a8a8b5f6e9
use-regex annotation should be applied to only one Location
2020-07-06 19:29:39 -04:00
ec4fb05cad
Fix proxy ssl e2e test
2020-07-06 18:41:42 -04:00
c0629e92c2
Add proxy-ssl-server-name to enable passing SNI
2020-07-03 14:14:32 +08:00
baa2b2cd33
Merge pull request #5709 from agile6v/master
...
fix: remove duplicated X-Forwarded-Proto header.
2020-07-02 17:50:47 -07:00
e8aaa15ce8
Remove duplicated X-Forwarded-Proto header.
2020-06-25 11:11:00 +08:00
803a76cf8a
Merge pull request #5749 from Bo0km4n/feat-configurable-max-batch-size
...
[Fix/metrics] Be configurable max batch size of metrics
2020-06-22 22:07:40 -07:00
f232a264ab
Add default-type as a configurable for default_type
2020-06-21 11:10:51 +08:00
7ab0916c92
Resolve conflicts
2020-06-20 17:13:31 +09:00
53a6b0fd3b
Configurable metrics max batch size
2020-06-20 15:58:14 +09:00
7767230e6a
fix undefined variable $auth_cookie error when location is denied
...
(add) isLocationAllowed check before setting the cookie
2020-06-08 13:59:52 -04:00
fc1c043437
Add http-access-log-path and stream-access-log-path options in configMap
2020-06-05 01:27:26 +08:00
ee02d897d5
Merge pull request #5534 from agile6v/master
...
Add annotation ssl-prefer-server-ciphers.
2020-05-29 08:35:16 -07:00
d03266d505
Add MaxMind GeoIP2 Anonymous IP support
2020-05-21 06:50:57 +03:00
bced1ed8b8
Ability to separately disable access log in http and stream contexts
...
Two new configuration options:
`disable-http-access-log`
`disable-stream-access-log`
Should resolve issue with enormous amount of `TCP 200` useless entries in logs
Signed-off-by: Andrey Voronkov <voronkovaa@gmail.com>
2020-05-13 21:23:37 +03:00
41d82005ec
Add annotation ssl-prefer-server-ciphers.
2020-05-11 16:31:08 +08:00
d18fa90cfd
Add e2e test for OCSP and new configmap setting
2020-04-17 12:53:47 -04:00
1dab12fb81
Lua OCSP stapling
2020-04-16 21:29:16 -04:00
c0db19b0ec
Enable configuration of plugins using configmap
2020-04-13 11:38:42 -04:00
eefb32c667
fix: remove unnecessary if statement when redirect annotation is defined
2020-04-08 19:02:15 +03:00
6037883c4a
Forward X-Request-ID to auth service ( #5301 )
2020-03-29 19:58:36 -03:00
07b70f68bd
Redirect for app-root should preserve current scheme ( #5266 )
2020-03-19 15:49:18 -03:00
78576a9bbc
Add Maxmind Editions support
2020-03-19 19:36:10 +07:00
1d1b857cb7
Add a forwarded protocol map for included x-forwarded-proto.
...
This change adds a new map for including the passed x-forwarded-proto
header in case is provided as an extra header.
Signed-off-by: Jorge Niedbalski <jnr@metaklass.org>
2020-03-10 18:26:28 -03:00
2de30bf451
Add proxy-ssl-name to location level
2020-02-25 13:52:34 +01:00
141ea59b7f
Allows overriding the server name used to verify the certificate of the proxied HTTPS server
2020-02-25 13:32:14 +01:00
351307280e
Clean template
2020-02-21 16:14:49 -03:00
5c64c52a60
Ensured that opentracing on auth request is only enabled for people that have opentracing
2020-02-20 14:12:54 +00:00
08471b527b
Fixes https://github.com/kubernetes/ingress-nginx/issues/5120
2020-02-20 14:03:09 +00:00
d48d5a61ae
Add gzip-min-length as a configurable
2020-02-14 13:29:51 +07:00
71e35c9100
Make sure set-cookie is retained from external auth endpoint ( #5067 )
2020-02-14 01:41:11 -03:00
b3146354d4
Refactor mirror feature
2020-02-05 10:39:55 -03:00
b9e944a8a6
Move mod-security logic from template to go code ( #5009 )
2020-02-04 14:04:11 -03:00
5d05e19cc3
Fix enable opentracing per location ( #4983 )
2020-01-29 12:20:05 -03:00
2f8cbeb8fa
Merge pull request #4956 from djboris9/proxy-protocol-port
...
