From 727eb2ce81b0fe771be226646ec7e96a8c849a1f Mon Sep 17 00:00:00 2001 From: Peter Sutherland Date: Sun, 15 Jan 2017 22:12:13 +0000 Subject: [PATCH 1/4] Many mostly small tweaks to the documentation --- controllers/nginx/configuration.md | 157 +++++++++++++++-------------- 1 file changed, 79 insertions(+), 78 deletions(-) diff --git a/controllers/nginx/configuration.md b/controllers/nginx/configuration.md index 9d4bd03ea9..b452eca3a9 100644 --- a/controllers/nginx/configuration.md +++ b/controllers/nginx/configuration.md @@ -9,7 +9,7 @@ * [Rate limiting](#rate-limiting) * [Secure backends](#secure-backends) * [Whitelist source range](#whitelist-source-range) -* [Allowed parameters in configuration config map](#allowed-parameters-in-configuration-configmap) +* [Allowed parameters in configuration config map](#allowed-parameters-in-configuration-config-map) * [Default configuration options](#default-configuration-options) * [Websockets](#websockets) * [Optimizing TLS Time To First Byte (TTTFB)](#optimizing-tls-time-to-first-byte-tttfb) @@ -18,18 +18,18 @@ ### Customizing nginx -there are 3 ways to customize nginx +There are 3 ways to customize nginx: -1. config map: create a stand alone config map, use this if you want a different global configuration -2. annotations: [annotate the ingress](#annotations), use this if you want a specific configuration for the site defined in the Ingress rule +1. [config map](#allowed-parameters-in-configuration-config-map): create a stand alone config map, use this if you want a different global configuration +2. [annotations](#annotations): use this if you want a specific configuration for the site defined in the Ingress rule 3. custom template: when more specific settings are required, like [open_file_cache](http://nginx.org/en/docs/http/ngx_http_core_module.html#open_file_cache), custom [log_format](http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format), adjust [listen](http://nginx.org/en/docs/http/ngx_http_core_module.html#listen) options as `rcvbuf` or when is not possible to change an through the config map #### Custom NGINX configuration -It's possible to customize the defaults in NGINX using a config map. +It is possible to customize the defaults in NGINX using a config map. -Please check the [custom configuration](examples/custom-configuration/README.md) example +Please check the [custom configuration](examples/custom-configuration/README.md) example. #### Annotations @@ -56,12 +56,13 @@ The following annotations are supported: #### Custom NGINX template The NGINX template is located in the file `/etc/nginx/template/nginx.tmpl`. Mounting a volume is possible to use a custom version. -Use the [custom-template](examples/custom-template/README.md) example as a guide +Use the [custom-template](examples/custom-template/README.md) example as a guide. -**Please note the template is tied to the go code. Be sure to no change names in the variable `$cfg`** +**Please note the template is tied to the Go code. Do not change names in the variable `$cfg`.** + +To know more about the template syntax please check the [Go template package](https://golang.org/pkg/text/template/). +In addition to the built-in functions provided by the Go package the following functions are also available: -To know more about the template please check the [Go template package](https://golang.org/pkg/text/template/) -Additionally to the built-in functions provided by the go package this were added: - empty: returns true if the specified parameter (string) is empty - contains: [strings.Contains](https://golang.org/pkg/strings/#Contains) - hasPrefix: [strings.HasPrefix](https://golang.org/pkg/strings/#Contains) @@ -76,22 +77,20 @@ Additionally to the built-in functions provided by the go package this were adde ### Custom NGINX upstream checks -NGINX exposes some flags in the [upstream configuration](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream) that enables the configuration of each server in the upstream. The ingress controller allows custom `max_fails` and `fail_timeout` parameters in a global context using `upstream-max-fails` or `upstream-fail-timeout` in the NGINX config map or in a particular Ingress rule. It defaults to 0. This means NGINX will respect the `readinessProbe`, if is defined. If there is no probe, NGINX will not mark a server inside an upstream down. - -**With the default values NGINX will not health check your backends, and whenever the endpoints controller notices a readiness probe failure that pod's ip will be removed from the list of endpoints, causing nginx to also remove it from the upstreams.** +NGINX exposes some flags in the [upstream configuration](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream) that enable the configuration of each server in the upstream. The Ingress controller allows custom `max_fails` and `fail_timeout` parameters in a global context using `upstream-max-fails` and `upstream-fail-timeout` in the NGINX config map or in a particular Ingress rule. `upstream-max-fails` defaults to 0. This means NGINX will respect the container's `readinessProbe` if it is defined. If there is no probe and no values for `upstream-max-fails` NGINX will continue to send traffic to the container. -To use custom values in an Ingress rule define this annotations: +**With the default values NGINX will not health check your backends, and whenever the endpoints controller notices a readiness probe failure that pod's IP will be removed from the list of endpoints, causing nginx to also remove it from the upstreams.** -`ingress.kubernetes.io/upstream-max-fails`: number of unsuccessful attempts to communicate with the server that should happen in the duration set by the fail_timeout parameter to consider the server unavailable +To use custom values in an Ingress rule define these annotations: -`ingress.kubernetes.io/upstream-fail-timeout`: time in seconds during which the specified number of unsuccessful attempts to communicate with the server should happen to consider the server unavailable. Also the period of time the server will be considered unavailable. +`ingress.kubernetes.io/upstream-max-fails`: number of unsuccessful attempts to communicate with the server that should occur in the duration set by the `upstream-fail-timeout` parameter to consider the server unavailable. -**Important:** -The upstreams are shared. i.e. Ingress rule using the same service will use the same upstream. -This means only one of the rules should define annotations to configure the upstream servers +`ingress.kubernetes.io/upstream-fail-timeout`: time in seconds during which the specified number of unsuccessful attempts to communicate with the server should occur