From 2f6f9a29ba086222214736ed476de70e80308e71 Mon Sep 17 00:00:00 2001 From: Francisco de Brito Fontes Date: Sun, 29 Apr 2018 03:17:29 -0300 Subject: [PATCH] Improve documentation format --- docs/deploy/index.md | 2 +- docs/development.md | 3 +- docs/examples/PREREQUISITES.md | 4 +- docs/examples/docker-registry/README.md | 11 +- docs/examples/external-auth/README.md | 5 +- docs/examples/static-ip/README.md | 6 +- docs/extra.css | 2 +- docs/troubleshooting.md | 3 +- docs/user-guide/custom-errors.md | 3 +- docs/user-guide/miscellaneous.md | 3 +- docs/user-guide/multiple-ingress.md | 4 +- .../nginx-configuration/annotations.md | 62 +++--- .../nginx-configuration/configmap.md | 193 +++++++++--------- .../third-party-addons/modsecurity.md | 6 +- .../third-party-addons/opentracing.md | 2 +- 15 files changed, 163 insertions(+), 146 deletions(-) diff --git a/docs/deploy/index.md b/docs/deploy/index.md index b4e6432bfe..aa137c7de7 100644 --- a/docs/deploy/index.md +++ b/docs/deploy/index.md @@ -167,7 +167,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/mast This example creates an ELB with just two listeners, one in port 80 and another in port 443 -![Listeners](../docs/images/elb-l7-listener.png) +![Listeners](../images/elb-l7-listener.png) If the ingress controller uses RBAC run: diff --git a/docs/development.md b/docs/development.md index c5f2299453..2879d4be21 100644 --- a/docs/development.md +++ b/docs/development.md @@ -7,7 +7,8 @@ It includes how to build, test, and release ingress controllers. ### Initial developer environment build -**Prequisites**: Minikube must be installed; See [releases](https://github.com/kubernetes/minikube/releases) for installation instructions. +>**Prequisites**: Minikube must be installed. +See [releases](https://github.com/kubernetes/minikube/releases) for installation instructions. If you are using **MacOS** and deploying to **minikube**, the following command will build the local nginx controller container image and deploy the ingress controller onto a minikube cluster with RBAC enabled in the namespace `ingress-nginx`: diff --git a/docs/examples/PREREQUISITES.md b/docs/examples/PREREQUISITES.md index 94581901b5..7e083aa9c4 100644 --- a/docs/examples/PREREQUISITES.md +++ b/docs/examples/PREREQUISITES.md @@ -24,7 +24,7 @@ secret "tls-secret" created You can act as your very own CA, or use an existing one. As an exercise / learning, we're going to generate our own CA, and also generate a client certificate. -These instructions are based on CoreOS OpenSSL [instructions](https://coreos.com/kubernetes/docs/latest/openssl.html) +These instructions are based on CoreOS OpenSSL. [See live doc.](https://coreos.com/kubernetes/docs/latest/openssl.html) ### Generating a CA @@ -119,7 +119,7 @@ the TLS Auth directive: $ kubectl create secret generic caingress --namespace=default --from-file=ca.crt= ``` -Note: You can also generate the CA Authentication Secret along with the TLS Secret by using: +__Note:__ You can also generate the CA Authentication Secret along with the TLS Secret by using: ```console $ kubectl create secret generic caingress --namespace=default --from-file=ca.crt= --from-file=tls.crt= --from-file=tls.key= ``` diff --git a/docs/examples/docker-registry/README.md b/docs/examples/docker-registry/README.md index 517b18298a..d3bdf38ea2 100644 --- a/docs/examples/docker-registry/README.md +++ b/docs/examples/docker-registry/README.md @@ -10,9 +10,10 @@ First we deploy the docker registry in the cluster: kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/docker-registry/deployment.yaml ``` -**Important:** DO NOT RUN THIS IN PRODUCTION. -This deployment uses `emptyDir` in the `volumeMount` which means the contents of the registry will be deleted when the pod dies. +!!! Important + **DO NOT RUN THIS IN PRODUCTION** + This deployment uses `emptyDir` in the `volumeMount` which means the contents of the registry will be deleted when the pod dies. The next required step is creation of the ingress rules. To do this we have two options: with and without TLS @@ -24,8 +25,10 @@ Download and edit the yaml deployment replacing `registry.` with a wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/docker-registry/ingress-without-tls.yaml ``` -**Important:** running a docker registry without TLS requires we configure our local docker daemon with the insecure registry flag. -Please check [deploy a plain http registry](https://docs.docker.com/registry/insecure/#deploy-a-plain-http-registry) +!!! Important + Running a docker registry without TLS requires we configure our local docker daemon with the insecure registry flag. + + Please check [deploy a plain http registry](https://docs.docker.com/registry/insecure/#deploy-a-plain-http-registry) ### With TLS diff --git a/docs/examples/external-auth/README.md b/docs/examples/external-auth/README.md index 5d94e2d186..570b63a506 100644 --- a/docs/examples/external-auth/README.md +++ b/docs/examples/external-auth/README.md @@ -5,7 +5,8 @@ The `auth-url` and `auth-signin` annotations allow you to use an external authentication provider to protect your Ingress resources. -(Note, this annotation requires `nginx-ingress-controller v0.9.0` or greater.) +!!! Important + this annotation requires `nginx-ingress-controller v0.9.0` or greater.) ### Key Detail @@ -41,7 +42,7 @@ into a Kubernetes cluster and use it to protect the Kubernetes Dashboard using g kubectl create -f https://raw.githubusercontent.com/kubernetes/kops/master/addons/kubernetes-dashboard/v1.5.0.yaml ``` -2. Create a custom Github OAuth application https://github.com/settings/applications/new +2. Create a [custom Github OAuth application](https://github.com/settings/applications/new) ![Register OAuth2 Application](images/register-oauth-app.png) diff --git a/docs/examples/static-ip/README.md b/docs/examples/static-ip/README.md index 66343274e2..68210fe870 100644 --- a/docs/examples/static-ip/README.md +++ b/docs/examples/static-ip/README.md @@ -79,9 +79,9 @@ NAME HOSTS ADDRESS PORTS AGE nginx-ingress * 104.154.109.191 80, 443 13m ``` -Note that unlike the GCE Ingress, the same loadbalancer IP is shared amongst all -Ingresses, because all requests are proxied through the same set of nginx -controllers. +> Note that unlike the GCE Ingress, the same loadbalancer IP is shared amongst all +> Ingresses, because all requests are proxied through the same set of nginx +> controllers. ## Promote ephemeral to static IP diff --git a/docs/extra.css b/docs/extra.css index f532283de5..32e38b1316 100644 --- a/docs/extra.css +++ b/docs/extra.css @@ -1,3 +1,3 @@ -td{ +td:nth-child(1){ white-space: nowrap; } \ No newline