ExternalName backend. After separation, in the init worker stage, we should immediately synchronize the Non-ExternalName backend, otherwise there will be some requests that fail with 503 because the balancer cannot be obtained in the rewrite stage.
2020-12-22 17:24:41 +08:00
e118ebc08a
Don't pick tried endpoint & count the latest in ewma balancer
...
fixes https://github.com/kubernetes/ingress-nginx/issues/6632
2020-12-18 19:21:51 +08:00
a8728f3d2c
Spelling
2020-12-15 16:10:48 -05:00
9c0a39636d
Refactor ingress nginx variables
2020-12-12 08:52:47 -03:00
cc94a51cba
make sure canary attributes are reset on ewma backend sync
2020-12-11 09:38:58 -05:00
baf2afc5de
Merge pull request #6546 from nic-6443/ewma-cananry-fix
...
bugfix: update trafficShapingPolicy not working in ewma load-balance
2020-12-11 03:29:23 -08:00
1e9650a0f9
fix flaky lua tests
2020-12-10 22:41:41 -05:00
1c6a1a0e23
feat: add support for country databases
2020-12-07 21:43:38 +03:00
2f6f09a106
Merge pull request #6541 from Jangyooseok/Jangyooseok
...
fixed misspell
2020-12-04 15:35:25 -08:00
1ad89c8bb2
fixed misspell
...
Update rootfs/etc/nginx/lua/plugins/README.md
2020-12-04 10:13:00 +09:00
06f53bcf05
feat: allow user to specify the maxmium number of retries in stream block.
2020-12-02 14:54:14 +08:00
8ca5450e22
bugfix: always update trafficShapingPolicy when using ewma as load-balance even if endpoints not change, otherwise update trafficShapingPolicy will not working
2020-12-01 12:10:15 +08:00
612a604fa4
Fix ErrorLogLevel in stream contexts
2020-11-27 14:29:43 +09:00
e3a3ea8826
Merge pull request #6294 from ianbuss/auth-error-redirect-param
...
Allow customisation of redirect URL parameter in external auth redirects
2020-11-23 01:27:37 -08:00
fd8af11392
Fix opentracing propagation on auth-url
...
Currently, the opentracing propagation instructions are set only if opentracing is configured globally.
This fix set the propagation instructions if opentracing is disabled globally, but enabled per ingress
2020-11-20 01:32:20 +01:00
3f153add00
Refactor handling of path Prefix and Exact
2020-11-10 07:21:34 -03:00
2e7967cc99
Add comment indicating server-snippet section
2020-11-04 18:59:39 +09:00
a6b6f03b53
Add support for k8s ingress pathtype Prefix
2020-11-02 09:56:49 -05:00
d74ea25df8
Add validation for wildcard server names
2020-10-26 10:51:14 -03:00
524c3a50ea
Merge pull request #6037 from aledbf/redirect
...
Do not append a trailing slash on redirects
2020-10-08 11:51:06 -07:00
41cf628bdf
Add a configurable URL redirect parameter for error URLs
2020-10-08 12:53:46 +01:00
8d45bb39a4
Merge pull request #5348 from Antiarchitect/stream-log-annotations
...
Ability to separately disable access log in http and stream contexts
2020-09-28 11:02:53 -07:00
493dd6726d
Replace request_uri
2020-09-27 20:26:39 -03:00
2948e3e109
better cors
2020-09-27 21:44:24 +03:00
b7b85175f6
Add annotation to configure CORS Access-Control-Expose-Headers
2020-09-23 17:41:52 +02:00
87e79da16a
Move ocsp_response_cache:delete after certificate_data:set
2020-09-19 23:16:00 +08:00
16f970d8bb
Use was_not_called without check args match
2020-09-19 00:15:42 +08:00
724646bd73
Delete OCSP Response cache when certificate renewed
2020-09-18 14:30:18 +08:00
8e83d4e84a
delete redundant NGINX config about X-Forwarded-Proto
2020-09-15 13:22:26 -04:00
e659efbfdb
Use dynamic load of modules
2020-09-10 11:39:35 -03:00
33cab380ba
Merge pull request #5757 from agile6v/stream
...
feat: support to define trusted addresses for proxy protocol in stream block
2020-09-01 17:29:07 -07:00
609e1b5775
feat: support to define trusted addresses for proxy protocol in stream block
2020-08-28 14:37:16 +08:00
bf11584dbd
Add build_id dockerfile label
2020-08-27 10:05:07 -04:00
43ca5f5ef1
Add new Dockerfile label org.opencontainers.image.revision
2020-08-19 22:39:10 -04:00
e9059eef01
fixed some typos
...