to consider the server unavailable. This is also the period of time the server will be considered unavailable. +**Important:** +The upstreams are shared. All Ingress rules using the same service will use the same upstream. This means only one of the rules should define annotations to configure the upstream servers. -Please check the [custom upstream check](examples/custom-upstream-check/README.md) example +Please check the [custom upstream check](examples/custom-upstream-check/README.md) example. ### Authentication @@ -110,26 +109,26 @@ Indicates the [HTTP Authentication Type: Basic or Digest Access Authentication]( ingress.kubernetes.io/auth-secret:secretName ``` -Name of the secret that contains the usernames and passwords with access to the `path/s` defined in the Ingress Rule. -The secret must be created in the same namespace than the Ingress rule +The name of the secret that contains the usernames and passwords with access to the `path`'s defined in the Ingress Rule. +The secret must be created in the same namespace than the Ingress rule. ``` ingress.kubernetes.io/auth-realm:"realm string" ``` -Please check the [auth](examples/auth/README.md) example +Please check the [auth](examples/auth/README.md) example. ### External Authentication To use an existing service that provides authentication the Ingress rule can be annotated with `ingress.kubernetes.io/auth-url` to indicate the URL where the HTTP request should be sent. -Additionally is possible to set `ingress.kubernetes.io/auth-method` to specify the HTTP method to use (GET or POST) and `ingress.kubernetes.io/auth-send-body` to true or false (default). +Additionally it is possible to set `ingress.kubernetes.io/auth-method` to specify the HTTP method to use (GET or POST) and `ingress.kubernetes.io/auth-send-body` to true or false (default). ``` ingress.kubernetes.io/auth-url:"URL to the authentication service" ``` -Please check the [external-auth](examples/external-auth/README.md) example +Please check the [external-auth](examples/external-auth/README.md) example. ### Rewrite @@ -137,22 +136,20 @@ Please check the [external-auth](examples/external-auth/README.md) example In some scenarios the exposed URL in the backend service differs from the specified path in the Ingress rule. Without a rewrite any request will return 404. Set the annotation `ingress.kubernetes.io/rewrite-target` to the path expected by the service. -If the application contains relative links is possible to add an additional annotation `ingress.kubernetes.io/add-base-url` that will append a `base` tag in the header of the returned HTML from the backend. - +If the application contains relative links it is possible to add an additional annotation `ingress.kubernetes.io/add-base-url` that will prepend a [`base` tag](https://developer.mozilla.org/en/docs/Web/HTML/Element/base) in the header of the returned HTML from the backend. -Please check the [rewrite](examples/rewrite/README.md) example +Please check the [rewrite](examples/rewrite/README.md) example. ### Rate limiting -The annotations `ingress.kubernetes.io/limit-connections` and `ingress.kubernetes.io/limit-rps` allows the creation of a limit in the connections that can be opened by a single client IP address. This can be use to mitigate [DDoS Attacks](https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus) +The annotations `ingress.kubernetes.io/limit-connections` and `ingress.kubernetes.io/limit-rps` allows the creation of a limit in the connections that can be opened by a single client IP address. This can be used to mitigate [DDoS Attacks](https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus). -`ingress.kubernetes.io/limit-connections`: number of concurrent allowed connections from a single IP address +`ingress.kubernetes.io/limit-connections`: number of concurrent allowed connections from a single IP address. -`ingress.kubernetes.io/limit-rps`: number of allowed connections per second from a single IP address +`ingress.kubernetes.io/limit-rps`: number of allowed connections per second from a single IP address. - -Is possible to specify both annotation in the same Ingress rule. If you specify both annotations in a single Ingress rule, limit-rps takes precedence +If you specify both annotations in a single Ingress rule, limit-rps takes precedence. ### Secure upstreams @@ -162,37 +159,38 @@ By default NGINX uses `http` to reach the services. Adding the annotation `ingre ### Whitelist source range -You can specify the allowed client ip source ranges through the `ingress.kubernetes.io/whitelist-source-range` annotation, eg; `10.0.0.0/24,172.10.0.1` -For a global restriction (any URL) is possible to use `whitelist-source-range` in the NGINX config map - -*Note:* adding an annotation overrides any global restriction +You can specify the allowed client ip source ranges through the `ingress.kubernetes.io/whitelist-source-range` annotation, eg `10.0.0.0/24,172.10.0.1`. +For a global restriction (any URL) is possible to use `whitelist-source-range` in the NGINX config map. -Please check the [whitelist](examples/whitelist/README.md) example +*Note:* adding an annotation overrides any global restriction. +Please check the [whitelist](examples/whitelist/README.md) example. ### **Allowed parameters in configuration config map:** -**body-size:** Sets the maximum allowed size of the client request body. See NGINX [client_max_body_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size) +**body-size:** Sets the maximum allowed size of the client request body. See NGINX [client_max_body_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size). + +**custom-http-errors:** Enables which HTTP codes should be passed for processing with the [error_page directive](http://nginx.org/en/docs/http/ngx_http_core_module.html#error_page). +Setting at least one code also enables [proxy_intercept_errors](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_intercept_errors) which are required to process error_page. -**custom-http-errors:** Enables which HTTP codes should be passed for processing with the [error_page directive](http://nginx.org/en/docs/http/ngx_http_core_module.html#error_page) -Setting at least one code this also enables [proxy_intercept_errors](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_intercept_errors) (required to process error_page) -For instance setting `custom-http-errors: 404,415` +Example usage: `custom-http-errors: 404,415` -**enable-sticky-sessions:** Enables sticky sessions using cookies. This is provided by [nginx-sticky-module-ng](https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng) module +**enable-sticky-sessions:** Enables sticky sessions using cookies. This is provided