at end of file diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index e51163efe1..4001ac3442 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md @@ -170,8 +170,7 @@ The API server will mount a volume containing this file, but only if the API ser the ServiceAccount admission controller. If you experience this error, verify that your API server is using the ServiceAccount admission controller. If you are configuring the API server by hand, you can set this with the `--admission-control` parameter. -Please note that you should use other admission controllers as well. Before configuring this option, you should -read about admission controllers. +> Note that you should use other admission controllers as well. Before configuring this option, you should read about admission controllers. More information: diff --git a/docs/user-guide/custom-errors.md b/docs/user-guide/custom-errors.md index c331207623..c9be1c678c 100644 --- a/docs/user-guide/custom-errors.md +++ b/docs/user-guide/custom-errors.md @@ -6,7 +6,8 @@ Each request to the default backend includes two headers: - `X-Code` indicates the HTTP code to be returned to the client. - `X-Format` the value of the `Accept` header. -**Important:** The custom backend must return the correct HTTP status code to be returned. NGINX does not change the response from the custom default backend. +!!! Important + The custom backend must return the correct HTTP status code to be returned. NGINX does not change the response from the custom default backend. Using these two headers it's possible to use a custom backend service like [this one](https://github.com/kubernetes/ingress-nginx/tree/master/images/custom-error-pages) that inspects each request and returns a custom error page with the format expected by the client. Please check the example [custom-errors](https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/customization/custom-errors). diff --git a/docs/user-guide/miscellaneous.md b/docs/user-guide/miscellaneous.md index 0820822166..d8b06ce78c 100644 --- a/docs/user-guide/miscellaneous.md +++ b/docs/user-guide/miscellaneous.md @@ -42,7 +42,8 @@ The default value of this settings is `60 seconds`. A more adequate value to support websockets is a value higher than one hour (`3600`). -**Important:** If the NGINX ingress controller is exposed with a service `type=LoadBalancer` make sure the protocol between the loadbalancer and NGINX is TCP. +!!! Important + If the NGINX ingress controller is exposed with a service `type=LoadBalancer` make sure the protocol between the loadbalancer and NGINX is TCP. ## Optimizing TLS Time To First Byte (TTTFB) diff --git a/docs/user-guide/multiple-ingress.md b/docs/user-guide/multiple-ingress.md index 375bc82b16..6f7dc7e712 100644 --- a/docs/user-guide/multiple-ingress.md +++ b/docs/user-guide/multiple-ingress.md @@ -2,7 +2,9 @@ ## Running multiple ingress controllers -If you're running multiple ingress controllers, or running on a cloud provider that natively handles ingress, you need to specify the annotation `kubernetes.io/ingress.class: "nginx"` in all ingresses that you would like this controller to claim. This mechanism also provides users the ability to run _multiple_ NGINX ingress controllers (e.g. one which serves public traffic, one which serves "internal" traffic). When utilizing this functionality the option `--ingress-class` should be changed to a value unique for the cluster within the definition of the replication controller. Here is a partial example: +If you're running multiple ingress controllers, or running on a cloud provider that natively handles ingress, you need to specify the annotation `kubernetes.io/ingress.class: "nginx"` in all ingresses that you would like this controller to claim. + +This mechanism also provides users the ability to run _multiple_ NGINX ingress controllers (e.g. one which serves public traffic, one which serves "internal" traffic). When utilizing this functionality the option `--ingress-class` should be changed to a value unique for the cluster within the definition of the replication controller. Here is a partial example: ``` spec: diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md index 17d038e072..f99dac0193 100644 --- a/docs/user-guide/nginx-configuration/annotations.md +++ b/docs/user-guide/nginx-configuration/annotations.md @@ -120,7 +120,9 @@ Please check the [auth](../../examples/auth/basic/README.md) example. NGINX exposes some flags in the [upstream configuration](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream) that enable the configuration of each server in the upstream. The Ingress controller allows custom `max_fails` and `fail_timeout` parameters in a global context using `upstream-max-fails` and `upstream-fail-timeout` in the NGINX ConfigMap or in a particular Ingress rule. `upstream-max-fails` defaults to 0. This means NGINX will respect the container's `readinessProbe` if it is defined. If there is no probe and no values for `upstream-max-fails` NGINX will continue to send traffic to the container. -**With the default configuration NGINX will not health check your backends. Whenever the endpoints controller notices a readiness probe failure, that pod's IP will be removed from the list of endpoints. This will trigger the NGINX controller to also remove it from the upstreams.** + +!!! tip + With the default configuration NGINX will not health check your backends. Whenever the endpoints controller notices a readiness probe failure, that pod's IP will be removed from the list of endpoints. This will trigger the NGINX controller to also remove it from the upstreams.** To use custom values in an Ingress rule define these annotations: @@ -130,7 +132,8 @@ To use custom values in an Ingress rule define these annotations: In NGINX, backend server pools are called "[upstreams](http://nginx.org/en/docs/http/ngx_http_upstream_module.html)". Each upstream contains the endpoints for a service. An upstream is created for each service that has Ingress rules defined. -**Important:** All Ingress rules using the same service will use the same upstream. Only one of the Ingress rules should define annotations to configure the upstream servers. +!!! Important + All Ingress rules using the same service will use the same upstream. Only one of the Ingress rules should define annotations to configure the upstream servers. Please check the [custom upstream check](../../examples/customization/custom-upstream-check/README.md) example. @@ -144,8 +147,8 @@ To enable consistent hashing for a backend: ### Custom NGINX load balancing -This is similar to https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#load-balance