Skip to content

Commit 292375e

Browse files
committed
Incorporate more feedback
1 parent 9e94863 commit 292375e

File tree

1 file changed

+28
-27
lines changed

1 file changed

+28
-27
lines changed

controllers/nginx/configuration.md

Lines changed: 28 additions & 27 deletions
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,7 @@
99
* [Rate limiting](#rate-limiting)
1010
* [Secure backends](#secure-backends)
1111
* [Whitelist source range](#whitelist-source-range)
12-
* [Allowed parameters in configuration config map](#allowed-parameters-in-configuration-config-map)
12+
* [Allowed parameters in configuration ConfigMap](#allowed-parameters-in-configuration-configmap)
1313
* [Default configuration options](#default-configuration-options)
1414
* [Websockets](#websockets)
1515
* [Optimizing TLS Time To First Byte (TTTFB)](#optimizing-tls-time-to-first-byte-tttfb)
@@ -20,14 +20,14 @@
2020

2121
There are 3 ways to customize NGINX:
2222

23-
1. [config map](#allowed-parameters-in-configuration-config-map): create a stand alone config map, use this if you want a different global configuration
23+
1. [ConfigMap](#allowed-parameters-in-configuration-configmap): create a stand alone ConfigMap, use this if you want a different global configuration
2424
2. [annotations](#annotations): use this if you want a specific configuration for the site defined in the Ingress rule
25-
3. custom template: when more specific settings are required, like [open_file_cache](http://nginx.org/en/docs/http/ngx_http_core_module.html#open_file_cache), custom [log_format](http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format), adjust [listen](http://nginx.org/en/docs/http/ngx_http_core_module.html#listen) options as `rcvbuf` or when is not possible to change an through the config map
25+
3. custom template: when more specific settings are required, like [open_file_cache](http://nginx.org/en/docs/http/ngx_http_core_module.html#open_file_cache), custom [log_format](http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format), adjust [listen](http://nginx.org/en/docs/http/ngx_http_core_module.html#listen) options as `rcvbuf` or when is not possible to change an through the ConfigMap.
2626

2727

2828
#### Custom NGINX configuration
2929

30-
It is possible to customize the defaults in NGINX using a config map.
30+
It is possible to customize the defaults in NGINX using a ConfigMap.
3131

3232
Please check the [custom configuration](examples/custom-configuration/README.md) example.
3333

@@ -77,7 +77,7 @@ In addition to the built-in functions provided by the Go package the following f
7777

7878
### Custom NGINX upstream checks
7979

80-
NGINX exposes some flags in the [upstream configuration](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream) that enable the configuration of each server in the upstream. The Ingress controller allows custom `max_fails` and `fail_timeout` parameters in a global context using `upstream-max-fails` and `upstream-fail-timeout` in the NGINX config map or in a particular Ingress rule. `upstream-max-fails` defaults to 0. This means NGINX will respect the container's `readinessProbe` if it is defined. If there is no probe and no values for `upstream-max-fails` NGINX will continue to send traffic to the container.
80+
NGINX exposes some flags in the [upstream configuration](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream) that enable the configuration of each server in the upstream. The Ingress controller allows custom `max_fails` and `fail_timeout` parameters in a global context using `upstream-max-fails` and `upstream-fail-timeout` in the NGINX ConfigMap or in a particular Ingress rule. `upstream-max-fails` defaults to 0. This means NGINX will respect the container's `readinessProbe` if it is defined. If there is no probe and no values for `upstream-max-fails` NGINX will continue to send traffic to the container.
8181

8282
**With the default configuration NGINX will not health check your backends. Whenever the endpoints controller notices a readiness probe failure, that pod's IP will be removed from the list of endpoints. This will trigger the NGINX controller to also remove it from the upstreams.**
8383

@@ -101,20 +101,20 @@ Is possible to add authentication adding additional annotations in the Ingress r
101101
The annotations are:
102102

103103
```
104-
ingress.kubernetes.io/auth-type:[basic|digest]
104+
ingress.kubernetes.io/auth-type: [basic|digest]
105105
```
106106