by [nginx-sticky-module-ng](https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng) module. -**enable-vts-status:** Allows the replacement of the default status page with a third party module named [nginx-module-vts](https://github.com/vozlt/nginx-module-vts) +**enable-vts-status:** Allows the replacement of the default status page with a third party module named [nginx-module-vts](https://github.com/vozlt/nginx-module-vts). -**error-log-level:** Configures the logging level of errors. Log levels above are listed in the order of increasing severity +**error-log-level:** Configures the logging level of errors. Log levels above are listed in the order of increasing severity. http://nginx.org/en/docs/ngx_core_module.html#error_log -**retry-non-idempotent:** Since 1.9.13 NGINX will not retry non-idempotent requests (POST, LOCK, PATCH) in case of an error in the upstream server. -The previous behavior can be restored using the value "true" +**retry-non-idempotent:** Since 1.9.13 NGINX will not retry non-idempotent requests (POST, LOCK, PATCH) in case of an error in the upstream server. + +The previous behavior can be restored using the value "true". **hsts:** Enables or disables the header HSTS in servers running SSL. @@ -201,24 +199,24 @@ https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_secu https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-strict-transport-security-implementation-on-your-web-server -**hsts-include-subdomains:** Enables or disables the use of HSTS in all the subdomains of the servername +**hsts-include-subdomains:** Enables or disables the use of HSTS in all the subdomains of the servername. **hsts-max-age:** Sets the time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS. **keep-alive:** Sets the time during which a keep-alive client connection will stay open on the server side. -The zero value disables keep-alive client connections +The zero value disables keep-alive client connections. http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout -**max-worker-connections:** Sets the maximum number of simultaneous connections that can be opened by each [worker process](http://nginx.org/en/docs/ngx_core_module.html#worker_connections) +**max-worker-connections:** Sets the maximum number of simultaneous connections that can be opened by each [worker process](http://nginx.org/en/docs/ngx_core_module.html#worker_connections). **proxy-connect-timeout:** Sets the timeout for [establishing a connection with a proxied server](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_connect_timeout). It should be noted that this timeout cannot usually exceed 75 seconds. -**proxy-read-timeout:** Sets the timeout in seconds for [reading a response from the proxied server](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout). The timeout is set only between two successive read operations, not for the transmission of the whole response +**proxy-read-timeout:** Sets the timeout in seconds for [reading a response from the proxied server](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout). The timeout is set only between two successive read operations, not for the transmission of the whole response. **proxy-send-timeout:** Sets the timeout in seconds for [transmitting a request to the proxied server](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_send_timeout). The timeout is set only between two successive write operations, not for the transmission of the whole request. @@ -231,38 +229,40 @@ http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout http://nginx.org/en/docs/hash.html -**server-name-hash-bucket-size:** Sets the size of the bucker for the server names hash tables +**server-name-hash-bucket-size:** Sets the size of the bucket for the server names hash tables. http://nginx.org/en/docs/hash.html http://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_bucket_size + **ssl-buffer-size:** Sets the size of the [SSL buffer](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size) used for sending data. -4k helps NGINX to improve TLS Time To First Byte (TTTFB) +The default of 4k helps NGINX to improve TLS Time To First Byte (TTTFB). https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/ -**ssl-ciphers:** Sets the [ciphers](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers) list to enable. The ciphers are specified in the format understood by the OpenSSL library -The default cipher list is: `ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA` +**ssl-ciphers:** Sets the [ciphers](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers) list to enable. The ciphers are specified in the format understood by the OpenSSL library. + +The default cipher list is: + `ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA`. -The ordering of a ciphersuite is very important because it decides which algorithms are going to be selected in priority. -The recommendation above prioritizes algorithms that provide perfect [forward secrecy](https://wiki.mozilla.org/Security/Server_Side_TLS#Forward_Secrecy) +The ordering of a ciphersuite is very important because it decides which algorithms are going to be selected in priority. +The recommendation above prioritizes algorithms that provide perfect [forward secrecy](https://wiki.mozilla.org/Security/Server_Side_TLS#Forward_Secrecy). -Please check the [Mozilla SSL Configuration Generator](https://mozilla.github.io/server-side-tls/ssl-config-generator/) +Please check the [Mozilla SSL Configuration Generator](https://mozilla.github.io/server-side-tls/ssl-config-generator/). **ssl-protocols:** Sets the [SSL protocols](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols) to use. -The default is: `TLSv1 TLSv1.1 TLSv1.2` +The default is: `TLSv1 TLSv1.1 TLSv1.2`. TLSv1 is enabled to allow old clients like: - [IE 8-10 / Win 7](https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=8-10&platform=Win%207&key=113) - [Java 7u25](https://www.ssllabs.com/ssltest/viewClient.html?name=Java&version=7u25&key=26) -If you dont need to support this clients please remove TLSv1 +If you dont need to support this clients please remove TLSv1. +Please check the result of the configuration using `https://ssllabs.com/ssltest/analyze.html` or `https://testssl.sh`. -Please check the result of the configuration using `https://ssllabs.com/ssltest/analyze.html` or `https://testssl.sh` - -**ssl-dh-param:** sets the Base64 string that contains Diffie-Hellman key to help with "Perfect Forward Secrecy" +**ssl-dh-param:** sets the Base64 string that contains Diffie-Hellman key to help with "Perfect Forward Secrecy." https://www.openssl.org/docs/manmaster/apps/dhparam.html https://wiki.mozilla.org/Security/Server_Side_TLS#DHE_handshake_and_dhparam