*[Optimizing TLS Time To First Byte (TTTFB)](#optimizing-tls-time-to-first-byte-tttfb)
@@ -20,14 +20,14 @@
There are 3 ways to customize NGINX:
-
1.[config map](#allowed-parameters-in-configuration-config-map): create a stand alone config map, use this if you want a different global configuration
+
1.[ConfigMap](#allowed-parameters-in-configuration-configmap): create a stand alone ConfigMap, use this if you want a different global configuration
2.[annotations](#annotations): use this if you want a specific configuration for the site defined in the Ingress rule
-
3. custom template: when more specific settings are required, like [open_file_cache](http://nginx.org/en/docs/http/ngx_http_core_module.html#open_file_cache), custom [log_format](http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format), adjust [listen](http://nginx.org/en/docs/http/ngx_http_core_module.html#listen) options as `rcvbuf` or when is not possible to change an through the config map
+
3. custom template: when more specific settings are required, like [open_file_cache](http://nginx.org/en/docs/http/ngx_http_core_module.html#open_file_cache), custom [log_format](http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format), adjust [listen](http://nginx.org/en/docs/http/ngx_http_core_module.html#listen) options as `rcvbuf` or when is not possible to change an through the ConfigMap.
#### Custom NGINX configuration
-
It is possible to customize the defaults in NGINX using a config map.
+
It is possible to customize the defaults in NGINX using a ConfigMap.
Please check the [custom configuration](examples/custom-configuration/README.md) example.
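Review bot: the renamed list item `1.[ConfigMap](...)` still has no space after `1.`, so Markdown will not render items 1 and 2 as an ordered list (item 3 has the space); suggest `1. [ConfigMap](#allowed-parameters-in-configuration-configmap)` and `2. [annotations](#annotations)` while this hunk touches the line. The third item is also still ungrammatical after the rename ("or when is not possible to change an through the ConfigMap."); since the line is being rewritten anyway, "or when it is not possible to change a setting through the ConfigMap." reads correctly.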
@@ -77,7 +77,7 @@ In addition to the built-in functions provided by the Go package the following f
### Custom NGINX upstream checks
-
NGINX exposes some flags in the [upstream configuration](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream) that enable the configuration of each server in the upstream. The Ingress controller allows custom `max_fails` and `fail_timeout` parameters in a global context using `upstream-max-fails` and `upstream-fail-timeout` in the NGINX config map or in a particular Ingress rule. `upstream-max-fails` defaults to 0. This means NGINX will respect the container's `readinessProbe` if it is defined. If there is no probe and no values for `upstream-max-fails` NGINX will continue to send traffic to the container.
+
NGINX exposes some flags in the [upstream configuration](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream) that enable the configuration of each server in the upstream. The Ingress controller allows custom `max_fails` and `fail_timeout` parameters in a global context using `upstream-max-fails` and `upstream-fail-timeout` in the NGINX ConfigMap or in a particular Ingress rule. `upstream-max-fails` defaults to 0. This means NGINX will respect the container's `readinessProbe` if it is defined. If there is no probe and no values for `upstream-max-fails` NGINX will continue to send traffic to the container.
**With the default configuration NGINX will not health check your backends. Whenever the endpoints controller notices a readiness probe failure, that pod's IP will be removed from the list of endpoints. This will trigger the NGINX controller to also remove it from the upstreams.**
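Review bot: missing documentation in the rewritten paragraph: it says `upstream-max-fails` and `upstream-fail-timeout` can be set "in the NGINX ConfigMap or in a particular Ingress rule", but only the ConfigMap keys are named; the per-Ingress form (the annotation names) should be stated so readers do not guess. The sentence "`upstream-max-fails` defaults to 0. This means NGINX will respect the container's `readinessProbe`" would also be clearer if it said that 0 disables NGINX's own passive failure counting, which is why the readiness probe becomes the only health signal, consistent with the bold warning below that NGINX does not health check backends by default.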
@@ -101,20 +101,20 @@ Is possible to add authentication adding additional annotations in the Ingress r
The annotations are:
```
-
ingress.kubernetes.io/auth-type:[basic|digest]
+
ingress.kubernetes.io/auth-type:[basic|digest]
```
Indicates the [HTTP Authentication Type: Basic or Digest Access Authentication](https://tools.ietf.org/html/rfc2617).
```
-
ingress.kubernetes.io/auth-secret:secretName
+
ingress.kubernetes.io/auth-secret:secretName
```
-
The name of the secret that contains the usernames and passwords with access to the `path`'s defined in the Ingress Rule.
+
The name of the secret that contains the usernames and passwords with access to the `path`s defined in the Ingress Rule.
The secret must be created in the same namespace as the Ingress rule.
```
-
ingress.kubernetes.io/auth-realm:"realm string"
+
ingress.kubernetes.io/auth-realm:"realm string"
```
Please check the [auth](examples/auth/README.md) example.
@@ -126,7 +126,7 @@ To use an existing service that provides authentication the Ingress rule can be
Additionally it is possible to set `ingress.kubernetes.io/auth-method` to specify the HTTP method to use (GET or POST) and `ingress.kubernetes.io/auth-send-body` to true or false (default).
```
-
ingress.kubernetes.io/auth-url:"URL to the authentication service"
+
ingress.kubernetes.io/auth-url:"URL to the authentication service"
```
Please check the [external-auth](examples/external-auth/README.md) example.
@@ -146,29 +146,30 @@ Please check the [rewrite](examples/rewrite/README.md) example.
The annotations `ingress.kubernetes.io/limit-connections` and `ingress.kubernetes.io/limit-rps` define a limit on the connections that can be opened by a single client IP address. This can be used to mitigate [DDoS Attacks](https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus).
-
`ingress.kubernetes.io/limit-connections`: number of concurrent allowed connections from a single IP address.
+
`ingress.kubernetes.io/limit-connections`: number of concurrent connections allowed from a single IP address.
-
`ingress.kubernetes.io/limit-rps`: number of allowed connections per second from a single IP address.
+
`ingress.kubernetes.io/limit-rps`: number of connections that may be accepted from a given IP each second.
-
If you specify both annotations in a single Ingress rule, limit-rps takes precedence.
+
If you specify both annotations in a single Ingress rule, `limit-rps` takes precedence.
### Secure upstreams
-
By default NGINX uses `http` to reach the services. Adding the annotation `ingress.kubernetes.io/secure-backends: "true"` in the ingress rule changes the protocol to `https`.
+
By default NGINX uses `http` to reach the services. Adding the annotation `ingress.kubernetes.io/secure-backends: "true"` in the Ingress rule changes the protocol to `https`.
### Whitelist source range
-
You can specify the allowed client ip source ranges through the `ingress.kubernetes.io/whitelist-source-range` annotation, eg `10.0.0.0/24,172.10.0.1`.
-
For a global restriction (any URL) is possible to use `whitelist-source-range` in the NGINX config map.
+
You can specify the allowed client IP source ranges through the `ingress.kubernetes.io/whitelist-source-range` annotation. The value is a comma separated list of [CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing), e.g. `10.0.0.0/24,172.10.0.1`.
-
*Note:* Adding an annotation overrides any global restriction.
+
To configure this setting globally for all Ingress rules, the `whitelist-source-range` value may be set in the NGINX ConfigMap.
+
+
*Note:* Adding an annotation to an Ingress rule overrides any global restriction.
Please check the [whitelist](examples/whitelist/README.md) example.
-
### **Allowed parameters in configuration config map:**
+
### **Allowed parameters in configuration ConfigMap:**
**body-size:** Sets the maximum allowed size of the client request body. See NGINX [client_max_body_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size).
@@ -268,7 +269,7 @@ TLSv1 is enabled to allow old clients like:
If you dont need to support this clients please remove TLSv1.
+
If you don't need to support these clients please remove `TLSv1` to improve security.
Please check the result of the configuration using `https://ssllabs.com/ssltest/analyze.html` or `https://testssl.sh`.
@@ -289,28 +290,28 @@ Default is "true".
**ssl-session-timeout:** Sets the time during which a client may [reuse the session](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout) parameters stored in a cache.
-
**upstream-max-fails:** Sets the number of unsuccessful attempts to communicate with the [server](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream) that should happen in the duration set by the fail_timeout parameter to consider the server unavailable.
+
**upstream-max-fails:** Sets the number of unsuccessful attempts to communicate with the [server](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream) that should happen in the duration set by the `fail_timeout` parameter to consider the server unavailable.
**upstream-fail-timeout:** Sets the time during which the specified number of unsuccessful attempts to communicate with the [server](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream) should happen to consider the server unavailable.
-
**use-gzip:** Enables or disables the use of the nginx module that compresses responses using the ["gzip" module](http://nginx.org/en/docs/http/ngx_http_gzip_module.html)
+
**use-gzip:** Enables or disables compression of HTTP responses using the ["gzip" module](http://nginx.org/en/docs/http/ngx_http_gzip_module.html)
The default mime type list to compress is: `application/atom+xml application/javascript aplication/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component`.
-
**use-http2:** Enables or disables the [HTTP/2](http://nginx.org/en/docs/http/ngx_http_v2_module.html) support in secure connections.
+
**use-http2:** Enables or disables [HTTP/2](http://nginx.org/en/docs/http/ngx_http_v2_module.html) support in secure connections.
-
**use-proxy-protocol:** Enables or disables the use of the [PROXY protocol](https://www.nginx.com/resources/admin-guide/proxy-protocol/) to receive client connection (real IP address) information passed through proxy servers and load balancers such as HAproxy and Amazon Elastic Load Balancer (ELB).
+
**use-proxy-protocol:** Enables or disables the [PROXY protocol](https://www.nginx.com/resources/admin-guide/proxy-protocol/) to receive client connection (real IP address) information passed through proxy servers and load balancers such as HAProxy and Amazon Elastic Load Balancer (ELB).
-
**worker-processes:** Sets the number of [worker processes](http://nginx.org/en/docs/ngx_core_module.html#worker_processes). By default "auto" means number of available CPU cores.
+
**worker-processes:** Sets the number of [worker processes](http://nginx.org/en/docs/ngx_core_module.html#worker_processes). The default of "auto" means number of available CPU cores.
### Default configuration options
-
The next table shows the options, the default value and a description
+
The following table shows the options, the default value and a description.
|name |default|
|---------------------------|------|
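Review bot: the untouched context line under `use-gzip` still lists `aplication/x-javascript` (missing the second "p"), which is a real MIME type in a list users may copy; worth fixing in this pass since the `use-gzip` description directly above it is being reworded. Also, the rewritten sentence "The following table shows the options, the default value and a description." promises three columns, but the table header that follows (`|name |default|`) has only two, so either the description column or the sentence needs to change. The `fail_timeout` backticks, HAProxy capitalization and "The default of \"auto\"" wording are all improvements.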
@@ -347,7 +348,7 @@ The next table shows the options, the default value and a description
### Websockets
-
Support for websockets is provided by NGINX OOTB. No special configuration required.
+
Support for websockets is provided by NGINX out of the box. No special configuration required.
The only requirement to avoid the close of connections is the increase of the values of `proxy-read-timeout` and `proxy-send-timeout`. The default value of this settings is `30 seconds`.
A more adequate value to support websockets is a value higher than one hour (`3600`).
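Review bot: the context lines after the OOTB fix still read "The default value of this settings is `30 seconds`" ("these settings") and "higher than one hour (`3600`)" without stating the unit; since `proxy-read-timeout` and `proxy-send-timeout` are given in seconds, "(`3600` seconds)" removes the ambiguity for anyone setting the ConfigMap value.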
@@ -361,4 +362,4 @@ NGINX provides the configuration option [ssl_buffer_size](http://nginx.org/en/do
### Retries in non-idempotent methods
Since 1.9.13 NGINX will not retry non-idempotent requests (POST, LOCK, PATCH) in case of an error.
-
The previous behavior can be restored using `retry-non-idempotent=true` in the configuration config map.
+
The previous behavior can be restored using `retry-non-idempotent=true` in the configuration ConfigMap.
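Review bot: `retry-non-idempotent=true` is written in `key=value` form, but every other ConfigMap parameter on this page is a YAML key in the ConfigMap's `data` section; `retry-non-idempotent: "true"` would match the rest of the document and avoid a reader pasting an invalid line. Since retrying a POST or PATCH on another upstream after an error can re-execute a non-idempotent operation, the sentence would also benefit from saying that this is why the default changed in 1.9.13.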