but configures load balancing algorithm per ingress. -Note that `nginx.ingress.kubernetes.io/upstream-hash-by` takes preference over this. If this and `nginx.ingress.kubernetes.io/upstream-hash-by` are not set then we fallback to using globally configured load balancing algorithm. +This is similar to (https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#load-balance) but configures load balancing algorithm per ingress. +>Note that `nginx.ingress.kubernetes.io/upstream-hash-by` takes preference over this. If this and `nginx.ingress.kubernetes.io/upstream-hash-by` are not set then we fallback to using globally configured load balancing algorithm. ### Custom NGINX upstream vhost @@ -190,15 +193,12 @@ By default this is disabled. Please check the [client-certs](../../examples/auth/client-certs/README.md) example. -**Important:** - -TLS with Client Authentication is NOT possible in Cloudflare as is not allowed it and might result in unexpected behavior. - -Cloudflare only allows Authenticated Origin Pulls and is required to use their own certificate: -https://blog.cloudflare.com/protecting-the-origin-with-tls-authenticated-origin-pulls/ - -Only Authenticated Origin Pulls are allowed and can be configured by following their tutorial: -https://support.cloudflare.com/hc/en-us/articles/204494148-Setting-up-NGINX-to-use-TLS-Authenticated-Origin-Pulls +!!! Important + TLS with Client Authentication is NOT possible in Cloudflare as is not allowed it and might result in unexpected behavior. + + Cloudflare only allows Authenticated Origin Pulls and is required to use their own certificate: [https://blog.cloudflare.com/protecting-the-origin-with-tls-authenticated-origin-pulls/](https://blog.cloudflare.com/protecting-the-origin-with-tls-authenticated-origin-pulls/) + + Only Authenticated Origin Pulls are allowed and can be configured by following their tutorial: [https://support.cloudflare.com/hc/en-us/articles/204494148-Setting-up-NGINX-to-use-TLS-Authenticated-Origin-Pulls](https://support.cloudflare.com/hc/en-us/articles/204494148-Setting-up-NGINX-to-use-TLS-Authenticated-Origin-Pulls) ### Configuration snippet @@ -242,18 +242,17 @@ Example: `nginx.ingress.kubernetes.io/cors-allow-credentials: "true"` Example: `nginx.ingress.kubernetes.io/cors-max-age: 600` -For more information please check https://enable-cors.org/server_nginx.html +For more information please see [https://enable-cors.org](https://enable-cors.org/server_nginx.html) ### Server Alias To add Server Aliases to an Ingress rule add the annotation `nginx.ingress.kubernetes.io/server-alias: ""`. This will create a server with the same configuration, but a different server_name as the provided host. -*Note:* A server-alias name cannot conflict with the hostname of an existing server. If it does the server-alias -annotation will be ignored. If a server-alias is created and later a new server with the same hostname is created -the new server configuration will take place over the alias configuration. +!!! Note + A server-alias name cannot conflict with the hostname of an existing server. If it does the server-alias annotation will be ignored. If a server-alias is created and later a new server with the same hostname is created the new server configuration will take place over the alias configuration. -For more information please see http://nginx.org/en/docs/http/ngx_http_core_module.html#server_name +For more information please see [http://nginx.org](http://nginx.org/en/docs/http/ngx_http_core_module.html#server_name) ### Server snippet @@ -276,7 +275,8 @@ if ( $agentflag = 1 ) { } ``` -**Important:** This annotation can be used only once per host +!!! Important + This annotation can be used only once per host ### Client Body Buffer Size @@ -285,7 +285,7 @@ the whole body or only its part is written to a temporary file. By default, buff This is 8K on x86, other 32-bit platforms, and x86-64. It is usually 16K on other 64-bit platforms. This annotation is applied to each location provided in the ingress rule. -*Note:* The annotation value must be given in a valid format otherwise the +__Note:__ The annotation value must be given in a valid format otherwise the For example to set the client-body-buffer-size the following can be done: * `nginx.ingress.kubernetes.io/client-body-buffer-size: "1000"` # 1000 bytes @@ -294,7 +294,7 @@ For example to set the client-body-buffer-size the following can be done: * `nginx.ingress.kubernetes.io/client-body-buffer-size: 1m` # 1 megabyte * `nginx.ingress.kubernetes.io/client-body-buffer-size: 1M` # 1 megabyte -For more information please see http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size +For more information please see [http://nginx.org](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size) ### External Authentication @@ -345,17 +345,17 @@ This annotation allows to return a permanent redirect instead of sending data to The annotation `nginx.ingress.kubernetes.io/ssl-passthrough` allows to configure TLS termination in the pod and not in NGINX. -**Important:** +!!! Important + - Using the annotation `nginx.ingress.kubernetes.io/ssl-passthrough` invalidates all the other available annotations. This is because SSL Passthrough works in L4 (TCP). -- Using the annotation `nginx.ingress.kubernetes.io/ssl-passthrough` invalidates all the other available annotations. This is because SSL Passthrough works in L4 (TCP). -- The use of this annotation requires Proxy Protocol to be enabled in the load-balancer. For example enabling Proxy Protocol for AWS ELB is described [here](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html). If you're using ingress-controller without load balancer then the flag `--enable-ssl-passthrough` is required (by default it is disabled). + - The use of this annotation requires Proxy Protocol to be enabled in the load-balancer. For example enabling Proxy Protocol for AWS ELB is described [here](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html). If you're using ingress-controller without load balancer then the flag `--enable-ssl-passthrough` is required (by default it is disabled). ### Secure backends By default NGINX uses `http` to reach the services. Adding the annotation `nginx.ingress.kubernetes.io/secure-backends: "true"` in the Ingress rule changes the protocol to `https`. If you want to validate the upstream against a specific certificate, you can create a secret with it and reference the secret with the annotation `nginx.ingress.kubernetes.io/secure-verify-ca-secret`. -Please note that if an invalid or non-existent secret is given, the NGINX ingress controller