http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam @@ -274,36 +274,37 @@ http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam **ssl-session-cache-size:** Sets the size of the [SSL shared session cache](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache) between all worker processes. -**ssl-session-tickets:** Enables or disables session resumption through [TLS session tickets](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets) +**ssl-session-tickets:** Enables or disables session resumption through [TLS session tickets](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets). **ssl-session-timeout:** Sets the time during which a client may [reuse the session](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout) parameters stored in a cache. **ssl-redirect:** Sets the global value of redirects (301) to HTTPS if the server has a TLS certificate (defined in an Ingress rule) -Default is true +Default is "true". -**upstream-max-fails:** Sets the number of unsuccessful attempts to communicate with the [server](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream) that should happen in the duration set by the fail_timeout parameter to consider the server unavailable +**upstream-max-fails:** Sets the number of unsuccessful attempts to communicate with the [server](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream) that should happen in the duration set by the fail_timeout parameter to consider the server unavailable. -**upstream-fail-timeout:** Sets the time during which the specified number of unsuccessful attempts to communicate with the [server](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream) should happen to consider the server unavailable +**upstream-fail-timeout:** Sets the time during which the specified number of unsuccessful attempts to communicate with the [server](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream) should happen to consider the server unavailable. **use-proxy-protocol:** Enables or disables the use of the [PROXY protocol](https://www.nginx.com/resources/admin-guide/proxy-protocol/) to receive client connection (real IP address) information passed through proxy servers and load balancers such as HAproxy and Amazon Elastic Load Balancer (ELB). **use-gzip:** Enables or disables the use of the nginx module that compresses responses using the ["gzip" module](http://nginx.org/en/docs/http/ngx_http_gzip_module.html) -The default mime type list to compress is: `application/atom+xml application/javascript aplication/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component` +The default mime type list to compress is: `application/atom+xml application/javascript aplication/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component`. + -**use-http2:** Enables or disables the [HTTP/2](http://nginx.org/en/docs/http/ngx_http_v2_module.html) support in secure connections +**use-http2:** Enables or disables the [HTTP/2](http://nginx.org/en/docs/http/ngx_http_v2_module.html) support in secure connections. -**gzip-types:** Sets the MIME types in addition to "text/html" to compress. The special value "*"" matches any MIME type. -Responses with the "text/html" type are always compressed if `use-gzip` is enabled +**gzip-types:** Sets the MIME types in addition to "text/html" to compress. The special value "\*" matches any MIME type. +Responses with the "text/html" type are always compressed if `use-gzip` is enabled. -**worker-processes:** Sets the number of [worker processes](http://nginx.org/en/docs/ngx_core_module.html#worker_processes). By default "auto" means number of available CPU cores +**worker-processes:** Sets the number of [worker processes](http://nginx.org/en/docs/ngx_core_module.html#worker_processes). By default "auto" means number of available CPU cores. ### Default configuration options @@ -340,22 +341,22 @@ The next table shows the options, the default value and a description |use-gzip|"true"| |use-http2|"true"| |vts-status-zone-size|10m| -|worker-processes|| +|worker-processes|number of CPUs| ### Websockets Support for websockets is provided by NGINX OOTB. No special configuration required. -The only requirement to avoid the close of connections is the increase of the values of `proxy-read-timeout` and `proxy-send-timeout`. The default value of this settings is `30 seconds`. -A more adequate value to support websockets is a value higher than one hour (`3600`) +The only requirement to avoid the close of connections is the increase of the values of `proxy-read-timeout` and `proxy-send-timeout`. The default value of this settings is `30 seconds`. +A more adequate value to support websockets is a value higher than one hour (`3600`). #### Optimizing TLS Time To First Byte (TTTFB) -NGINX provides the configuration option [ssl_buffer_size](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size) to allow the optimization of the TLS record size. This improves the [Time To First Byte](https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/) (TTTFB). The default value in the Ingress controller is `4k` (nginx default is `16k`); +NGINX provides the configuration option [ssl_buffer_size](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size) to allow the optimization of the TLS record size. This improves the [Time To First Byte](https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/) (TTTFB). The default value in the Ingress controller is `4k` (nginx default is `16k`). -#### Retries in no idempotent methods +#### Retries in non idempotent methods Since 1.9.13 NGINX will not retry non-idempotent requests (POST, LOCK, PATCH) in case of an error. -The previous behavior can be restored using `retry-non-idempotent=true` in the configuration config map +The previous behavior can be restored using `retry-non-idempotent=true` in the configuration config map. From b81a49cdfdc335a5f2d77534b95c622efa103ac5 Mon Sep 17 00:00:00 2001 From: Peter Sutherland Date: Sun, 15 Jan 2017 22:42:49 +0000 Subject: [PATCH 2/4] Sort config map params alphabetically --- controllers/nginx/configuration.md | 40 +++++++++++++++--------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/controllers/nginx/configuration.md b/controllers/nginx/configuration.md index b452eca3a9..f134c2930e 100644 --- a/controllers/nginx/configuration.md +++ b/controllers/nginx/configuration.md @@ -188,9 +188,8 @@ Example usage: `custom-http-errors: 404,415` http://nginx.org/en/docs/ngx_core_module.html#error_log -**retry-non-idempotent:** Since 1.9.13 NGINX will not retry non-idempotent requests (POST, LOCK, PATCH) in case of an error in the upstream server. - -The previous behavior can be restored using the value "true". +**gzip-types:** Sets the MIME types in addition to "text/html" to compress. The special value "\*" matches any MIME type. +Responses with the "text/html" type are always compressed if `use-gzip` is enabled. **hsts:** Enables or disables the header HSTS in servers running SSL. @@ -213,6 +212,9 @@ http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout **max-worker-connections:** Sets the maximum number of simultaneous connections that can be opened by each [worker process](http://nginx.org/en/docs/ngx_core_module.html#worker_connections). +**proxy-buffer-size:** Sets the size of the buffer used for [reading the first part of the response](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size) received from the proxied server. This part usually contains a small response header.