This repository has been archived by the owner on Apr 8, 2022. It is now read-only.
nginx-auto.conf.template
# Auto-generated by start_esp
# Copyright 2017 Google Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Process-level settings for the nginx instance rendered from this template.
# Stay in the foreground instead of daemonizing.
daemon off;
# Worker processes run as the unprivileged nginx user and group.
user nginx nginx;
# The pid file path is substituted when the template is rendered.
pid ${pid_file};
# Worker/connection processing limits
worker_processes 1;
worker_rlimit_nofile 10240;
events { worker_connections 10240; }
# Logging to stderr enables better integration with Docker and GKE/Kubernetes.
error_log stderr warn;
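# HTTP context: request limits, upstream pools, the API-facing server and a
# separate status server.
http {
include /etc/nginx/mime.types;
# Do not advertise the nginx version in the Server header or on error pages.
server_tokens off;
# Request bodies above 32m are rejected; bodies above 128k are spooled to a
# temporary file instead of being held in memory.
client_max_body_size 32m;
client_body_buffer_size 128k;
# HTTP subrequests
# NOTE(review): presumably the DNS resolver and CA bundle for the Endpoints
# module's own outbound requests - confirm against the module documentation.
endpoints_resolver ${resolver};
endpoints_certificates /etc/nginx/trusted-ca-certificates.crt;
# One upstream pool per non-gRPC location; the loop index ties each pool to the
# proxy_pass in the matching location further down.
# NOTE(review): backend, host and path values are written into the config
# unescaped; this assumes they come from trusted start_esp arguments - confirm.
% for i, location in enumerate(ingress.locations):
% if location.proto != 'grpc':
upstream app_server${i} {
% for backend in location.backends:
server ${backend};
% endfor
# Cache up to 128 idle backend connections per worker.
keepalive 128;
}
% endif
% endfor
# Combined-style access log line extended with request time, upstream response
# time and the pipelining flag.
# NOTE(review): $request contains the full query string, so credentials passed
# as query parameters are written to the access log.
log_format timed_combined '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'$request_time $upstream_response_time $pipe';
# API-facing server: one listen line per configured port.
server {
server_name ${ingress.host};
% for port in ingress.ports:
% if port.proto == 'http':
listen ${port.port} backlog=16384;
% elif port.proto == 'http2':
listen ${port.port} http2 backlog=16384;
% elif port.proto == 'ssl':
# TLS listener. ssl_protocols and ssl_ciphers are not set in this template, so
# the defaults of the nginx build in use apply.
# NOTE(review): pin them if those defaults are not acceptable.
listen ${port.port} ssl http2 backlog=16384;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
% endif
% endfor
access_log ${access_log} timed_combined;
# Health-check shortcut keyed on the User-Agent header. The header is
# client-controlled: any request whose User-Agent contains this substring gets
# an empty 200 before any location is selected, so it never reaches the
# endpoints block or the backend. Do not read these 200s as backend health.
if ($http_user_agent ~ GoogleHC) {
return 200;
}
% if healthz:
# Optional exact-match health endpoint: always 200, not logged.
location = /${healthz} {
return 200;
access_log off;
}
% endif
% for i, location in enumerate(ingress.locations):
location ${location.path} {
# Begin Endpoints v2 Support
endpoints {
on;
server_config /etc/nginx/server_config.pb.txt;
api ${location.service_config};
# Either a configured service-account secret or the metadata server is used.
# NOTE(review): presumably the module's source of Google credentials - confirm.
% if service_account:
google_authentication_secret ${service_account};
% else:
metadata_server ${metadata};
% endif
}
# End Endpoints v2 Support
% if location.proto == 'grpc':
# WARNING: only first backend is used
grpc_pass ${location.backends[0]} override;
% else:
% if location.proto == 'http':
proxy_pass http://app_server${i};
% elif location.proto == 'https':
# NOTE(review): proxy_ssl_verify is not set and nginx leaves it off by default,
# so the backend certificate is not validated on this hop. The connection is
# encrypted but the backend is unauthenticated unless proxy_ssl_verify and
# proxy_ssl_trusted_certificate are added.
proxy_pass https://app_server${i};
% if tls_mutual_auth:
# Client certificate and key presented to the backend for mutual TLS.
proxy_ssl_certificate /etc/nginx/ssl/backend.crt;
proxy_ssl_certificate_key /etc/nginx/ssl/backend.key;
% endif
% endif
# Pass Location/Refresh headers from the backend through unmodified.
proxy_redirect off;
# Forwarded client information. $remote_addr is the directly connected peer,
# which is a load balancer or proxy address when one sits in front of this
# server. X-Forwarded-For keeps whatever the client sent and appends
# $remote_addr, so a backend should trust only the last entry. X-Forwarded-Host
# carries the configured server_name, not the request's Host header.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Google-Real-IP $remote_addr;
# Enable the upstream persistent connection
proxy_http_version 1.1;
proxy_set_header Connection "";
# 86400 seconds (24 hours) is the maximum a server is allowed.
# NOTE(review): with timeouts this long a stalled backend exchange can hold a
# connection slot for a day; worker_connections is the only cap visible here.
proxy_send_timeout 86400s;
proxy_read_timeout 86400s;
% endif
# Close the location inside the loop so that every rendered location block is
# balanced; with the brace after the loop, anything other than exactly one
# location produced unbalanced braces.
}
% endfor
# Extra configuration pulled into this server block from disk. Files in this
# directory become part of the live config, so it must be writable only by
# trusted deployment tooling.
include /var/lib/nginx/extra/*.conf;
}
server {
# expose /nginx_status and /endpoints_status but on a different port to
# avoid external visibility / conflicts with the app.
# NOTE(review): no allow/deny rules are present. If the listen value is a bare
# port, nginx binds every address, so isolation depends on that port not being
# published by the container or network configuration.
listen ${status};
location /nginx_status {
stub_status on;
access_log off;
}
location /endpoints_status {
endpoints_status;
access_log off;
}
location /healthz {
return 200;
access_log off;
}
# Any other path maps under /dev/null, where no file can exist.
location / {
root /dev/null;
}
}
}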