Signed-off-by: Frank Gadban <frankgad@outlook.de>
2020-07-21 22:02:23 +02:00
e825af86e1
Merge pull request #5887 from dschwar/force-use-forwarded-for
...
Add force-enable-realip-module
2020-07-17 07:17:02 -07:00
d52141c2b9
Add enable-real-ip
2020-07-15 15:25:29 -04:00
dc3876666b
Revert "use-regex annotation should be applied to only one Location"
...
This reverts commit a8a8b5f6e9
2020-07-15 11:20:47 -04:00
a8a8b5f6e9
use-regex annotation should be applied to only one Location
2020-07-06 19:29:39 -04:00
ec4fb05cad
Fix proxy ssl e2e test
2020-07-06 18:41:42 -04:00
c0629e92c2
Add proxy-ssl-server-name to enable passing SNI
2020-07-03 14:14:32 +08:00
baa2b2cd33
Merge pull request #5709 from agile6v/master
...
fix: remove duplicated X-Forwarded-Proto header.
2020-07-02 17:50:47 -07:00
3402d07ff0
doc: update docs and fixed typos ( #5821 )
2020-07-01 10:02:52 -04:00
bcc3cfaa65
Dynamic LB sync non-external backends only when necessary
2020-06-29 18:11:51 -04:00
e8aaa15ce8
Remove duplicated X-Forwarded-Proto header.
2020-06-25 11:11:00 +08:00
803a76cf8a
Merge pull request #5749 from Bo0km4n/feat-configurable-max-batch-size
...
[Fix/metrics] Be configurable max batch size of metrics
2020-06-22 22:07:40 -07:00
f232a264ab
Add default-type as a configurable for default_type
2020-06-21 11:10:51 +08:00
7ab0916c92
Resolve conflicts
2020-06-20 17:13:31 +09:00
53a6b0fd3b
Configurable metrics max batch size
2020-06-20 15:58:14 +09:00
5b0f7d7d6e
Improve performance.
2020-06-10 17:36:56 +08:00
1d4c7ec65c
Fix lua lint error
2020-06-09 17:19:16 -04:00
f27b404421
Serve correct TLS certificate for requests with uppercase host
2020-06-09 16:47:03 -04:00
0549d9b132
Merge pull request #5672 from agile6v/master
...
feat: enable lj-releng tool to lint lua code.
2020-06-09 11:15:19 -07:00
bafbd4cccf
Enable lj-releng tool to lint lua code.
2020-06-09 18:01:35 +08:00
7767230e6a
fix undefined variable $auth_cookie error when location is denied
...
(add) isLocationAllowed check before setting the cookie
2020-06-08 13:59:52 -04:00
fc1c043437
Add http-access-log-path and stream-access-log-path options in configMap
2020-06-05 01:27:26 +08:00
ea8e711d2c
Refactor build of docker images
2020-06-02 12:16:39 -04:00
d061375afa
Merge pull request #5571 from agile6v/dev
...
feat: support the combination of Nginx variables for annotation upstream-hash-by.
2020-06-01 15:10:14 -07:00
c035a144f8
Support the combination of nginx variables and text value for annotation upstream-hash-by.
2020-06-01 06:37:41 +08:00
ee02d897d5
Merge pull request #5534 from agile6v/master
...
Add annotation ssl-prefer-server-ciphers.
2020-05-29 08:35:16 -07:00
d03266d505
Add MaxMind GeoIP2 Anonymous IP support
2020-05-21 06:50:57 +03:00
bced1ed8b8
Ability to separately disable access log in http and stream contexts
...
