diff --git a/charts/nginx-ingress/README.md b/charts/nginx-ingress/README.md
index da6e2a1418..846ac2d12a 100644
--- a/charts/nginx-ingress/README.md
+++ b/charts/nginx-ingress/README.md
@@ -452,6 +452,8 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
|`controller.podDisruptionBudget.maxUnavailable` | The number of Ingress Controller pods that can be unavailable. This is a mutually exclusive setting with "minAvailable". | 0 |
|`controller.strategy` | Specifies the strategy used to replace old Pods with new ones. Docs for [Deployment update strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) and [Daemonset update strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) | {} |
|`controller.disableIPV6` | Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. | false |
+|`controller.defaultHTTPListenerPort` | Sets the port for the HTTP `default_server` listener. | 80 |
+|`controller.defaultHTTPSListenerPort` | Sets the port for the HTTPS `default_server` listener. | 443 |
|`controller.readOnlyRootFilesystem` | Configure root filesystem as read-only and add volumes for temporary data. | false |
|`rbac.create` | Configures RBAC. | true |
|`prometheus.create` | Expose NGINX or NGINX Plus metrics in the Prometheus format. | true |
diff --git a/charts/nginx-ingress/templates/controller-daemonset.yaml b/charts/nginx-ingress/templates/controller-daemonset.yaml
index d6012c3a3b..fafc597da3 100644
--- a/charts/nginx-ingress/templates/controller-daemonset.yaml
+++ b/charts/nginx-ingress/templates/controller-daemonset.yaml
@@ -237,6 +237,8 @@ spec:
- -enable-cert-manager={{ .Values.controller.enableCertManager }}
- -enable-oidc={{ .Values.controller.enableOIDC }}
- -enable-external-dns={{ .Values.controller.enableExternalDNS }}
+ - -default-http-listener-port={{ .Values.controller.defaultHTTPListenerPort}}
+ - -default-https-listener-port={{ .Values.controller.defaultHTTPSListenerPort}}
{{- if .Values.controller.globalConfiguration.create }}
- -global-configuration=$(POD_NAMESPACE)/{{ include "nginx-ingress.controller.fullname" . }}
{{- end }}
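Review bot: Nothing in this diff updates the pod's `containerPort` entries or the Service target ports to follow the two new listener args, so if those are still fixed at 80/443 (not visible here), a custom value leaves the Service forwarding to a port NGINX no longer listens on. The same applies to the matching hunk in controller-deployment.yaml. Either derive those ports from the same values or say in the README rows that the Service and container ports must be changed together. As a style point, the added lines drop the space before `}}` that the neighbouring args use; write `{{ .Values.controller.defaultHTTPListenerPort }}`. The args list starts and ends outside the hunk.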
diff --git a/charts/nginx-ingress/templates/controller-deployment.yaml b/charts/nginx-ingress/templates/controller-deployment.yaml
index f23f515ef3..0658cba140 100644
--- a/charts/nginx-ingress/templates/controller-deployment.yaml
+++ b/charts/nginx-ingress/templates/controller-deployment.yaml
@@ -244,6 +244,8 @@ spec:
- -enable-cert-manager={{ .Values.controller.enableCertManager }}
- -enable-oidc={{ .Values.controller.enableOIDC }}
- -enable-external-dns={{ .Values.controller.enableExternalDNS }}
+ - -default-http-listener-port={{ .Values.controller.defaultHTTPListenerPort}}
+ - -default-https-listener-port={{ .Values.controller.defaultHTTPSListenerPort}}
{{- if .Values.controller.globalConfiguration.create }}
- -global-configuration=$(POD_NAMESPACE)/{{ include "nginx-ingress.controller.fullname" . }}
{{- end }}
diff --git a/charts/nginx-ingress/values.schema.json b/charts/nginx-ingress/values.schema.json
index 39f65da624..b6a1bc98f9 100644
--- a/charts/nginx-ingress/values.schema.json
+++ b/charts/nginx-ingress/values.schema.json
@@ -1262,6 +1262,22 @@
false
]
},
+ "defaultHTTPListenerPort": {
+ "type": "integer",
+ "default": 80,
+ "title": "The defaultHTTPListenerPort",
+ "examples": [
+ 80
+ ]
+ },
+ "defaultHTTPSListenerPort": {
+ "type": "integer",
+ "default": 443,
+ "title": "The defaultHTTPSListenerPort",
+ "examples": [
+ 443
+ ]
+ },
"readOnlyRootFilesystem": {
"type": "boolean",
"default": false,
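Review bot: Both new properties are constrained only by `"type": "integer"`, so chart validation accepts 0, negative numbers and values above 65535, and the mistake shows up only when NGINX fails to bind. Adding bounds to each property, for example `"minimum": 1, "maximum": 65535` (or whatever range the controller actually enforces), rejects such values at install time. The `title` strings only repeat the key name; the README description would be more useful there.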
@@ -1411,6 +1427,8 @@
},
"enableLatencyMetrics": false,
"disableIPV6": false,
+ "defaultHTTPListenerPort": 80,
+ "defaultHTTPSListenerPort": 443,
"readOnlyRootFilesystem": false
}
]
@@ -1776,6 +1794,8 @@
},
"enableLatencyMetrics": false,
"disableIPV6": false,
+ "defaultHTTPListenerPort": 80,
+ "defaultHTTPSListenerPort": 443,
"readOnlyRootFilesystem": false
},
"rbac": {
diff --git a/charts/nginx-ingress/values.yaml b/charts/nginx-ingress/values.yaml
index 9dd9a9a021..b3e8ed1682 100644
--- a/charts/nginx-ingress/values.yaml
+++ b/charts/nginx-ingress/values.yaml
@@ -443,6 +443,12 @@ controller:
## Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack.
disableIPV6: false
+ ## Sets the port for the HTTP `default_server` listener.
+ defaultHTTPListenerPort: 80
+
+ ## Sets the port for the HTTPS `default_server` listener.
+ defaultHTTPSListenerPort: 443
+
## Configure root filesystem as read-only and add volumes for temporary data.
readOnlyRootFilesystem: false
diff --git a/cmd/nginx-ingress/flags.go b/cmd/nginx-ingress/flags.go
index 19799d362f..83515d58a0 100644
--- a/cmd/nginx-ingress/flags.go
+++ b/cmd/nginx-ingress/flags.go
@@ -194,6 +194,10 @@ var (
disableIPV6 = flag.Bool("disable-ipv6", false,
`Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack`)
+ defaultHTTPListenerPort = flag.Int("default-http-listener-port", 80, "Sets a custom port for the HTTP NGINX `default_server`. [1024 - 65535]")
+
+ defaultHTTPSListenerPort = flag.Int("default-https-listener-port", 443, "Sets a custom port for the HTTPS `default_server`. [1024 - 65535]")
+
startupCheckFn func() error
)
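Review bot: The usage strings for both flags advertise `[1024 - 65535]`, yet the defaults are 80 and 443, and no range or collision check on the new values is visible in this diff. If no check exists, an out-of-range port, or one equal to another listener the controller opens, is caught only when NGINX rejects the generated config; if one exists elsewhere, it has to exempt the defaults. The text should say so, e.g. `"Sets the port for the HTTP default_server listener. Default 80; custom values must be in [1024 - 65535]"`. Go's `flag` package also treats a back-quoted word in a usage string as the argument name, so `-help` will print `default_server` where `int` is expected; dropping the backticks avoids that. The `var (` block starts outside the hunk.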
diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go
index 93caaa3a31..32a826331d 100644
--- a/cmd/nginx-ingress/main.go
+++ b/cmd/nginx-ingress/main.go
@@ -90,6 +90,8 @@ func main() {
staticCfgParams := &configs.StaticConfigParams{
DisableIPV6: *disableIPV6,
+ DefaultHTTPListenerPort: *defaultHTTPListenerPort,
+ DefaultHTTPSListenerPort: *defaultHTTPSListenerPort,
HealthStatus: *healthStatus,
HealthStatusURI: *healthStatusURI,
NginxStatus: *nginxStatus,
diff --git a/docs/content/configuration/global-configuration/command-line-arguments.md b/docs/content/configuration/global-configuration/command-line-arguments.md
index 56172fb3a3..ac5378dc1d 100644
--- a/docs/content/configuration/global-configuration/command-line-arguments.md
+++ b/docs/content/configuration/global-configuration/command-line-arguments.md
@@ -508,3 +508,19 @@ Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack.
Default `false`.
+
+### -default-http-listener-port
+
+Sets the port for the HTTP `default_server` listener.
+
+Default `80`.
+
+
+
+### -default-https-listener-port
+
+Sets the port for the HTTPS `default_server` listener.
+
+Default `443`.
+
+
diff --git a/internal/configs/config_params.go b/internal/configs/config_params.go
index ba4be02d86..9e8b4a9479 100644
--- a/internal/configs/config_params.go
+++ b/internal/configs/config_params.go
@@ -114,6 +114,8 @@ type ConfigParams struct {
// StaticConfigParams holds immutable NGINX configuration parameters that affect the main NGINX config.
type StaticConfigParams struct {
DisableIPV6 bool
+ DefaultHTTPListenerPort int
+ DefaultHTTPSListenerPort int
HealthStatus bool
HealthStatusURI string
NginxStatus bool
diff --git a/internal/configs/configmaps.go b/internal/configs/configmaps.go
index 675fc7e443..006f70c74c 100644
--- a/internal/configs/configmaps.go
+++ b/internal/configs/configmaps.go
@@ -514,6 +514,8 @@ func GenerateNginxMainConfig(staticCfgParams *StaticConfigParams, config *Config
DefaultServerAccessLogOff: config.DefaultServerAccessLogOff,
DefaultServerReturn: config.DefaultServerReturn,
DisableIPV6: staticCfgParams.DisableIPV6,
+ DefaultHTTPListenerPort: staticCfgParams.DefaultHTTPListenerPort,
+ DefaultHTTPSListenerPort: staticCfgParams.DefaultHTTPSListenerPort,
ErrorLogLevel: config.MainErrorLogLevel,
HealthStatus: staticCfgParams.HealthStatus,
HealthStatusURI: staticCfgParams.HealthStatusURI,
diff --git a/internal/configs/version1/config.go b/internal/configs/version1/config.go
index 4afb16796b..eda5ffebbd 100644
--- a/internal/configs/version1/config.go
+++ b/internal/configs/version1/config.go
@@ -165,6 +165,8 @@ type MainConfig struct {
DefaultServerAccessLogOff bool
DefaultServerReturn string
DisableIPV6 bool
+ DefaultHTTPListenerPort int
+ DefaultHTTPSListenerPort int
ErrorLogLevel string
HealthStatus bool
HealthStatusURI string
diff --git a/internal/configs/version1/nginx-plus.tmpl b/internal/configs/version1/nginx-plus.tmpl
index 851ecb4125..cc8cf394dd 100644
--- a/internal/configs/version1/nginx-plus.tmpl
+++ b/internal/configs/version1/nginx-plus.tmpl
@@ -153,16 +153,16 @@ http {
set $resource_namespace "";
set $service "";
- listen 80 default_server{{if .ProxyProtocol}} proxy_protocol{{end}};
- {{if not .DisableIPV6}}listen [::]:80 default_server{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}}
+ listen {{ .DefaultHTTPListenerPort }} default_server{{if .ProxyProtocol}} proxy_protocol{{end}};
+ {{if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPListenerPort }} default_server{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}}
{{if .TLSPassthrough}}
listen unix:/var/lib/nginx/passthrough-https.sock ssl default_server{{if .HTTP2}} http2{{end}} proxy_protocol;
set_real_ip_from unix:;
real_ip_header proxy_protocol;
{{else}}
- listen 443 ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}};
- {{if not .DisableIPV6}}listen [::]:443 ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}}
+ listen {{ .DefaultHTTPSListenerPort }} ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}};
+ {{if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPSListenerPort }} ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}}
{{end}}
{{if .SSLRejectHandshake}}
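Review bot: `listen {{ .DefaultHTTPListenerPort }}` and its HTTPS counterpart are rendered unconditionally, so any `MainConfig` built without the two new fields now emits `listen 0 default_server` where the template used to emit 80/443. The fixtures `mainCfgCustomTLSPassthroughPort`, `mainCfgWithoutTLSPassthrough` and `mainCfgDefaultTLSPassthroughPort` in template_test.go leave the fields unset, so the tests already render that form without asserting on it. Either reject a zero port before rendering or fall back in the template, e.g. `listen {{ if .DefaultHTTPListenerPort }}{{ .DefaultHTTPListenerPort }}{{ else }}80{{ end }} default_server…`. The same applies to the nginx.tmpl hunk, which also writes `{{ .DefaultHTTPListenerPort}}` without the closing space used here. The server block starts and ends outside the hunk.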
diff --git a/internal/configs/version1/nginx.tmpl b/internal/configs/version1/nginx.tmpl
index 5f50e6bfed..c1d4ec590c 100644
--- a/internal/configs/version1/nginx.tmpl
+++ b/internal/configs/version1/nginx.tmpl
@@ -106,16 +106,16 @@ http {
set $resource_namespace "";
set $service "";
- listen 80 default_server{{if .ProxyProtocol}} proxy_protocol{{end}};
- {{if not .DisableIPV6}}listen [::]:80 default_server{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}}
+ listen {{ .DefaultHTTPListenerPort}} default_server{{if .ProxyProtocol}} proxy_protocol{{end}};
+ {{if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPListenerPort}} default_server{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}}
{{if .TLSPassthrough}}
listen unix:/var/lib/nginx/passthrough-https.sock ssl default_server{{if .HTTP2}} http2{{end}} proxy_protocol;
set_real_ip_from unix:;
real_ip_header proxy_protocol;
{{else}}
- listen 443 ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}};
- {{if not .DisableIPV6}}listen [::]:443 ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}}
+ listen {{ .DefaultHTTPSListenerPort}} ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}};
+ {{if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPSListenerPort}} ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}}
{{end}}
{{if .SSLRejectHandshake}}
diff --git a/internal/configs/version1/template_test.go b/internal/configs/version1/template_test.go
index 3f77862145..4ef7b96737 100644
--- a/internal/configs/version1/template_test.go
+++ b/internal/configs/version1/template_test.go
@@ -343,7 +343,7 @@ func TestExecuteTemplate_ForMainForNGINXWithoutCustomTLSPassthroughPort(t *testi
tmpl := newNGINXMainTmpl(t)
buf := &bytes.Buffer{}
- err := tmpl.Execute(buf, mainCfg)
+ err := tmpl.Execute(buf, mainCfgDefaultTLSPassthroughPort)
t.Log(buf.String())
if err != nil {
t.Fatalf("Failed to write template %v", err)
@@ -369,7 +369,7 @@ func TestExecuteTemplate_ForMainForNGINXPlusWithoutCustomTLSPassthroughPort(t *t
tmpl := newNGINXPlusMainTmpl(t)
buf := &bytes.Buffer{}
- err := tmpl.Execute(buf, mainCfg)
+ err := tmpl.Execute(buf, mainCfgDefaultTLSPassthroughPort)
t.Log(buf.String())
if err != nil {
t.Fatalf("Failed to write template %v", err)
@@ -441,6 +441,230 @@ func TestExecuteTemplate_ForMainForNGINXPlusTLSPassthroughPortDisabled(t *testin
}
}
+func TestExecuteTemplate_ForMainForNGINXWithCustomDefaultHTTPAndHTTPSListenerPorts(t *testing.T) {
+ t.Parallel()
+
+ tmpl := newNGINXMainTmpl(t)
+ buf := &bytes.Buffer{}
+
+ err := tmpl.Execute(buf, mainCfgCustomDefaultHTTPAndHTTPSListenerPorts)
+ t.Log(buf.String())
+
+ if err != nil {
+ t.Fatalf("Failed to write template %v", err)
+ }
+
+ wantDirectives := []string{
+ "listen 8083 default_server;",
+ "listen [::]:8083 default_server;",
+ "listen 8443 ssl default_server;",
+ "listen [::]:8443 ssl default_server;",
+ }
+
+ mainConf := buf.String()
+ for _, want := range wantDirectives {
+ if !strings.Contains(mainConf, want) {
+ t.Errorf("want %q in generated config", want)
+ }
+ }
+}
+
+func TestExecuteTemplate_ForMainForNGINXPlusWithCustomDefaultHTTPAndHTTPSListenerPorts(t *testing.T) {
+ t.Parallel()
+
+ tmpl := newNGINXPlusMainTmpl(t)
+ buf := &bytes.Buffer{}
+
+ err := tmpl.Execute(buf, mainCfgCustomDefaultHTTPAndHTTPSListenerPorts)
+ t.Log(buf.String())
+
+ if err != nil {
+ t.Fatalf("Failed to write template %v", err)
+ }
+
+ wantDirectives := []string{
+ "listen 8083 default_server;",
+ "listen [::]:8083 default_server;",
+ "listen 8443 ssl default_server;",
+ "listen [::]:8443 ssl default_server;",
+ }
+
+ mainConf := buf.String()
+ for _, want := range wantDirectives {
+ if !strings.Contains(mainConf, want) {
+ t.Errorf("want %q in generated config", want)
+ }
+ }
+}
+
+func TestExecuteTemplate_ForMainForNGINXWithoutCustomDefaultHTTPAndHTTPSListenerPorts(t *testing.T) {
+ t.Parallel()
+
+ tmpl := newNGINXMainTmpl(t)
+ buf := &bytes.Buffer{}
+
+ err := tmpl.Execute(buf, mainCfg)
+ t.Log(buf.String())
+
+ if err != nil {
+ t.Fatalf("Failed to write template %v", err)
+ }
+
+ wantDirectives := []string{
+ "listen 80 default_server;",
+ "listen [::]:80 default_server;",
+ "listen 443 ssl default_server;",
+ "listen [::]:443 ssl default_server;",
+ }
+
+ mainConf := buf.String()
+ for _, want := range wantDirectives {
+ if !strings.Contains(mainConf, want) {
+ t.Errorf("want %q in generated config", want)
+ }
+ }
+}
+
+func TestExecuteTemplate_ForMainForNGINXPlusWithoutCustomDefaultHTTPAndHTTPSListenerPorts(t *testing.T) {
+ t.Parallel()
+
+ tmpl := newNGINXPlusMainTmpl(t)
+ buf := &bytes.Buffer{}
+
+ err := tmpl.Execute(buf, mainCfg)
+ t.Log(buf.String())
+
+ if err != nil {
+ t.Fatalf("Failed to write template %v", err)
+ }
+
+ wantDirectives := []string{
+ "listen 80 default_server;",
+ "listen [::]:80 default_server;",
+ "listen 443 ssl default_server;",
+ "listen [::]:443 ssl default_server;",
+ }
+
+ mainConf := buf.String()
+ for _, want := range wantDirectives {
+ if !strings.Contains(mainConf, want) {
+ t.Errorf("want %q in generated config", want)
+ }
+ }
+}
+
+func TestExecuteTemplate_ForMainForNGINXWithCustomDefaultHTTPListenerPort(t *testing.T) {
+ t.Parallel()
+
+ tmpl := newNGINXMainTmpl(t)
+ buf := &bytes.Buffer{}
+
+ err := tmpl.Execute(buf, mainCfgCustomDefaultHTTPListenerPort)
+ t.Log(buf.String())
+
+ if err != nil {
+ t.Fatalf("Failed to write template %v", err)
+ }
+
+ wantDirectives := []string{
+ "listen 8083 default_server;",
+ "listen [::]:8083 default_server;",
+ "listen 443 ssl default_server;",
+ "listen [::]:443 ssl default_server;",
+ }
+
+ mainConf := buf.String()
+ for _, want := range wantDirectives {
+ if !strings.Contains(mainConf, want) {
+ t.Errorf("want %q in generated config", want)
+ }
+ }
+}
+
+func TestExecuteTemplate_ForMainForNGINXWithCustomDefaultHTTPSListenerPort(t *testing.T) {
+ t.Parallel()
+
+ tmpl := newNGINXMainTmpl(t)
+ buf := &bytes.Buffer{}
+
+ err := tmpl.Execute(buf, mainCfgCustomDefaultHTTPSListenerPort)
+ t.Log(buf.String())
+
+ if err != nil {
+ t.Fatalf("Failed to write template %v", err)
+ }
+
+ wantDirectives := []string{
+ "listen 80 default_server;",
+ "listen [::]:80 default_server;",
+ "listen 8443 ssl default_server;",
+ "listen [::]:8443 ssl default_server;",
+ }
+
+ mainConf := buf.String()
+ for _, want := range wantDirectives {
+ if !strings.Contains(mainConf, want) {
+ t.Errorf("want %q in generated config", want)
+ }
+ }
+}
+
+func TestExecuteTemplate_ForMainForNGINXPlusWithCustomDefaultHTTPListenerPort(t *testing.T) {
+ t.Parallel()
+
+ tmpl := newNGINXPlusMainTmpl(t)
+ buf := &bytes.Buffer{}
+
+ err := tmpl.Execute(buf, mainCfgCustomDefaultHTTPListenerPort)
+ t.Log(buf.String())
+
+ if err != nil {
+ t.Fatalf("Failed to write template %v", err)
+ }
+
+ wantDirectives := []string{
+ "listen 8083 default_server;",
+ "listen [::]:8083 default_server;",
+ "listen 443 ssl default_server;",
+ "listen [::]:443 ssl default_server;",
+ }
+
+ mainConf := buf.String()
+ for _, want := range wantDirectives {
+ if !strings.Contains(mainConf, want) {
+ t.Errorf("want %q in generated config", want)
+ }
+ }
+}
+
+func TestExecuteTemplate_ForMainForNGINXPlusWithCustomDefaultHTTPSListenerPort(t *testing.T) {
+ t.Parallel()
+
+ tmpl := newNGINXPlusMainTmpl(t)
+ buf := &bytes.Buffer{}
+
+ err := tmpl.Execute(buf, mainCfgCustomDefaultHTTPSListenerPort)
+ t.Log(buf.String())
+
+ if err != nil {
+ t.Fatalf("Failed to write template %v", err)
+ }
+
+ wantDirectives := []string{
+ "listen 80 default_server;",
+ "listen [::]:80 default_server;",
+ "listen 8443 ssl default_server;",
+ "listen [::]:8443 ssl default_server;",
+ }
+
+ mainConf := buf.String()
+ for _, want := range wantDirectives {
+ if !strings.Contains(mainConf, want) {
+ t.Errorf("want %q in generated config", want)
+ }
+ }
+}
+
func newNGINXPlusIngressTmpl(t *testing.T) *template.Template {
t.Helper()
tmpl, err := template.New("nginx-plus.ingress.tmpl").Funcs(helperFunctions).ParseFiles("nginx-plus.ingress.tmpl")
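Review bot: The custom-port tests added here assert only that the new `listen` lines are present, not that `listen 80 default_server;` and `listen 443 ssl default_server;` are gone, so a regression that emits both the old and the new listeners would still pass. The eight tests are also copies that differ only in template constructor, fixture and expected ports. A single table-driven test covers both templates and adds the negative assertions. The sketch below assumes both constructors return `*template.Template`, as `newNGINXPlusIngressTmpl` does.

```go
func TestExecuteTemplate_ForMainDefaultListenerPorts(t *testing.T) {
	t.Parallel()

	templates := map[string]*template.Template{
		"nginx":      newNGINXMainTmpl(t),
		"nginx-plus": newNGINXPlusMainTmpl(t),
	}
	tests := []struct {
		name     string
		cfg      MainConfig
		want     []string
		unwanted []string
	}{
		{
			name: "custom HTTP and HTTPS ports",
			cfg:  mainCfgCustomDefaultHTTPAndHTTPSListenerPorts,
			want: []string{
				"listen 8083 default_server;",
				"listen [::]:8083 default_server;",
				"listen 8443 ssl default_server;",
				"listen [::]:8443 ssl default_server;",
			},
			unwanted: []string{
				"listen 80 default_server;",
				"listen 443 ssl default_server;",
			},
		},
		// … remaining cases: default ports, custom HTTP only, custom HTTPS only …
	}

	for tmplName, tmpl := range templates {
		for _, tc := range tests {
			t.Run(tmplName+"/"+tc.name, func(t *testing.T) {
				var buf bytes.Buffer
				if err := tmpl.Execute(&buf, tc.cfg); err != nil {
					t.Fatalf("Failed to write template %v", err)
				}
				conf := buf.String()
				for _, w := range tc.want {
					if !strings.Contains(conf, w) {
						t.Errorf("want %q in generated config", w)
					}
				}
				for _, u := range tc.unwanted {
					if strings.Contains(conf, u) {
						t.Errorf("unexpected %q in generated config", u)
					}
				}
			})
		}
	}
}
```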
@@ -753,6 +977,31 @@ var (
}
mainCfg = MainConfig{
+ DefaultHTTPListenerPort: 80,
+ DefaultHTTPSListenerPort: 443,
+ ServerNamesHashMaxSize: "512",
+ ServerTokens: "off",
+ WorkerProcesses: "auto",
+ WorkerCPUAffinity: "auto",
+ WorkerShutdownTimeout: "1m",
+ WorkerConnections: "1024",
+ WorkerRlimitNofile: "65536",
+ LogFormat: []string{"$remote_addr", "$remote_user"},
+ LogFormatEscaping: "default",
+ StreamSnippets: []string{"# comment"},
+ StreamLogFormat: []string{"$remote_addr", "$remote_user"},
+ StreamLogFormatEscaping: "none",
+ ResolverAddresses: []string{"example.com", "127.0.0.1"},
+ ResolverIPV6: false,
+ ResolverValid: "10s",
+ ResolverTimeout: "15s",
+ KeepaliveTimeout: "65s",
+ KeepaliveRequests: 100,
+ VariablesHashBucketSize: 256,
+ VariablesHashMaxSize: 1024,
+ }
+
+ mainCfgCustomTLSPassthroughPort = MainConfig{
ServerNamesHashMaxSize: "512",
ServerTokens: "off",
WorkerProcesses: "auto",
@@ -774,10 +1023,10 @@ var (
VariablesHashBucketSize: 256,
VariablesHashMaxSize: 1024,
TLSPassthrough: true,
- TLSPassthroughPort: 443,
+ TLSPassthroughPort: 8443,
}
- mainCfgCustomTLSPassthroughPort = MainConfig{
+ mainCfgWithoutTLSPassthrough = MainConfig{
ServerNamesHashMaxSize: "512",
ServerTokens: "off",
WorkerProcesses: "auto",
@@ -798,11 +1047,11 @@ var (
KeepaliveRequests: 100,
VariablesHashBucketSize: 256,
VariablesHashMaxSize: 1024,
- TLSPassthrough: true,
+ TLSPassthrough: false,
TLSPassthroughPort: 8443,
}
- mainCfgWithoutTLSPassthrough = MainConfig{
+ mainCfgDefaultTLSPassthroughPort = MainConfig{
ServerNamesHashMaxSize: "512",
ServerTokens: "off",
WorkerProcesses: "auto",
@@ -823,8 +1072,83 @@ var (
KeepaliveRequests: 100,
VariablesHashBucketSize: 256,
VariablesHashMaxSize: 1024,
- TLSPassthrough: false,
- TLSPassthroughPort: 8443,
+ TLSPassthrough: true,
+ TLSPassthroughPort: 443,
+ }
+
+ mainCfgCustomDefaultHTTPAndHTTPSListenerPorts = MainConfig{
+ DefaultHTTPListenerPort: 8083,
+ DefaultHTTPSListenerPort: 8443,
+ ServerNamesHashMaxSize: "512",
+ ServerTokens: "off",
+ WorkerProcesses: "auto",
+ WorkerCPUAffinity: "auto",
+ WorkerShutdownTimeout: "1m",
+ WorkerConnections: "1024",
+ WorkerRlimitNofile: "65536",
+ LogFormat: []string{"$remote_addr", "$remote_user"},
+ LogFormatEscaping: "default",
+ StreamSnippets: []string{"# comment"},
+ StreamLogFormat: []string{"$remote_addr", "$remote_user"},
+ StreamLogFormatEscaping: "none",
+ ResolverAddresses: []string{"example.com", "127.0.0.1"},
+ ResolverIPV6: false,
+ ResolverValid: "10s",
+ ResolverTimeout: "15s",
+ KeepaliveTimeout: "65s",
+ KeepaliveRequests: 100,
+ VariablesHashBucketSize: 256,
+ VariablesHashMaxSize: 1024,
+ }
+
+ mainCfgCustomDefaultHTTPListenerPort = MainConfig{
+ DefaultHTTPListenerPort: 8083,
+ DefaultHTTPSListenerPort: 443,
+ ServerNamesHashMaxSize: "512",
+ ServerTokens: "off",
+ WorkerProcesses: "auto",
+ WorkerCPUAffinity: "auto",
+ WorkerShutdownTimeout: "1m",
+ WorkerConnections: "1024",
+ WorkerRlimitNofile: "65536",
+ LogFormat: []string{"$remote_addr", "$remote_user"},
+ LogFormatEscaping: "default",
+ StreamSnippets: []string{"# comment"},
+ StreamLogFormat: []string{"$remote_addr", "$remote_user"},
+ StreamLogFormatEscaping: "none",
+ ResolverAddresses: []string{"example.com", "127.0.0.1"},
+ ResolverIPV6: false,
+ ResolverValid: "10s",
+ ResolverTimeout: "15s",
+ KeepaliveTimeout: "65s",
+ KeepaliveRequests: 100,
+ VariablesHashBucketSize: 256,
+ VariablesHashMaxSize: 1024,
+ }
+
+ mainCfgCustomDefaultHTTPSListenerPort = MainConfig{
+ DefaultHTTPListenerPort: 80,
+ DefaultHTTPSListenerPort: 8443,
+ ServerNamesHashMaxSize: "512",
+ ServerTokens: "off",
+ WorkerProcesses: "auto",
+ WorkerCPUAffinity: "auto",
+ WorkerShutdownTimeout: "1m",
+ WorkerConnections: "1024",
+ WorkerRlimitNofile: "65536",
+ LogFormat: []string{"$remote_addr", "$remote_user"},
+ LogFormatEscaping: "default",
+ StreamSnippets: []string{"# comment"},
+ StreamLogFormat: []string{"$remote_addr", "$remote_user"},
+ StreamLogFormatEscaping: "none",
+ ResolverAddresses: []string{"example.com", "127.0.0.1"},
+ ResolverIPV6: false,
+ ResolverValid: "10s",
+ ResolverTimeout: "15s",
+ KeepaliveTimeout: "65s",
+ KeepaliveRequests: 100,
+ VariablesHashBucketSize: 256,
+ VariablesHashMaxSize: 1024,
}
// Vars for Mergable Ingress Master - Minion tests
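Review bot: The three fixtures added in this hunk repeat about twenty identical fields and differ from `mainCfg` only in the two port values, so a later edit to the shared fields is easy to miss in one copy. A small helper that takes a base config by value, overrides the two ports and returns the copy would keep them in sync, e.g. `mainCfgCustomDefaultHTTPListenerPort = withListenerPorts(mainCfg, 8083, 443)`, where `withListenerPorts` is a proposed name. The `var (` block starts outside the hunk.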
diff --git a/tests/suite/test_default_server.py b/tests/suite/test_default_server.py
index 5539079aa0..31e5da5814 100644
--- a/tests/suite/test_default_server.py
+++ b/tests/suite/test_default_server.py
@@ -1,6 +1,8 @@
from ssl import SSLError
import pytest
+import requests
+from requests.exceptions import ConnectionError
from settings import BASEDIR, DEPLOYMENTS, TEST_DATA
from suite.utils.resources_utils import (
create_secret_from_yaml,
@@ -42,6 +44,12 @@ def default_server_setup(ingress_controller_endpoint, ingress_controller):
ensure_connection(f"http://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port}/")
+@pytest.fixture(scope="class")
+def default_server_setup_custom_port(ingress_controller_endpoint, ingress_controller):
+ ensure_connection(f"http://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.custom_http}/")
+ ensure_connection(f"https://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.custom_https}/")
+
+
@pytest.fixture(scope="class")
def secret_setup(request, kube_apis):
def fin():
@@ -95,3 +103,45 @@ def test_with_default_tls_secret(self, kube_apis, ingress_controller_endpoint, s
def test_without_default_tls_secret(self, ingress_controller_endpoint, default_server_setup):
print("Ensure connection to HTTPS cannot be established")
assert_unrecognized_name_error(ingress_controller_endpoint)
+
+ @pytest.mark.parametrize(
+ "ingress_controller",
+ [
+ pytest.param(
+ {"extra_args": [f"-default-http-listener-port=8085", f"-default-https-listener-port=8445"]},
+ ),
+ ],
+ indirect=True,
+ )
+ def test_disable_default_listeners_true(self, ingress_controller_endpoint, ingress_controller):
+ print("Ensure ports 80 and 443 return result in an ERR_CONNECTION_REFUSED")
+ request_url_80 = f"http://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port}/"
+ with pytest.raises(ConnectionError, match="Connection refused") as e:
+ requests.get(request_url_80, headers={})
+
+ request_url_443 = f"https://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port_ssl}/"
+ with pytest.raises(ConnectionError, match="Connection refused") as e:
+ requests.get(request_url_443, headers={}, verify=False)
+
+ @pytest.mark.parametrize(
+ "ingress_controller",
+ [
+ pytest.param(
+ {"extra_args": [f"-default-http-listener-port=8085", f"-default-https-listener-port=8445"]},
+ ),
+ ],
+ indirect=True,
+ )
+ def test_custom_default_listeners(
+ self, kube_apis, ingress_controller_endpoint, ingress_controller, default_server_setup_custom_port
+ ):
+ print("Ensure custom ports for default listeners return 404")
+ request_url_http = f"http://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.custom_http}/"
+ resp = requests.get(request_url_http, headers={})
+ assert resp.status_code == 404
+
+ request_url_https = (
+ f"https://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.custom_https}/"
+ )
+ resp = requests.get(request_url_https, headers={}, verify=False)
+ assert resp.status_code == 404
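Review bot: The `requests.get` calls in both new tests carry no `timeout`, and `test_disable_default_listeners_true` passes only when the error text contains "Connection refused"; if the network path drops traffic to the old ports instead of rejecting it, the test hangs rather than fails. Pass an explicit timeout, e.g. `requests.get(request_url_80, headers={}, timeout=5)`, and consider treating a timeout as evidence that the port is closed. The `f` prefixes on the `extra_args` strings have no placeholders, `as e` is unused, and the test name suggests a disable switch rather than custom ports. If `verify=False` is there because the default server presents a self-signed certificate, a one-line comment saying so would stop it being copied into tests where verification matters.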