` + + **proxy-connect-timeout:** Sets the timeout for [establishing a connection with a proxied server](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_connect_timeout). It should be noted that this timeout cannot usually exceed 75 seconds. @@ -222,11 +224,9 @@ http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout **proxy-send-timeout:** Sets the timeout in seconds for [transmitting a request to the proxied server](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_send_timeout). The timeout is set only between two successive write operations, not for the transmission of the whole request. -**proxy-buffer-size:** Sets the size of the buffer used for [reading the first part of the response](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size) received from the proxied server. This part usually contains a small response header.` - +**retry-non-idempotent:** Since 1.9.13 NGINX will not retry non-idempotent requests (POST, LOCK, PATCH) in case of an error in the upstream server. -**server-name-hash-max-size:** Sets the maximum size of the [server names hash tables](http://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_max_size) used in server names, map directive’s values, MIME types, names of request header strings, etc. -http://nginx.org/en/docs/hash.html +The previous behavior can be restored using the value "true". **server-name-hash-bucket-size:** Sets the size of the bucket for the server names hash tables. @@ -234,6 +234,10 @@ http://nginx.org/en/docs/hash.html http://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_bucket_size +**server-name-hash-max-size:** Sets the maximum size of the [server names hash tables](http://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_max_size) used in server names, map directive’s values, MIME types, names of request header strings, etc. +http://nginx.org/en/docs/hash.html + + **ssl-buffer-size:** Sets the size of the [SSL buffer](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size) used for sending data. The default of 4k helps NGINX to improve TLS Time To First Byte (TTTFB). https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/ @@ -250,6 +254,12 @@ The recommendation above prioritizes algorithms that provide perfect [forward se Please check the [Mozilla SSL Configuration Generator](https://mozilla.github.io/server-side-tls/ssl-config-generator/). +**ssl-dh-param:** sets the Base64 string that contains Diffie-Hellman key to help with "Perfect Forward Secrecy." +https://www.openssl.org/docs/manmaster/apps/dhparam.html +https://wiki.mozilla.org/Security/Server_Side_TLS#DHE_handshake_and_dhparam +http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam + + **ssl-protocols:** Sets the [SSL protocols](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols) to use. The default is: `TLSv1 TLSv1.1 TLSv1.2`. @@ -262,10 +272,8 @@ If you dont need to support this clients please remove TLSv1. Please check the result of the configuration using `https://ssllabs.com/ssltest/analyze.html` or `https://testssl.sh`. -**ssl-dh-param:** sets the Base64 string that contains Diffie-Hellman key to help with "Perfect Forward Secrecy." -https://www.openssl.org/docs/manmaster/apps/dhparam.html -https://wiki.mozilla.org/Security/Server_Side_TLS#DHE_handshake_and_dhparam -http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam +**ssl-redirect:** Sets the global value of redirects (301) to HTTPS if the server has a TLS certificate (defined in an Ingress rule) +Default is "true". **ssl-session-cache:** Enables or disables the use of shared [SSL cache](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache) among worker processes. @@ -280,19 +288,12 @@ http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam **ssl-session-timeout:** Sets the time during which a client may [reuse the session](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout) parameters stored in a cache. -**ssl-redirect:** Sets the global value of redirects (301) to HTTPS if the server has a TLS certificate (defined in an Ingress rule) -Default is "true". - - **upstream-max-fails:** Sets the number of unsuccessful attempts to communicate with the [server](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream) that should happen in the duration set by the fail_timeout parameter to consider the server unavailable. **upstream-fail-timeout:** Sets the time during which the specified number of unsuccessful attempts to communicate with the [server](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream) should happen to consider the server unavailable. -**use-proxy-protocol:** Enables or disables the use of the [PROXY protocol](https://www.nginx.com/resources/admin-guide/proxy-protocol/) to receive client connection (real IP address) information passed through proxy servers and load balancers such as HAproxy and Amazon Elastic Load Balancer (ELB). - - **use-gzip:** Enables or disables the use of the nginx module that compresses responses using the ["gzip" module](http://nginx.org/en/docs/http/ngx_http_gzip_module.html) The default mime type list to compress is: `application/atom+xml application/javascript aplication/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component`. @@ -300,8 +301,7 @@ The default mime type list to compress is: `application/atom+xml application/jav **use-http2:** Enables or disables the [HTTP/2](http://nginx.org/en/docs/http/ngx_http_v2_module.html) support in secure connections. -**gzip-types:** Sets the MIME types in addition to "text/html" to compress. The special value "\*" matches any MIME type. -Responses with the "text/html" type are always compressed if `use-gzip` is enabled. +**use-proxy-protocol:** Enables or disables the use of the [PROXY protocol](https://www.nginx.com/resources/admin-guide/proxy-protocol/) to receive client connection (real IP address) information passed through proxy servers and load balancers