Fix proxy protocol support for X-Forwarded-Port
2020-01-26 12:27:02 -08:00
7ff49b25d6
Move opentracing configuration for location to go ( #4965 )
2020-01-25 21:39:20 -03:00
665f924e9e
Add proxy protocol support for X-Forwarded-Port
...
Fixes https://github.com/kubernetes/ingress-nginx/issues/4951
2020-01-24 13:50:35 +01:00
fbdd924a45
Update nginx image
2020-01-04 13:23:16 -03:00
a0523c3c8a
Use a named location for authSignURL ( #4859 )
2019-12-24 22:50:25 -03:00
54918c0ff2
fix duplicate hsts bug
2019-12-12 13:49:13 -05:00
75e8d37d71
Fix issue in logic of modsec template
...
according to go templates: `(and ((not false) false))` == `true`
the only way to remove the owasp rules from every location is to disable modsec on that location, or to enable owasp globally, both not-so-great choices.
This commit fixes the logic issue by fixing the and-clause in the if-statement. As a result this reduces global resource usages when modsecurity is configured globally, but not on every location.
2019-11-28 14:56:41 +01:00
a85d5ed93a
Merge pull request #4779 from aledbf/update-image
...
Remove lua-resty-waf feature
2019-11-27 11:45:05 -08:00
b286c2a336
Merge pull request #4732 from willthames/enable-opentracing-annotation
...
Allow enabling/disabling opentracing for ingresses
2019-11-26 17:31:21 -08:00
0ae463a5f3
Provide annotation to control opentracing
...
By default you might want opentracing off, but on for a particular
ingress.
Similarly, you might want opentracing globally on, but disabled for
a specific endpoint. To achieve this, `opentracing_propagate_context`
cannot be set when combined with `opentracing off`
A new annotation, `enable-opentracing` allows more fine grained control
of opentracing for specific ingresses.
2019-11-27 11:07:26 +10:00
61d902db14
Remove Lua resty waf feature
2019-11-26 10:37:43 -03:00
62518b60b4
Merge pull request #4689 from janosi/upstream_ssl
...
Server-only authentication of backends and per-location SSL config
2019-11-18 19:49:43 -08:00
d9cfad1894
add configuration for http2_max_concurrent_streams
2019-10-31 15:13:38 +03:00
cc84bd4ab6
Server level proxy_ssl parameters are applied again, following the comments received.
...
Also writing tls.crt and tls.key to disk is according to the original code.
2019-10-26 20:20:18 +02:00
37fe9c9876
Enabling per-location proxy-ssl parameters, so locations of the same server but with own unique Ingress definitions can have different SSL configs
2019-10-17 10:15:53 +02:00
69880ac9ad
Merge pull request #4650 from DaveAurionix/master
...
Expose GeoIP2 Organization as variable $geoip2_org
2019-10-12 15:34:36 -07:00
0476715022
Need to quote expansion of $cfg.LogFormatStream in log_stream access log
...
format in nginx.tmpl otherwise individual variables are just glued together
without separating spaces so that you would get these in access logs:
[10/Oct/2019:05:03:30 +0000]TCP200000.003
[10/Oct/2019:05:03:30 +0000]TCP200000.000
[10/Oct/2019:05:05:04 +0000]TCP200000.000
which supposed to be someting like these:
[10/Oct/2019:05:03:30 +0000] TCP 200 0 0 0.003
[10/Oct/2019:05:03:30 +0000] TCP 200 0 0 0.000
[10/Oct/2019:05:05:04 +0000] TCP 200 0 0 0.000
2019-10-10 17:27:15 +10:00
8e926b21d1
Expose GeoIP2 Organization as variable $geoip2_org
2019-10-09 09:47:48 +01:00
72c4ffa8b5
add modsecurity-snippet key
2019-09-28 09:54:07 +02:00
c5a8357f1d
handle hsts header injection in lua
2019-09-24 21:17:22 -04:00
c93d384fb1
delete redundant config
2019-09-24 18:51:35 -04:00
8c64b12a96
refactor force ssl redirect logic
2019-09-24 14:57:52 -04:00
786a3b6862
Add support for configmap of headers to be sent to external auth service
2019-09-24 10:53:23 -04:00
4b4176c830
Fix log format after #4557
2019-09-18 12:52:09 -03:00
9af574a234
Remove the_real_ip variable
2019-09-12 20:01:33 -03:00
ce3e3d51c3
WIP Remove nginx unix sockets ( #4531 )
...