will ignore the `secure-backends` annotation. +> Note that if an invalid or non-existent secret is given, the NGINX ingress controller will ignore the `secure-backends` annotation. ### Service Upstream @@ -381,8 +381,8 @@ When using SSL offloading outside of cluster (e.g. AWS ELB) it may be useful to In some scenarios is required to redirect from `www.domain.com` to `domain.com` or viceversa. To enable this feature use the annotation `nginx.ingress.kubernetes.io/from-to-www-redirect: "true"` -**Important:** -If at some point a new Ingress is created with a host equal to one of the options (like `domain.com`) the annotation will be omitted. +!!! Important + If at some point a new Ingress is created with a host equal to one of the options (like `domain.com`) the annotation will be omitted. ### Whitelist source range @@ -390,14 +390,14 @@ You can specify the allowed client IP source ranges through the `nginx.ingress.k To configure this setting globally for all Ingress rules, the `whitelist-source-range` value may be set in the NGINX ConfigMap. -*Note:* Adding an annotation to an Ingress rule overrides any global restriction. +__Note:__ Adding an annotation to an Ingress rule overrides any global restriction. ### Cookie affinity If you use the ``cookie`` type you can also specify the name of the cookie that will be used to route the requests with the annotation `nginx.ingress.kubernetes.io/session-cookie-name`. The default is to create a cookie named 'INGRESSCOOKIE'. In case of NGINX the annotation `nginx.ingress.kubernetes.io/session-cookie-hash` defines which algorithm will be used to 'hash' the used upstream. Default value is `md5` and possible values are `md5`, `sha1` and `index`. -The `index` option is not hashed, an in-memory index is used instead, it's quicker and the overhead is shorter Warning: the matching against upstream servers list is inconsistent. So, at reload, if upstreams servers has changed, index values are not guaranteed to correspond to the same server as before! USE IT WITH CAUTION and only if you need to! +The `index` option is not hashed, an in-memory index is used instead, it's quicker and the overhead is shorter Warning: the matching against upstream servers list is inconsistent. So, at reload, if upstreams servers has changed, index values are not guaranteed to correspond to the same server as before! **USE IT WITH CAUTION** and only if you need to! In NGINX this feature is implemented by the third party module [nginx-sticky-module-ng](https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng). The workflow used to define which upstream server will be used is explained [here](https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng/raw/08a395c66e425540982c00482f55034e1fee67b6/docs/sticky.pdf) @@ -489,7 +489,7 @@ In order to run it in debugging mode you can set `nginx.ingress.kubernetes.io/lu The other possible values for `nginx.ingress.kubernetes.io/lua-resty-waf` are `inactive` and `simulate`. In `inactive` mode WAF won't do anything, whereas in `simulate` mode it will log a warning message if there's a matching WAF rule for given request. This is useful to debug a rule and eliminate possible false positives before fully deploying it. -`lua-resty-waf` comes with predefined set of rules(https://github.com/p0pr0ck5/lua-resty-waf/tree/84b4f40362500dd0cb98b9e71b5875cb1a40f1ad/rules) that covers ModSecurity CRS. +`lua-resty-waf` comes with predefined set of rules [https://github.com/p0pr0ck5/lua-resty-waf/tree/84b4f40362500dd0cb98b9e71b5875cb1a40f1ad/rules](https://github.com/p0pr0ck5/lua-resty-waf/tree/84b4f40362500dd0cb98b9e71b5875cb1a40f1ad/rules) that covers ModSecurity CRS. You can use `nginx.ingress.kubernetes.io/lua-resty-waf-ignore-rulesets` to ignore subset of those rulesets. For an example: ```yaml @@ -506,4 +506,4 @@ configure a WAF rule to deny requests with query string value that contains word nginx.ingress.kubernetes.io/lua-resty-waf-extra-rules: '[=[ { "access": [ { "actions": { "disrupt" : "DENY" }, "id": 10001, "msg": "my custom rule", "operator": "STR_CONTAINS", "pattern": "foo", "vars": [ { "parse": [ "values", 1 ], "type": "REQUEST_ARGS" } ] } ], "body_filter": [], "header_filter":[] } ]=]' ``` -For details on how to write WAF rules, please refer to https://github.com/p0pr0ck5/lua-resty-waf. +For details on how to write WAF rules, please refer to [https://github.com/p0pr0ck5/lua-resty-waf](https://github.com/p0pr0ck5/lua-resty-waf). diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md index db9d10094f..e441f5effe 100644 --- a/docs/user-guide/nginx-configuration/configmap.md +++ b/docs/user-guide/nginx-configuration/configmap.md @@ -14,13 +14,12 @@ data: ssl-protocols: SSLv2 ``` -**IMPORTANT:** +!!! Important + The key and values in a ConfigMap can only be strings. + This means that we want a value with boolean values we need to quote the values, like "true" or "false". + Same for numbers, like "100". -The key and values in a ConfigMap can only be strings. -This means that we want a value with boolean values we need to quote the values, like "true" or "false". -Same for numbers, like "100". - -"Slice" types (defined below as `[]string` or `[]int` can be provided as a comma-delimited string. + "Slice" types (defined below as `[]string` or `[]int` can be provided as a comma-delimited string. ## Configuration options @@ -148,120 +147,123 @@ Sets custom headers from named configmap before sending traffic to the client. S ## allow-backend-server-header -Enables the return of the header Server from the backend instead of the generic nginx string. By default this is disabled. +Enables the return of the header Server from the backend instead of the generic nginx string. _**default:**_ is disabled ## hide-headers Sets additional header that will not be passed from the upstream server to the client response. -Default: empty +_**default:**_ empty _References:_ -- http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header +[http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header) ## access-log-path Access log path. Goes to `/var/log/nginx/access.log` by default. -**Note:** the file `/var/log/nginx/access.log` is a symlink to `/dev/stdout` +__Note:__ the file `/var/log/nginx/access.log` is a symlink to `/dev/stdout` ## error-log-path Error log path. Goes to `/var/log/nginx/error.log` by default. -**Note:** the file `/var/log/nginx/error.log` is a symlink to `/dev/stderr` +__Note:__ the file `/var/log/nginx/error.log` is a symlink to `/dev/stderr` _References:_ -- http://nginx.org/en/docs/ngx_core_module.html#error_log +[http://nginx.org/en/docs/ngx_core_module.html#error_log](http://nginx.org/en/docs/ngx_core_module.html#error_log) ## enable-dynamic-tls-records -Enables dynamically sized TLS records to improve time-to-first-byte. By default this is enabled. See [CloudFlare's blog](https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency) for more information. +Enables dynamically sized TLS records to improve time-to-first-byte. _**default:**_ is enabled + +_References:_ +[https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency](https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency) ## enable-modsecurity -Enables the modsecurity module for NGINX. By default this is disabled. +Enables the modsecurity module for NGINX. _**default:**_ is disabled ## enable-owasp-modsecurity-crs -Enables the OWASP ModSecurity Core Rule Set (CRS). By default this is disabled. +Enables the OWASP ModSecurity Core Rule Set (CRS). _**default:**_ is disabled ## client-header-buffer-size Allows to configure a custom buffer size for reading client request header. _References:_ -- http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size +[http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size) ## client-header-timeout Defines a timeout for reading client request header, in seconds. _References:_ -- http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_timeout +[http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_timeout) ## client-body-buffer-size Sets buffer size for reading client request body. _References:_ -- http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size +[http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size) ## client-body-timeout Defines a timeout for reading client request body, in seconds. _References:_ -- http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_timeout +[http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_timeout) ## disable-access-log -Disables the Access Log from the entire Ingress Controller. This is '"false"' by default. +Disables the Access Log from the entire Ingress Controller. _**default:**_ '"false"' _References:_ -- http://nginx.org/en/docs/http/ngx_http_log_module.html#access_log +[http://nginx.org/en/docs/http/ngx_http_log_module.html#access_log](http://nginx.org/en/docs/http/ngx_http_log_module.html#access_log) ## disable-ipv6 -Disable listening on IPV6. By default this is disabled. +Disable listening on IPV6. _**default:**_ is disabled ## disable-ipv6-dns -Disable IPV6 for nginx DNS resolver. By default this is disabled. +Disable IPV6 for nginx DNS resolver. _**default:**_ is disabled ## enable-underscores-in-headers -Enables underscores in header names. By default this is disabled. +Enables underscores in header names. _**default:**_ is disabled ## ignore-invalid-headers Set if header fields with invalid names should be ignored. -By default this is enabled. +_**default:**_ is enabled ## enable-vts-status Allows the replacement of the default status page with a third party module named [nginx-module-vts](https://github.com/vozlt/nginx-module-vts). -By default this is disabled. +_**default:**_ is disabled ## vts-status-zone-size -Vts config on http level sets parameters for a shared memory zone that will keep states for various keys. The cache is shared between all worker processes. Default value is 10m +Vts config on http level sets parameters for a shared memory zone that will keep states for various keys. The cache is shared between all worker processes. _**default:**_ 10m _References:_ -- https://github.com/vozlt/nginx-module-vts#vhost_traffic_status_zone +[https://github.com/vozlt/nginx-module-vts#vhost_traffic_status_zone](https://github.com/vozlt/nginx-module-vts#vhost_traffic_status_zone) ## vts-default-filter-key -Vts config on http level enables the keys by user defined variable. The key is a key string to calculate traffic. The name is a group string to calculate traffic. The key and name can contain variables such as $host, $server_name. The name's group belongs to filterZones if specified. The key's group belongs to serverZones if not specified second argument name. Default value is $geoip_country_code country::* +Vts config on http level enables the keys by user defined variable. The key is a key string to calculate traffic. The name is a group string to calculate traffic. The key and name can contain variables such as $host, $server_name. The name's group belongs to filterZones if specified. The key's group belongs to serverZones if not specified second argument name. _**default:**_ $geoip_country_code country::* _References:_ -- https://github.com/vozlt/nginx-module-vts#vhost_traffic_status_filter_by_set_key +[https://github.com/vozlt/nginx-module-vts#vhost_traffic_status_filter_by_set_key](https://github.com/vozlt/nginx-module-vts#vhost_traffic_status_filter_by_set_key) ## vts-sum-key -For metrics keyed (or when using Prometheus, labeled) by server zone, this value is used to indicate metrics for all server zones combined. Default value is * +For metrics keyed (or when using Prometheus, labeled) by server zone, this value is used to indicate metrics for all server zones combined. _**default:**_ * _References:_ -- https://github.com/vozlt/nginx-module-vts#vhost_traffic_status_display_sum_key +[https://github.com/vozlt/nginx-module-vts#vhost_traffic_status_display_sum_key](https://github.com/vozlt/nginx-module-vts#vhost_traffic_status_display_sum_key) ## retry-non-idempotent @@ -272,21 +274,21 @@ Since 1.9.13 NGINX will not retry non-idempotent requests (POST, LOCK, PATCH) in Configures the logging level of errors. Log levels above are listed in the order of increasing severity. _References:_ -- http://nginx.org/en/docs/ngx_core_module.html#error_log +[http://nginx.org/en/docs/ngx_core_module.html#error_log](http://nginx.org/en/docs/ngx_core_module.html#error_log) ## http2-max-field-size Limits the maximum size of an HPACK-compressed request header field. _References:_ -- https://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_field_size +[https://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_field_size](https://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_field_size) ## http2-max-header-size Limits the maximum size of the entire request header list after HPACK decompression. _References:_ -- https://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_header_size +[https://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_header_size](https://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_header_size) ## hsts @@ -294,8 +296,9 @@ Enables or disables the header HSTS in servers running SSL. HTTP Strict Transport Security (often abbreviated as HSTS) is a