such as HAproxy and Amazon Elastic Load Balancer (ELB). **worker-processes:** Sets the number of [worker processes](http://nginx.org/en/docs/ngx_core_module.html#worker_processes). By default "auto" means number of available CPU cores. From 9e94863db25ab927d393f7118a3007c44217ca41 Mon Sep 17 00:00:00 2001 From: Peter Sutherland Date: Tue, 17 Jan 2017 14:47:54 +0000 Subject: [PATCH 3/4] Incorporate feedback --- controllers/nginx/configuration.md | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/controllers/nginx/configuration.md b/controllers/nginx/configuration.md index f134c2930e..98c68981b9 100644 --- a/controllers/nginx/configuration.md +++ b/controllers/nginx/configuration.md @@ -13,12 +13,12 @@ * [Default configuration options](#default-configuration-options) * [Websockets](#websockets) * [Optimizing TLS Time To First Byte (TTTFB)](#optimizing-tls-time-to-first-byte-tttfb) -* [Retries in no idempotent methods](#retries-in-no-idempotent-methods) +* [Retries in non-idempotent methods](#retries-in-non-idempotent-methods) -### Customizing nginx +### Customizing NGINX -There are 3 ways to customize nginx: +There are 3 ways to customize NGINX: 1. [config map](#allowed-parameters-in-configuration-config-map): create a stand alone config map, use this if you want a different global configuration 2. [annotations](#annotations): use this if you want a specific configuration for the site defined in the Ingress rule @@ -60,7 +60,7 @@ Use the [custom-template](examples/custom-template/README.md) example as a guide **Please note the template is tied to the Go code. Do not change names in the variable `$cfg`.** -To know more about the template syntax please check the [Go template package](https://golang.org/pkg/text/template/). +For more information about the template syntax please check the [Go template package](https://golang.org/pkg/text/template/). In addition to the built-in functions provided by the Go package the following functions are also available: - empty: returns true if the specified parameter (string) is empty @@ -79,7 +79,7 @@ In addition to the built-in functions provided by the Go package the following f NGINX exposes some flags in the [upstream configuration](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream) that enable the configuration of each server in the upstream. The Ingress controller allows custom `max_fails` and `fail_timeout` parameters in a global context using `upstream-max-fails` and `upstream-fail-timeout` in the NGINX config map or in a particular Ingress rule. `upstream-max-fails` defaults to 0. This means NGINX will respect the container's `readinessProbe` if it is defined. If there is no probe and no values for `upstream-max-fails` NGINX will continue to send traffic to the container. -**With the default values NGINX will not health check your backends, and whenever the endpoints controller notices a readiness probe failure that pod's IP will be removed from the list of endpoints, causing nginx to also remove it from the upstreams.** +**With the default configuration NGINX will not health check your backends. Whenever the endpoints controller notices a readiness probe failure, that pod's IP will be removed from the list of endpoints. This will trigger the NGINX controller to also remove it from the upstreams.** To use custom values in an Ingress rule define these annotations: @@ -87,8 +87,9 @@ To use custom values in an Ingress rule define these annotations: `ingress.kubernetes.io/upstream-fail-timeout`: time in seconds during which the specified number of unsuccessful attempts to communicate with the server should occur to consider the server unavailable. This is also the period of time the server will be considered unavailable. -**Important:** -The upstreams are shared. All Ingress rules using the same service will use the same upstream. This means only one of the rules should define annotations to configure the upstream servers. +In NGINX, backend server pools are called "[upstreams](http://nginx.org/en/docs/http/ngx_http_upstream_module.html)". Each upstream contains the endpoints for a service. An upstream is created for each service that has Ingress rules defined. + +**Important:** All Ingress rules using the same service will use the same upstream. Only one of the Ingress rules should define annotations to configure the upstream servers. Please check the [custom upstream check](examples/custom-upstream-check/README.md) example. @@ -110,7 +111,7 @@ ingress.kubernetes.io/auth-secret:secretName ``` The name of the secret that contains the usernames and passwords with access to the `path`'s defined in the Ingress Rule. -The secret must be created in the same namespace than the Ingress rule. +The secret must be created in the same namespace as the Ingress rule. ``` ingress.kubernetes.io/auth-realm:"realm string" @@ -143,7 +144,7 @@ Please check the [rewrite](examples/rewrite/README.md) example. ### Rate limiting -The annotations `ingress.kubernetes.io/limit-connections` and `ingress.kubernetes.io/limit-rps` allows the creation of a limit in the connections that can be opened by a single client IP address. This can be used to mitigate [DDoS Attacks](https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus). +The annotations `ingress.kubernetes.io/limit-connections` and `ingress.kubernetes.io/limit-rps` define a limit on the connections that can be opened by a single client IP address. This can be used to mitigate [DDoS Attacks](https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus). `ingress.kubernetes.io/limit-connections`: number of concurrent allowed connections from a single IP address. @@ -162,7 +163,7 @@ By default NGINX uses `http` to reach the services. Adding the annotation `ingre You can specify the allowed client ip source ranges through the `ingress.kubernetes.io/whitelist-source-range` annotation, eg `10.0.0.0/24,172.10.0.1`. For a global restriction (any URL) is possible to use `whitelist-source-range` in the NGINX config map. -*Note:* adding an annotation overrides any global restriction. +*Note:* Adding an annotation overrides any global restriction. Please check the [whitelist](examples/whitelist/README.md) example. @@ -352,11 +353,12 @@ The only requirement to avoid the close of connections is the increase of the va A more adequate value to support websockets is a value higher than one hour (`3600`). -#### Optimizing TLS Time To First Byte (TTTFB) +### Optimizing TLS Time To First Byte (TTTFB) + +NGINX provides the configuration option [ssl_buffer_size](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size) to allow the optimization of the TLS record size. This improves the [Time To First