* Remove nginx unix sockets
* Use an emptyDir volume for /tmp in PSP e2e tests
2019-09-08 18:14:54 -03:00
9c51676f17
Add support to CRL ( #3164 )
...
Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@serpro.gov.br>
Add support to CRL
Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@serpro.gov.br>
2019-09-03 16:47:28 -04:00
c2935ca35c
Refactor health checks and wait until NGINX process ends
2019-09-01 15:31:27 -04:00
c7d2444cf4
Fix nginx variable service_port (nginx) ( #4500 )
2019-08-31 11:24:01 -04:00
06f03a2af6
point users to kubectl ingress-nginx plugin
2019-08-27 07:42:42 -04:00
8def5ef7ca
Add support for multiple alias and remove duplication of SSL certificates ( #4472 )
2019-08-26 10:58:44 -04:00
f0e71cf688
Merge pull request #4463 from zerda/fix-add-headers
...
Always set headers with add-headers option
2019-08-25 09:16:21 -07:00
a44b5cf3f3
Always set headers with add-headers option
...
It should work regardless of the response code or add_header directive in location.
2019-08-18 14:28:43 +08:00
4624b5bc77
Change PemSHA to CASHA
2019-08-16 06:31:15 +02:00
65b9e2c574
Merge branch 'master' of https://github.com/kubernetes/ingress-nginx into proxyssl
2019-08-16 06:21:53 +02:00
d8bd8c5619
Add nginx proxy_max_temp_file_size configuration option
2019-08-15 13:47:42 -04:00
0b375989f3
Merge pull request #4412 from Shopify/ssl-early-data
...
Add nginx ssl_early_data option support
2019-08-15 10:08:35 -07:00
6a293c7e11
set /configuration client body size dynamically
2019-08-14 22:10:56 -04:00
0d690fba1a
Merge pull request #4356 from aledbf/only-dynamic-mode
...
Only support SSL dynamic mode
2019-08-14 17:08:35 -07:00
adef152db8
Merge pull request #4379 from diazjf/mirror
...
Allow Requests to be Mirrored to different backends
2019-08-13 17:52:24 -07:00
d46b4148fa
Lua /etc/resolv.conf parser and some refactoring
2019-08-13 18:34:54 -04:00
80bd481abb
Only support SSL dynamic mode
2019-08-13 17:33:34 -04:00
2ed75b3362
Move listen logic to go
2019-08-13 14:52:25 -04:00
4d97240d88
Add timezone value into $geoip2_time_zone variable
2019-08-11 14:26:48 +02:00
f459515d0d
Add quote function in template
...
Co-authored-by: Charle Demers <charle.demers@gmail.com>
2019-08-09 15:47:29 -04:00
8c472190d1
Merge pull request #4086 from jeroen92/issue-4038
...
Resolve #4038 , move X-Forwarded-Port variable to the location context
2019-08-09 08:07:25 -07:00
4a9b02bc03
Remove dynamic TLS records
2019-08-08 15:52:56 -04:00
a2e667c082
lua shared dict from cm
...
lua shared dict teml test and update func sign
lua shared dict cm test
lua shared dict integration test
lua shared dict add cm parsing
lua shared dict change test header
2019-08-08 12:44:11 +03:00
7219130da4
Add nginx ssl_early_data option support
2019-08-07 16:04:09 -04:00
8dd912114e
Move X-Forwarded-Port variable to the location context
...