107107
Indicates the [HTTP Authentication Type: Basic or Digest Access Authentication](https://tools.ietf.org/html/rfc2617).
108108

109109
```
110-
ingress.kubernetes.io/auth-secret:secretName
110+
ingress.kubernetes.io/auth-secret: secretName
111111
```
112112

113-
The name of the secret that contains the usernames and passwords with access to the `path`'s defined in the Ingress Rule.
113+
The name of the secret that contains the usernames and passwords with access to the `path`s defined in the Ingress Rule.
114114
The secret must be created in the same namespace as the Ingress rule.
115115

116116
```
117-
ingress.kubernetes.io/auth-realm:"realm string"
117+
ingress.kubernetes.io/auth-realm: "realm string"
118118
```
119119

120120
Please check the [auth](examples/auth/README.md) example.
@@ -126,7 +126,7 @@ To use an existing service that provides authentication the Ingress rule can be
126126
Additionally it is possible to set `ingress.kubernetes.io/auth-method` to specify the HTTP method to use (GET or POST) and `ingress.kubernetes.io/auth-send-body` to true or false (default).
127127

128128
```
129-
ingress.kubernetes.io/auth-url:"URL to the authentication service"
129+
ingress.kubernetes.io/auth-url: "URL to the authentication service"
130130
```
131131

132132
Please check the [external-auth](examples/external-auth/README.md) example.
@@ -146,29 +146,30 @@ Please check the [rewrite](examples/rewrite/README.md) example.
146146

147147
The annotations `ingress.kubernetes.io/limit-connections` and `ingress.kubernetes.io/limit-rps` define a limit on the connections that can be opened by a single client IP address. This can be used to mitigate [DDoS Attacks](https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus).
148148

149-
`ingress.kubernetes.io/limit-connections`: number of concurrent allowed connections from a single IP address.
149+
`ingress.kubernetes.io/limit-connections`: number of concurrent connections allowed from a single IP address.
150150

151-
`ingress.kubernetes.io/limit-rps`: number of allowed connections per second from a single IP address.
151+
`ingress.kubernetes.io/limit-rps`: number of connections that may be accepted from a given IP each second.
152152

153-
If you specify both annotations in a single Ingress rule, limit-rps takes precedence.
153+
If you specify both annotations in a single Ingress rule, `limit-rps` takes precedence.
154154

155155

156156
### Secure upstreams
157157

158-
By default NGINX uses `http` to reach the services. Adding the annotation `ingress.kubernetes.io/secure-backends: "true"` in the ingress rule changes the protocol to `https`.
158+
By default NGINX uses `http` to reach the services. Adding the annotation `ingress.kubernetes.io/secure-backends: "true"` in the Ingress rule changes the protocol to `https`.
159159

160160

161161
### Whitelist source range
162162

163-
You can specify the allowed client ip source ranges through the `ingress.kubernetes.io/whitelist-source-range` annotation, eg `10.0.0.0/24,172.10.0.1`.
164-
For a global restriction (any URL) is possible to use `whitelist-source-range` in the NGINX config map.
163+
You can specify the allowed client IP source ranges through the `ingress.kubernetes.io/whitelist-source-range` annotation. The value is a comma separated list of [CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing), e.g. `10.0.0.0/24,172.10.0.1`.
165164

166-
*Note:* Adding an annotation overrides any global restriction.
165+
To configure this setting globally for all Ingress rules, the `whitelist-source-range` value may be set in the NGINX ConfigMap.
166+
167+
*Note:* Adding an annotation to an Ingress rule overrides any global restriction.
167168

168169
Please check the [whitelist](examples/whitelist/README.md) example.
169170

170171

171-
### **Allowed parameters in configuration config map:**
172+
### **Allowed parameters in configuration ConfigMap:**
172173

173174
**body-size:** Sets the maximum allowed size of the client request body. See NGINX [client_max_body_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size).
174175

@@ -268,7 +269,7 @@ TLSv1 is enabled to allow old clients like:
268269
- [IE 8-10 / Win 7](https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=8-10&platform=Win%207&key=113)
269270
- [Java 7u25](https://www.ssllabs.com/ssltest/viewClient.html?name=Java&version=7u25&key=26)
270271