Two new configuration options:
`disable-http-access-log`
`disable-stream-access-log`
Should resolve issue with enormous amount of `TCP 200` useless entries in logs
Signed-off-by: Andrey Voronkov <voronkovaa@gmail.com>
2020-05-13 21:23:37 +03:00
41d82005ec
Add annotation ssl-prefer-server-ciphers.
2020-05-11 16:31:08 +08:00
3b217cf766
make sure first backend sync happens in timer phase
2020-04-30 19:44:24 -04:00
c8eb914d8a
Remove noisy dns log
2020-04-28 18:34:51 -04:00
0f2496fc95
Ensure alpine packages are up to date
2020-04-27 16:48:22 -04:00
b569d2357a
staple only when OCSP response status is "good"
2020-04-19 13:53:47 -04:00
d18fa90cfd
Add e2e test for OCSP and new configmap setting
2020-04-17 12:53:47 -04:00
1dab12fb81
Lua OCSP stapling
2020-04-16 21:29:16 -04:00
b60e25f1db
ingress-nginx lua plugins documentation
2020-04-14 09:47:58 -04:00
c0db19b0ec
Enable configuration of plugins using configmap
2020-04-13 11:38:42 -04:00
eefb32c667
fix: remove unnecessary if statement when redirect annotation is defined
2020-04-08 19:02:15 +03:00
8527f774f7
Change condition order that produces endless loop
2020-04-03 10:53:40 -03:00
6037883c4a
Forward X-Request-ID to auth service ( #5301 )
2020-03-29 19:58:36 -03:00
5cf7018b6d
Merge pull request #5277 from ElvinEfendi/small-refactoring
...
refactoring: use more specific var name
2020-03-23 06:02:51 -07:00
6ea6d47044
Empty directory
2020-03-22 17:16:30 -03:00
1894579455
Remove unnecessary logs
2020-03-22 17:09:39 -03:00
eb112ea06c
refactoring: use more specific var name
2020-03-21 21:23:24 -04:00
07b70f68bd
Redirect for app-root should preserve current scheme ( #5266 )
2020-03-19 15:49:18 -03:00
78576a9bbc
Add Maxmind Editions support
2020-03-19 19:36:10 +07:00
d5d1e9bfbd
Merge pull request #4958 from niedbalski/fix-forwarded-proto
...
Add a forwarded protocol map for included x-forwarded-proto.
2020-03-11 02:35:36 -07:00
1d1b857cb7
Add a forwarded protocol map for included x-forwarded-proto.
...
This change adds a new map for including the passed x-forwarded-proto
header in case is provided as an extra header.
Signed-off-by: Jorge Niedbalski <jnr@metaklass.org>
2020-03-10 18:26:28 -03:00
f2e5d6f8a5
Migrate the backends handler logic to function
2020-02-27 09:31:04 +08:00
2de30bf451
Add proxy-ssl-name to location level
2020-02-25 13:52:34 +01:00
141ea59b7f
Allows overriding the server name used to verify the certificate of the proxied HTTPS server
2020-02-25 13:32:14 +01:00
35264d6e8f
Merge pull request #5114 from whalecold/match
...
Feat: add header-pattern annotation.
2020-02-24 17:07:36 -08:00
351307280e
Clean template
2020-02-21 16:14:49 -03:00
0b33650bb8
Feat: canary supports using specific match strategy to match header value.
2020-02-21 10:02:20 +08:00
5c64c52a60
Ensured that opentracing on auth request is only enabled for people that have opentracing
2020-02-20 14:12:54 +00:00
08471b527b
Fixes https://github.com/kubernetes/ingress-nginx/issues/5120
2020-02-20 14:03:09 +00:00
ad78425852
also expose pem cert uid in certificate.call function
2020-02-19 13:41:50 -05:00
4bb9106be2
refactor ssl handling in preperation of OCSP stapling
2020-02-19 13:14:35 -05:00
b2beeeab25
Add case for when user agent is nil
...