security feature (HTTP header) that tell browsers that it should only be communicated with using HTTPS, instead of using HTTP. It provides protection against protocol downgrade attacks and cookie theft. _References:_ -- https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security -- https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-strict-transport-security-implementation-on-your-web-server + +- [https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security](https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security) +- [https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-strict-transport-security-implementation-on-your-web-server](https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-strict-transport-security-implementation-on-your-web-server) ## hsts-include-subdomains @@ -314,21 +317,21 @@ Enables or disables the preload attribute in the HSTS feature (when it is enable Sets the time during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections. _References:_ -- http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout +[http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) ## keep-alive-requests Sets the maximum number of requests that can be served through one keep-alive connection. _References:_ -- http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_requests +[http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_requests](http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_requests) ## large-client-header-buffers -Sets the maximum number and size of buffers used for reading large client request header. Default: 4 8k. +Sets the maximum number and size of buffers used for reading large client request header. _**default:**_ 4 8k _References:_ -- http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers +[http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers](http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers) ## log-format-escape-json @@ -349,7 +352,7 @@ log-format-upstream: '{ "time": "$time_iso8601", "remote_addr": "$proxy_protocol "$http_user_agent" }' ``` -Please check [log-format](log-format.md) for definition of each field. +Please check the [log-format](log-format.md) for definition of each field. ## log-format-stream @@ -376,35 +379,38 @@ Sets custom headers from named configmap before sending traffic to backends. The Sets the maximum size of the [server names hash tables](http://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_max_size) used in server names,map directive’s values, MIME types, names of request header strings, etc. _References:_ -- http://nginx.org/en/docs/hash.html +[http://nginx.org/en/docs/hash.html](http://nginx.org/en/docs/hash.html) ## server-name-hash-bucket-size Sets the size of the bucket for the server names hash tables. _References:_ -- http://nginx.org/en/docs/hash.html -- http://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_bucket_size + +- [http://nginx.org/en/docs/hash.html](http://nginx.org/en/docs/hash.html) +- [http://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_bucket_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_bucket_size) ## proxy-headers-hash-max-size Sets the maximum size of the proxy headers hash tables. _References:_ -- http://nginx.org/en/docs/hash.html -- https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_headers_hash_max_size + +- [http://nginx.org/en/docs/hash.html](http://nginx.org/en/docs/hash.html) +- [https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_headers_hash_max_size](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_headers_hash_max_size) ## proxy-headers-hash-bucket-size Sets the size of the bucket for the proxy headers hash tables. _References:_ -- http://nginx.org/en/docs/hash.html -- https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_headers_hash_bucket_size + +- [http://nginx.org/en/docs/hash.html](http://nginx.org/en/docs/hash.html) +- [https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_headers_hash_bucket_size](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_headers_hash_bucket_size) ## server-tokens -Send NGINX Server header in responses and display NGINX version in error pages. By default this is enabled. +Send NGINX Server header in responses and display NGINX version in error pages. _**default:**_ is enabled ## ssl-ciphers @@ -422,16 +428,17 @@ Please check the [Mozilla SSL Configuration Generator](https://mozilla.github.io Specifies a curve for ECDHE ciphers. _References:_ -- http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ecdh_curve +[http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ecdh_curve](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ecdh_curve) ## ssl-dh-param Sets the name of the secret that contains Diffie-Hellman key to help with "Perfect Forward Secrecy". _References:_ -- https://wiki.openssl.org/index.php/Diffie-Hellman_parameters -- https://wiki.mozilla.org/Security/Server_Side_TLS#DHE_handshake_and_dhparam -- http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam + +- [https://wiki.openssl.org/index.php/Diffie-Hellman_parameters](https://wiki.openssl.org/index.php/Diffie-Hellman_parameters) +- [https://wiki.mozilla.org/Security/Server_Side_TLS#DHE_handshake_and_dhparam](https://wiki.mozilla.org/Security/Server_Side_TLS#DHE_handshake_and_dhparam) +- [http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam) ## ssl-protocols @@ -466,7 +473,7 @@ Sets the time during which a client may [reuse the session](http://nginx.org/en/ Sets the size of the [SSL buffer](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size) used for sending data. The default of 4k helps NGINX to improve TLS Time To First Byte (TTTFB). _References:_ -- https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/ +[https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/](https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/) ## use-proxy-protocol @@ -480,23 +487,23 @@ The default mime type list to compress is: `application/atom+xml application/jav ## use-geoip Enables or disables ["geoip" module](http://nginx.org/en/docs/http/ngx_http_geoip_module.html) that creates variables with values depending on the client IP address, using the precompiled MaxMind databases. -The default value is true. +_**default:**_ true ## enable-brotli Enables or disables compression of HTTP responses using the ["brotli" module](https://github.com/google/ngx_brotli). -The default mime type list to compress is: `application/xml+rss application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component`. This is *disabled* by default. +The default mime type list to compress is: `application/xml+rss application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component`. _**default:**_ is disabled -*Note:* Brotli does not works in Safari < 11 https://caniuse.com/#feat=brotli +> __Note:__ Brotli does not works in Safari < 11. For more information see [https://caniuse.com/#feat=brotli](https://caniuse.com/#feat=brotli) ## brotli-level -Sets the Brotli Compression Level that will be used. *Defaults to* 4. +Sets the Brotli Compression Level that will be used. _**default:**_ 4 ## brotli-types Sets the MIME Types that will be compressed on-the-fly by brotli. -*Defaults to* `application/xml+rss application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component`. +_**default:**_ `application/xml+rss application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component` ## use-http2 @@ -522,7 +529,7 @@ By default worker processes are not bound to any specific CPUs. The value can be ## worker-shutdown-timeout -Sets a timeout for Nginx to [wait for worker to gracefully shutdown](http://nginx.org/en/docs/ngx_core_module.html#worker_shutdown_timeout). The default is "10s". +Sets a timeout for Nginx to [wait for worker to gracefully shutdown](http://nginx.org/en/docs/ngx_core_module.html#worker_shutdown_timeout). _**default:**_ "10s" ## load-balance @@ -537,29 +544,29 @@ The value can either be: The default is least_conn. _References:_ -- http://nginx.org/en/docs/http/load_balancing.html. +[http://nginx.org/en/docs/http/load_balancing.html](http://nginx.org/en/docs/http/load_balancing.html) ## variables-hash-bucket-size Sets the bucket size for the variables hash table. _References:_ -- http://nginx.org/en/docs/http/ngx_http_map_module.html#variables_hash_bucket_size +[http://nginx.org/en/docs/http/ngx_http_map_module.html#variables_hash_bucket_size](http://nginx.org/en/docs/http/ngx_http_map_module.html#variables_hash_bucket_size) ## variables-hash-max-size Sets the maximum size of the variables hash table. _References:_ -- http://nginx.org/en/docs/http/ngx_http_map_module.html#variables_hash_max_size +[http://nginx.org/en/docs/http/ngx_http_map_module.html#variables_hash_max_size](http://nginx.org/en/docs/http/ngx_http_map_module.html#variables_hash_max_size) ## upstream-keepalive-connections Activates the cache for connections to upstream servers. The connections parameter sets the maximum number of idle keepalive connections to upstream servers that are preserved in the cache of each worker process. When this -number is exceeded, the least recently used connections are closed. Default: 32 +number is exceeded, the least recently used connections are closed. _**default:**_ 32 _References:_ -- http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive +[http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive) ## limit-conn-zone-variable @@ -570,26 +577,28 @@ Sets parameters for a shared memory zone that will keep states for various keys Sets the timeout between two successive read or write operations on client or proxied server connections. If no data is transmitted within this time, the connection is closed. _References:_ -- http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_timeout +[http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_timeout](http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_timeout) ## proxy-stream-responses Sets the number of datagrams expected from the proxied server in response to the client request if the UDP protocol is used. _References:_ -- http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_responses +[http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_responses](http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_responses) ## bind-address-ipv4 Sets the addresses on which the server will accept requests instead of *. It should be noted that these addresses must exist in the runtime environment or the controller will crash loop. + ## bind-address-ipv6 Sets the addresses on which the server will accept requests instead of *. It should be noted that these addresses must exist in the runtime environment or the controller will crash loop. + ## forwarded-for-header -Sets the header field for identifying the originating IP address of a client. Default is X-Forwarded-For +Sets the header field for identifying the originating IP address of a client. _**default:**_ X-Forwarded-For ## compute-full-forwarded-for @@ -601,10 +610,10 @@ Adds an X-Original-Uri header with the original request URI to the backend reque ## enable-opentracing -Enables the nginx Opentracing extension. By default this is disabled. +Enables the nginx Opentracing extension. _**default:**_ is disabled _References:_ -- https://github.com/opentracing-contrib/nginx-opentracing +[https://github.com/opentracing-contrib/nginx-opentracing](https://github.com/opentracing-contrib/nginx-opentracing) ## zipkin-collector-host @@ -612,11 +621,11 @@ Specifies the host to use when uploading traces. It must be a valid URL. ## zipkin-collector-port -Specifies the port to use when uploading traces. Default: 9411 +Specifies the port to use when uploading traces. _**default:**_ 9411 ## zipkin-service-name -Specifies the service name to use for any traces created. Default: nginx +Specifies the service name to use for any traces created. _**default:**_ nginx ## jaeger-collector-host @@ -624,35 +633,35 @@ Specifies the host to use when uploading traces. It must be a valid URL. ## jaeger-collector-port -Specifies the port to use when uploading traces. Default: 6831 +Specifies the port to use when uploading traces. _**default:**_ 6831 ## jaeger-service-name -Specifies the service name to use for any traces created. Default: nginx +Specifies the service name to use for any traces created. _**default:**_ nginx ## jaeger-sampler-type -Specifies the sampler to be used when sampling traces. The available samplers are: const, probabilistic, ratelimiting, remote. Default const. +Specifies the sampler to be used when sampling traces. The available samplers are: const, probabilistic, ratelimiting, remote. _**default:**_ const ## jaeger-sampler-param Specifies the argument to be passed to the sampler constructor. Must be a number. -For const this should be 0 to never sample and 1 to always sample. Default: 1 +For const this should be 0 to never sample and 1 to always sample. _**default:**_ 1 ## http-snippet Adds custom configuration to the http section of the nginx configuration. -Default: "" +_**default:**_ "" ## server-snippet Adds custom configuration to all the servers in the nginx configuration. -Default: "" +_**default:**_ "" ## location-snippet Adds custom configuration to all the locations in the