-
-
Notifications
You must be signed in to change notification settings - Fork 25
/
nginx-proxy-configmap.yaml
198 lines (169 loc) · 8.66 KB
/
nginx-proxy-configmap.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "artifact-caching-proxy.fullname" . }}-proxy-configmap
labels: {{ include "artifact-caching-proxy.labels" . | nindent 4 }}
data:
cache.conf: |
proxy_cache_path {{ .Values.cache.path }} levels=1 keys_zone=nginx_cache:{{ .Values.cache.keysZoneSize }} max_size={{ .Values.persistence.size }}g inactive={{ .Values.cache.inactive }} use_temp_path={{ .Values.cache.useTempPath }};
common-proxy.conf: |
# Ensure that no authentication header are sent to the upstreams
proxy_set_header Authorization {{ .Values.proxy.authorizationHeader | quote }};
# Pass headers to allow HTTP/30x responses from upstream to be followed
proxy_set_header X-Artifactory-Override-Base-Url $http_x_forwarded_proto://$host:$server_port/;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Pass the current Server's identification to upstream
# Ref. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Server
proxy_pass_header Server;
# Remove any cookie in the requests to upstream
proxy_cookie_path ~*^/.* /;
# Compress request/respons with upstream
# Requires '--with-http_gunzip_module' in 'nginx -V'
gunzip on;
proxy_set_header Accept-Encoding "gzip";
gzip_proxied any;
proxy-cache.conf: |
# Enable caching
proxy_cache nginx_cache;
# Specify HTTP code of responses to cache
proxy_cache_valid {{ .Values.proxy.proxyCacheValidCode }} {{ .Values.proxy.proxyCacheValidCodeDuration }};
vhost-proxy.conf: |
include /etc/nginx/conf.d/cache.conf;
server {
listen {{ .Values.service.port }} default;
server_name _; # Catch all hostnames, including invalids
# Specify a DNS resolver to ensure upstream DNS are dynamically resolved
# Ref. https://github.com/DmitryFillo/nginx-proxy-pitfalls
# and disable IPv6 resolution to ensure only IPv4 hosts are used for upstreams
resolver {{ .Values.proxy.dnsResolver }} valid=60s ipv6=off;
# Specify the upstream URLs as a variables to ensure dynamic name resolution
set $jenkins_repo {{ .Values.proxy.proxyPass }};
set $central_repo repo1.maven.org;
set $initial_proxy_location {{ .Values.proxy.initialProxyLocationPath }};
if ($http_x_forwarded_proto = '') {
set $http_x_forwarded_proto $scheme;
}
{{- if .Values.proxy.proxyBypass.enabled -}}
# include bypass option from local ip only
# e.g. curl -H 'Cache-Purge: true' -I http://127.0.0.1:8080/...
# https://bluegrid.io/edu/how-to-purge-the-nginx-cache/
set $bypass 0;
if ($remote_addr ~ "^(127.0.0.1)$") {
set $bypass $http_cache_purge;
}
{{- end }}
# In-memory requests tuning for buffering content
chunked_transfer_encoding on;
client_max_body_size 0;
# Headers added to responses to the client
add_header X-Cache-Status $upstream_cache_status;
# Allow chaining upstreams fallbacks (using proxy_intercept_errors + error_page) up to 10 redirects per request
# See http://nginx.org/en/docs/http/ngx_http_core_module.html#recursive_error_pages and http://nginx.org/en/docs/http/ngx_http_core_module.html#internal
recursive_error_pages on;
# Non-cached requests
## Default location which tries the following chain: "jenkins public" -> "jenkins incrementals" -> "maven central"
location ~* (maven-metadata.xml) {
include /etc/nginx/conf.d/common-proxy.conf;
proxy_pass https://$jenkins_repo$initial_proxy_location$request_uri;
proxy_intercept_errors on;
# If the file is not found, then fallback the search in the "non-cached jenkins incrementals" upstream server
error_page 404 = @fallback_noncached_jenkins_incrementals;
}
location @fallback_noncached_jenkins_incrementals {