Byte](https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/) (TTTFB). The default value in the Ingress controller is `4k` (NGINX default is `16k`). -NGINX provides the configuration option [ssl_buffer_size](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size) to allow the optimization of the TLS record size. This improves the [Time To First Byte](https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/) (TTTFB). The default value in the Ingress controller is `4k` (nginx default is `16k`). -#### Retries in non idempotent methods +### Retries in non-idempotent methods Since 1.9.13 NGINX will not retry non-idempotent requests (POST, LOCK, PATCH) in case of an error. The previous behavior can be restored using `retry-non-idempotent=true` in the configuration config map. From 292375e8b4e0d7d0d76d5048e95f22142a045756 Mon Sep 17 00:00:00 2001 From: Peter Sutherland Date: Wed, 18 Jan 2017 18:22:08 +0000 Subject: [PATCH 4/4] Incorporate more feedback --- controllers/nginx/configuration.md | 55 +++++++++++++++--------------- 1 file changed, 28 insertions(+), 27 deletions(-) diff --git a/controllers/nginx/configuration.md b/controllers/nginx/configuration.md index 98c68981b9..6ef806401e 100644 --- a/controllers/nginx/configuration.md +++ b/controllers/nginx/configuration.md @@ -9,7 +9,7 @@ * [Rate limiting](#rate-limiting) * [Secure backends](#secure-backends) * [Whitelist source range](#whitelist-source-range) -* [Allowed parameters in configuration config map](#allowed-parameters-in-configuration-config-map) +* [Allowed parameters in configuration ConfigMap](#allowed-parameters-in-configuration-configmap) * [Default configuration options](#default-configuration-options) * [Websockets](#websockets) * [Optimizing TLS Time To First Byte (TTTFB)](#optimizing-tls-time-to-first-byte-tttfb) @@ -20,14 +20,14 @@ There are 3 ways to customize NGINX: -1. [config map](#allowed-parameters-in-configuration-config-map): create a stand alone config map, use this if you want a different global configuration +1. [ConfigMap](#allowed-parameters-in-configuration-configmap): create a stand alone ConfigMap, use this if you want a different global configuration 2. [annotations](#annotations): use this if you want a specific configuration for the site defined in the Ingress rule -3. custom template: when more specific settings are required, like [open_file_cache](http://nginx.org/en/docs/http/ngx_http_core_module.html#open_file_cache), custom [log_format](http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format), adjust [listen](http://nginx.org/en/docs/http/ngx_http_core_module.html#listen) options as `rcvbuf` or when is not possible to change an through the config map +3. custom template: when more specific settings are required, like [open_file_cache](http://nginx.org/en/docs/http/ngx_http_core_module.html#open_file_cache), custom [log_format](http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format), adjust [listen](http://nginx.org/en/docs/http/ngx_http_core_module.html#listen) options as `rcvbuf` or when is not possible to change an through the ConfigMap. #### Custom NGINX configuration -It is possible to customize the defaults in NGINX using a config map. +It is possible to customize the defaults in NGINX using a ConfigMap. Please check the [custom configuration](examples/custom-configuration/README.md) example. @@ -77,7 +77,7 @@ In addition to the built-in functions provided by the Go package the following f ### Custom NGINX upstream checks -NGINX exposes some flags in the [upstream configuration](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream) that enable the configuration of each server in the upstream. The Ingress controller allows custom `max_fails` and `fail_timeout` parameters in a global context using `upstream-max-fails` and `upstream-fail-timeout` in the NGINX config map or in a particular Ingress rule. `upstream-max-fails` defaults to 0. This means NGINX will respect the container's `readinessProbe` if it is defined. If there is no probe and no values for `upstream-max-fails` NGINX will continue to send traffic to the container. +NGINX exposes some flags in the [upstream configuration](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream) that enable the configuration of each server in the upstream. The Ingress controller allows custom `max_fails` and `fail_timeout` parameters in a global context using `upstream-max-fails` and `upstream-fail-timeout` in the NGINX ConfigMap or in a particular Ingress rule. `upstream-max-fails` defaults to 0. This means NGINX will respect the container's `readinessProbe` if it is defined. If there is no probe and no values for `upstream-max-fails` NGINX will continue to send traffic to the container. **With the default configuration NGINX will not health check your backends. Whenever the endpoints controller notices a readiness probe failure, that pod's IP will be removed from the list of endpoints. This will trigger the NGINX controller to also remove it from the upstreams.** @@ -101,20 +101,20 @@ Is possible to add authentication adding additional annotations in the Ingress r The annotations are: ``` -ingress.kubernetes.io/auth-type:[basic|digest] +ingress.kubernetes.io/auth-type: [basic|digest] ``` Indicates the [HTTP Authentication Type: Basic or Digest Access Authentication](https://tools.ietf.org/html/rfc2617). ``` -ingress.kubernetes.io/auth-secret:secretName +ingress.kubernetes.io/auth-secret: secretName ``` -The name of the secret that contains the usernames and passwords with access to the `path`'s defined in the Ingress Rule. +The name of the secret that contains the usernames and passwords with access to the `path`s defined in the Ingress Rule. The secret must be created in the same namespace as the Ingress rule. ``` -ingress.kubernetes.io/auth-realm:"realm string" +ingress.kubernetes.io/auth-realm: "realm string" ``` Please check the [auth](examples/auth/README.md) example. @@ -126,7 +126,7 @@ To use an existing service that provides authentication the Ingress rule can be Additionally it is possible to set `ingress.kubernetes.io/auth-method` to specify the HTTP method to use (GET or POST) and `ingress.kubernetes.io/auth-send-body` to true or false (default). ``` -ingress.kubernetes.io/auth-url:"URL to the authentication service" +ingress.kubernetes.io/auth-url: "URL to the authentication service" ``` Please check the [external-auth](examples/external-auth/README.md) example. @@ -146,29 +146,30 @@ Please check the [rewrite](examples/rewrite/README.md) example. The annotations `ingress.kubernetes.io/limit-connections` and `ingress.kubernetes.io/limit-rps` define a limit on the connections that can be opened by a single client IP address. This