nginx configuration. -Default: "" +_**default:**_ "" ## custom-http-errors @@ -701,10 +710,10 @@ Limit the number of [possible tries](http://nginx.org/en/docs/http/ngx_http_prox ## proxy-redirect-from -Sets the original text that should be changed in the "Location" and "Refresh" header fields of a proxied server response. Default: off. +Sets the original text that should be changed in the "Location" and "Refresh" header fields of a proxied server response. _**default:**_ off _References:_ -- http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_redirect +[http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_redirect](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_redirect) ## proxy-request-buffering @@ -713,7 +722,7 @@ Enables or disables [buffering of a client request body](http://nginx.org/en/doc ## ssl-redirect Sets the global value of redirects (301) to HTTPS if the server has a TLS certificate (defined in an Ingress rule). -Default is "true". +_**default:**_ "true" ## whitelist-source-range @@ -722,31 +731,31 @@ See [ngx_http_access_module](http://nginx.org/en/docs/http/ngx_http_access_modul ## skip-access-log-urls -Sets a list of URLs that should not appear in the NGINX access log. This is useful with urls like `/health` or `health-check` that make "complex" reading the logs. By default this list is empty +Sets a list of URLs that should not appear in the NGINX access log. This is useful with urls like `/health` or `health-check` that make "complex" reading the logs. _**default:**_ is empty ## limit-rate Limits the rate of response transmission to a client. The rate is specified in bytes per second. The zero value disables rate limiting. The limit is set per a request, and so if a client simultaneously opens two connections, the overall rate will be twice as much as the specified limit. _References:_ -- http://nginx.org/en/docs/http/ngx_http_core_module.html#limit_rate +[http://nginx.org/en/docs/http/ngx_http_core_module.html#limit_rate](http://nginx.org/en/docs/http/ngx_http_core_module.html#limit_rate) ## limit-rate-after Sets the initial amount after which the further transmission of a response to a client will be rate limited. _References:_ -- http://nginx.org/en/docs/http/ngx_http_core_module.html#limit_rate_after +[http://nginx.org/en/docs/http/ngx_http_core_module.html#limit_rate_after](http://nginx.org/en/docs/http/ngx_http_core_module.html#limit_rate_after) ## http-redirect-code Sets the HTTP status code to be used in redirects. Supported codes are [301](https://developer.mozilla.org/es/docs/Web/HTTP/Status/301),[302](https://developer.mozilla.org/es/docs/Web/HTTP/Status/302),[307](https://developer.mozilla.org/es/docs/Web/HTTP/Status/307) and [308](https://developer.mozilla.org/es/docs/Web/HTTP/Status/308) -Default code is 308. +_**default:**_ 308 -Why the default code is 308? +> __Why the default code is 308?__ -[RFC 7238](https://tools.ietf.org/html/rfc7238) was created to define the 308 (Permanent Redirect) status code that is similar to 301 (Moved Permanently) but it keeps the payload in the redirect. This is important if the we send a redirect in methods like POST. +> [RFC 7238](https://tools.ietf.org/html/rfc7238) was created to define the 308 (Permanent Redirect) status code that is similar to 301 (Moved Permanently) but it keeps the payload in the redirect. This is important if the we send a redirect in methods like POST. ## proxy-buffering @@ -754,14 +763,14 @@ Enables or disables [buffering of responses from the proxied server](http://ngin ## limit-req-status-code -Sets the [status code to return in response to rejected requests](http://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_status).Default: 503 +Sets the [status code to return in response to rejected requests](http://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_status). _**default:**_ 503 ## no-tls-redirect-locations A comma-separated list of locations on which http requests will never get redirected to their https counterpart. -Default: "/.well-known/acme-challenge" +_**default:**_ "/.well-known/acme-challenge" ## no-auth-locations A comma-separated list of locations that should not get authenticated. -Default: "/.well-known/acme-challenge" +_**default:**_ "/.well-known/acme-challenge" diff --git a/docs/user-guide/third-party-addons/modsecurity.md b/docs/user-guide/third-party-addons/modsecurity.md index 967f4279b5..e8774f89ba 100644 --- a/docs/user-guide/third-party-addons/modsecurity.md +++ b/docs/user-guide/third-party-addons/modsecurity.md @@ -1,16 +1,16 @@ # ModSecurity Web Application Firewall -ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis - https://www.modsecurity.org +ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis - [https://www.modsecurity.org](https://www.modsecurity.org) The [ModSecurity-nginx](https://github.com/SpiderLabs/ModSecurity-nginx) connector is the connection point between NGINX and libmodsecurity (ModSecurity v3). The default ModSecurity configuration file is located in `/etc/nginx/modsecurity/modsecurity.conf`. This is the only file located in this directory and contains the default recommended configuration. Using a volume we can replace this file with the desired configuration. To enable the ModSecurity feature we need to specify `enable-modsecurity: "true"` in the configuration configmap. -**NOTE:** the default configuration use detection only, because that minimises the chances of post-installation disruption. +>__Note:__ the default configuration use detection only, because that minimises the chances of post-installation disruption. The file `/var/log/modsec_audit.log` contains the log of ModSecurity. The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. -The directory `/etc/nginx/owasp-modsecurity-crs` contains the https://github.com/SpiderLabs/owasp-modsecurity-crs repository. +The directory `/etc/nginx/owasp-modsecurity-crs` contains the [https://github.com/SpiderLabs/owasp-modsecurity-crs repository](https://github.com/SpiderLabs/owasp-modsecurity-crs repository). Using `enable-owasp-modsecurity-crs: "true"` we enable the use of the rules. diff --git a/docs/user-guide/third-party-addons/opentracing.md b/docs/user-guide/third-party-addons/opentracing.md index c625062452..8f6046d512 100644 --- a/docs/user-guide/third-party-addons/opentracing.md +++ b/docs/user-guide/third-party-addons/opentracing.md @@ -39,4 +39,4 @@ $ curl -v http://$(minikube ip) In the zipkin interface we can see the details: -![zipkin screenshot](../images/zipkin-demo.png "zipkin collector screenshot") +![zipkin screenshot](../../images/zipkin-demo.png "zipkin collector screenshot")