diff --git a/kong/templates/nginx_kong.lua b/kong/templates/nginx_kong.lua
index 5c6c1db03..6b4b4a818 100644
--- a/kong/templates/nginx_kong.lua
+++ b/kong/templates/nginx_kong.lua
@@ -5,52 +5,46 @@ server_tokens off;
> if anonymous_reports then
$
> end
-
error_log $ $;
-> if nginx_optimizations then
->-- send_timeout 60s;
->-- keepalive_timeout 75s;
->-- client_body_timeout 60s;
->-- client_header_timeout 60s;
->-- tcp_nopush on;
->-- proxy_buffer_size 128k;
->-- proxy_buffers 4 256k;
->-- proxy_busy_buffers_size 256k;
->-- reset_timedout_connection on;
-> end
-
-client_max_body_size $;
-proxy_ssl_server_name on;
-underscores_in_headers on;
-
lua_package_path '$;;';
lua_package_cpath '$;;';
lua_socket_pool_size $;
+lua_socket_log_errors off;
lua_max_running_timers 4096;
lua_max_pending_timers 16384;
+lua_ssl_verify_depth $;
+> if lua_ssl_trusted_certificate then
+lua_ssl_trusted_certificate '$';
+> end
+
lua_shared_dict kong 5m;
+lua_shared_dict kong_locks 8m;
+lua_shared_dict kong_healthchecks 5m;
+lua_shared_dict kong_process_events 5m;
+lua_shared_dict kong_cluster_events 5m;
+lua_shared_dict kong_rate_limiting_counters 12m;
+lua_shared_dict kong_core_db_cache $;
+lua_shared_dict kong_core_db_cache_miss 12m;
lua_shared_dict kong_db_cache $;
-> if database == "off" then
-lua_shared_dict kong_db_cache_2 $;
-> end
lua_shared_dict kong_db_cache_miss 12m;
> if database == "off" then
+lua_shared_dict kong_core_db_cache_2 $;
+lua_shared_dict kong_core_db_cache_miss_2 12m;
+lua_shared_dict kong_db_cache_2 $;
lua_shared_dict kong_db_cache_miss_2 12m;
> end
-lua_shared_dict kong_locks 8m;
-lua_shared_dict kong_process_events 5m;
-lua_shared_dict kong_cluster_events 5m;
-lua_shared_dict kong_healthchecks 5m;
-lua_shared_dict kong_rate_limiting_counters 12m;
> if database == "cassandra" then
lua_shared_dict kong_cassandra 5m;
> end
-lua_socket_log_errors off;
-> if lua_ssl_trusted_certificate then
-lua_ssl_trusted_certificate '$';
+> if role == "control_plane" then
+lua_shared_dict kong_clustering 5m;
+> end
+
+underscores_in_headers on;
+> if ssl_ciphers then
+ssl_ciphers $;
> end
-lua_ssl_verify_depth $;
> for _, el in ipairs(nginx_http_directives) do
@@ -66,61 +60,47 @@ init_worker_by_lua_block {
Kong.init_worker()
}
-
-> if
+> if (role == "traditional" or role == "data_plane") and
upstream kong_upstream {
server 0.0.0.1;
balancer_by_lua_block {
Kong.balancer()
}
-
-> for _, el in ipairs(nginx_http_upstream_directives) do
+
+> for _, el in ipairs(nginx_upstream_directives) do
$(el.name) $(el.value);
> end
}
server {
server_name kong;
-> for i = 1,
- listen $(proxy_listeners[i].listener);
+> for _, entry in ipairs(proxy_listeners) do
+ listen $(entry.listener);
> end
+
error_page 400 404 408 411 412 413 414 417 494 /kong_error_handler;
error_page 500 502 503 504 /kong_error_handler;
access_log $;
error_log $ $;
- client_body_buffer_size $;
-
> if proxy_ssl_enabled then
ssl_certificate $;
ssl_certificate_key $;
+ ssl_session_cache shared:SSL:10m;
ssl_certificate_by_lua_block {
Kong.ssl_certificate()
}
-
- ssl_session_cache shared:SSL:10m;
- ssl_session_timeout 10m;
- ssl_prefer_server_ciphers on;
- ssl_ciphers $;
-> end
-
-> if client_ssl then
- proxy_ssl_certificate $;
- proxy_ssl_certificate_key $;
-> end
-
- real_ip_header $;
- real_ip_recursive $;
-> for i = 1,
- set_real_ip_from $(trusted_ips[i]);
> end
> for _, el in ipairs(nginx_proxy_directives) do
$(el.name) $(el.value);
> end
+> for i = 1,
+ set_real_ip_from $(trusted_ips[i]);
+> end
rewrite_by_lua_block {
Kong.rewrite()
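Review bot: `ssl_session_timeout 10m;` and `ssl_prefer_server_ciphers on;` are dropped from the proxy server's `proxy_ssl_enabled` block here (and from the admin server in the later hunk `@@ -233,11 +263,7 @@`) while only `ssl_ciphers` reappears at http level in the first hunk, so nothing visible in this diff re-establishes them and both listeners would fall back to nginx's defaults (`ssl_prefer_server_ciphers off`, `ssl_session_timeout 5m`). The same hunk also removes `real_ip_header`/`real_ip_recursive` and moves `set_real_ip_from` after the `nginx_proxy_directives` loop, which suggests these settings are now meant to arrive through the injected `nginx_*_directives` lists, but that is an inference and not something this patch shows. A one-line comment at the surviving `ssl_session_cache shared:SSL:10m;` line naming where the timeout and cipher-preference settings now come from (for example `# ssl_session_timeout / ssl_prefer_server_ciphers are expected from the injected nginx directives, not set here`) would stop the next reader from silently re-adding or losing them. The enclosing `server {` block continues past the end of this hunk.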
@@ -171,43 +151,93 @@ server {
proxy_pass_header Server;
proxy_pass_header Date;
proxy_ssl_name $upstream_host;
+ proxy_ssl_server_name on;
+> if client_ssl then
+ proxy_ssl_certificate $;
+ proxy_ssl_certificate_key $;
+> end
proxy_pass $upstream_scheme://kong_upstream$upstream_uri;
}
location @grpc {
internal;
+ default_type '';
set $kong_proxy_mode 'grpc';
+ grpc_set_header TE $upstream_te;
grpc_set_header Host $upstream_host;
grpc_set_header X-Forwarded-For $upstream_x_forwarded_for;
grpc_set_header X-Forwarded-Proto $upstream_x_forwarded_proto;
grpc_set_header X-Forwarded-Host $upstream_x_forwarded_host;
grpc_set_header X-Forwarded-Port $upstream_x_forwarded_port;
grpc_set_header X-Real-IP $remote_addr;
-
+ grpc_pass_header Server;
+ grpc_pass_header Date;
grpc_pass grpc://kong_upstream;
}
location @grpcs {
internal;
+ default_type '';
set $kong_proxy_mode 'grpc';
+ grpc_set_header TE $upstream_te;
grpc_set_header Host $upstream_host;
grpc_set_header X-Forwarded-For $upstream_x_forwarded_for;
grpc_set_header X-Forwarded-Proto $upstream_x_forwarded_proto;
grpc_set_header X-Forwarded-Host $upstream_x_forwarded_host;
grpc_set_header X-Forwarded-Port $upstream_x_forwarded_port;
grpc_set_header X-Real-IP $remote_addr;
-
+ grpc_pass_header Server;
+ grpc_pass_header Date;
+ grpc_ssl_name $upstream_host;
+ grpc_ssl_server_name on;
+> if client_ssl then
+ grpc_ssl_certificate $;
+ grpc_ssl_certificate_key $;
+> end
grpc_pass grpcs://kong_upstream;
}
+ location = /kong_buffered_http {
+ internal;
+ default_type '';
+ set $kong_proxy_mode 'http';
+
+ rewrite_by_lua_block {;}
+ access_by_lua_block {;}
+ header_filter_by_lua_block {;}
+ body_filter_by_lua_block {;}
+ log_by_lua_block {;}
+
+ proxy_http_version 1.1;
+ proxy_set_header TE $upstream_te;
+ proxy_set_header Host $upstream_host;
+ proxy_set_header Upgrade $upstream_upgrade;
+ proxy_set_header Connection $upstream_connection;
+ proxy_set_header X-Forwarded-For $upstream_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $upstream_x_forwarded_proto;
+ proxy_set_header X-Forwarded-Host $upstream_x_forwarded_host;
+ proxy_set_header X-Forwarded-Port $upstream_x_forwarded_port;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass_header Server;
+ proxy_pass_header Date;
+ proxy_ssl_name $upstream_host;
+ proxy_ssl_server_name on;
+> if client_ssl then
+ proxy_ssl_certificate $;
+ proxy_ssl_certificate_key $;
+> end
+ proxy_pass $upstream_scheme://kong_upstream$upstream_uri;
+ }
+
location = /kong_error_handler {
internal;
+ default_type '';
+
uninitialized_variable_warn off;
rewrite_by_lua_block {;}
-
access_by_lua_block {;}
content_by_lua_block {
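Review bot: The new `location = /kong_buffered_http` block carries no comment explaining why every Lua phase handler is a no-op (`rewrite_by_lua_block {;}` through `log_by_lua_block {;}`) while it still performs a full `proxy_pass` to `kong_upstream`; a reader cannot tell from the template whether this is a re-entry point that must not run the plugin phases a second time or something else. A short header such as `# internal re-entry location: Lua phases are intentionally empty here so the request is not processed twice — confirm against the caller in Kong core` would record the intent (hedged, since the caller is not in this diff). Separately, the `client_ssl` conditional and the `proxy_set_header`/`proxy_pass_header` list are now repeated verbatim in the default proxy location, `/kong_buffered_http`, `@grpc` and `@grpcs`; keeping them in a single template fragment would make later changes to upstream TLS or forwarded headers land in all four places at once. The `/kong_error_handler` location continues past the end of this hunk.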
@@ -215,13 +245,13 @@ server {
}
}
}
-> end
+> end -- (role == "traditional" or role == "data_plane") and
-> if
+> if (role == "control_plane" or role == "traditional") and
server {
server_name kong_admin;
-> for i = 1,
- listen $(admin_listeners[i].listener);
+> for _, entry in ipairs(admin_listeners) do
+ listen $(entry.listener);
> end
access_log $;
@@ -233,11 +263,7 @@ server {
> if admin_ssl_enabled then
ssl_certificate $;
ssl_certificate_key $;
-
- ssl_session_cache shared:SSL:10m;
- ssl_session_timeout 10m;
- ssl_prefer_server_ciphers on;
- ssl_ciphers $;
+ ssl_session_cache shared:AdminSSL:10m;
> end
@@ -265,20 +291,20 @@ server {
return 200 'User-agent: *\nDisallow: /';
}
}
-> end
+> end -- (role == "control_plane" or role == "traditional") and
> if
server {
server_name kong_status;
-> for i = 1,
- listen $(status_listeners[i].listener);
+> for _, entry in ipairs(status_listeners) do
+ listen $(entry.listener);
> end
access_log $;
error_log $ $;
-
-> for _, el in ipairs(nginx_http_status_directives) do
+
+> for _, el in ipairs(nginx_status_directives) do
$(el.name) $(el.value);
> end
@@ -303,4 +329,26 @@ server {
}
}
> end
+
+> if role == "control_plane" then
+server {
+ server_name kong_cluster_listener;
+> for _, entry in ipairs(cluster_listeners) do
+ listen $(entry.listener) ssl;
+> end
+
+ access_log off;
+
+ ssl_verify_client optional_no_ca;
+ ssl_certificate $;
+ ssl_certificate_key $;
+ ssl_session_cache shared:ClusterSSL:10m;
+
+ location = /v1/outlet {
+ content_by_lua_block {
+ Kong.serve_cluster_listener()
+ }
+ }
+}
+> end -- role == "control_plane"
]]
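Review bot: The new `kong_cluster_listener` server uses `ssl_verify_client optional_no_ca;`, which makes nginx request a client certificate but perform no CA validation, so every TLS handshake on the cluster listeners succeeds at the nginx layer and the only authentication of a connecting data plane is whatever `Kong.serve_cluster_listener()` does with the presented certificate; nothing in this template states that contract. A comment on that directive, e.g. `# optional_no_ca: the certificate is not validated by nginx; Kong.serve_cluster_listener() is responsible for verifying the client certificate before serving`, would make the trust boundary explicit for the next maintainer. The block also sets `access_log off;`, so rejected or unauthenticated connection attempts against the control-plane listener leave no nginx access log entry and are only observable if the Lua handler logs them itself; if that is intentional, saying so in a comment next to the directive would help operators building detection around this endpoint. Only `/v1/outlet` is defined, so any other path on these listeners falls through to nginx's default handling.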