can be used to mitigate [DDoS Attacks](https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus). -`ingress.kubernetes.io/limit-connections`: number of concurrent allowed connections from a single IP address. +`ingress.kubernetes.io/limit-connections`: number of concurrent connections allowed from a single IP address. -`ingress.kubernetes.io/limit-rps`: number of allowed connections per second from a single IP address. +`ingress.kubernetes.io/limit-rps`: number of connections that may be accepted from a given IP each second. -If you specify both annotations in a single Ingress rule, limit-rps takes precedence. +If you specify both annotations in a single Ingress rule, `limit-rps` takes precedence. ### Secure upstreams -By default NGINX uses `http` to reach the services. Adding the annotation `ingress.kubernetes.io/secure-backends: "true"` in the ingress rule changes the protocol to `https`. +By default NGINX uses `http` to reach the services. Adding the annotation `ingress.kubernetes.io/secure-backends: "true"` in the Ingress rule changes the protocol to `https`. ### Whitelist source range -You can specify the allowed client ip source ranges through the `ingress.kubernetes.io/whitelist-source-range` annotation, eg `10.0.0.0/24,172.10.0.1`. -For a global restriction (any URL) is possible to use `whitelist-source-range` in the NGINX config map. +You can specify the allowed client IP source ranges through the `ingress.kubernetes.io/whitelist-source-range` annotation. The value is a comma separated list of [CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing), e.g. `10.0.0.0/24,172.10.0.1`. -*Note:* Adding an annotation overrides any global restriction. +To configure this setting globally for all Ingress rules, the `whitelist-source-range` value may be set in the NGINX ConfigMap. + +*Note:* Adding an annotation to an Ingress rule overrides any global restriction. Please check the [whitelist](examples/whitelist/README.md) example. -### **Allowed parameters in configuration config map:** +### **Allowed parameters in configuration ConfigMap:** **body-size:** Sets the maximum allowed size of the client request body. See NGINX [client_max_body_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size). @@ -268,7 +269,7 @@ TLSv1 is enabled to allow old clients like: - [IE 8-10 / Win 7](https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=8-10&platform=Win%207&key=113) - [Java 7u25](https://www.ssllabs.com/ssltest/viewClient.html?name=Java&version=7u25&key=26) -If you dont need to support this clients please remove TLSv1. +If you don't need to support these clients please remove `TLSv1` to improve security. Please check the result of the configuration using `https://ssllabs.com/ssltest/analyze.html` or `https://testssl.sh`. @@ -289,28 +290,28 @@ Default is "true". **ssl-session-timeout:** Sets the time during which a client may [reuse the session](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout) parameters stored in a cache. -**upstream-max-fails:** Sets the number of unsuccessful attempts to communicate with the [server](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream) that should happen in the duration set by the fail_timeout parameter to consider the server unavailable. +**upstream-max-fails:** Sets the number of unsuccessful attempts to communicate with the [server](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream) that should happen in the duration set by the `fail_timeout` parameter to consider the server unavailable. **upstream-fail-timeout:** Sets the time during which the specified number of unsuccessful attempts to communicate with the [server](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream) should happen to consider the server unavailable. -**use-gzip:** Enables or disables the use of the nginx module that compresses responses using the ["gzip" module](http://nginx.org/en/docs/http/ngx_http_gzip_module.html) +**use-gzip:** Enables or disables compression of HTTP responses using the ["gzip" module](http://nginx.org/en/docs/http/ngx_http_gzip_module.html) The default mime type list to compress is: `application/atom+xml application/javascript aplication/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component`. -**use-http2:** Enables or disables the [HTTP/2](http://nginx.org/en/docs/http/ngx_http_v2_module.html) support in secure connections. +**use-http2:** Enables or disables [HTTP/2](http://nginx.org/en/docs/http/ngx_http_v2_module.html) support in secure connections. -**use-proxy-protocol:** Enables or disables the use of the [PROXY protocol](https://www.nginx.com/resources/admin-guide/proxy-protocol/) to receive client connection (real IP address) information passed through proxy servers and load balancers such as HAproxy and Amazon Elastic Load Balancer (ELB). +**use-proxy-protocol:** Enables or disables the [PROXY protocol](https://www.nginx.com/resources/admin-guide/proxy-protocol/) to receive client connection (real IP address) information passed through proxy servers and load balancers such as HAProxy and Amazon Elastic Load Balancer (ELB). -**worker-processes:** Sets the number of [worker processes](http://nginx.org/en/docs/ngx_core_module.html#worker_processes). By default "auto" means number of available CPU cores. +**worker-processes:** Sets the number of [worker processes](http://nginx.org/en/docs/ngx_core_module.html#worker_processes). The default of "auto" means number of available CPU cores. ### Default configuration options -The next table shows the options, the default value and a description +The following table shows the options, the default value and a description. |name |default| |---------------------------|------| @@ -347,7 +348,7 @@ The next table shows the options, the default value and a description ### Websockets -Support for websockets is provided by NGINX OOTB. No special configuration required. +Support for websockets is provided by NGINX out of the box. No special configuration required. The only requirement to avoid the close of connections is the increase of the values of `proxy-read-timeout` and `proxy-send-timeout`. The default value of this settings is `30 seconds`. A more adequate value to support websockets is a value higher than one hour (`3600`). @@ -361,4 +362,4 @@ NGINX provides the configuration option [ssl_buffer_size](http://nginx.org/en/do ### Retries in non-idempotent methods Since 1.9.13 NGINX will not retry non-idempotent requests (POST, LOCK, PATCH) in case of an error. -The previous behavior can be restored using `retry-non-idempotent=true` in the configuration config map. +The previous behavior can be restored using `retry-non-idempotent=true` in the configuration ConfigMap.