Resolves issue #4038 where the X-Forwarded-Port header would be set to the value of the https listening port if all of the following settings were satisfied:
- The ingress controller was started with a non-default HTTPS port set with the `--https-port` argument
- An ingress is created having:
- the `nginx.ingress.kubernetes.io/auth-url` annotation set
- TLS enabled
This commit solves this issue by moving the setting of the `pass_server_port` variable from the server, one level down to the location context.
2019-08-06 17:00:58 +02:00
386486e969
Allow Requests to be Mirrored to different backends
...
Add a feature which allows traffic to be mirrored to
additional backends. This is useful for testing how
requests will behave on different "test" backends.
See https://nginx.org/en/docs/http/ngx_http_mirror_module.html
2019-08-01 11:53:58 -05:00
72271e9313
FastCGI backend support ( #2982 )
...
Co-authored-by: Pierrick Charron <pierrick@adoy.net>
2019-07-31 10:39:21 -04:00
def13fc06c
Add proxy_ssl_* directives
...
Add support for backends which require client certificate (eg. NiFi)
authentication. The `proxy-ssl-secret` k8s annotation references a
secret which is used to authenticate to the backend server. All other
directives fine tune the backend communication.
The following annotations are supported:
* proxy-ssl-secret
* proxy-ssl-ciphers
* proxy-ssl-protocol
* proxy-ssl-verify
* proxy-ssl-verify-depth
2019-07-18 03:21:52 +02:00
589c9a20f9
Merge pull request #4278 from moolen/feat/auth-req-cache
...
feat: auth-req caching
2019-07-17 12:06:12 -07:00
23504db770
feat: auth-req caching
...
add a way to configure the `proxy_cache_*` [1] directive for external-auth.
The user-defined cache_key may contain sensitive information
(e.g. Authorization header).
We want to store *only* a hash of that key, not the key itself on disk.
[1] http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_key
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2019-07-17 18:39:04 +02:00
fe6c086580
Merge pull request #4288 from eshicks4/proxy-http-version-annotation
...
added proxy-http-version annotation to override the HTTP/1.1 default …
2019-07-11 11:43:07 -07:00
1e07cc6933
Disable access log in stream section for configuration socket
2019-07-10 13:42:13 -04:00
3b0c523e49
added proxy-http-version annotation to override the HTTP/1.1 default connection type to reverse proxy backends
2019-07-08 14:32:00 -04:00
7c297e001a
Merge pull request #4246 from ElvinEfendi/proxy-alternative-upstream-name
...
introduce proxy_alternative_upstream_name Nginx var
2019-07-04 19:20:35 -07:00
8b208cac93
introduce proxy_alternative_upstream_name Nginx var to differentiate canary requests
2019-07-04 19:43:20 -04:00
8807db9748
Check and complete intermediate SSL certificates
2019-07-04 19:13:21 -04:00
27df697dde
introduce ngx.var.balancer_ewma_score
2019-07-03 16:50:22 -04:00
591887089f
Add e2e test suite to detect memory leaks in lua
2019-06-27 22:05:52 -04:00
ddffa2a173
Enable arm again
2019-06-26 23:00:58 -04:00
5dfc7e211f
Merge pull request #4221 from aledbf/upgrade-nginx-image
...
Switch to openresty image
2019-06-24 09:45:57 -07:00
991f95f6bf
Migrate to openresty
2019-06-23 22:29:11 -04:00
d7b213d979
Do not set Host header when backend protocol is grpc
2019-06-18 23:44:10 -04:00
Manuel Alejandro de Brito Fontes
Zhongcheng Lao
Kubernetes Prow Robot
agile6v
mengqi.wmq
Bo0km4n
Jeff Hui
adiov
Andrey Voronkov
Elvin Efendi
Artem Miroshnychenko
Maxim Pogozhiy
Jorge Niedbalski
Laszlo Janosi
schaefec
Karl Stoney
Daniel Arifin
Boris Djurdjevic
MMeent
Will Thames
Rustam Zagirov
Sergei Turchanov
Dave Thompson
MRoci
A Gardner
Ricardo Katz
SilverFox
Gabor Lekeny
Maxime Ginters
Mathieu Naouache
Pierrick Charron
tals
Jeroen Schutrup
Fernando Diaz
Charle Demers
Moritz Johner
E. Stuart Hicks