include /etc/nginx/conf.d/common-proxy.conf;
proxy_pass https://$jenkins_repo/incrementals$request_uri;
proxy_intercept_errors on;
# If the file is not found, then fallback the search in the "non-cached maven central" upstream server
error_page 404 = @fallback_noncached_maven_central;
}
location @fallback_noncached_maven_central {
include /etc/nginx/conf.d/common-proxy.conf;
proxy_pass https://$central_repo/maven2$request_uri;
# Stop chaining requests
proxy_intercept_errors off;
}
# Cached requests
## Default location which tries the following chain: "jenkins public" -> "jenkins incrementals" -> "maven central"
location / {
{{- if .Values.proxy.proxyBypass.enabled -}}
add_header Cache $upstream_cache_status;
proxy_cache_bypass $bypass;
{{- end }}
proxy_pass https://$jenkins_repo$initial_proxy_location$request_uri;
proxy_cache_key $uri;
include /etc/nginx/conf.d/common-proxy.conf;
include /etc/nginx/conf.d/proxy-cache.conf;
proxy_intercept_errors on;
# If the file is not found, then fallback the search in the "jenkins incrementals" upstream server
error_page 404 = @fallback_jenkins_incrementals;
# If upstream respond with "HTTP 30x Redirect" then Nginx must re-emit a proxy request to the new location (see location @handle_redirects)
error_page 307 302 301 = @handle_redirects;
}
## Fallback location to "jenkins incrementals" repository
location @fallback_jenkins_incrementals {
{{- if .Values.proxy.proxyBypass.enabled -}}
add_header Cache $upstream_cache_status;
proxy_cache_bypass $bypass;
{{- end }}
proxy_pass https://$jenkins_repo/incrementals$request_uri;
proxy_cache_key $uri;
include /etc/nginx/conf.d/common-proxy.conf;
include /etc/nginx/conf.d/proxy-cache.conf;
proxy_intercept_errors on;
# If the file is not found, then fallback the search in the "maven central" upstream server
error_page 404 = @fallback_maven_central;
# If upstream respond with "HTTP 30x Redirect" then Nginx must re-emit a proxy request to the new location (see location @handle_redirects)
error_page 307 302 301 = @handle_redirects;
}
## Fallback location to maven central
location @fallback_maven_central {
{{- if .Values.proxy.proxyBypass.enabled -}}
add_header Cache $upstream_cache_status;
proxy_cache_bypass $bypass;
{{- end }}
proxy_pass https://$central_repo/maven2$request_uri;
proxy_cache_key $uri;
include /etc/nginx/conf.d/common-proxy.conf;
include /etc/nginx/conf.d/proxy-cache.conf;
# If upstream respond with "HTTP 30x Redirect"
# then this section will be used to follow the redirect
# by using the "virtual location" @handle_redirects below
proxy_intercept_errors on;
error_page 307 302 301 = @handle_redirects;
}
location @handle_redirects {
# We need to capture these values now otherwise they disapear
# as soon as we invoke the proxy_* directives
set $original_uri $uri;
set $orig_loc $upstream_http_location;
# Send the request to the URL passed in the `Location` header of the reponse
proxy_pass $orig_loc;
# Cache the result with the cache key of the original request URI
# so that future requests won't need to follow the redirect too
proxy_cache_key $original_uri;
include /etc/nginx/conf.d/common-proxy.conf;
}
# Endpoint used to check healthiness of the service before running Maven commands in Jenkins pipelines
location {{ .Values.ingress.healthPath }} {
auth_basic off;
# Avoid verbose access log
access_log off;
allow all;
return 200 'OK';
}
}
vhost-status.conf: |
# Vhost used by datadog to collect custom Nginx metrics
server {
listen {{ .Values.service.statusPort }};
location /nginx_status {
stub_status on;
# Avoid verbose access log
access_log off;
}
location / {
return 404;
}
}