Add test for nil user agent
2020-02-16 21:07:45 -06:00
4b5c39e97b
Fox docker opencontainers version label ( #5087 )
2020-02-16 11:55:12 -03:00
12314aa1ac
Cleanup docker build ( #5084 )
2020-02-15 13:59:56 -03:00
d48d5a61ae
Add gzip-min-length as a configurable
2020-02-14 13:29:51 +07:00
71e35c9100
Make sure set-cookie is retained from external auth endpoint ( #5067 )
2020-02-14 01:41:11 -03:00
5e54f66ab2
Merge pull request #5040 from BrianKopp/samesite-followup
...
Update documentation and remove hack fixed by upstream cookie library
2020-02-10 10:25:53 -08:00
46a3e0a6fd
Fix X-Forwarded-Proto based on proxy-protocol server port
2020-02-10 18:08:34 +03:00
7c7a1b9c8b
Update samesite tests
2020-02-08 12:58:52 -07:00
34b194c770
Update documentation and remove hack fixed by upstream cookie library
2020-02-08 11:54:52 -07:00
b3146354d4
Refactor mirror feature
2020-02-05 10:39:55 -03:00
b9e944a8a6
Move mod-security logic from template to go code ( #5009 )
2020-02-04 14:04:11 -03:00
ee5595f5be
Cleanup main makefile and remove the need of sed ( #4995 )
2020-01-31 22:56:55 -03:00
1b523390bb
Add SameSite=None support and conditionally omit SameSite=None for backwards compatibility
2020-01-29 14:30:00 -07:00
5d05e19cc3
Fix enable opentracing per location ( #4983 )
2020-01-29 12:20:05 -03:00
2f8cbeb8fa
Merge pull request #4956 from djboris9/proxy-protocol-port
...
Fix proxy protocol support for X-Forwarded-Port
2020-01-26 12:27:02 -08:00
7ff49b25d6
Move opentracing configuration for location to go ( #4965 )
2020-01-25 21:39:20 -03:00
665f924e9e
Add proxy protocol support for X-Forwarded-Port
...
Fixes https://github.com/kubernetes/ingress-nginx/issues/4951
2020-01-24 13:50:35 +01:00
c8015c7734
Update nginx image, use docker buildx and remove qemu ( #4923 )
...
* Update nginx image, use docker buildx and remove qemu
* Update e2e image
2020-01-14 20:52:57 -03:00
a8c2c9c6bc
Remove todo from lua test ( #4894 )
2020-01-08 19:46:52 -03:00
5ce93d98c2
Fix lua test
2020-01-05 16:00:54 -03:00
025d4eaceb
Migrate to alpine linux
2020-01-04 13:23:16 -03:00
fbdd924a45
Update nginx image
2020-01-04 13:23:16 -03:00
6c92c80073
Fix sticky session for ingress without host
2020-01-02 16:52:49 -03:00
a0523c3c8a
Use a named location for authSignURL ( #4859 )
2019-12-24 22:50:25 -03:00
54918c0ff2
fix duplicate hsts bug
2019-12-12 13:49:13 -05:00
Yecheng Fu
Ana Claudia Riekstin
Ansil H
Christopher Larivière
Rahil Patel
Matthew Silverman
Alex R
Léopold Jacquot
agile6v
Vincent LE GOFF
Tom Hayward
Ricardo Katz
tobiasgiese
wasker
Kyle Michel
Kirill Trofimenkov
zhaogaolong
Matt Miller
Ricardo Pchevuzinske Katz
Adam Renberg Tamm
Kubernetes Prow Robot
qianyong
Ginger Cookie
afrouz
Elvin Efendi
spacewander
Josh Soref
Manuel Alejandro de Brito Fontes
Matthew Tuusberg
Jangyooseok
m22r
Julien Vey
Minji Chun
Ian Buss
shrpne
Maxime LUCE
wenzong
Frank Gadban
David Schwartz
Zhongcheng Lao
mengqi.wmq
Bo0km4n
Andreas Sommer
Jeff Hui
adiov
Andrey Voronkov
Artem Miroshnychenko
Maxim Pogozhiy
Jorge Niedbalski
Lisheng Zheng
Laszlo Janosi
schaefec
Karl Stoney
briankopp
Daniel Arifin
Ilya Nemakov
Boris Djurdjevic