271-
If you dont need to support this clients please remove TLSv1.
272+
If you don't need to support these clients please remove `TLSv1` to improve security.
272273

273274
Please check the result of the configuration using `https://ssllabs.com/ssltest/analyze.html` or `https://testssl.sh`.
274275

@@ -289,28 +290,28 @@ Default is "true".
289290
**ssl-session-timeout:** Sets the time during which a client may [reuse the session](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout) parameters stored in a cache.
290291

291292

292-
**upstream-max-fails:** Sets the number of unsuccessful attempts to communicate with the [server](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream) that should happen in the duration set by the fail_timeout parameter to consider the server unavailable.
293+
**upstream-max-fails:** Sets the number of unsuccessful attempts to communicate with the [server](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream) that should happen in the duration set by the `fail_timeout` parameter to consider the server unavailable.
293294

294295

295296
**upstream-fail-timeout:** Sets the time during which the specified number of unsuccessful attempts to communicate with the [server](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream) should happen to consider the server unavailable.
296297

297298

298-
**use-gzip:** Enables or disables the use of the nginx module that compresses responses using the ["gzip" module](http://nginx.org/en/docs/http/ngx_http_gzip_module.html)
299+
**use-gzip:** Enables or disables compression of HTTP responses using the ["gzip" module](http://nginx.org/en/docs/http/ngx_http_gzip_module.html)
299300
The default mime type list to compress is: `application/atom+xml application/javascript aplication/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component`.
300301

301302

302-
**use-http2:** Enables or disables the [HTTP/2](http://nginx.org/en/docs/http/ngx_http_v2_module.html) support in secure connections.
303+
**use-http2:** Enables or disables [HTTP/2](http://nginx.org/en/docs/http/ngx_http_v2_module.html) support in secure connections.
303304

304305

305-
**use-proxy-protocol:** Enables or disables the use of the [PROXY protocol](https://www.nginx.com/resources/admin-guide/proxy-protocol/) to receive client connection (real IP address) information passed through proxy servers and load balancers such as HAproxy and Amazon Elastic Load Balancer (ELB).
306+
**use-proxy-protocol:** Enables or disables the [PROXY protocol](https://www.nginx.com/resources/admin-guide/proxy-protocol/) to receive client connection (real IP address) information passed through proxy servers and load balancers such as HAProxy and Amazon Elastic Load Balancer (ELB).
306307

307308

308-
**worker-processes:** Sets the number of [worker processes](http://nginx.org/en/docs/ngx_core_module.html#worker_processes). By default "auto" means number of available CPU cores.
309+
**worker-processes:** Sets the number of [worker processes](http://nginx.org/en/docs/ngx_core_module.html#worker_processes). The default of "auto" means number of available CPU cores.
309310

310311

311312
### Default configuration options
312313

313-
The next table shows the options, the default value and a description
314+
The following table shows the options, the default value and a description.
314315

315316
|name |default|
316317
|---------------------------|------|
@@ -347,7 +348,7 @@ The next table shows the options, the default value and a description
347348

348349
### Websockets
349350

350-
Support for websockets is provided by NGINX OOTB. No special configuration required.
351+
Support for websockets is provided by NGINX out of the box. No special configuration required.
351352

352353
The only requirement to avoid the close of connections is the increase of the values of `proxy-read-timeout` and `proxy-send-timeout`. The default value of this settings is `30 seconds`.
353354
A more adequate value to support websockets is a value higher than one hour (`3600`).
@@ -361,4 +362,4 @@ NGINX provides the configuration option [ssl_buffer_size](http://nginx.org/en/do
361362
### Retries in non-idempotent methods
362363

363364
Since 1.9.13 NGINX will not retry non-idempotent requests (POST, LOCK, PATCH) in case of an error.
364-
The previous behavior can be restored using `retry-non-idempotent=true` in the configuration config map.
365+
The previous behavior can be restored using `retry-non-idempotent=true` in the configuration ConfigMap.

0 commit comments

Comments
 (0)