I0429 16:39:08.066389 7 template.go:1021] empty byte size, hence it will not be set I0429 16:39:08.066764 7 template.go:1021] empty byte size, hence it will not be set I0429 16:39:08.067172 7 template.go:1021] empty byte size, hence it will not be set I0429 16:39:08.092776 7 admission.go:149] processed ingress via admission controller {testedIngressLength:1 testedIngressTime:0.027s renderingIngressLength:1 renderingIngressTime:0s admissionTime:21.6kBs testedConfigurationSize:0.027} I0429 16:39:08.092810 7 main.go:100] "successfully validated configuration, accepting" ingress="httpbin/httpbin" I0429 16:39:08.107425 7 main.go:175] "Updating ssl expiration metrics" I0429 16:39:08.108043 7 main.go:180] Updating ssl certificate info metrics I0429 16:39:08.108124 7 controller.go:166] "Configuration changes detected, backend reload required" I0429 16:39:08.107496 7 event.go:285] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"httpbin", Name:"httpbin", UID:"e1892dc7-2b69-4737-aea8-23d98ffb14b9", APIVersion:"networking.k8s.io/v1", ResourceVersion:"718728", FieldPath:""}): type: 'Normal' reason: 'Sync' Scheduled for sync I0429 16:39:08.110506 7 template.go:1021] empty byte size, hence it will not be set I0429 16:39:08.110944 7 template.go:1021] empty byte size, hence it will not be set I0429 16:39:08.111463 7 template.go:1021] empty byte size, hence it will not be set I0429 16:39:08.138035 7 nginx.go:700] "NGINX configuration change" diff=< --- /etc/nginx/nginx.conf 2022-04-27 22:11:30.685832598 +0000 +++ /tmp/new-nginx-cfg2590909096 2022-04-29 16:39:08.132261006 +0000 @@ -1,5 +1,5 @@ -# Configuration checksum: 1996227744695839762 +# Configuration checksum: 3495280225045095798 # setup custom paths that do not require root access pid /tmp/nginx/nginx.pid; 
@@ -293,13 +293,13 @@ certificate.call() } - location / { + location /get/ { set $namespace "httpbin"; set $ingress_name "httpbin"; set $service_name "httpbin"; set $service_port "14001"; - set $location_path "/"; + set $location_path "/get"; set $global_rate_limit_exceeding n; rewrite_by_lua_block { 
@@ -345,6 +345,244 @@ set $proxy_host $proxy_upstream_name; set $pass_access_scheme $scheme; + set $pass_server_port $server_port; + + set $best_http_host $http_host; + set $pass_port $pass_server_port; + + set $proxy_alternative_upstream_name ""; + + client_max_body_size 1m; + + proxy_set_header Host $best_http_host; + + # Pass the extracted client certificate to the backend + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Request-ID $req_id; + proxy_set_header X-Real-IP $remote_addr; + + proxy_set_header X-Forwarded-For $remote_addr; + + proxy_set_header X-Forwarded-Host $best_http_host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + proxy_set_header X-Forwarded-Scheme $pass_access_scheme; + + proxy_set_header X-Scheme $pass_access_scheme; + + # Pass the original X-Forwarded-For + proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers to proxied server + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_buffering off; + proxy_buffer_size 4k; + proxy_buffers 4 4k; + + proxy_max_temp_file_size 1024m; + + proxy_request_buffering on; + proxy_http_version 1.1; + + proxy_cookie_domain off; + proxy_cookie_path off; + + # In case of errors try the next upstream server before returning an error + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 0; + proxy_next_upstream_tries 3; + + proxy_pass http://upstream_balancer; + + proxy_redirect off; + + } + + location = /get { + + set $namespace "httpbin"; + set $ingress_name "httpbin"; + set $service_name "httpbin"; + set $service_port "14001"; + set $location_path "/get"; + set $global_rate_limit_exceeding n; + + rewrite_by_lua_block { + 
lua_ingress.rewrite({ + force_ssl_redirect = false, + ssl_redirect = true, + force_no_ssl_redirect = false, + preserve_trailing_slash = false, + use_port_in_redirects = false, + global_throttle = { namespace = "", limit = 0, window_size = 0, key = { }, ignored_cidrs = { } }, + }) + balancer.rewrite() + plugins.run() + } + + # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any + # will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)` + # other authentication method such as basic auth or external auth useless - all requests will be allowed. + #access_by_lua_block { + #} + + header_filter_by_lua_block { + lua_ingress.header() + plugins.run() + } + + body_filter_by_lua_block { + plugins.run() + } + + log_by_lua_block { + balancer.log() + + monitor.call() + + plugins.run() + } + + port_in_redirect off; + + set $balancer_ewma_score -1; + set $proxy_upstream_name "httpbin-httpbin-14001"; + set $proxy_host $proxy_upstream_name; + set $pass_access_scheme $scheme; + + set $pass_server_port $server_port; + + set $best_http_host $http_host; + set $pass_port $pass_server_port; + + set $proxy_alternative_upstream_name ""; + + client_max_body_size 1m; + + proxy_set_header Host $best_http_host; + + # Pass the extracted client certificate to the backend + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Request-ID $req_id; + proxy_set_header X-Real-IP $remote_addr; + + proxy_set_header X-Forwarded-For $remote_addr; + + proxy_set_header X-Forwarded-Host $best_http_host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + proxy_set_header X-Forwarded-Scheme $pass_access_scheme; + + proxy_set_header X-Scheme $pass_access_scheme; + + # Pass the original X-Forwarded-For + proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for; + + 
# mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers to proxied server + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_buffering off; + proxy_buffer_size 4k; + proxy_buffers 4 4k; + + proxy_max_temp_file_size 1024m; + + proxy_request_buffering on; + proxy_http_version 1.1; + + proxy_cookie_domain off; + proxy_cookie_path off; + + # In case of errors try the next upstream server before returning an error + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 0; + proxy_next_upstream_tries 3; + + proxy_pass http://upstream_balancer; + + proxy_redirect off; + + } + + location / { + + set $namespace ""; + set $ingress_name ""; + set $service_name ""; + set $service_port ""; + set $location_path ""; + set $global_rate_limit_exceeding n; + + rewrite_by_lua_block { + lua_ingress.rewrite({ + force_ssl_redirect = false, + ssl_redirect = false, + force_no_ssl_redirect = false, + preserve_trailing_slash = false, + use_port_in_redirects = false, + global_throttle = { namespace = "", limit = 0, window_size = 0, key = { }, ignored_cidrs = { } }, + }) + balancer.rewrite() + plugins.run() + } + + # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any + # will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)` + # other authentication method such as basic auth or external auth useless - all requests will be allowed. 
+ #access_by_lua_block { + #} + + header_filter_by_lua_block { + lua_ingress.header() + plugins.run() + } + + body_filter_by_lua_block { + plugins.run() + } + + log_by_lua_block { + balancer.log() + + monitor.call() + + plugins.run() + } + + access_log off; + + port_in_redirect off; + + set $balancer_ewma_score -1; + set $proxy_upstream_name "upstream-default-backend"; + set $proxy_host $proxy_upstream_name; + set $pass_access_scheme $scheme; + set $pass_server_port $server_port; set $best_http_host $http_host; > I0429 16:39:08.165580 7 controller.go:183] "Backend successfully reloaded" I0429 16:39:08.166847 7 event.go:285] Event(v1.ObjectReference{Kind:"Pod", Namespace:"ingress-nginx", Name:"ingress-nginx-controller-867c9b9ddb-5frmj", UID:"1db3133b-e51c-464b-b168-288881ba33b2", APIVersion:"v1", ResourceVersion:"67994", FieldPath:""}): type: 'Normal' reason: 'RELOAD' NGINX reload triggered due to a change in configuration I0429 16:39:08.169198 7 controller.go:209] Dynamic reconfiguration succeeded. I0429 16:39:08.187565 7 socket.go:373] "removing metrics" ingresses=[]
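Review bot: The added `proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;` lines (in the tail of `location /get/` and in `location = /get`) forward a client-supplied header to the backend unchanged, and the comment above them does not say so. `X-Forwarded-For` and `X-Real-IP` are set from `$remote_addr` in the same blocks, so those are the values a backend should rely on. `Host` and `X-Forwarded-Host` come from `$http_host` via `$best_http_host` and are likewise client-controlled. I would word the comment as `# Pass the original X-Forwarded-For (client-supplied, unverified; not for access decisions or audit logging)`. This file is rendered by the controller, so the wording presumably belongs in its template; the hunk starts inside `location /get/` and ends inside the default `location /`, both of which continue outside it.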