From d94a59fbcf33a521f4701a2add2b601d456f5f6b Mon Sep 17 00:00:00 2001 From: oseoin Date: Wed, 19 Jun 2024 13:48:47 +0100 Subject: [PATCH] Snapshot testing for templates (#5735) --- .pre-commit-config.yaml | 6 +- Makefile | 4 + go.mod | 8 + go.sum | 18 + .../version1/__snapshots__/template_test.snap | 5209 ++++++++++++++ internal/configs/version1/template_test.go | 63 + .../__snapshots__/templates_test.snap | 6127 +++++++++++++++++ internal/configs/version2/templates_test.go | 46 +- 8 files changed, 11477 insertions(+), 4 deletions(-) create mode 100644 internal/configs/version1/__snapshots__/template_test.snap create mode 100644 internal/configs/version2/__snapshots__/templates_test.snap diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9c320f6a54..829e8a3dfd 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -6,7 +6,7 @@ repos: rev: v4.6.0 hooks: - id: trailing-whitespace - exclude: '(\.md$)' + exclude: '(\.md|\.snap)$' - id: end-of-file-fixer - id: check-yaml args: [--allow-multiple-documents] @@ -70,12 +70,12 @@ repos: name: "Check Helm Chart JSON Schema" files: charts/nginx-ingress/values.yaml types: [yaml] - args: ['--schemafile', 'charts/nginx-ingress/values.schema.json'] + args: ["--schemafile", "charts/nginx-ingress/values.schema.json"] - repo: https://github.com/DavidAnson/markdownlint-cli2 rev: v0.13.0 hooks: - - id: markdownlint-cli2 + - id: markdownlint-cli2 ci: skip: [golang-diff, golangci-lint, check-jsonschema, markdownlint-cli2] diff --git a/Makefile b/Makefile index 486634438d..c9f53f5650 100644 --- a/Makefile +++ b/Makefile @@ -65,6 +65,10 @@ staticcheck: ## Run staticcheck linter test: ## Run GoLang tests go test -tags=aws -shuffle=on -race ./... +.PHONY: test-update-snaps +test-update-snaps: + UPDATE_SNAPS=true go test -tags=aws -shuffle=on -race ./... + cover: ## Generate coverage report @./hack/test-cover.sh diff --git a/go.mod b/go.mod index 9127c1878a..d86596d3c3 100644 --- a/go.mod +++ b/go.mod 
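Review bot: The new `test-update-snaps` target in the Makefile hunk has no `## ` description, unlike the `staticcheck`, `test` and `cover` targets visible around it, so it is undocumented and will presumably not show up in a help listing built from those comments. I would write it as `test-update-snaps: ## Regenerate template snapshots; review the .snap diff before committing`. The caveat matters because `UPDATE_SNAPS=true` turns whatever the templates render at that moment into the expected output, so a regression such as a dropped `auth_jwt` or `limit_req` directive is accepted unless someone reads the snapshot diff. The version1 snapshot added further down already records lines like `resolver example.com127.0.0.1 valid=10s ipv6=off;` and `proxy_pass ://test;`, which suggests the snapshots pin what is rendered, not whether the generated NGINX configuration is valid.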
@@ -7,6 +7,7 @@ require (
 github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.21.10
 github.com/cert-manager/cert-manager v1.15.0
 github.com/dlclark/regexp2 v1.11.0
+ github.com/gkampitakis/go-snaps v0.5.4
 github.com/go-chi/chi/v5 v5.0.12
 github.com/golang-jwt/jwt/v4 v4.5.0
 github.com/golang/glog v1.2.0
@@ -58,6 +59,8 @@ require (
 github.com/evanphx/json-patch v5.9.0+incompatible // indirect
 github.com/fatih/color v1.16.0 // indirect
 github.com/felixge/httpsnoop v1.0.4 // indirect
+ github.com/gkampitakis/ciinfo v0.3.0 // indirect
+ github.com/gkampitakis/go-diff v1.3.2 // indirect
 github.com/go-asn1-ber/asn1-ber v1.5.6 // indirect
 github.com/go-jose/go-jose/v4 v4.0.2 // indirect
 github.com/go-kit/log v0.2.1 // indirect
@@ -84,6 +87,7 @@ require (
 github.com/json-iterator/go v1.1.12 // indirect
 github.com/kr/text v0.2.0 // indirect
 github.com/mailru/easyjson v0.7.7 // indirect
+ github.com/maruel/natural v1.1.1 // indirect
 github.com/mattn/go-colorable v0.1.13 // indirect
 github.com/mattn/go-isatty v0.0.20 // indirect
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
@@ -96,6 +100,10 @@ require (
 github.com/rogpeppe/go-internal v1.12.0 // indirect
 github.com/spf13/cobra v1.8.0 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
+ github.com/tidwall/gjson v1.17.0 // indirect
+ github.com/tidwall/match v1.1.1 // indirect
+ github.com/tidwall/pretty v1.2.1 // indirect
+ github.com/tidwall/sjson v1.2.5 // indirect
 github.com/zeebo/errs v1.3.0 // indirect
 go.etcd.io/etcd/api/v3 v3.5.13 // indirect
 go.etcd.io/etcd/client/pkg/v3 v3.5.13 // indirect
diff --git a/go.sum b/go.sum
index bbda00266d..5f3a1b0a0d 100644
--- a/go.sum
+++ b/go.sum
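Review bot: `github.com/gkampitakis/go-snaps v0.5.4` lands in the main `require` block in the first go.mod hunk with nothing marking it as test-only, and the later hunks show it pulling in seven new indirect modules (`ciinfo`, `go-diff`, `maruel/natural` and four `tidwall` packages). The diffstat lists only `template_test.go` and `templates_test.go` as consumers, so these should not end up in the controller binary, but that is inferred rather than shown here. A trailing comment such as `// test-only: snapshot assertions for internal/configs templates` on the go-snaps line would record the intent, and it is worth confirming the new modules are covered by whatever dependency and vulnerability scanning the repository already runs.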
@@ -66,6 +66,12 @@ github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= +github.com/gkampitakis/ciinfo v0.3.0 h1:gWZlOC2+RYYttL0hBqcoQhM7h1qNkVqvRCV1fOvpAv8= +github.com/gkampitakis/ciinfo v0.3.0/go.mod h1:1NIwaOcFChN4fa/B0hEBdAb6npDlFL8Bwx4dfRLRqAo= +github.com/gkampitakis/go-diff v1.3.2 h1:Qyn0J9XJSDTgnsgHRdz9Zp24RaJeKMUHg2+PDZZdC4M= +github.com/gkampitakis/go-diff v1.3.2/go.mod h1:LLgOrpqleQe26cte8s36HTWcTmMEur6OPYerdAAS9tk= +github.com/gkampitakis/go-snaps v0.5.4 h1:GX+dkKmVsRenz7SoTbdIEL4KQARZctkMiZ8ZKprRwT8= +github.com/gkampitakis/go-snaps v0.5.4/go.mod h1:ZABkO14uCuVxBHAXAfKG+bqNz+aa1bGPAg8jkI0Nk8Y= github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= github.com/go-asn1-ber/asn1-ber v1.5.6 h1:CYsqysemXfEaQbyrLJmdsCRuufHoLa3P/gGWGl5TDrM= github.com/go-asn1-ber/asn1-ber v1.5.6/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= @@ -167,6 +173,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/maruel/natural v1.1.1 h1:Hja7XhhmvEFhcByqDoHz9QZbkWey+COd9xWfCfn1ioo= +github.com/maruel/natural v1.1.1/go.mod h1:v+Rfd79xlw1AgVBjbO0BEQmptqb5HvL/k9GRHB7ZKEg= github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= 
@@ -235,6 +243,16 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/tidwall/gjson v1.14.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= +github.com/tidwall/gjson v1.17.0 h1:/Jocvlh98kcTfpN2+JzGQWQcqrPQwDrVEMApx/M5ZwM= +github.com/tidwall/gjson v1.17.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= +github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA= +github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= +github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= +github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4= +github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= +github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY= +github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28= github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE= github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk= github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 h1:eY9dn8+vbi4tKz5Qo6v2eYzo7kUS51QINcR5jNpbZS8= diff --git a/internal/configs/version1/__snapshots__/template_test.snap b/internal/configs/version1/__snapshots__/template_test.snap new file mode 100644 index 0000000000..6eb1b9216a --- /dev/null +++ b/internal/configs/version1/__snapshots__/template_test.snap 
@@ -0,0 +1,5209 @@ + +[TestExecuteMainTemplateForNGINX - 1] +worker_processes auto; +worker_rlimit_nofile 65536; +worker_cpu_affinity auto; +worker_shutdown_timeout 1m; +daemon off; + +error_log stderr ; +pid /var/lib/nginx/nginx.pid; + +load_module modules/ngx_http_js_module.so; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + map_hash_max_size ; + map_hash_bucket_size ; + + + js_import /etc/nginx/njs/apikey_auth.js; + js_set $apikey_auth_hash apikey_auth.hash; + + log_format main escape=default + '$remote_addr' + ' $remote_user' + ; + + map $upstream_trailer_grpc_status $grpc_status { + default $upstream_trailer_grpc_status; + '' $sent_http_grpc_status; + } + access_log /dev/stdout main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65s; + keepalive_requests 100; + + #gzip on; + + server_names_hash_max_size 512; + + + variables_hash_bucket_size 256; + variables_hash_max_size 1024; + + map $request_uri $request_uri_no_args { + "~^(?P[^?]*)(\?.*)?$" $path; + } + + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + map $http_upgrade $vs_connection_header { + default upgrade; + '' $default_connection_header; + } + + server { + # required to support the Websocket protocol in VirtualServer/VirtualServerRoutes + set $default_connection_header ""; + set $resource_type ""; + set $resource_name ""; + set $resource_namespace ""; + set $service ""; + + listen 80 default_server;listen [::]:80 default_server; + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + ssl_certificate /etc/nginx/secrets/default; + ssl_certificate_key /etc/nginx/secrets/default; + + server_name _; + server_tokens "off"; + + location / { + return ; + } + } + + include /etc/nginx/config-version.conf; + include /etc/nginx/conf.d/*.conf; + + server { + listen unix:/var/lib/nginx/nginx-502-server.sock; + access_log off; + + + + return 502; + } + + server { + listen 
unix:/var/lib/nginx/nginx-418-server.sock; + access_log off;return 418; + } +} + +stream { + log_format stream-main escape=none + '$remote_addr' + ' $remote_user' + ; + + access_log /dev/stdout stream-main; + # comment + + map_hash_max_size ; + + + include /etc/nginx/stream-conf.d/*.conf; +} + +--- + +[TestExecuteMainTemplateForNGINXPlus - 1] +worker_processes auto; +worker_rlimit_nofile 65536; +worker_cpu_affinity auto; +worker_shutdown_timeout 1m; + +daemon off; + +error_log stderr ; +pid /var/lib/nginx/nginx.pid; +load_module modules/ngx_fips_check_module.so; + +load_module modules/ngx_http_js_module.so; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + map_hash_max_size ; + map_hash_bucket_size ; + + js_import /etc/nginx/njs/apikey_auth.js; + js_set $apikey_auth_hash apikey_auth.hash; + + log_format main escape=default + '$remote_addr' + ' $remote_user' + ; + + map $upstream_trailer_grpc_status $grpc_status { + default $upstream_trailer_grpc_status; + '' $sent_http_grpc_status; + } + access_log /dev/stdout main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65s; + keepalive_requests 100; + + #gzip on; + + server_names_hash_max_size 512; + + + variables_hash_bucket_size 256; + variables_hash_max_size 1024; + + map $request_uri $request_uri_no_args { + "~^(?P[^?]*)(\?.*)?$" $path; + } + + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + map $http_upgrade $vs_connection_header { + default upgrade; + '' $default_connection_header; + } + resolver example.com127.0.0.1 valid=10s ipv6=off;resolver_timeout 15s; + + server { + # required to support the Websocket protocol in VirtualServer/VirtualServerRoutes + set $default_connection_header ""; + set $resource_type ""; + set $resource_name ""; + set $resource_namespace ""; + set $service ""; + + listen 80 default_server;listen [::]:80 default_server; + listen 443 ssl default_server; + listen [::]:443 ssl 
default_server; + ssl_certificate /etc/nginx/secrets/default; + ssl_certificate_key /etc/nginx/secrets/default; + + server_name _; + server_tokens "off"; + + location / { + return ; + } + } + + # NGINX Plus API over unix socket + server { + listen unix:/var/lib/nginx/nginx-plus-api.sock; + access_log off; + + # $config_version_mismatch is defined in /etc/nginx/config-version.conf + location /configVersionCheck { + if ($config_version_mismatch) { + return 503; + } + return 200; + } + + location /api { + api write=on; + } + } + + include /etc/nginx/config-version.conf; + include /etc/nginx/conf.d/*.conf; + + server { + listen unix:/var/lib/nginx/nginx-418-server.sock; + access_log off;return 418; + } +} + +stream { + log_format stream-main escape=none + '$remote_addr' + ' $remote_user' + ; + + access_log /dev/stdout stream-main; + # comment + resolver example.com127.0.0.1 valid=10s ipv6=off; + resolver_timeout 15s; + + map_hash_max_size ; + + + include /etc/nginx/stream-conf.d/*.conf; +} +mgmt { + usage_report interval=0s; +} + +--- + +[TestExecuteMainTemplateForNGINXPlusR31 - 1] +worker_processes auto; +worker_rlimit_nofile 65536; +worker_cpu_affinity auto; +worker_shutdown_timeout 1m; + +daemon off; + +error_log stderr ; +pid /var/lib/nginx/nginx.pid; +load_module modules/ngx_fips_check_module.so; + +load_module modules/ngx_http_js_module.so; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + map_hash_max_size ; + map_hash_bucket_size ; + + js_import /etc/nginx/njs/apikey_auth.js; + js_set $apikey_auth_hash apikey_auth.hash; + + log_format main escape=default + '$remote_addr' + ' $remote_user' + ; + + map $upstream_trailer_grpc_status $grpc_status { + default $upstream_trailer_grpc_status; + '' $sent_http_grpc_status; + } + access_log /dev/stdout main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65s; + keepalive_requests 100; + + #gzip on; + + server_names_hash_max_size 512; + 
+ + variables_hash_bucket_size 256; + variables_hash_max_size 1024; + + map $request_uri $request_uri_no_args { + "~^(?P[^?]*)(\?.*)?$" $path; + } + + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + map $http_upgrade $vs_connection_header { + default upgrade; + '' $default_connection_header; + } + resolver example.com127.0.0.1 valid=10s ipv6=off;resolver_timeout 15s; + + server { + # required to support the Websocket protocol in VirtualServer/VirtualServerRoutes + set $default_connection_header ""; + set $resource_type ""; + set $resource_name ""; + set $resource_namespace ""; + set $service ""; + + listen 80 default_server;listen [::]:80 default_server; + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + ssl_certificate /etc/nginx/secrets/default; + ssl_certificate_key /etc/nginx/secrets/default; + + server_name _; + server_tokens "off"; + + location / { + return ; + } + } + + # NGINX Plus API over unix socket + server { + listen unix:/var/lib/nginx/nginx-plus-api.sock; + access_log off; + + # $config_version_mismatch is defined in /etc/nginx/config-version.conf + location /configVersionCheck { + if ($config_version_mismatch) { + return 503; + } + return 200; + } + + location /api { + api write=on; + } + } + + include /etc/nginx/config-version.conf; + include /etc/nginx/conf.d/*.conf; + + server { + listen unix:/var/lib/nginx/nginx-418-server.sock; + access_log off;return 418; + } +} + +stream { + log_format stream-main escape=none + '$remote_addr' + ' $remote_user' + ; + + access_log /dev/stdout stream-main; + # comment + resolver example.com127.0.0.1 valid=10s ipv6=off; + resolver_timeout 15s; + + map_hash_max_size ; + + + include /etc/nginx/stream-conf.d/*.conf; +} +mgmt { + usage_report interval=0s; +} + +--- + +[TestExecuteTemplate_ForIngressForNGINX - 1] +# configuration for default/cafe-ingress +upstream test {zone test 256k; + server 127.0.0.1:8181 max_fails=0 fail_timeout=1s max_conns=0;keepalive 16; +} + 
+ + +server { + listen 443 ssl;listen [::]:443 ssl; + ssl_certificate secret.pem; + ssl_certificate_key secret.pem; + + server_tokens off; + + server_name test.example.com; + + set $resource_type "ingress"; + set $resource_name "cafe-ingress"; + set $resource_namespace "default"; + if ($scheme = http) { + return 301 https://$host:443$request_uri; + } + location /tea { + set $service ""; + # location for minion default/tea-minion + set $resource_name "tea-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_connect_timeout 10s; + proxy_read_timeout 10s; + proxy_send_timeout 10s; + client_max_body_size 2m; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://test; + + + } + +} + +--- + +[TestExecuteTemplate_ForIngressForNGINXMasterWithProxySetHeadersAnnotationWithCustomValue - 1] +# configuration for default/cafe-ingress-master + + +server { + + server_tokens ; + + server_name cafe.example.com; + + set $resource_type "ingress"; + set $resource_name "cafe-ingress-master"; + set $resource_namespace "default"; + location { + set $service ""; + # location for minion default/cafe-ingress-coffee-minion + set $resource_name "cafe-ingress-coffee-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + client_max_body_size ; + proxy_set_header X-Forwarded-ABC "valueABC"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + 
proxy_pass http://; + + + } + + location { + set $service ""; + # location for minion default/cafe-ingress-tea-minion + set $resource_name "cafe-ingress-tea-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + client_max_body_size ; + proxy_set_header X-Forwarded-ABC "valueABC"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://; + + + } + +} + +--- + +[TestExecuteTemplate_ForIngressForNGINXPlus - 1] +# configuration for default/cafe-ingress +upstream test { + zone test 256k; + server 127.0.0.1:8181 max_fails=0 fail_timeout=1s max_conns=0 slow_start=5s;keepalive 16; +} + + + + +server { + listen 443 ssl;listen [::]:443 ssl; + ssl_certificate secret.pem; + ssl_certificate_key secret.pem; + + server_tokens "off"; + + server_name test.example.com; + + status_zone test.example.com; + set $resource_type "ingress"; + set $resource_name "cafe-ingress"; + set $resource_namespace "default"; + + + if ($scheme = http) { + return 301 https://$host:443$request_uri; + } + + + auth_jwt_key_file /etc/nginx/secrets/key.jwk; + auth_jwt "closed site" token=$cookie_auth_token; + error_page 401 @login_url-default-cafe-ingress; + + location @hc-test { + proxy_set_header Test-Header "test-header-value"; + proxy_connect_timeout 0s; + proxy_read_timeout 0s; + proxy_send_timeout 0s; + proxy_pass ://test; + health_check uri= interval=1s fails=1 passes=1; + } + + location @login_url-default-cafe-ingress { + internal; + return 302 https://test.example.com/login; + } + + location /tea { + set $service ""; + status_zone ""; + # location for minion default/tea-minion + set $resource_name "tea-minion"; + set $resource_namespace "default"; + 
proxy_http_version 1.1; + proxy_set_header Connection ""; + auth_jwt_key_file /etc/nginx/secrets/location-key.jwk; + auth_jwt "closed site" token=$cookie_auth_token; + + proxy_connect_timeout 10s; + proxy_read_timeout 10s; + proxy_send_timeout 10s; + client_max_body_size 2m; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://test; + + + } + +} + +--- + +[TestExecuteTemplate_ForIngressForNGINXPlusWithHTTP2Off - 1] +# configuration for default/cafe-ingress +upstream test { + zone test 256k; + server 127.0.0.1:8181 max_fails=0 fail_timeout=1s max_conns=0 slow_start=5s;keepalive 16; +} + + + + +server { + listen 443 ssl;listen [::]:443 ssl; + ssl_certificate secret.pem; + ssl_certificate_key secret.pem; + + server_tokens "off"; + + server_name test.example.com; + + status_zone test.example.com; + set $resource_type "ingress"; + set $resource_name "cafe-ingress"; + set $resource_namespace "default"; + + + if ($scheme = http) { + return 301 https://$host:443$request_uri; + } + + + auth_jwt_key_file /etc/nginx/secrets/key.jwk; + auth_jwt "closed site" token=$cookie_auth_token; + error_page 401 @login_url-default-cafe-ingress; + + location @hc-test { + proxy_set_header Test-Header "test-header-value"; + proxy_connect_timeout 0s; + proxy_read_timeout 0s; + proxy_send_timeout 0s; + proxy_pass ://test; + health_check uri= interval=1s fails=1 passes=1; + } + + location @login_url-default-cafe-ingress { + internal; + return 302 https://test.example.com/login; + } + + location /tea { + set $service ""; + status_zone ""; + # location for minion default/tea-minion + set $resource_name "tea-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + proxy_set_header Connection ""; + auth_jwt_key_file 
/etc/nginx/secrets/location-key.jwk; + auth_jwt "closed site" token=$cookie_auth_token; + + proxy_connect_timeout 10s; + proxy_read_timeout 10s; + proxy_send_timeout 10s; + client_max_body_size 2m; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://test; + + + } + +} + +--- + +[TestExecuteTemplate_ForIngressForNGINXPlusWithHTTP2On - 1] +# configuration for default/cafe-ingress +upstream test { + zone test 256k; + server 127.0.0.1:8181 max_fails=0 fail_timeout=1s max_conns=0 slow_start=5s;keepalive 16; +} + + + + +server { + listen 443 ssl;listen [::]:443 ssl; + http2 on; + ssl_certificate secret.pem; + ssl_certificate_key secret.pem; + + server_tokens "off"; + + server_name test.example.com; + + status_zone test.example.com; + set $resource_type "ingress"; + set $resource_name "cafe-ingress"; + set $resource_namespace "default"; + + + if ($scheme = http) { + return 301 https://$host:443$request_uri; + } + + + location @hc-test { + proxy_set_header Test-Header "test-header-value"; + proxy_connect_timeout 0s; + proxy_read_timeout 0s; + proxy_send_timeout 0s; + proxy_pass ://test; + health_check uri= interval=1s fails=1 passes=1; + } + + location @login_url-default-cafe-ingress { + internal; + return 302 https://test.example.com/login; + } + + location /tea { + set $service ""; + status_zone ""; + # location for minion default/tea-minion + set $resource_name "tea-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + proxy_set_header Connection ""; + + proxy_connect_timeout 10s; + proxy_read_timeout 10s; + proxy_send_timeout 10s; + client_max_body_size 2m; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://test; + + + } + + location @grpcerror400 { default_type application/grpc; return 400 "\n"; } + location @grpcerror401 { default_type application/grpc; return 401 "\n"; } + location @grpcerror403 { default_type application/grpc; return 403 "\n"; } + location @grpcerror404 { default_type application/grpc; return 404 "\n"; } + location @grpcerror405 { default_type application/grpc; return 405 "\n"; } + location @grpcerror408 { default_type application/grpc; return 408 "\n"; } + location @grpcerror414 { default_type application/grpc; return 414 "\n"; } + location @grpcerror426 { default_type application/grpc; return 426 "\n"; } + location @grpcerror500 { default_type application/grpc; return 500 "\n"; } + location @grpcerror501 { default_type application/grpc; return 501 "\n"; } + location @grpcerror502 { default_type application/grpc; return 502 "\n"; } + location @grpcerror503 { default_type application/grpc; return 503 "\n"; } + location @grpcerror504 { default_type application/grpc; return 504 "\n"; } +} + +--- + +[TestExecuteTemplate_ForIngressForNGINXPlusWithRegexAnnotationCaseInsensitiveModifier - 1] +# configuration for default/cafe-ingress +upstream test { + zone test 256k; + server 127.0.0.1:8181 max_fails=0 fail_timeout=1s max_conns=0 slow_start=5s;keepalive 16; +} + + + + +server { + listen 443 ssl;listen [::]:443 ssl; + ssl_certificate secret.pem; + ssl_certificate_key secret.pem; + + server_tokens "off"; + + server_name test.example.com; + + status_zone test.example.com; + set $resource_type "ingress"; + set $resource_name "cafe-ingress"; + set $resource_namespace "default"; + + + if ($scheme = http) { + return 301 https://$host:443$request_uri; + } + + + auth_jwt_key_file /etc/nginx/secrets/key.jwk; + auth_jwt "closed site" 
token=$cookie_auth_token; + error_page 401 @login_url-default-cafe-ingress; + + location @hc-test { + proxy_set_header Test-Header "test-header-value"; + proxy_connect_timeout 0s; + proxy_read_timeout 0s; + proxy_send_timeout 0s; + proxy_pass ://test; + health_check uri= interval=1s fails=1 passes=1; + } + + location @login_url-default-cafe-ingress { + internal; + return 302 https://test.example.com/login; + } + + location ~* "^/tea/[A-Z0-9]{3}" { + set $service ""; + status_zone ""; + # location for minion default/tea-minion + set $resource_name "tea-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + proxy_set_header Connection ""; + auth_jwt_key_file /etc/nginx/secrets/location-key.jwk; + auth_jwt "closed site" token=$cookie_auth_token; + + proxy_connect_timeout 10s; + proxy_read_timeout 10s; + proxy_send_timeout 10s; + client_max_body_size 2m; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://test; + + + } + +} + +--- + +[TestExecuteTemplate_ForIngressForNGINXPlusWithRegexAnnotationCaseSensitiveModifier - 1] +# configuration for default/cafe-ingress +upstream test { + zone test 256k; + server 127.0.0.1:8181 max_fails=0 fail_timeout=1s max_conns=0 slow_start=5s;keepalive 16; +} + + + + +server { + listen 443 ssl;listen [::]:443 ssl; + ssl_certificate secret.pem; + ssl_certificate_key secret.pem; + + server_tokens "off"; + + server_name test.example.com; + + status_zone test.example.com; + set $resource_type "ingress"; + set $resource_name "cafe-ingress"; + set $resource_namespace "default"; + + + if ($scheme = http) { + return 301 https://$host:443$request_uri; + } + + + auth_jwt_key_file /etc/nginx/secrets/key.jwk; + auth_jwt "closed site" token=$cookie_auth_token; + 
error_page 401 @login_url-default-cafe-ingress; + + location @hc-test { + proxy_set_header Test-Header "test-header-value"; + proxy_connect_timeout 0s; + proxy_read_timeout 0s; + proxy_send_timeout 0s; + proxy_pass ://test; + health_check uri= interval=1s fails=1 passes=1; + } + + location @login_url-default-cafe-ingress { + internal; + return 302 https://test.example.com/login; + } + + location ~ "^/tea/[A-Z0-9]{3}" { + set $service ""; + status_zone ""; + # location for minion default/tea-minion + set $resource_name "tea-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + proxy_set_header Connection ""; + auth_jwt_key_file /etc/nginx/secrets/location-key.jwk; + auth_jwt "closed site" token=$cookie_auth_token; + + proxy_connect_timeout 10s; + proxy_read_timeout 10s; + proxy_send_timeout 10s; + client_max_body_size 2m; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://test; + + + } + +} + +--- + +[TestExecuteTemplate_ForIngressForNGINXPlusWithRegexAnnotationEmpty - 1] +# configuration for default/cafe-ingress +upstream test { + zone test 256k; + server 127.0.0.1:8181 max_fails=0 fail_timeout=1s max_conns=0 slow_start=5s;keepalive 16; +} + + + + +server { + listen 443 ssl;listen [::]:443 ssl; + ssl_certificate secret.pem; + ssl_certificate_key secret.pem; + + server_tokens "off"; + + server_name test.example.com; + + status_zone test.example.com; + set $resource_type "ingress"; + set $resource_name "cafe-ingress"; + set $resource_namespace "default"; + + + if ($scheme = http) { + return 301 https://$host:443$request_uri; + } + + + auth_jwt_key_file /etc/nginx/secrets/key.jwk; + auth_jwt "closed site" token=$cookie_auth_token; + error_page 401 @login_url-default-cafe-ingress; + + 
location @hc-test { + proxy_set_header Test-Header "test-header-value"; + proxy_connect_timeout 0s; + proxy_read_timeout 0s; + proxy_send_timeout 0s; + proxy_pass ://test; + health_check uri= interval=1s fails=1 passes=1; + } + + location @login_url-default-cafe-ingress { + internal; + return 302 https://test.example.com/login; + } + + location /tea { + set $service ""; + status_zone ""; + # location for minion default/tea-minion + set $resource_name "tea-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + proxy_set_header Connection ""; + auth_jwt_key_file /etc/nginx/secrets/location-key.jwk; + auth_jwt "closed site" token=$cookie_auth_token; + + proxy_connect_timeout 10s; + proxy_read_timeout 10s; + proxy_send_timeout 10s; + client_max_body_size 2m; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://test; + + + } + +} + +--- + +[TestExecuteTemplate_ForIngressForNGINXPlusWithRegexAnnotationExactMatchModifier - 1] +# configuration for default/cafe-ingress +upstream test { + zone test 256k; + server 127.0.0.1:8181 max_fails=0 fail_timeout=1s max_conns=0 slow_start=5s;keepalive 16; +} + + + + +server { + listen 443 ssl;listen [::]:443 ssl; + ssl_certificate secret.pem; + ssl_certificate_key secret.pem; + + server_tokens "off"; + + server_name test.example.com; + + status_zone test.example.com; + set $resource_type "ingress"; + set $resource_name "cafe-ingress"; + set $resource_namespace "default"; + + + if ($scheme = http) { + return 301 https://$host:443$request_uri; + } + + + auth_jwt_key_file /etc/nginx/secrets/key.jwk; + auth_jwt "closed site" token=$cookie_auth_token; + error_page 401 @login_url-default-cafe-ingress; + + location @hc-test { + proxy_set_header Test-Header 
"test-header-value"; + proxy_connect_timeout 0s; + proxy_read_timeout 0s; + proxy_send_timeout 0s; + proxy_pass ://test; + health_check uri= interval=1s fails=1 passes=1; + } + + location @login_url-default-cafe-ingress { + internal; + return 302 https://test.example.com/login; + } + + location = "/tea" { + set $service ""; + status_zone ""; + # location for minion default/tea-minion + set $resource_name "tea-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + proxy_set_header Connection ""; + auth_jwt_key_file /etc/nginx/secrets/location-key.jwk; + auth_jwt "closed site" token=$cookie_auth_token; + + proxy_connect_timeout 10s; + proxy_read_timeout 10s; + proxy_send_timeout 10s; + client_max_body_size 2m; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://test; + + + } + +} + +--- + +[TestExecuteTemplate_ForIngressForNGINXPlusWithRequestRateLimit - 1] +# configuration for default/myingress + + +limit_req_zone ${binary_remote_addr} zone=default/myingress:10m rate=200r/s; + + + +server { + listen 443 ssl;listen [::]:443 ssl; + ssl_certificate secret.pem; + ssl_certificate_key secret.pem; + + server_tokens "off"; + + server_name test.example.com; + + status_zone test.example.com; + set $resource_type "ingress"; + set $resource_name "myingress"; + set $resource_namespace "default"; + + + if ($scheme = http) { + return 301 https://$host:443$request_uri; + } + + + auth_jwt_key_file /etc/nginx/secrets/key.jwk; + auth_jwt "closed site" token=$cookie_auth_token; + error_page 401 @login_url-default-cafe-ingress; + + location @hc-test { + proxy_set_header Test-Header "test-header-value"; + proxy_connect_timeout 0s; + proxy_read_timeout 0s; + proxy_send_timeout 0s; + proxy_pass ://test; + 
health_check uri= interval=1s fails=1 passes=1; + } + + location @login_url-default-cafe-ingress { + internal; + return 302 https://test.example.com/login; + } + + location /tea { + set $service ""; + status_zone ""; + proxy_http_version 1.1; + auth_jwt_key_file /etc/nginx/secrets/location-key.jwk; + auth_jwt "closed site" token=$cookie_auth_token; + + proxy_connect_timeout 10s; + proxy_read_timeout 10s; + proxy_send_timeout 10s; + client_max_body_size 2m; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://test; + + + limit_req zone=default/myingress burst=100 delay=50; + limit_req_dry_run on; + limit_req_log_level info; + limit_req_status 429; + + } + + location /coffee { + set $service ""; + status_zone ""; + proxy_http_version 1.1; + auth_jwt_key_file /etc/nginx/secrets/location-key.jwk; + auth_jwt "closed site" token=$cookie_auth_token; + + proxy_connect_timeout 10s; + proxy_read_timeout 10s; + proxy_send_timeout 10s; + client_max_body_size 2m; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://test; + + + limit_req zone=default/myingress burst=100 delay=50; + limit_req_dry_run on; + limit_req_log_level info; + limit_req_status 429; + + } + +} + +--- + +[TestExecuteTemplate_ForIngressForNGINXPlusWithRequestRateLimitMinions - 1] +# configuration for default/myingress + + +limit_req_zone ${binary_remote_addr} zone=default/tea-minion:10m rate=200r/s; + +limit_req_zone ${binary_remote_addr} zone=default/coffee-minion:20m rate=400r/s; + 
+ + +server { + listen 443 ssl;listen [::]:443 ssl; + ssl_certificate secret.pem; + ssl_certificate_key secret.pem; + + server_tokens "off"; + + server_name test.example.com; + + status_zone test.example.com; + set $resource_type "ingress"; + set $resource_name "myingress"; + set $resource_namespace "default"; + + + if ($scheme = http) { + return 301 https://$host:443$request_uri; + } + + + auth_jwt_key_file /etc/nginx/secrets/key.jwk; + auth_jwt "closed site" token=$cookie_auth_token; + error_page 401 @login_url-default-cafe-ingress; + + location @hc-test { + proxy_set_header Test-Header "test-header-value"; + proxy_connect_timeout 0s; + proxy_read_timeout 0s; + proxy_send_timeout 0s; + proxy_pass ://test; + health_check uri= interval=1s fails=1 passes=1; + } + + location @login_url-default-cafe-ingress { + internal; + return 302 https://test.example.com/login; + } + + location /tea { + set $service ""; + status_zone ""; + # location for minion default/tea-minion + set $resource_name "tea-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + auth_jwt_key_file /etc/nginx/secrets/location-key.jwk; + auth_jwt "closed site" token=$cookie_auth_token; + + proxy_connect_timeout 10s; + proxy_read_timeout 10s; + proxy_send_timeout 10s; + client_max_body_size 2m; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://test; + + + limit_req zone=default/tea-minion burst=100 delay=10; + limit_req_dry_run on; + limit_req_log_level info; + limit_req_status 429; + + } + + location /coffee { + set $service ""; + status_zone ""; + # location for minion default/coffee-minion + set $resource_name "coffee-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + auth_jwt_key_file 
/etc/nginx/secrets/location-key.jwk; + auth_jwt "closed site" token=$cookie_auth_token; + + proxy_connect_timeout 10s; + proxy_read_timeout 10s; + proxy_send_timeout 10s; + client_max_body_size 2m; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://test; + + + limit_req zone=default/coffee-minion burst=200 nodelay; + + limit_req_log_level error; + limit_req_status 503; + + } + +} + +--- + +[TestExecuteTemplate_ForIngressForNGINXWithHTTP2Off - 1] +# configuration for default/cafe-ingress +upstream test {zone test 256k; + server 127.0.0.1:8181 max_fails=0 fail_timeout=1s max_conns=0;keepalive 16; +} + + + +server { + listen 443 ssl;listen [::]:443 ssl; + ssl_certificate secret.pem; + ssl_certificate_key secret.pem; + + server_tokens off; + + server_name test.example.com; + + set $resource_type "ingress"; + set $resource_name "cafe-ingress"; + set $resource_namespace "default"; + if ($scheme = http) { + return 301 https://$host:443$request_uri; + } + location /tea { + set $service ""; + # location for minion default/tea-minion + set $resource_name "tea-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_connect_timeout 10s; + proxy_read_timeout 10s; + proxy_send_timeout 10s; + client_max_body_size 2m; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://test; + + + } + +} + +--- + +[TestExecuteTemplate_ForIngressForNGINXWithHTTP2On - 1] +# configuration for default/cafe-ingress 
+upstream test {zone test 256k; + server 127.0.0.1:8181 max_fails=0 fail_timeout=1s max_conns=0;keepalive 16; +} + + + +server { + listen 443 ssl;listen [::]:443 ssl; + http2 on; + ssl_certificate secret.pem; + ssl_certificate_key secret.pem; + + server_tokens off; + + server_name test.example.com; + + set $resource_type "ingress"; + set $resource_name "cafe-ingress"; + set $resource_namespace "default"; + if ($scheme = http) { + return 301 https://$host:443$request_uri; + } + location /tea { + set $service ""; + # location for minion default/tea-minion + set $resource_name "tea-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_connect_timeout 10s; + proxy_read_timeout 10s; + proxy_send_timeout 10s; + client_max_body_size 2m; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://test; + + + } + + location @grpcerror400 { default_type application/grpc; return 400 "\n"; } + location @grpcerror401 { default_type application/grpc; return 401 "\n"; } + location @grpcerror403 { default_type application/grpc; return 403 "\n"; } + location @grpcerror404 { default_type application/grpc; return 404 "\n"; } + location @grpcerror405 { default_type application/grpc; return 405 "\n"; } + location @grpcerror408 { default_type application/grpc; return 408 "\n"; } + location @grpcerror414 { default_type application/grpc; return 414 "\n"; } + location @grpcerror426 { default_type application/grpc; return 426 "\n"; } + location @grpcerror500 { default_type application/grpc; return 500 "\n"; } + location @grpcerror501 { default_type application/grpc; return 501 "\n"; } + location @grpcerror502 { default_type application/grpc; return 502 "\n"; } + location 
@grpcerror503 { default_type application/grpc; return 503 "\n"; } + location @grpcerror504 { default_type application/grpc; return 504 "\n"; } +} + +--- + +[TestExecuteTemplate_ForIngressForNGINXWithProxySetHeadersAnnotationWithDefaultValue - 1] +# configuration for default/cafe-ingress-master + + +server { + + server_tokens ; + + server_name cafe.example.com; + + set $resource_type "ingress"; + set $resource_name "cafe-ingress-master"; + set $resource_namespace "default"; + location { + set $service ""; + # location for minion default/cafe-ingress-coffee-minion + set $resource_name "cafe-ingress-coffee-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + client_max_body_size ; + proxy_set_header X-Forwarded-ABC $http_x_forwarded_abc; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://; + + + } + + location { + set $service ""; + # location for minion default/cafe-ingress-tea-minion + set $resource_name "cafe-ingress-tea-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + client_max_body_size ; + proxy_set_header X-Forwarded-ABC $http_x_forwarded_abc; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://; + + + } + +} + +--- + +[TestExecuteTemplate_ForIngressForNGINXWithRequestRateLimit - 1] +# configuration for default/myingress +limit_req_zone 
${binary_remote_addr} zone=default/myingress:10m rate=200r/s; + + + +server { + listen 443 ssl;listen [::]:443 ssl; + ssl_certificate secret.pem; + ssl_certificate_key secret.pem; + + server_tokens off; + + server_name test.example.com; + + set $resource_type "ingress"; + set $resource_name "myingress"; + set $resource_namespace "default"; + if ($scheme = http) { + return 301 https://$host:443$request_uri; + } + location /tea { + set $service ""; + proxy_http_version 1.1; + proxy_connect_timeout 10s; + proxy_read_timeout 10s; + proxy_send_timeout 10s; + client_max_body_size 2m; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://test; + + + limit_req zone=default/myingress burst=100 delay=50; + limit_req_dry_run on; + limit_req_log_level info; + limit_req_status 429; + + } + + location /coffee { + set $service ""; + proxy_http_version 1.1; + proxy_connect_timeout 10s; + proxy_read_timeout 10s; + proxy_send_timeout 10s; + client_max_body_size 2m; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://test; + + + limit_req zone=default/myingress burst=100 delay=50; + limit_req_dry_run on; + limit_req_log_level info; + limit_req_status 429; + + } + +} + +--- + +[TestExecuteTemplate_ForIngressForNGINXWithRequestRateLimitMinions - 1] +# configuration for default/myingress +limit_req_zone ${binary_remote_addr} zone=default/tea-minion:10m rate=200r/s; + +limit_req_zone ${binary_remote_addr} zone=default/coffee-minion:20m rate=400r/s; + + + +server { + 
listen 443 ssl;listen [::]:443 ssl; + ssl_certificate secret.pem; + ssl_certificate_key secret.pem; + + server_tokens off; + + server_name test.example.com; + + set $resource_type "ingress"; + set $resource_name "myingress"; + set $resource_namespace "default"; + if ($scheme = http) { + return 301 https://$host:443$request_uri; + } + location /tea { + set $service ""; + # location for minion default/tea-minion + set $resource_name "tea-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + proxy_connect_timeout 10s; + proxy_read_timeout 10s; + proxy_send_timeout 10s; + client_max_body_size 2m; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://test; + + + limit_req zone=default/tea-minion burst=100 delay=10; + limit_req_dry_run on; + limit_req_log_level info; + limit_req_status 429; + + } + + location /coffee { + set $service ""; + # location for minion default/coffee-minion + set $resource_name "coffee-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + proxy_connect_timeout 10s; + proxy_read_timeout 10s; + proxy_send_timeout 10s; + client_max_body_size 2m; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://test; + + + limit_req zone=default/coffee-minion burst=200 nodelay; + + limit_req_log_level error; + limit_req_status 503; + + } + +} + +--- + +[TestExecuteTemplate_ForMainForNGINXPlusTLSPassthroughPortDisabled - 1] +worker_processes auto; +worker_rlimit_nofile 65536; +worker_cpu_affinity auto; 
+worker_shutdown_timeout 1m; + +daemon off; + +error_log stderr ; +pid /var/lib/nginx/nginx.pid; +load_module modules/ngx_fips_check_module.so; + +load_module modules/ngx_http_js_module.so; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + map_hash_max_size ; + map_hash_bucket_size ; + + js_import /etc/nginx/njs/apikey_auth.js; + js_set $apikey_auth_hash apikey_auth.hash; + + log_format main escape=default + '$remote_addr' + ' $remote_user' + ; + + map $upstream_trailer_grpc_status $grpc_status { + default $upstream_trailer_grpc_status; + '' $sent_http_grpc_status; + } + access_log /dev/stdout main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65s; + keepalive_requests 100; + + #gzip on; + + server_names_hash_max_size 512; + + + variables_hash_bucket_size 256; + variables_hash_max_size 1024; + + map $request_uri $request_uri_no_args { + "~^(?P[^?]*)(\?.*)?$" $path; + } + + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + map $http_upgrade $vs_connection_header { + default upgrade; + '' $default_connection_header; + } + resolver example.com127.0.0.1 valid=10s ipv6=off;resolver_timeout 15s; + + server { + # required to support the Websocket protocol in VirtualServer/VirtualServerRoutes + set $default_connection_header ""; + set $resource_type ""; + set $resource_name ""; + set $resource_namespace ""; + set $service ""; + + listen 0 default_server;listen [::]:0 default_server; + listen 0 ssl default_server; + listen [::]:0 ssl default_server; + ssl_certificate /etc/nginx/secrets/default; + ssl_certificate_key /etc/nginx/secrets/default; + + server_name _; + server_tokens "off"; + + location / { + return ; + } + } + + # NGINX Plus API over unix socket + server { + listen unix:/var/lib/nginx/nginx-plus-api.sock; + access_log off; + + # $config_version_mismatch is defined in /etc/nginx/config-version.conf + location /configVersionCheck { + if 
($config_version_mismatch) { + return 503; + } + return 200; + } + + location /api { + api write=on; + } + } + + include /etc/nginx/config-version.conf; + include /etc/nginx/conf.d/*.conf; + + server { + listen unix:/var/lib/nginx/nginx-418-server.sock; + access_log off;return 418; + } +} + +stream { + log_format stream-main escape=none + '$remote_addr' + ' $remote_user' + ; + + access_log /dev/stdout stream-main; + # comment + resolver example.com127.0.0.1 valid=10s ipv6=off; + resolver_timeout 15s; + + map_hash_max_size ; + + + include /etc/nginx/stream-conf.d/*.conf; +} +mgmt { + usage_report interval=0s; +} + +--- + +[TestExecuteTemplate_ForMainForNGINXPlusWithCustomDefaultHTTPAndHTTPSListenerPorts - 1] +worker_processes auto; +worker_rlimit_nofile 65536; +worker_cpu_affinity auto; +worker_shutdown_timeout 1m; + +daemon off; + +error_log stderr ; +pid /var/lib/nginx/nginx.pid; +load_module modules/ngx_fips_check_module.so; + +load_module modules/ngx_http_js_module.so; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + map_hash_max_size ; + map_hash_bucket_size ; + + js_import /etc/nginx/njs/apikey_auth.js; + js_set $apikey_auth_hash apikey_auth.hash; + + log_format main escape=default + '$remote_addr' + ' $remote_user' + ; + + map $upstream_trailer_grpc_status $grpc_status { + default $upstream_trailer_grpc_status; + '' $sent_http_grpc_status; + } + access_log /dev/stdout main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65s; + keepalive_requests 100; + + #gzip on; + + server_names_hash_max_size 512; + + + variables_hash_bucket_size 256; + variables_hash_max_size 1024; + + map $request_uri $request_uri_no_args { + "~^(?P[^?]*)(\?.*)?$" $path; + } + + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + map $http_upgrade $vs_connection_header { + default upgrade; + '' $default_connection_header; + } + resolver example.com127.0.0.1 valid=10s 
ipv6=off;resolver_timeout 15s; + + server { + # required to support the Websocket protocol in VirtualServer/VirtualServerRoutes + set $default_connection_header ""; + set $resource_type ""; + set $resource_name ""; + set $resource_namespace ""; + set $service ""; + + listen 8083 default_server;listen [::]:8083 default_server; + listen 8443 ssl default_server; + listen [::]:8443 ssl default_server; + ssl_certificate /etc/nginx/secrets/default; + ssl_certificate_key /etc/nginx/secrets/default; + + server_name _; + server_tokens "off"; + + location / { + return ; + } + } + + # NGINX Plus API over unix socket + server { + listen unix:/var/lib/nginx/nginx-plus-api.sock; + access_log off; + + # $config_version_mismatch is defined in /etc/nginx/config-version.conf + location /configVersionCheck { + if ($config_version_mismatch) { + return 503; + } + return 200; + } + + location /api { + api write=on; + } + } + + include /etc/nginx/config-version.conf; + include /etc/nginx/conf.d/*.conf; + + server { + listen unix:/var/lib/nginx/nginx-418-server.sock; + access_log off;return 418; + } +} + +stream { + log_format stream-main escape=none + '$remote_addr' + ' $remote_user' + ; + + access_log /dev/stdout stream-main; + # comment + resolver example.com127.0.0.1 valid=10s ipv6=off; + resolver_timeout 15s; + + map_hash_max_size ; + + + include /etc/nginx/stream-conf.d/*.conf; +} +mgmt { + usage_report interval=0s; +} + +--- + +[TestExecuteTemplate_ForMainForNGINXPlusWithCustomDefaultHTTPListenerPort - 1] +worker_processes auto; +worker_rlimit_nofile 65536; +worker_cpu_affinity auto; +worker_shutdown_timeout 1m; + +daemon off; + +error_log stderr ; +pid /var/lib/nginx/nginx.pid; +load_module modules/ngx_fips_check_module.so; + +load_module modules/ngx_http_js_module.so; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + map_hash_max_size ; + map_hash_bucket_size ; + + js_import 
/etc/nginx/njs/apikey_auth.js; + js_set $apikey_auth_hash apikey_auth.hash; + + log_format main escape=default + '$remote_addr' + ' $remote_user' + ; + + map $upstream_trailer_grpc_status $grpc_status { + default $upstream_trailer_grpc_status; + '' $sent_http_grpc_status; + } + access_log /dev/stdout main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65s; + keepalive_requests 100; + + #gzip on; + + server_names_hash_max_size 512; + + + variables_hash_bucket_size 256; + variables_hash_max_size 1024; + + map $request_uri $request_uri_no_args { + "~^(?P[^?]*)(\?.*)?$" $path; + } + + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + map $http_upgrade $vs_connection_header { + default upgrade; + '' $default_connection_header; + } + resolver example.com127.0.0.1 valid=10s ipv6=off;resolver_timeout 15s; + + server { + # required to support the Websocket protocol in VirtualServer/VirtualServerRoutes + set $default_connection_header ""; + set $resource_type ""; + set $resource_name ""; + set $resource_namespace ""; + set $service ""; + + listen 8083 default_server;listen [::]:8083 default_server; + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + ssl_certificate /etc/nginx/secrets/default; + ssl_certificate_key /etc/nginx/secrets/default; + + server_name _; + server_tokens "off"; + + location / { + return ; + } + } + + # NGINX Plus API over unix socket + server { + listen unix:/var/lib/nginx/nginx-plus-api.sock; + access_log off; + + # $config_version_mismatch is defined in /etc/nginx/config-version.conf + location /configVersionCheck { + if ($config_version_mismatch) { + return 503; + } + return 200; + } + + location /api { + api write=on; + } + } + + include /etc/nginx/config-version.conf; + include /etc/nginx/conf.d/*.conf; + + server { + listen unix:/var/lib/nginx/nginx-418-server.sock; + access_log off;return 418; + } +} + +stream { + log_format stream-main escape=none + '$remote_addr' + ' $remote_user' + ; + 
+ access_log /dev/stdout stream-main; + # comment + resolver example.com127.0.0.1 valid=10s ipv6=off; + resolver_timeout 15s; + + map_hash_max_size ; + + + include /etc/nginx/stream-conf.d/*.conf; +} +mgmt { + usage_report interval=0s; +} + +--- + +[TestExecuteTemplate_ForMainForNGINXPlusWithCustomDefaultHTTPSListenerPort - 1] +worker_processes auto; +worker_rlimit_nofile 65536; +worker_cpu_affinity auto; +worker_shutdown_timeout 1m; + +daemon off; + +error_log stderr ; +pid /var/lib/nginx/nginx.pid; +load_module modules/ngx_fips_check_module.so; + +load_module modules/ngx_http_js_module.so; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + map_hash_max_size ; + map_hash_bucket_size ; + + js_import /etc/nginx/njs/apikey_auth.js; + js_set $apikey_auth_hash apikey_auth.hash; + + log_format main escape=default + '$remote_addr' + ' $remote_user' + ; + + map $upstream_trailer_grpc_status $grpc_status { + default $upstream_trailer_grpc_status; + '' $sent_http_grpc_status; + } + access_log /dev/stdout main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65s; + keepalive_requests 100; + + #gzip on; + + server_names_hash_max_size 512; + + + variables_hash_bucket_size 256; + variables_hash_max_size 1024; + + map $request_uri $request_uri_no_args { + "~^(?P[^?]*)(\?.*)?$" $path; + } + + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + map $http_upgrade $vs_connection_header { + default upgrade; + '' $default_connection_header; + } + resolver example.com127.0.0.1 valid=10s ipv6=off;resolver_timeout 15s; + + server { + # required to support the Websocket protocol in VirtualServer/VirtualServerRoutes + set $default_connection_header ""; + set $resource_type ""; + set $resource_name ""; + set $resource_namespace ""; + set $service ""; + + listen 80 default_server;listen [::]:80 default_server; + listen 8443 ssl default_server; + listen [::]:8443 ssl default_server; 
+ ssl_certificate /etc/nginx/secrets/default; + ssl_certificate_key /etc/nginx/secrets/default; + + server_name _; + server_tokens "off"; + + location / { + return ; + } + } + + # NGINX Plus API over unix socket + server { + listen unix:/var/lib/nginx/nginx-plus-api.sock; + access_log off; + + # $config_version_mismatch is defined in /etc/nginx/config-version.conf + location /configVersionCheck { + if ($config_version_mismatch) { + return 503; + } + return 200; + } + + location /api { + api write=on; + } + } + + include /etc/nginx/config-version.conf; + include /etc/nginx/conf.d/*.conf; + + server { + listen unix:/var/lib/nginx/nginx-418-server.sock; + access_log off;return 418; + } +} + +stream { + log_format stream-main escape=none + '$remote_addr' + ' $remote_user' + ; + + access_log /dev/stdout stream-main; + # comment + resolver example.com127.0.0.1 valid=10s ipv6=off; + resolver_timeout 15s; + + map_hash_max_size ; + + + include /etc/nginx/stream-conf.d/*.conf; +} +mgmt { + usage_report interval=0s; +} + +--- + +[TestExecuteTemplate_ForMainForNGINXPlusWithCustomTLSPassthroughPort - 1] +worker_processes auto; +worker_rlimit_nofile 65536; +worker_cpu_affinity auto; +worker_shutdown_timeout 1m; + +daemon off; + +error_log stderr ; +pid /var/lib/nginx/nginx.pid; +load_module modules/ngx_fips_check_module.so; + +load_module modules/ngx_http_js_module.so; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + map_hash_max_size ; + map_hash_bucket_size ; + + js_import /etc/nginx/njs/apikey_auth.js; + js_set $apikey_auth_hash apikey_auth.hash; + + log_format main escape=default + '$remote_addr' + ' $remote_user' + ; + + map $upstream_trailer_grpc_status $grpc_status { + default $upstream_trailer_grpc_status; + '' $sent_http_grpc_status; + } + access_log /dev/stdout main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65s; + keepalive_requests 100; + + #gzip on; + + 
server_names_hash_max_size 512; + + + variables_hash_bucket_size 256; + variables_hash_max_size 1024; + + map $request_uri $request_uri_no_args { + "~^(?P[^?]*)(\?.*)?$" $path; + } + + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + map $http_upgrade $vs_connection_header { + default upgrade; + '' $default_connection_header; + } + resolver example.com127.0.0.1 valid=10s ipv6=off;resolver_timeout 15s; + + server { + # required to support the Websocket protocol in VirtualServer/VirtualServerRoutes + set $default_connection_header ""; + set $resource_type ""; + set $resource_name ""; + set $resource_namespace ""; + set $service ""; + + listen 0 default_server;listen [::]:0 default_server; + listen unix:/var/lib/nginx/passthrough-https.sock ssl default_server proxy_protocol; + set_real_ip_from unix:; + real_ip_header proxy_protocol; + ssl_certificate /etc/nginx/secrets/default; + ssl_certificate_key /etc/nginx/secrets/default; + + server_name _; + server_tokens "off"; + + location / { + return ; + } + } + + # NGINX Plus API over unix socket + server { + listen unix:/var/lib/nginx/nginx-plus-api.sock; + access_log off; + + # $config_version_mismatch is defined in /etc/nginx/config-version.conf + location /configVersionCheck { + if ($config_version_mismatch) { + return 503; + } + return 200; + } + + location /api { + api write=on; + } + } + + include /etc/nginx/config-version.conf; + include /etc/nginx/conf.d/*.conf; + + server { + listen unix:/var/lib/nginx/nginx-418-server.sock; + access_log off;return 418; + } +} + +stream { + log_format stream-main escape=none + '$remote_addr' + ' $remote_user' + ; + + access_log /dev/stdout stream-main; + # comment + resolver example.com127.0.0.1 valid=10s ipv6=off; + resolver_timeout 15s; + + map_hash_max_size ; + + map $ssl_preread_server_name $dest_internal_passthrough { + default unix:/var/lib/nginx/passthrough-https.sock; + include /etc/nginx/tls-passthrough-hosts.conf; + } + + server { + listen 
8443; + listen [::]:8443; + + + + ssl_preread on; + + proxy_protocol on; + proxy_pass $dest_internal_passthrough; + } + + + include /etc/nginx/stream-conf.d/*.conf; +} +mgmt { + usage_report interval=0s; +} + +--- + +[TestExecuteTemplate_ForMainForNGINXPlusWithHTTP2Off - 1] +worker_processes auto; +worker_rlimit_nofile 65536; +worker_cpu_affinity auto; +worker_shutdown_timeout 1m; + +daemon off; + +error_log stderr ; +pid /var/lib/nginx/nginx.pid; +load_module modules/ngx_fips_check_module.so; + +load_module modules/ngx_http_js_module.so; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + map_hash_max_size ; + map_hash_bucket_size ; + + js_import /etc/nginx/njs/apikey_auth.js; + js_set $apikey_auth_hash apikey_auth.hash; + + log_format main escape=default + '$remote_addr' + ' $remote_user' + ; + + map $upstream_trailer_grpc_status $grpc_status { + default $upstream_trailer_grpc_status; + '' $sent_http_grpc_status; + } + access_log /dev/stdout main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65s; + keepalive_requests 100; + + #gzip on; + + server_names_hash_max_size 512; + + + variables_hash_bucket_size 256; + variables_hash_max_size 1024; + + map $request_uri $request_uri_no_args { + "~^(?P[^?]*)(\?.*)?$" $path; + } + + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + map $http_upgrade $vs_connection_header { + default upgrade; + '' $default_connection_header; + } + resolver example.com127.0.0.1 valid=10s ipv6=off;resolver_timeout 15s; + + server { + # required to support the Websocket protocol in VirtualServer/VirtualServerRoutes + set $default_connection_header ""; + set $resource_type ""; + set $resource_name ""; + set $resource_namespace ""; + set $service ""; + + listen 80 default_server;listen [::]:80 default_server; + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + ssl_certificate /etc/nginx/secrets/default; + 
ssl_certificate_key /etc/nginx/secrets/default; + + server_name _; + server_tokens "off"; + + location / { + return ; + } + } + + # NGINX Plus API over unix socket + server { + listen unix:/var/lib/nginx/nginx-plus-api.sock; + access_log off; + + # $config_version_mismatch is defined in /etc/nginx/config-version.conf + location /configVersionCheck { + if ($config_version_mismatch) { + return 503; + } + return 200; + } + + location /api { + api write=on; + } + } + + include /etc/nginx/config-version.conf; + include /etc/nginx/conf.d/*.conf; + + server { + listen unix:/var/lib/nginx/nginx-418-server.sock; + access_log off;return 418; + } +} + +stream { + log_format stream-main escape=none + '$remote_addr' + ' $remote_user' + ; + + access_log /dev/stdout stream-main; + # comment + resolver example.com127.0.0.1 valid=10s ipv6=off; + resolver_timeout 15s; + + map_hash_max_size ; + + + include /etc/nginx/stream-conf.d/*.conf; +} +mgmt { + usage_report interval=0s; +} + +--- + +[TestExecuteTemplate_ForMainForNGINXPlusWithHTTP2On - 1] +worker_processes auto; +worker_rlimit_nofile 65536; +worker_cpu_affinity auto; +worker_shutdown_timeout 1m; + +daemon off; + +error_log stderr ; +pid /var/lib/nginx/nginx.pid; +load_module modules/ngx_fips_check_module.so; + +load_module modules/ngx_http_js_module.so; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + map_hash_max_size ; + map_hash_bucket_size ; + + js_import /etc/nginx/njs/apikey_auth.js; + js_set $apikey_auth_hash apikey_auth.hash; + + log_format main escape=default + '$remote_addr' + ' $remote_user' + ; + + map $upstream_trailer_grpc_status $grpc_status { + default $upstream_trailer_grpc_status; + '' $sent_http_grpc_status; + } + access_log /dev/stdout main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65s; + keepalive_requests 100; + + #gzip on; + + server_names_hash_max_size 512; + + + variables_hash_bucket_size 256; + 
variables_hash_max_size 1024; + + map $request_uri $request_uri_no_args { + "~^(?P[^?]*)(\?.*)?$" $path; + } + + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + map $http_upgrade $vs_connection_header { + default upgrade; + '' $default_connection_header; + } + resolver example.com127.0.0.1 valid=10s ipv6=off;resolver_timeout 15s; + + server { + # required to support the Websocket protocol in VirtualServer/VirtualServerRoutes + set $default_connection_header ""; + set $resource_type ""; + set $resource_name ""; + set $resource_namespace ""; + set $service ""; + + listen 80 default_server;listen [::]:80 default_server; + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + http2 on; + ssl_certificate /etc/nginx/secrets/default; + ssl_certificate_key /etc/nginx/secrets/default; + + server_name _; + server_tokens "off"; + + location / { + return ; + } + } + + # NGINX Plus API over unix socket + server { + listen unix:/var/lib/nginx/nginx-plus-api.sock; + access_log off; + + # $config_version_mismatch is defined in /etc/nginx/config-version.conf + location /configVersionCheck { + if ($config_version_mismatch) { + return 503; + } + return 200; + } + + location /api { + api write=on; + } + } + + include /etc/nginx/config-version.conf; + include /etc/nginx/conf.d/*.conf; + + server { + listen unix:/var/lib/nginx/nginx-418-server.sock; + access_log off;return 418; + } +} + +stream { + log_format stream-main escape=none + '$remote_addr' + ' $remote_user' + ; + + access_log /dev/stdout stream-main; + # comment + resolver example.com127.0.0.1 valid=10s ipv6=off; + resolver_timeout 15s; + + map_hash_max_size ; + + + include /etc/nginx/stream-conf.d/*.conf; +} +mgmt { + usage_report interval=0s; +} + +--- + +[TestExecuteTemplate_ForMainForNGINXPlusWithoutCustomDefaultHTTPAndHTTPSListenerPorts - 1] +worker_processes auto; +worker_rlimit_nofile 65536; +worker_cpu_affinity auto; +worker_shutdown_timeout 1m; + +daemon off; + +error_log 
stderr ; +pid /var/lib/nginx/nginx.pid; +load_module modules/ngx_fips_check_module.so; + +load_module modules/ngx_http_js_module.so; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + map_hash_max_size ; + map_hash_bucket_size ; + + js_import /etc/nginx/njs/apikey_auth.js; + js_set $apikey_auth_hash apikey_auth.hash; + + log_format main escape=default + '$remote_addr' + ' $remote_user' + ; + + map $upstream_trailer_grpc_status $grpc_status { + default $upstream_trailer_grpc_status; + '' $sent_http_grpc_status; + } + access_log /dev/stdout main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65s; + keepalive_requests 100; + + #gzip on; + + server_names_hash_max_size 512; + + + variables_hash_bucket_size 256; + variables_hash_max_size 1024; + + map $request_uri $request_uri_no_args { + "~^(?P[^?]*)(\?.*)?$" $path; + } + + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + map $http_upgrade $vs_connection_header { + default upgrade; + '' $default_connection_header; + } + resolver example.com127.0.0.1 valid=10s ipv6=off;resolver_timeout 15s; + + server { + # required to support the Websocket protocol in VirtualServer/VirtualServerRoutes + set $default_connection_header ""; + set $resource_type ""; + set $resource_name ""; + set $resource_namespace ""; + set $service ""; + + listen 80 default_server;listen [::]:80 default_server; + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + ssl_certificate /etc/nginx/secrets/default; + ssl_certificate_key /etc/nginx/secrets/default; + + server_name _; + server_tokens "off"; + + location / { + return ; + } + } + + # NGINX Plus API over unix socket + server { + listen unix:/var/lib/nginx/nginx-plus-api.sock; + access_log off; + + # $config_version_mismatch is defined in /etc/nginx/config-version.conf + location /configVersionCheck { + if ($config_version_mismatch) { + return 503; + } + return 200; + 
} + + location /api { + api write=on; + } + } + + include /etc/nginx/config-version.conf; + include /etc/nginx/conf.d/*.conf; + + server { + listen unix:/var/lib/nginx/nginx-418-server.sock; + access_log off;return 418; + } +} + +stream { + log_format stream-main escape=none + '$remote_addr' + ' $remote_user' + ; + + access_log /dev/stdout stream-main; + # comment + resolver example.com127.0.0.1 valid=10s ipv6=off; + resolver_timeout 15s; + + map_hash_max_size ; + + + include /etc/nginx/stream-conf.d/*.conf; +} +mgmt { + usage_report interval=0s; +} + +--- + +[TestExecuteTemplate_ForMainForNGINXPlusWithoutCustomTLSPassthroughPort - 1] +worker_processes auto; +worker_rlimit_nofile 65536; +worker_cpu_affinity auto; +worker_shutdown_timeout 1m; + +daemon off; + +error_log stderr ; +pid /var/lib/nginx/nginx.pid; +load_module modules/ngx_fips_check_module.so; + +load_module modules/ngx_http_js_module.so; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + map_hash_max_size ; + map_hash_bucket_size ; + + js_import /etc/nginx/njs/apikey_auth.js; + js_set $apikey_auth_hash apikey_auth.hash; + + log_format main escape=default + '$remote_addr' + ' $remote_user' + ; + + map $upstream_trailer_grpc_status $grpc_status { + default $upstream_trailer_grpc_status; + '' $sent_http_grpc_status; + } + access_log /dev/stdout main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65s; + keepalive_requests 100; + + #gzip on; + + server_names_hash_max_size 512; + + + variables_hash_bucket_size 256; + variables_hash_max_size 1024; + + map $request_uri $request_uri_no_args { + "~^(?P[^?]*)(\?.*)?$" $path; + } + + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + map $http_upgrade $vs_connection_header { + default upgrade; + '' $default_connection_header; + } + resolver example.com127.0.0.1 valid=10s ipv6=off;resolver_timeout 15s; + + server { + # required to support the Websocket 
protocol in VirtualServer/VirtualServerRoutes + set $default_connection_header ""; + set $resource_type ""; + set $resource_name ""; + set $resource_namespace ""; + set $service ""; + + listen 0 default_server;listen [::]:0 default_server; + listen unix:/var/lib/nginx/passthrough-https.sock ssl default_server proxy_protocol; + set_real_ip_from unix:; + real_ip_header proxy_protocol; + ssl_certificate /etc/nginx/secrets/default; + ssl_certificate_key /etc/nginx/secrets/default; + + server_name _; + server_tokens "off"; + + location / { + return ; + } + } + + # NGINX Plus API over unix socket + server { + listen unix:/var/lib/nginx/nginx-plus-api.sock; + access_log off; + + # $config_version_mismatch is defined in /etc/nginx/config-version.conf + location /configVersionCheck { + if ($config_version_mismatch) { + return 503; + } + return 200; + } + + location /api { + api write=on; + } + } + + include /etc/nginx/config-version.conf; + include /etc/nginx/conf.d/*.conf; + + server { + listen unix:/var/lib/nginx/nginx-418-server.sock; + access_log off;return 418; + } +} + +stream { + log_format stream-main escape=none + '$remote_addr' + ' $remote_user' + ; + + access_log /dev/stdout stream-main; + # comment + resolver example.com127.0.0.1 valid=10s ipv6=off; + resolver_timeout 15s; + + map_hash_max_size ; + + map $ssl_preread_server_name $dest_internal_passthrough { + default unix:/var/lib/nginx/passthrough-https.sock; + include /etc/nginx/tls-passthrough-hosts.conf; + } + + server { + listen 443; + listen [::]:443; + + + + ssl_preread on; + + proxy_protocol on; + proxy_pass $dest_internal_passthrough; + } + + + include /etc/nginx/stream-conf.d/*.conf; +} +mgmt { + usage_report interval=0s; +} + +--- + +[TestExecuteTemplate_ForMainForNGINXTLSPassthroughDisabled - 1] +worker_processes auto; +worker_rlimit_nofile 65536; +worker_cpu_affinity auto; +worker_shutdown_timeout 1m; +daemon off; + +error_log stderr ; +pid /var/lib/nginx/nginx.pid; + +load_module 
modules/ngx_http_js_module.so; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + map_hash_max_size ; + map_hash_bucket_size ; + + + js_import /etc/nginx/njs/apikey_auth.js; + js_set $apikey_auth_hash apikey_auth.hash; + + log_format main escape=default + '$remote_addr' + ' $remote_user' + ; + + map $upstream_trailer_grpc_status $grpc_status { + default $upstream_trailer_grpc_status; + '' $sent_http_grpc_status; + } + access_log /dev/stdout main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65s; + keepalive_requests 100; + + #gzip on; + + server_names_hash_max_size 512; + + + variables_hash_bucket_size 256; + variables_hash_max_size 1024; + + map $request_uri $request_uri_no_args { + "~^(?P[^?]*)(\?.*)?$" $path; + } + + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + map $http_upgrade $vs_connection_header { + default upgrade; + '' $default_connection_header; + } + + server { + # required to support the Websocket protocol in VirtualServer/VirtualServerRoutes + set $default_connection_header ""; + set $resource_type ""; + set $resource_name ""; + set $resource_namespace ""; + set $service ""; + + listen 0 default_server;listen [::]:0 default_server; + listen 0 ssl default_server; + listen [::]:0 ssl default_server; + ssl_certificate /etc/nginx/secrets/default; + ssl_certificate_key /etc/nginx/secrets/default; + + server_name _; + server_tokens "off"; + + location / { + return ; + } + } + + include /etc/nginx/config-version.conf; + include /etc/nginx/conf.d/*.conf; + + server { + listen unix:/var/lib/nginx/nginx-502-server.sock; + access_log off; + + + + return 502; + } + + server { + listen unix:/var/lib/nginx/nginx-418-server.sock; + access_log off;return 418; + } +} + +stream { + log_format stream-main escape=none + '$remote_addr' + ' $remote_user' + ; + + access_log /dev/stdout stream-main; + # comment + + map_hash_max_size ; + + + include 
/etc/nginx/stream-conf.d/*.conf; +} + +--- + +[TestExecuteTemplate_ForMainForNGINXWithCustomDefaultHTTPAndHTTPSListenerPorts - 1] +worker_processes auto; +worker_rlimit_nofile 65536; +worker_cpu_affinity auto; +worker_shutdown_timeout 1m; +daemon off; + +error_log stderr ; +pid /var/lib/nginx/nginx.pid; + +load_module modules/ngx_http_js_module.so; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + map_hash_max_size ; + map_hash_bucket_size ; + + + js_import /etc/nginx/njs/apikey_auth.js; + js_set $apikey_auth_hash apikey_auth.hash; + + log_format main escape=default + '$remote_addr' + ' $remote_user' + ; + + map $upstream_trailer_grpc_status $grpc_status { + default $upstream_trailer_grpc_status; + '' $sent_http_grpc_status; + } + access_log /dev/stdout main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65s; + keepalive_requests 100; + + #gzip on; + + server_names_hash_max_size 512; + + + variables_hash_bucket_size 256; + variables_hash_max_size 1024; + + map $request_uri $request_uri_no_args { + "~^(?P[^?]*)(\?.*)?$" $path; + } + + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + map $http_upgrade $vs_connection_header { + default upgrade; + '' $default_connection_header; + } + + server { + # required to support the Websocket protocol in VirtualServer/VirtualServerRoutes + set $default_connection_header ""; + set $resource_type ""; + set $resource_name ""; + set $resource_namespace ""; + set $service ""; + + listen 8083 default_server;listen [::]:8083 default_server; + listen 8443 ssl default_server; + listen [::]:8443 ssl default_server; + ssl_certificate /etc/nginx/secrets/default; + ssl_certificate_key /etc/nginx/secrets/default; + + server_name _; + server_tokens "off"; + + location / { + return ; + } + } + + include /etc/nginx/config-version.conf; + include /etc/nginx/conf.d/*.conf; + + server { + listen 
unix:/var/lib/nginx/nginx-502-server.sock; + access_log off; + + + + return 502; + } + + server { + listen unix:/var/lib/nginx/nginx-418-server.sock; + access_log off;return 418; + } +} + +stream { + log_format stream-main escape=none + '$remote_addr' + ' $remote_user' + ; + + access_log /dev/stdout stream-main; + # comment + + map_hash_max_size ; + + + include /etc/nginx/stream-conf.d/*.conf; +} + +--- + +[TestExecuteTemplate_ForMainForNGINXWithCustomDefaultHTTPListenerPort - 1] +worker_processes auto; +worker_rlimit_nofile 65536; +worker_cpu_affinity auto; +worker_shutdown_timeout 1m; +daemon off; + +error_log stderr ; +pid /var/lib/nginx/nginx.pid; + +load_module modules/ngx_http_js_module.so; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + map_hash_max_size ; + map_hash_bucket_size ; + + + js_import /etc/nginx/njs/apikey_auth.js; + js_set $apikey_auth_hash apikey_auth.hash; + + log_format main escape=default + '$remote_addr' + ' $remote_user' + ; + + map $upstream_trailer_grpc_status $grpc_status { + default $upstream_trailer_grpc_status; + '' $sent_http_grpc_status; + } + access_log /dev/stdout main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65s; + keepalive_requests 100; + + #gzip on; + + server_names_hash_max_size 512; + + + variables_hash_bucket_size 256; + variables_hash_max_size 1024; + + map $request_uri $request_uri_no_args { + "~^(?P[^?]*)(\?.*)?$" $path; + } + + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + map $http_upgrade $vs_connection_header { + default upgrade; + '' $default_connection_header; + } + + server { + # required to support the Websocket protocol in VirtualServer/VirtualServerRoutes + set $default_connection_header ""; + set $resource_type ""; + set $resource_name ""; + set $resource_namespace ""; + set $service ""; + + listen 8083 default_server;listen [::]:8083 default_server; + listen 443 ssl default_server; 
+ listen [::]:443 ssl default_server; + ssl_certificate /etc/nginx/secrets/default; + ssl_certificate_key /etc/nginx/secrets/default; + + server_name _; + server_tokens "off"; + + location / { + return ; + } + } + + include /etc/nginx/config-version.conf; + include /etc/nginx/conf.d/*.conf; + + server { + listen unix:/var/lib/nginx/nginx-502-server.sock; + access_log off; + + + + return 502; + } + + server { + listen unix:/var/lib/nginx/nginx-418-server.sock; + access_log off;return 418; + } +} + +stream { + log_format stream-main escape=none + '$remote_addr' + ' $remote_user' + ; + + access_log /dev/stdout stream-main; + # comment + + map_hash_max_size ; + + + include /etc/nginx/stream-conf.d/*.conf; +} + +--- + +[TestExecuteTemplate_ForMainForNGINXWithCustomDefaultHTTPSListenerPort - 1] +worker_processes auto; +worker_rlimit_nofile 65536; +worker_cpu_affinity auto; +worker_shutdown_timeout 1m; +daemon off; + +error_log stderr ; +pid /var/lib/nginx/nginx.pid; + +load_module modules/ngx_http_js_module.so; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + map_hash_max_size ; + map_hash_bucket_size ; + + + js_import /etc/nginx/njs/apikey_auth.js; + js_set $apikey_auth_hash apikey_auth.hash; + + log_format main escape=default + '$remote_addr' + ' $remote_user' + ; + + map $upstream_trailer_grpc_status $grpc_status { + default $upstream_trailer_grpc_status; + '' $sent_http_grpc_status; + } + access_log /dev/stdout main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65s; + keepalive_requests 100; + + #gzip on; + + server_names_hash_max_size 512; + + + variables_hash_bucket_size 256; + variables_hash_max_size 1024; + + map $request_uri $request_uri_no_args { + "~^(?P[^?]*)(\?.*)?$" $path; + } + + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + map $http_upgrade $vs_connection_header { + default upgrade; + '' $default_connection_header; + } + + server { + 
# required to support the Websocket protocol in VirtualServer/VirtualServerRoutes + set $default_connection_header ""; + set $resource_type ""; + set $resource_name ""; + set $resource_namespace ""; + set $service ""; + + listen 80 default_server;listen [::]:80 default_server; + listen 8443 ssl default_server; + listen [::]:8443 ssl default_server; + ssl_certificate /etc/nginx/secrets/default; + ssl_certificate_key /etc/nginx/secrets/default; + + server_name _; + server_tokens "off"; + + location / { + return ; + } + } + + include /etc/nginx/config-version.conf; + include /etc/nginx/conf.d/*.conf; + + server { + listen unix:/var/lib/nginx/nginx-502-server.sock; + access_log off; + + + + return 502; + } + + server { + listen unix:/var/lib/nginx/nginx-418-server.sock; + access_log off;return 418; + } +} + +stream { + log_format stream-main escape=none + '$remote_addr' + ' $remote_user' + ; + + access_log /dev/stdout stream-main; + # comment + + map_hash_max_size ; + + + include /etc/nginx/stream-conf.d/*.conf; +} + +--- + +[TestExecuteTemplate_ForMainForNGINXWithCustomTLSPassthroughPort - 1] +worker_processes auto; +worker_rlimit_nofile 65536; +worker_cpu_affinity auto; +worker_shutdown_timeout 1m; +daemon off; + +error_log stderr ; +pid /var/lib/nginx/nginx.pid; + +load_module modules/ngx_http_js_module.so; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + map_hash_max_size ; + map_hash_bucket_size ; + + + js_import /etc/nginx/njs/apikey_auth.js; + js_set $apikey_auth_hash apikey_auth.hash; + + log_format main escape=default + '$remote_addr' + ' $remote_user' + ; + + map $upstream_trailer_grpc_status $grpc_status { + default $upstream_trailer_grpc_status; + '' $sent_http_grpc_status; + } + access_log /dev/stdout main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65s; + keepalive_requests 100; + + #gzip on; + + server_names_hash_max_size 512; + + + variables_hash_bucket_size 
256; + variables_hash_max_size 1024; + + map $request_uri $request_uri_no_args { + "~^(?P[^?]*)(\?.*)?$" $path; + } + + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + map $http_upgrade $vs_connection_header { + default upgrade; + '' $default_connection_header; + } + + server { + # required to support the Websocket protocol in VirtualServer/VirtualServerRoutes + set $default_connection_header ""; + set $resource_type ""; + set $resource_name ""; + set $resource_namespace ""; + set $service ""; + + listen 0 default_server;listen [::]:0 default_server; + listen unix:/var/lib/nginx/passthrough-https.sock ssl default_server proxy_protocol; + set_real_ip_from unix:; + real_ip_header proxy_protocol; + ssl_certificate /etc/nginx/secrets/default; + ssl_certificate_key /etc/nginx/secrets/default; + + server_name _; + server_tokens "off"; + + location / { + return ; + } + } + + include /etc/nginx/config-version.conf; + include /etc/nginx/conf.d/*.conf; + + server { + listen unix:/var/lib/nginx/nginx-502-server.sock; + access_log off; + + + + return 502; + } + + server { + listen unix:/var/lib/nginx/nginx-418-server.sock; + access_log off;return 418; + } +} + +stream { + log_format stream-main escape=none + '$remote_addr' + ' $remote_user' + ; + + access_log /dev/stdout stream-main; + # comment + + map_hash_max_size ; + + map $ssl_preread_server_name $dest_internal_passthrough { + default unix:/var/lib/nginx/passthrough-https.sock; + include /etc/nginx/tls-passthrough-hosts.conf; + } + + server { + listen 8443; + listen [::]:8443; + + + + + ssl_preread on; + + proxy_protocol on; + proxy_pass $dest_internal_passthrough; + } + + + include /etc/nginx/stream-conf.d/*.conf; +} + +--- + +[TestExecuteTemplate_ForMainForNGINXWithHTTP2Off - 1] +worker_processes auto; +worker_rlimit_nofile 65536; +worker_cpu_affinity auto; +worker_shutdown_timeout 1m; +daemon off; + +error_log stderr ; +pid /var/lib/nginx/nginx.pid; + +load_module 
modules/ngx_http_js_module.so; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + map_hash_max_size ; + map_hash_bucket_size ; + + + js_import /etc/nginx/njs/apikey_auth.js; + js_set $apikey_auth_hash apikey_auth.hash; + + log_format main escape=default + '$remote_addr' + ' $remote_user' + ; + + map $upstream_trailer_grpc_status $grpc_status { + default $upstream_trailer_grpc_status; + '' $sent_http_grpc_status; + } + access_log /dev/stdout main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65s; + keepalive_requests 100; + + #gzip on; + + server_names_hash_max_size 512; + + + variables_hash_bucket_size 256; + variables_hash_max_size 1024; + + map $request_uri $request_uri_no_args { + "~^(?P[^?]*)(\?.*)?$" $path; + } + + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + map $http_upgrade $vs_connection_header { + default upgrade; + '' $default_connection_header; + } + + server { + # required to support the Websocket protocol in VirtualServer/VirtualServerRoutes + set $default_connection_header ""; + set $resource_type ""; + set $resource_name ""; + set $resource_namespace ""; + set $service ""; + + listen 80 default_server;listen [::]:80 default_server; + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + ssl_certificate /etc/nginx/secrets/default; + ssl_certificate_key /etc/nginx/secrets/default; + + server_name _; + server_tokens "off"; + + location / { + return ; + } + } + + include /etc/nginx/config-version.conf; + include /etc/nginx/conf.d/*.conf; + + server { + listen unix:/var/lib/nginx/nginx-502-server.sock; + access_log off; + + + + return 502; + } + + server { + listen unix:/var/lib/nginx/nginx-418-server.sock; + access_log off;return 418; + } +} + +stream { + log_format stream-main escape=none + '$remote_addr' + ' $remote_user' + ; + + access_log /dev/stdout stream-main; + # comment + + map_hash_max_size ; + + + include 
/etc/nginx/stream-conf.d/*.conf; +} + +--- + +[TestExecuteTemplate_ForMainForNGINXWithHTTP2On - 1] +worker_processes auto; +worker_rlimit_nofile 65536; +worker_cpu_affinity auto; +worker_shutdown_timeout 1m; +daemon off; + +error_log stderr ; +pid /var/lib/nginx/nginx.pid; + +load_module modules/ngx_http_js_module.so; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + map_hash_max_size ; + map_hash_bucket_size ; + + + js_import /etc/nginx/njs/apikey_auth.js; + js_set $apikey_auth_hash apikey_auth.hash; + + log_format main escape=default + '$remote_addr' + ' $remote_user' + ; + + map $upstream_trailer_grpc_status $grpc_status { + default $upstream_trailer_grpc_status; + '' $sent_http_grpc_status; + } + access_log /dev/stdout main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65s; + keepalive_requests 100; + + #gzip on; + + server_names_hash_max_size 512; + + + variables_hash_bucket_size 256; + variables_hash_max_size 1024; + + map $request_uri $request_uri_no_args { + "~^(?P[^?]*)(\?.*)?$" $path; + } + + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + map $http_upgrade $vs_connection_header { + default upgrade; + '' $default_connection_header; + } + + server { + # required to support the Websocket protocol in VirtualServer/VirtualServerRoutes + set $default_connection_header ""; + set $resource_type ""; + set $resource_name ""; + set $resource_namespace ""; + set $service ""; + + listen 80 default_server;listen [::]:80 default_server; + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + http2 on; + ssl_certificate /etc/nginx/secrets/default; + ssl_certificate_key /etc/nginx/secrets/default; + + server_name _; + server_tokens "off"; + + location / { + return ; + } + } + + include /etc/nginx/config-version.conf; + include /etc/nginx/conf.d/*.conf; + + server { + listen unix:/var/lib/nginx/nginx-502-server.sock; + access_log off; + + 
+ + return 502; + } + + server { + listen unix:/var/lib/nginx/nginx-418-server.sock; + access_log off;return 418; + } +} + +stream { + log_format stream-main escape=none + '$remote_addr' + ' $remote_user' + ; + + access_log /dev/stdout stream-main; + # comment + + map_hash_max_size ; + + + include /etc/nginx/stream-conf.d/*.conf; +} + +--- + +[TestExecuteTemplate_ForMainForNGINXWithoutCustomDefaultHTTPAndHTTPSListenerPorts - 1] +worker_processes auto; +worker_rlimit_nofile 65536; +worker_cpu_affinity auto; +worker_shutdown_timeout 1m; +daemon off; + +error_log stderr ; +pid /var/lib/nginx/nginx.pid; + +load_module modules/ngx_http_js_module.so; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + map_hash_max_size ; + map_hash_bucket_size ; + + + js_import /etc/nginx/njs/apikey_auth.js; + js_set $apikey_auth_hash apikey_auth.hash; + + log_format main escape=default + '$remote_addr' + ' $remote_user' + ; + + map $upstream_trailer_grpc_status $grpc_status { + default $upstream_trailer_grpc_status; + '' $sent_http_grpc_status; + } + access_log /dev/stdout main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65s; + keepalive_requests 100; + + #gzip on; + + server_names_hash_max_size 512; + + + variables_hash_bucket_size 256; + variables_hash_max_size 1024; + + map $request_uri $request_uri_no_args { + "~^(?P[^?]*)(\?.*)?$" $path; + } + + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + map $http_upgrade $vs_connection_header { + default upgrade; + '' $default_connection_header; + } + + server { + # required to support the Websocket protocol in VirtualServer/VirtualServerRoutes + set $default_connection_header ""; + set $resource_type ""; + set $resource_name ""; + set $resource_namespace ""; + set $service ""; + + listen 80 default_server;listen [::]:80 default_server; + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + ssl_certificate 
/etc/nginx/secrets/default; + ssl_certificate_key /etc/nginx/secrets/default; + + server_name _; + server_tokens "off"; + + location / { + return ; + } + } + + include /etc/nginx/config-version.conf; + include /etc/nginx/conf.d/*.conf; + + server { + listen unix:/var/lib/nginx/nginx-502-server.sock; + access_log off; + + + + return 502; + } + + server { + listen unix:/var/lib/nginx/nginx-418-server.sock; + access_log off;return 418; + } +} + +stream { + log_format stream-main escape=none + '$remote_addr' + ' $remote_user' + ; + + access_log /dev/stdout stream-main; + # comment + + map_hash_max_size ; + + + include /etc/nginx/stream-conf.d/*.conf; +} + +--- + +[TestExecuteTemplate_ForMainForNGINXWithoutCustomTLSPassthroughPort - 1] +worker_processes auto; +worker_rlimit_nofile 65536; +worker_cpu_affinity auto; +worker_shutdown_timeout 1m; +daemon off; + +error_log stderr ; +pid /var/lib/nginx/nginx.pid; + +load_module modules/ngx_http_js_module.so; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + map_hash_max_size ; + map_hash_bucket_size ; + + + js_import /etc/nginx/njs/apikey_auth.js; + js_set $apikey_auth_hash apikey_auth.hash; + + log_format main escape=default + '$remote_addr' + ' $remote_user' + ; + + map $upstream_trailer_grpc_status $grpc_status { + default $upstream_trailer_grpc_status; + '' $sent_http_grpc_status; + } + access_log /dev/stdout main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65s; + keepalive_requests 100; + + #gzip on; + + server_names_hash_max_size 512; + + + variables_hash_bucket_size 256; + variables_hash_max_size 1024; + + map $request_uri $request_uri_no_args { + "~^(?P[^?]*)(\?.*)?$" $path; + } + + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + map $http_upgrade $vs_connection_header { + default upgrade; + '' $default_connection_header; + } + + server { + # required to support the Websocket protocol in 
VirtualServer/VirtualServerRoutes + set $default_connection_header ""; + set $resource_type ""; + set $resource_name ""; + set $resource_namespace ""; + set $service ""; + + listen 0 default_server;listen [::]:0 default_server; + listen unix:/var/lib/nginx/passthrough-https.sock ssl default_server proxy_protocol; + set_real_ip_from unix:; + real_ip_header proxy_protocol; + ssl_certificate /etc/nginx/secrets/default; + ssl_certificate_key /etc/nginx/secrets/default; + + server_name _; + server_tokens "off"; + + location / { + return ; + } + } + + include /etc/nginx/config-version.conf; + include /etc/nginx/conf.d/*.conf; + + server { + listen unix:/var/lib/nginx/nginx-502-server.sock; + access_log off; + + + + return 502; + } + + server { + listen unix:/var/lib/nginx/nginx-418-server.sock; + access_log off;return 418; + } +} + +stream { + log_format stream-main escape=none + '$remote_addr' + ' $remote_user' + ; + + access_log /dev/stdout stream-main; + # comment + + map_hash_max_size ; + + map $ssl_preread_server_name $dest_internal_passthrough { + default unix:/var/lib/nginx/passthrough-https.sock; + include /etc/nginx/tls-passthrough-hosts.conf; + } + + server { + listen 443; + listen [::]:443; + + + + + ssl_preread on; + + proxy_protocol on; + proxy_pass $dest_internal_passthrough; + } + + + include /etc/nginx/stream-conf.d/*.conf; +} + +--- + +[TestExecuteTemplate_ForMergeableIngressForNGINXMasterMinionsWithDifferentHeadersForProxySetHeadersAnnotation - 1] +# configuration for default/cafe-ingress-master + + +server { + + server_tokens ; + + server_name cafe.example.com; + + set $resource_type "ingress"; + set $resource_name "cafe-ingress-master"; + set $resource_namespace "default"; + location { + set $service ""; + # location for minion default/cafe-ingress-coffee-minion + set $resource_name "cafe-ingress-coffee-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + 
client_max_body_size ; + proxy_set_header X-Forwarded-Coffee "espresso"; + proxy_set_header X-Forwarded-ABC $http_x_forwarded_abc; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://; + + + } + + location { + set $service ""; + # location for minion default/cafe-ingress-tea-minion + set $resource_name "cafe-ingress-tea-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + client_max_body_size ; + proxy_set_header X-Forwarded-Tea "chai"; + proxy_set_header X-Forwarded-ABC $http_x_forwarded_abc; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://; + + + } + +} + +--- + +[TestExecuteTemplate_ForMergeableIngressForNGINXMasterMinionsWithMultipleDifferentHeadersForProxySetHeadersAnnotation - 1] +# configuration for default/cafe-ingress-master + + +server { + + server_tokens ; + + server_name cafe.example.com; + + set $resource_type "ingress"; + set $resource_name "cafe-ingress-master"; + set $resource_namespace "default"; + location { + set $service ""; + # location for minion default/cafe-ingress-coffee-minion + set $resource_name "cafe-ingress-coffee-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + client_max_body_size ; + proxy_set_header X-Forwarded-Coffee "espresso"; + proxy_set_header X-Forwarded-Minion "coffee"; + proxy_set_header Location "minion"; + 
proxy_set_header X-Forwarded-ABC $http_x_forwarded_abc; + proxy_set_header BVC $http_bvc; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://; + + + } + + location { + set $service ""; + # location for minion default/cafe-ingress-tea-minion + set $resource_name "cafe-ingress-tea-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + client_max_body_size ; + proxy_set_header X-Forwarded-Tea "chai"; + proxy_set_header X-Forwarded-ABC $http_x_forwarded_abc; + proxy_set_header BVC $http_bvc; + proxy_set_header Location "master"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://; + + + } + +} + +--- + +[TestExecuteTemplate_ForMergeableIngressForNGINXMasterWithAnnotationForProxySetHeadersAnnotation - 1] +# configuration for default/cafe-ingress-master + + +server { + + server_tokens ; + + server_name cafe.example.com; + + set $resource_type "ingress"; + set $resource_name "cafe-ingress-master"; + set $resource_namespace "default"; + location { + set $service ""; + # location for minion default/cafe-ingress-coffee-minion + set $resource_name "cafe-ingress-coffee-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + client_max_body_size ; + proxy_set_header X-Forwarded-ABC $http_x_forwarded_abc; + proxy_set_header Host $host; + proxy_set_header X-Real-IP 
$remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://; + + + } + + location { + set $service ""; + # location for minion default/cafe-ingress-tea-minion + set $resource_name "cafe-ingress-tea-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + client_max_body_size ; + proxy_set_header X-Forwarded-ABC $http_x_forwarded_abc; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://; + + + } + +} + +--- + +[TestExecuteTemplate_ForMergeableIngressForNGINXMasterWithoutAnnotationMinionsWithCustomValuesProxySetHeadersAnnotation - 1] +# configuration for default/cafe-ingress-master + + +server { + + server_tokens ; + + server_name cafe.example.com; + + set $resource_type "ingress"; + set $resource_name "cafe-ingress-master"; + set $resource_namespace "default"; + location { + set $service ""; + # location for minion default/cafe-ingress-coffee-minion + set $resource_name "cafe-ingress-coffee-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + client_max_body_size ; + proxy_set_header X-Forwarded-Minion "coffee"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://; + 
+ + } + + location { + set $service ""; + # location for minion default/cafe-ingress-tea-minion + set $resource_name "cafe-ingress-tea-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + client_max_body_size ; + proxy_set_header X-Forwarded-Minion "tea"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://; + + + } + +} + +--- + +[TestExecuteTemplate_ForMergeableIngressForNGINXMasterWithoutAnnotationMinionsWithDefaultValuesWithProxySetHeadersAnnotation - 1] +# configuration for default/cafe-ingress-master + + +server { + + server_tokens ; + + server_name cafe.example.com; + + set $resource_type "ingress"; + set $resource_name "cafe-ingress-master"; + set $resource_namespace "default"; + location { + set $service ""; + # location for minion default/cafe-ingress-coffee-minion + set $resource_name "cafe-ingress-coffee-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + client_max_body_size ; + proxy_set_header X-Forwarded-Coffee $http_x_forwarded_coffee; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://; + + + } + + location { + set $service ""; + # location for minion default/cafe-ingress-tea-minion + set $resource_name "cafe-ingress-tea-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + proxy_connect_timeout ; + proxy_read_timeout ; 
+ proxy_send_timeout ; + client_max_body_size ; + proxy_set_header X-Forwarded-Tea $http_x_forwarded_tea; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://; + + + } + +} + +--- + +[TestExecuteTemplate_ForMergeableIngressForNGINXMasterWithoutAnnotationMinionsWithDifferentHeadersForProxySetHeadersAnnotation - 1] +# configuration for default/cafe-ingress-master + + +server { + + server_tokens ; + + server_name cafe.example.com; + + set $resource_type "ingress"; + set $resource_name "cafe-ingress-master"; + set $resource_namespace "default"; + location { + set $service ""; + # location for minion default/cafe-ingress-coffee-minion + set $resource_name "cafe-ingress-coffee-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + client_max_body_size ; + proxy_set_header X-Forwarded-Coffee "mocha"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://; + + + } + + location { + set $service ""; + # location for minion default/cafe-ingress-tea-minion + set $resource_name "cafe-ingress-tea-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + client_max_body_size ; + proxy_set_header X-Forwarded-Tea "green"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header 
X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://; + + + } + +} + +--- + +[TestExecuteTemplate_ForMergeableIngressForNGINXPlus - 1] +# configuration for default/cafe-ingress-master +upstream default-cafe-ingress-coffee-minion-cafe.example.com-coffee-svc-80 { + zone default-cafe-ingress-coffee-minion-cafe.example.com-coffee-svc-80 512k; + random two least_conn; + server 10.0.0.1:80 max_fails=1 fail_timeout=10s max_conns=0; +} +upstream default-cafe-ingress-tea-minion-cafe.example.com-tea-svc-80 { + zone default-cafe-ingress-tea-minion-cafe.example.com-tea-svc-80 512k; + random two least_conn; + server 10.0.0.2:80 max_fails=1 fail_timeout=10s max_conns=0; +} + + + + +server { + listen 80;listen [::]:80; + listen 443 ssl;listen [::]:443 ssl; + ssl_certificate /etc/nginx/secrets/default-cafe-secret; + ssl_certificate_key /etc/nginx/secrets/default-cafe-secret; + + server_tokens "on"; + + server_name cafe.example.com; + + status_zone cafe.example.com; + set $resource_type "ingress"; + set $resource_name "cafe-ingress-master"; + set $resource_namespace "default"; + + + if ($scheme = http) { + return 301 https://$host:443$request_uri; + } + + + location /coffee { + set $service "coffee-svc"; + status_zone "coffee-svc"; + # location for minion default/cafe-ingress-coffee-minion + set $resource_name "cafe-ingress-coffee-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + + proxy_connect_timeout 60s; + proxy_read_timeout 60s; + proxy_send_timeout 60s; + client_max_body_size 1m; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering on; + proxy_pass 
http://default-cafe-ingress-coffee-minion-cafe.example.com-coffee-svc-80; + + + } + + location /tea { + set $service "tea-svc"; + status_zone "tea-svc"; + # location for minion default/cafe-ingress-tea-minion + set $resource_name "cafe-ingress-tea-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + + proxy_connect_timeout 60s; + proxy_read_timeout 60s; + proxy_send_timeout 60s; + client_max_body_size 1m; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering on; + proxy_pass http://default-cafe-ingress-tea-minion-cafe.example.com-tea-svc-80; + + + } + +} + +--- + +[TestExecuteTemplate_ForMergeableIngressForNGINXPlusWithMasterPathRegex - 1] +# configuration for default/cafe-ingress-master +upstream default-cafe-ingress-coffee-minion-cafe.example.com-coffee-svc-80 { + zone default-cafe-ingress-coffee-minion-cafe.example.com-coffee-svc-80 512k; + random two least_conn; + server 10.0.0.1:80 max_fails=1 fail_timeout=10s max_conns=0; +} +upstream default-cafe-ingress-tea-minion-cafe.example.com-tea-svc-80 { + zone default-cafe-ingress-tea-minion-cafe.example.com-tea-svc-80 512k; + random two least_conn; + server 10.0.0.2:80 max_fails=1 fail_timeout=10s max_conns=0; +} + + + + +server { + listen 80;listen [::]:80; + listen 443 ssl;listen [::]:443 ssl; + ssl_certificate /etc/nginx/secrets/default-cafe-secret; + ssl_certificate_key /etc/nginx/secrets/default-cafe-secret; + + server_tokens "on"; + + server_name cafe.example.com; + + status_zone cafe.example.com; + set $resource_type "ingress"; + set $resource_name "cafe-ingress-master"; + set $resource_namespace "default"; + + + if ($scheme = http) { + return 301 https://$host:443$request_uri; + } + + + location /coffee { + set $service "coffee-svc"; + status_zone 
"coffee-svc"; + # location for minion default/cafe-ingress-coffee-minion + set $resource_name "cafe-ingress-coffee-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + + proxy_connect_timeout 60s; + proxy_read_timeout 60s; + proxy_send_timeout 60s; + client_max_body_size 1m; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering on; + proxy_pass http://default-cafe-ingress-coffee-minion-cafe.example.com-coffee-svc-80; + + + } + + location /tea { + set $service "tea-svc"; + status_zone "tea-svc"; + # location for minion default/cafe-ingress-tea-minion + set $resource_name "cafe-ingress-tea-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + + proxy_connect_timeout 60s; + proxy_read_timeout 60s; + proxy_send_timeout 60s; + client_max_body_size 1m; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering on; + proxy_pass http://default-cafe-ingress-tea-minion-cafe.example.com-tea-svc-80; + + + } + +} + +--- + +[TestExecuteTemplate_ForMergeableIngressForNGINXPlusWithPathRegexAnnotationOnMaster - 1] +# configuration for default/cafe-ingress-master +upstream default-cafe-ingress-coffee-minion-cafe.example.com-coffee-svc-80 { + zone default-cafe-ingress-coffee-minion-cafe.example.com-coffee-svc-80 512k; + random two least_conn; + server 10.0.0.1:80 max_fails=1 fail_timeout=10s max_conns=0; +} +upstream default-cafe-ingress-tea-minion-cafe.example.com-tea-svc-80 { + zone default-cafe-ingress-tea-minion-cafe.example.com-tea-svc-80 512k; + random two least_conn; 
+ server 10.0.0.2:80 max_fails=1 fail_timeout=10s max_conns=0; +} + + + + +server { + listen 80;listen [::]:80; + listen 443 ssl;listen [::]:443 ssl; + ssl_certificate /etc/nginx/secrets/default-cafe-secret; + ssl_certificate_key /etc/nginx/secrets/default-cafe-secret; + + server_tokens "on"; + + server_name cafe.example.com; + + status_zone cafe.example.com; + set $resource_type "ingress"; + set $resource_name "cafe-ingress-master"; + set $resource_namespace "default"; + + + if ($scheme = http) { + return 301 https://$host:443$request_uri; + } + + + location /coffee { + set $service "coffee-svc"; + status_zone "coffee-svc"; + # location for minion default/cafe-ingress-coffee-minion + set $resource_name "cafe-ingress-coffee-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + + proxy_connect_timeout 60s; + proxy_read_timeout 60s; + proxy_send_timeout 60s; + client_max_body_size 1m; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering on; + proxy_pass http://default-cafe-ingress-coffee-minion-cafe.example.com-coffee-svc-80; + + + } + + location /tea { + set $service "tea-svc"; + status_zone "tea-svc"; + # location for minion default/cafe-ingress-tea-minion + set $resource_name "cafe-ingress-tea-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + + proxy_connect_timeout 60s; + proxy_read_timeout 60s; + proxy_send_timeout 60s; + client_max_body_size 1m; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering on; + proxy_pass 
http://default-cafe-ingress-tea-minion-cafe.example.com-tea-svc-80; + + + } + +} + +--- + +[TestExecuteTemplate_ForMergeableIngressForNGINXPlusWithPathRegexAnnotationOnMasterAndMinions - 1] +# configuration for default/cafe-ingress-master +upstream default-cafe-ingress-coffee-minion-cafe.example.com-coffee-svc-80 { + zone default-cafe-ingress-coffee-minion-cafe.example.com-coffee-svc-80 512k; + random two least_conn; + server 10.0.0.1:80 max_fails=1 fail_timeout=10s max_conns=0; +} +upstream default-cafe-ingress-tea-minion-cafe.example.com-tea-svc-80 { + zone default-cafe-ingress-tea-minion-cafe.example.com-tea-svc-80 512k; + random two least_conn; + server 10.0.0.2:80 max_fails=1 fail_timeout=10s max_conns=0; +} + + + + +server { + listen 80;listen [::]:80; + listen 443 ssl;listen [::]:443 ssl; + ssl_certificate /etc/nginx/secrets/default-cafe-secret; + ssl_certificate_key /etc/nginx/secrets/default-cafe-secret; + + server_tokens "on"; + + server_name cafe.example.com; + + status_zone cafe.example.com; + set $resource_type "ingress"; + set $resource_name "cafe-ingress-master"; + set $resource_namespace "default"; + + + if ($scheme = http) { + return 301 https://$host:443$request_uri; + } + + + location ~* "^/coffee" { + set $service "coffee-svc"; + status_zone "coffee-svc"; + # location for minion default/cafe-ingress-coffee-minion + set $resource_name "cafe-ingress-coffee-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + + proxy_connect_timeout 60s; + proxy_read_timeout 60s; + proxy_send_timeout 60s; + client_max_body_size 1m; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering on; + proxy_pass http://default-cafe-ingress-coffee-minion-cafe.example.com-coffee-svc-80; + + + } + + location ~* "^/tea" { 
+ set $service "tea-svc"; + status_zone "tea-svc"; + # location for minion default/cafe-ingress-tea-minion + set $resource_name "cafe-ingress-tea-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + + proxy_connect_timeout 60s; + proxy_read_timeout 60s; + proxy_send_timeout 60s; + client_max_body_size 1m; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering on; + proxy_pass http://default-cafe-ingress-tea-minion-cafe.example.com-tea-svc-80; + + + } + +} + +--- + +[TestExecuteTemplate_ForMergeableIngressForNGINXPlusWithPathRegexAnnotationOnMinionsNotOnMaster - 1] +# configuration for default/cafe-ingress-master +upstream default-cafe-ingress-coffee-minion-cafe.example.com-coffee-svc-80 { + zone default-cafe-ingress-coffee-minion-cafe.example.com-coffee-svc-80 512k; + random two least_conn; + server 10.0.0.1:80 max_fails=1 fail_timeout=10s max_conns=0; +} +upstream default-cafe-ingress-tea-minion-cafe.example.com-tea-svc-80 { + zone default-cafe-ingress-tea-minion-cafe.example.com-tea-svc-80 512k; + random two least_conn; + server 10.0.0.2:80 max_fails=1 fail_timeout=10s max_conns=0; +} + + + + +server { + listen 80;listen [::]:80; + listen 443 ssl;listen [::]:443 ssl; + ssl_certificate /etc/nginx/secrets/default-cafe-secret; + ssl_certificate_key /etc/nginx/secrets/default-cafe-secret; + + server_tokens "on"; + + server_name cafe.example.com; + + status_zone cafe.example.com; + set $resource_type "ingress"; + set $resource_name "cafe-ingress-master"; + set $resource_namespace "default"; + + + if ($scheme = http) { + return 301 https://$host:443$request_uri; + } + + + location ~* "^/coffee" { + set $service "coffee-svc"; + status_zone "coffee-svc"; + # location for minion default/cafe-ingress-coffee-minion + 
set $resource_name "cafe-ingress-coffee-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + + proxy_connect_timeout 60s; + proxy_read_timeout 60s; + proxy_send_timeout 60s; + client_max_body_size 1m; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering on; + proxy_pass http://default-cafe-ingress-coffee-minion-cafe.example.com-coffee-svc-80; + + + } + + location ~ "^/tea" { + set $service "tea-svc"; + status_zone "tea-svc"; + # location for minion default/cafe-ingress-tea-minion + set $resource_name "cafe-ingress-tea-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + + proxy_connect_timeout 60s; + proxy_read_timeout 60s; + proxy_send_timeout 60s; + client_max_body_size 1m; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering on; + proxy_pass http://default-cafe-ingress-tea-minion-cafe.example.com-tea-svc-80; + + + } + +} + +--- + +[TestExecuteTemplate_ForMergeableIngressForNGINXWithProxySetHeadersAnnotationForMinionOverrideMaster - 1] +# configuration for default/cafe-ingress-master + + +server { + + server_tokens ; + + server_name cafe.example.com; + + set $resource_type "ingress"; + set $resource_name "cafe-ingress-master"; + set $resource_namespace "default"; + location { + set $service ""; + # location for minion default/cafe-ingress-coffee-minion + set $resource_name "cafe-ingress-coffee-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + 
client_max_body_size ; + proxy_set_header X-Forwarded-ABC "coffee"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://; + + + } + + location { + set $service ""; + # location for minion default/cafe-ingress-tea-minion + set $resource_name "cafe-ingress-tea-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + client_max_body_size ; + proxy_set_header X-Forwarded-ABC $http_x_forwarded_abc; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_pass http://; + + + } + +} + +--- + +[TestExecuteTemplate_ForMergeableIngressForProxySetHeaderAnnotation - 1] +# configuration for default/cafe-ingress-master +upstream default-cafe-ingress-coffee-minion-cafe.example.com-coffee-svc-80 { + zone default-cafe-ingress-coffee-minion-cafe.example.com-coffee-svc-80 512k; + random two least_conn; + server 10.0.0.1:80 max_fails=1 fail_timeout=10s max_conns=0; +} +upstream default-cafe-ingress-tea-minion-cafe.example.com-tea-svc-80 { + zone default-cafe-ingress-tea-minion-cafe.example.com-tea-svc-80 512k; + random two least_conn; + server 10.0.0.2:80 max_fails=1 fail_timeout=10s max_conns=0; +} + + + + +server { + listen 80;listen [::]:80; + listen 443 ssl;listen [::]:443 ssl; + ssl_certificate /etc/nginx/secrets/default-cafe-secret; + ssl_certificate_key /etc/nginx/secrets/default-cafe-secret; + + server_tokens "on"; + + server_name cafe.example.com; + + status_zone cafe.example.com; 
+ set $resource_type "ingress"; + set $resource_name "cafe-ingress-master"; + set $resource_namespace "default"; + + + if ($scheme = http) { + return 301 https://$host:443$request_uri; + } + + + location /coffee { + set $service "coffee-svc"; + status_zone "coffee-svc"; + # location for minion default/cafe-ingress-coffee-minion + set $resource_name "cafe-ingress-coffee-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + + proxy_connect_timeout 60s; + proxy_read_timeout 60s; + proxy_send_timeout 60s; + client_max_body_size 1m; + + proxy_set_header X-Forwarded-ABC "coffee"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering on; + proxy_pass http://default-cafe-ingress-coffee-minion-cafe.example.com-coffee-svc-80; + + + } + + location /tea { + set $service "tea-svc"; + status_zone "tea-svc"; + # location for minion default/cafe-ingress-tea-minion + set $resource_name "cafe-ingress-tea-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + + proxy_connect_timeout 60s; + proxy_read_timeout 60s; + proxy_send_timeout 60s; + client_max_body_size 1m; + + proxy_set_header X-Forwarded-ABC "tea"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering on; + proxy_pass http://default-cafe-ingress-tea-minion-cafe.example.com-tea-svc-80; + + + } + +} + +--- + +[TestExecuteTemplate_ForMergeableIngressWithOneMinionWithPathRegexAnnotation - 1] +# configuration for default/cafe-ingress-master +upstream default-cafe-ingress-coffee-minion-cafe.example.com-coffee-svc-80 { + 
zone default-cafe-ingress-coffee-minion-cafe.example.com-coffee-svc-80 512k; + random two least_conn; + server 10.0.0.1:80 max_fails=1 fail_timeout=10s max_conns=0; +} +upstream default-cafe-ingress-tea-minion-cafe.example.com-tea-svc-80 { + zone default-cafe-ingress-tea-minion-cafe.example.com-tea-svc-80 512k; + random two least_conn; + server 10.0.0.2:80 max_fails=1 fail_timeout=10s max_conns=0; +} + + + + +server { + listen 80;listen [::]:80; + listen 443 ssl;listen [::]:443 ssl; + ssl_certificate /etc/nginx/secrets/default-cafe-secret; + ssl_certificate_key /etc/nginx/secrets/default-cafe-secret; + + server_tokens "on"; + + server_name cafe.example.com; + + status_zone cafe.example.com; + set $resource_type "ingress"; + set $resource_name "cafe-ingress-master"; + set $resource_namespace "default"; + + + if ($scheme = http) { + return 301 https://$host:443$request_uri; + } + + + location ~* "^/coffee" { + set $service "coffee-svc"; + status_zone "coffee-svc"; + # location for minion default/cafe-ingress-coffee-minion + set $resource_name "cafe-ingress-coffee-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + + proxy_connect_timeout 60s; + proxy_read_timeout 60s; + proxy_send_timeout 60s; + client_max_body_size 1m; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering on; + proxy_pass http://default-cafe-ingress-coffee-minion-cafe.example.com-coffee-svc-80; + + + } + + location /tea { + set $service "tea-svc"; + status_zone "tea-svc"; + # location for minion default/cafe-ingress-tea-minion + set $resource_name "cafe-ingress-tea-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + + proxy_connect_timeout 60s; + proxy_read_timeout 60s; + proxy_send_timeout 60s; + client_max_body_size 
1m; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering on; + proxy_pass http://default-cafe-ingress-tea-minion-cafe.example.com-tea-svc-80; + + + } + +} + +--- + +[TestExecuteTemplate_ForMergeableIngressWithSecondMinionWithPathRegexAnnotation - 1] +# configuration for default/cafe-ingress-master +upstream default-cafe-ingress-coffee-minion-cafe.example.com-coffee-svc-80 { + zone default-cafe-ingress-coffee-minion-cafe.example.com-coffee-svc-80 512k; + random two least_conn; + server 10.0.0.1:80 max_fails=1 fail_timeout=10s max_conns=0; +} +upstream default-cafe-ingress-tea-minion-cafe.example.com-tea-svc-80 { + zone default-cafe-ingress-tea-minion-cafe.example.com-tea-svc-80 512k; + random two least_conn; + server 10.0.0.2:80 max_fails=1 fail_timeout=10s max_conns=0; +} + + + + +server { + listen 80;listen [::]:80; + listen 443 ssl;listen [::]:443 ssl; + ssl_certificate /etc/nginx/secrets/default-cafe-secret; + ssl_certificate_key /etc/nginx/secrets/default-cafe-secret; + + server_tokens "on"; + + server_name cafe.example.com; + + status_zone cafe.example.com; + set $resource_type "ingress"; + set $resource_name "cafe-ingress-master"; + set $resource_namespace "default"; + + + if ($scheme = http) { + return 301 https://$host:443$request_uri; + } + + + location /coffee { + set $service "coffee-svc"; + status_zone "coffee-svc"; + # location for minion default/cafe-ingress-coffee-minion + set $resource_name "cafe-ingress-coffee-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + + proxy_connect_timeout 60s; + proxy_read_timeout 60s; + proxy_send_timeout 60s; + client_max_body_size 1m; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering on; + proxy_pass http://default-cafe-ingress-coffee-minion-cafe.example.com-coffee-svc-80; + + + } + + location ~ "^/tea" { + set $service "tea-svc"; + status_zone "tea-svc"; + # location for minion default/cafe-ingress-tea-minion + set $resource_name "cafe-ingress-tea-minion"; + set $resource_namespace "default"; + proxy_http_version 1.1; + + proxy_connect_timeout 60s; + proxy_read_timeout 60s; + proxy_send_timeout 60s; + client_max_body_size 1m; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering on; + proxy_pass http://default-cafe-ingress-tea-minion-cafe.example.com-tea-svc-80; + + + } + +} + +--- diff --git a/internal/configs/version1/template_test.go b/internal/configs/version1/template_test.go index b7457b3373..ef5c9f020e 100644 --- a/internal/configs/version1/template_test.go +++ b/internal/configs/version1/template_test.go @@ -2,14 +2,25 @@ package version1 import ( "bytes" + "os" "strconv" "strings" "testing" "text/template" + "github.com/gkampitakis/go-snaps/snaps" "github.com/nginxinc/kubernetes-ingress/internal/nginx" ) +func TestMain(m *testing.M) { + v := m.Run() + + // After all tests have run `go-snaps` will sort snapshots + snaps.Clean(m, snaps.CleanOpts{Sort: true}) + + os.Exit(v) +} + func TestExecuteMainTemplateForNGINXPlus(t *testing.T) { t.Parallel() @@ -20,6 +31,7 @@ func TestExecuteMainTemplateForNGINXPlus(t *testing.T) { if err != nil { t.Error(err) } + snaps.MatchSnapshot(t, buf.String()) t.Log(buf.String()) } 
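Review bot: TestMain, added in the first hunk of template_test.go, has only an inline remark about sorting, so the test file never says how the `.snap` files are regenerated or that a regenerated snapshot needs the same review as code. The snapshots pin rendered TLS, redirect and proxy-header directives, so an update accepted without reading the diff can carry a config regression into the expected output. I would add a doc comment above the function, for example `// TestMain runs the package tests and then lets go-snaps sort the snapshot file; regenerate snapshots with "make test-update-snaps" and review the resulting .snap diff.`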
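Review bot: In TestExecuteMainTemplateForNGINXPlus the added `snaps.MatchSnapshot(t, buf.String())` is reached even when template execution failed, because the check just above it uses `t.Error(err)`, which does not stop the test. In a run with `UPDATE_SNAPS=true` that would presumably record truncated or empty output as the expected snapshot, and a normal run reports a second, misleading snapshot mismatch. The hunks for TestExecuteMainTemplateForNGINXPlusR31 and TestExecuteMainTemplateForNGINX have the same shape, while the later ingress tests already use `t.Fatal(err)`. I would change the three checks to `t.Fatal(err)`; the trailing `t.Log(buf.String())` also looks redundant once the output is in the snapshot. Each function body starts outside its hunk.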
@@ -33,6 +45,7 @@ func TestExecuteMainTemplateForNGINXPlusR31(t *testing.T) { if err != nil { t.Error(err) } + snaps.MatchSnapshot(t, buf.String()) t.Log(buf.String()) } @@ -46,6 +59,7 @@ func TestExecuteMainTemplateForNGINX(t *testing.T) { if err != nil { t.Error(err) } + snaps.MatchSnapshot(t, buf.String()) t.Log(buf.String()) } @@ -60,6 +74,7 @@ func TestExecuteTemplate_ForIngressForNGINXPlus(t *testing.T) { if err != nil { t.Fatal(err) } + snaps.MatchSnapshot(t, buf.String()) } func TestExecuteTemplate_ForIngressForNGINX(t *testing.T) { @@ -73,6 +88,7 @@ func TestExecuteTemplate_ForIngressForNGINX(t *testing.T) { if err != nil { t.Fatal(err) } + snaps.MatchSnapshot(t, buf.String()) } func TestExecuteTemplate_ForIngressForNGINXPlusWithRegexAnnotationCaseSensitiveModifier(t *testing.T) { @@ -91,6 +107,7 @@ func TestExecuteTemplate_ForIngressForNGINXPlusWithRegexAnnotationCaseSensitiveM if !strings.Contains(buf.String(), wantLocation) { t.Errorf("want %q in generated config", wantLocation) } + snaps.MatchSnapshot(t, buf.String()) } func TestExecuteTemplate_ForIngressForNGINXPlusWithRegexAnnotationCaseInsensitiveModifier(t *testing.T) { @@ -109,6 +126,7 @@ func TestExecuteTemplate_ForIngressForNGINXPlusWithRegexAnnotationCaseInsensitiv if !strings.Contains(buf.String(), wantLocation) { t.Errorf("want %q in generated config", wantLocation) } + snaps.MatchSnapshot(t, buf.String()) } func TestExecuteTemplate_ForIngressForNGINXPlusWithRegexAnnotationExactMatchModifier(t *testing.T) { @@ -127,6 +145,7 @@ func TestExecuteTemplate_ForIngressForNGINXPlusWithRegexAnnotationExactMatchModi if !strings.Contains(buf.String(), wantLocation) { t.Errorf("want %q in generated config", wantLocation) } + snaps.MatchSnapshot(t, buf.String()) } func TestExecuteTemplate_ForIngressForNGINXPlusWithRegexAnnotationEmpty(t *testing.T) { 
@@ -145,6 +164,7 @@ func TestExecuteTemplate_ForIngressForNGINXPlusWithRegexAnnotationEmpty(t *testi if !strings.Contains(buf.String(), wantLocation) { t.Errorf("want %q in generated config", wantLocation) } + snaps.MatchSnapshot(t, buf.String()) } func TestExecuteTemplate_ForMergeableIngressForNGINXPlus(t *testing.T) { @@ -166,6 +186,7 @@ func TestExecuteTemplate_ForMergeableIngressForNGINXPlus(t *testing.T) { if !strings.Contains(buf.String(), want) { t.Errorf("want %q in generated config", want) } + snaps.MatchSnapshot(t, buf.String()) } func TestExecuteTemplate_ForMergeableIngressForNGINXPlusWithMasterPathRegex(t *testing.T) { @@ -187,6 +208,7 @@ func TestExecuteTemplate_ForMergeableIngressForNGINXPlusWithMasterPathRegex(t *t if !strings.Contains(buf.String(), want) { t.Errorf("want %q in generated config", want) } + snaps.MatchSnapshot(t, buf.String()) } func TestExecuteTemplate_ForMergeableIngressWithOneMinionWithPathRegexAnnotation(t *testing.T) { @@ -210,6 +232,7 @@ func TestExecuteTemplate_ForMergeableIngressWithOneMinionWithPathRegexAnnotation if !strings.Contains(buf.String(), want) { t.Errorf("want %q in generated config", want) } + snaps.MatchSnapshot(t, buf.String()) } func TestExecuteTemplate_ForMergeableIngressWithSecondMinionWithPathRegexAnnotation(t *testing.T) { @@ -233,6 +256,7 @@ func TestExecuteTemplate_ForMergeableIngressWithSecondMinionWithPathRegexAnnotat if !strings.Contains(buf.String(), want) { t.Errorf("want %q in generated config", want) } + snaps.MatchSnapshot(t, buf.String()) } func TestExecuteTemplate_ForMergeableIngressForNGINXPlusWithPathRegexAnnotationOnMaster(t *testing.T) { @@ -255,6 +279,7 @@ func TestExecuteTemplate_ForMergeableIngressForNGINXPlusWithPathRegexAnnotationO if !strings.Contains(buf.String(), want) { t.Errorf("want %q in generated config", want) } + snaps.MatchSnapshot(t, buf.String()) } func TestExecuteTemplate_ForMergeableIngressForNGINXPlusWithPathRegexAnnotationOnMasterAndMinions(t *testing.T) { 
@@ -277,6 +302,7 @@ func TestExecuteTemplate_ForMergeableIngressForNGINXPlusWithPathRegexAnnotationO if !strings.Contains(buf.String(), want) { t.Errorf("did not get %q in generated config", want) } + snaps.MatchSnapshot(t, buf.String()) } func TestExecuteTemplate_ForMergeableIngressForNGINXPlusWithPathRegexAnnotationOnMinionsNotOnMaster(t *testing.T) { @@ -299,6 +325,7 @@ func TestExecuteTemplate_ForMergeableIngressForNGINXPlusWithPathRegexAnnotationO if !strings.Contains(buf.String(), want) { t.Errorf("want %q in generated config", want) } + snaps.MatchSnapshot(t, buf.String()) } func TestExecuteTemplate_ForMainForNGINXWithCustomTLSPassthroughPort(t *testing.T) { @@ -325,6 +352,7 @@ func TestExecuteTemplate_ForMainForNGINXWithCustomTLSPassthroughPort(t *testing. t.Errorf("want %q in generated config", want) } } + snaps.MatchSnapshot(t, buf.String()) } func TestExecuteTemplate_ForMainForNGINXPlusWithCustomTLSPassthroughPort(t *testing.T) { @@ -351,6 +379,7 @@ func TestExecuteTemplate_ForMainForNGINXPlusWithCustomTLSPassthroughPort(t *test t.Errorf("want %q in generated config", want) } } + snaps.MatchSnapshot(t, buf.String()) } func TestExecuteTemplate_ForMainForNGINXWithoutCustomTLSPassthroughPort(t *testing.T) { @@ -377,6 +406,7 @@ func TestExecuteTemplate_ForMainForNGINXWithoutCustomTLSPassthroughPort(t *testi t.Errorf("want %q in generated config", want) } } + snaps.MatchSnapshot(t, buf.String()) } func TestExecuteTemplate_ForMainForNGINXPlusWithoutCustomTLSPassthroughPort(t *testing.T) { @@ -403,6 +433,7 @@ func TestExecuteTemplate_ForMainForNGINXPlusWithoutCustomTLSPassthroughPort(t *t t.Errorf("want %q in generated config", want) } } + snaps.MatchSnapshot(t, buf.String()) } func TestExecuteTemplate_ForMainForNGINXTLSPassthroughDisabled(t *testing.T) { 
@@ -429,6 +460,7 @@ func TestExecuteTemplate_ForMainForNGINXTLSPassthroughDisabled(t *testing.T) {
 t.Errorf("unwant %q in generated config", want)
 }
 }
+ snaps.MatchSnapshot(t, buf.String())
 }
 func TestExecuteTemplate_ForMainForNGINXPlusTLSPassthroughPortDisabled(t *testing.T) {
@@ -455,6 +487,7 @@ func TestExecuteTemplate_ForMainForNGINXPlusTLSPassthroughPortDisabled(t *testin
 t.Errorf("unwant %q in generated config", want)
 }
 }
+ snaps.MatchSnapshot(t, buf.String())
 }
 func TestExecuteTemplate_ForMainForNGINXWithCustomDefaultHTTPAndHTTPSListenerPorts(t *testing.T) {
@@ -483,6 +516,7 @@ func TestExecuteTemplate_ForMainForNGINXWithCustomDefaultHTTPAndHTTPSListenerPor
 t.Errorf("want %q in generated config", want)
 }
 }
+ snaps.MatchSnapshot(t, buf.String())
 }
 func TestExecuteTemplate_ForMainForNGINXPlusWithCustomDefaultHTTPAndHTTPSListenerPorts(t *testing.T) {
@@ -511,6 +545,7 @@ func TestExecuteTemplate_ForMainForNGINXPlusWithCustomDefaultHTTPAndHTTPSListene
 t.Errorf("want %q in generated config", want)
 }
 }
+ snaps.MatchSnapshot(t, buf.String())
 }
 func TestExecuteTemplate_ForMainForNGINXWithoutCustomDefaultHTTPAndHTTPSListenerPorts(t *testing.T) {
@@ -539,6 +574,7 @@ func TestExecuteTemplate_ForMainForNGINXWithoutCustomDefaultHTTPAndHTTPSListener
 t.Errorf("want %q in generated config", want)
 }
 }
+ snaps.MatchSnapshot(t, buf.String())
 }
 func TestExecuteTemplate_ForMainForNGINXPlusWithoutCustomDefaultHTTPAndHTTPSListenerPorts(t *testing.T) {
@@ -567,6 +603,7 @@ func TestExecuteTemplate_ForMainForNGINXPlusWithoutCustomDefaultHTTPAndHTTPSList
 t.Errorf("want %q in generated config", want)
 }
 }
+ snaps.MatchSnapshot(t, buf.String())
 }
 func TestExecuteTemplate_ForMainForNGINXWithCustomDefaultHTTPListenerPort(t *testing.T) {
@@ -595,6 +632,7 @@ func TestExecuteTemplate_ForMainForNGINXWithCustomDefaultHTTPListenerPort(t *tes
 t.Errorf("want %q in generated config", want)
 }
 }
+ snaps.MatchSnapshot(t, buf.String())
 }
 func TestExecuteTemplate_ForMainForNGINXWithCustomDefaultHTTPSListenerPort(t *testing.T) {
@@ -623,6 +661,7 @@ func TestExecuteTemplate_ForMainForNGINXWithCustomDefaultHTTPSListenerPort(t *te
 t.Errorf("want %q in generated config", want)
 }
 }
+ snaps.MatchSnapshot(t, buf.String())
 }
 func TestExecuteTemplate_ForMainForNGINXPlusWithCustomDefaultHTTPListenerPort(t *testing.T) {
@@ -651,6 +690,7 @@ func TestExecuteTemplate_ForMainForNGINXPlusWithCustomDefaultHTTPListenerPort(t
 t.Errorf("want %q in generated config", want)
 }
 }
+ snaps.MatchSnapshot(t, buf.String())
 }
 func TestExecuteTemplate_ForMainForNGINXPlusWithCustomDefaultHTTPSListenerPort(t *testing.T) {
@@ -679,6 +719,7 @@ func TestExecuteTemplate_ForMainForNGINXPlusWithCustomDefaultHTTPSListenerPort(t
 t.Errorf("want %q in generated config", want)
 }
 }
+ snaps.MatchSnapshot(t, buf.String())
 }
 func TestExecuteTemplate_ForMainForNGINXWithHTTP2On(t *testing.T) {
@@ -717,6 +758,7 @@ func TestExecuteTemplate_ForMainForNGINXWithHTTP2On(t *testing.T) {
 t.Errorf("want %q in generated config", want)
 }
 }
+ snaps.MatchSnapshot(t, buf.String())
 }
 func TestExecuteTemplate_ForMainForNGINXPlusWithHTTP2On(t *testing.T) {
@@ -755,6 +797,7 @@ func TestExecuteTemplate_ForMainForNGINXPlusWithHTTP2On(t *testing.T) {
 t.Errorf("want %q in generated config", want)
 }
 }
+ snaps.MatchSnapshot(t, buf.String())
 }
 func TestExecuteTemplate_ForMainForNGINXWithHTTP2Off(t *testing.T) {
@@ -791,6 +834,7 @@ func TestExecuteTemplate_ForMainForNGINXWithHTTP2Off(t *testing.T) {
 t.Errorf("want %q in generated config", want)
 }
 }
+ snaps.MatchSnapshot(t, buf.String())
 }
 func TestExecuteTemplate_ForMainForNGINXPlusWithHTTP2Off(t *testing.T) {
@@ -827,6 +871,7 @@ func TestExecuteTemplate_ForMainForNGINXPlusWithHTTP2Off(t *testing.T) {
 t.Errorf("want %q in generated config", want)
 }
 }
+ snaps.MatchSnapshot(t, buf.String())
 }
 func TestExecuteTemplate_ForIngressForNGINXWithProxySetHeadersAnnotationWithDefaultValue(t *testing.T) {
@@ -873,6 +918,7 @@ func TestExecuteTemplate_ForIngressForNGINXWithProxySetHeadersAnnotationWithDefa
 t.Errorf("expected header %q not found in generated tea config", wantHeader)
 }
 }
+ snaps.MatchSnapshot(t, buf.String())
 }
 }
@@ -920,6 +966,7 @@ func TestExecuteTemplate_ForIngressForNGINXMasterWithProxySetHeadersAnnotationWi
 t.Errorf("expected header %q not found in generated tea config", wantHeader)
 }
 }
+ snaps.MatchSnapshot(t, buf.String())
 }
 }
@@ -975,6 +1022,7 @@ func TestExecuteTemplate_ForMergeableIngressForNGINXMasterWithoutAnnotationMinio
 t.Errorf("expected header %q not found in generated tea config", wantHeader)
 }
 }
+ snaps.MatchSnapshot(t, buf.String())
 }
 }
@@ -994,6 +1042,7 @@ func TestExecuteTemplate_ForMergeableIngressForProxySetHeaderAnnotation(t *testi
 if !strings.Contains(buf.String(), wantHeader) {
 t.Errorf("expected header %q not found in generated coffee config", wantHeader)
 }
+ snaps.MatchSnapshot(t, buf.String())
 }
 func TestExecuteTemplate_ForMergeableIngressForNGINXMasterWithoutAnnotationMinionsWithCustomValuesProxySetHeadersAnnotation(t *testing.T) {
@@ -1048,6 +1097,7 @@ func TestExecuteTemplate_ForMergeableIngressForNGINXMasterWithoutAnnotationMinio
 t.Errorf("expected header %q not found in generated tea config", wantHeader)
 }
 }
+ snaps.MatchSnapshot(t, buf.String())
 }
 }
@@ -1103,6 +1153,7 @@ func TestExecuteTemplate_ForMergeableIngressForNGINXMasterWithoutAnnotationMinio
 t.Errorf("expected header %q not found in generated tea config", wantHeader)
 }
 }
+ snaps.MatchSnapshot(t, buf.String())
 }
 }
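Review bot: In the hunk at -873 (TestExecuteTemplate_ForIngressForNGINXWithProxySetHeadersAnnotationWithDefaultValue) the added `snaps.MatchSnapshot(t, buf.String())` is followed by two closing braces, so it appears to run once per table case inside a loop whose header is outside the hunk. The snapshot labels added by this commit end in a call counter (`[TestName - 1]`), so repeated calls within one test are presumably told apart only by call order, and reordering, inserting or removing a case would compare the later cases against another case's stored config. Running each case as a subtest, `t.Run(name, func(t *testing.T) { … })` with `name` standing for a per-case label, would key each snapshot by the subtest name; it is also worth confirming that `buf` is fresh for every case. The same shape appears in the hunks at -920, -975, -1048, -1103, -1157, -1215, -1267 and -1330.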
@@ -1157,6 +1208,7 @@ func TestExecuteTemplate_ForMergeableIngressForNGINXMasterWithAnnotationForProxy
 t.Errorf("expected header %q not found in generated tea config", wantHeader)
 }
 }
+ snaps.MatchSnapshot(t, buf.String())
 }
 }
@@ -1215,6 +1267,7 @@ func TestExecuteTemplate_ForMergeableIngressForNGINXMasterMinionsWithDifferentHe
 t.Errorf("expected header %q not found in generated tea config", wantHeader)
 }
 }
+ snaps.MatchSnapshot(t, buf.String())
 }
 }
@@ -1267,6 +1320,7 @@ func TestExecuteTemplate_ForMergeableIngressForNGINXWithProxySetHeadersAnnotatio
 t.Errorf("expected header %q not found in generated tea config", wantHeader)
 }
 }
+ snaps.MatchSnapshot(t, buf.String())
 }
 }
@@ -1330,6 +1384,7 @@ func TestExecuteTemplate_ForMergeableIngressForNGINXMasterMinionsWithMultipleDif
 t.Errorf("expected header %q not found in generated tea config", wantHeader)
 }
 }
+ snaps.MatchSnapshot(t, buf.String())
 }
 }
@@ -1368,6 +1423,7 @@ func TestExecuteTemplate_ForIngressForNGINXPlusWithHTTP2On(t *testing.T) {
 t.Errorf("want %q in generated config", want)
 }
 }
+ snaps.MatchSnapshot(t, buf.String())
 }
 func TestExecuteTemplate_ForIngressForNGINXWithHTTP2On(t *testing.T) {
@@ -1405,6 +1461,7 @@ func TestExecuteTemplate_ForIngressForNGINXWithHTTP2On(t *testing.T) {
 t.Errorf("want %q in generated config", want)
 }
 }
+ snaps.MatchSnapshot(t, buf.String())
 }
 func TestExecuteTemplate_ForIngressForNGINXPlusWithHTTP2Off(t *testing.T) {
@@ -1440,6 +1497,7 @@ func TestExecuteTemplate_ForIngressForNGINXPlusWithHTTP2Off(t *testing.T) {
 t.Errorf("want %q in generated config", want)
 }
 }
+ snaps.MatchSnapshot(t, buf.String())
 }
 func TestExecuteTemplate_ForIngressForNGINXWithHTTP2Off(t *testing.T) {
@@ -1475,6 +1533,7 @@ func TestExecuteTemplate_ForIngressForNGINXWithHTTP2Off(t *testing.T) {
 t.Errorf("want %q in generated config", want)
 }
 }
+ snaps.MatchSnapshot(t, buf.String())
 }
 func TestExecuteTemplate_ForIngressForNGINXWithRequestRateLimit(t *testing.T) {
@@ -1505,6 +1564,7 @@ func TestExecuteTemplate_ForIngressForNGINXWithRequestRateLimit(t *testing.T) {
 t.Errorf("want %q in generated config", want)
 }
 }
+ snaps.MatchSnapshot(t, buf.String())
 }
 func TestExecuteTemplate_ForIngressForNGINXWithRequestRateLimitMinions(t *testing.T) {
@@ -1540,6 +1600,7 @@ func TestExecuteTemplate_ForIngressForNGINXWithRequestRateLimitMinions(t *testin
 t.Errorf("want %q in generated config", want)
 }
 }
+ snaps.MatchSnapshot(t, buf.String())
 }
 func TestExecuteTemplate_ForIngressForNGINXPlusWithRequestRateLimit(t *testing.T) {
@@ -1570,6 +1631,7 @@ func TestExecuteTemplate_ForIngressForNGINXPlusWithRequestRateLimit(t *testing.T
 t.Errorf("want %q in generated config", want)
 }
 }
+ snaps.MatchSnapshot(t, buf.String())
 }
 func TestExecuteTemplate_ForIngressForNGINXPlusWithRequestRateLimitMinions(t *testing.T) {
@@ -1605,6 +1667,7 @@ func TestExecuteTemplate_ForIngressForNGINXPlusWithRequestRateLimitMinions(t *te
 t.Errorf("want %q in generated config", want)
 }
 }
+ snaps.MatchSnapshot(t, buf.String())
 }
 func newNGINXPlusIngressTmpl(t *testing.T) *template.Template {
diff --git a/internal/configs/version2/__snapshots__/templates_test.snap b/internal/configs/version2/__snapshots__/templates_test.snap
new file mode 100644
index 0000000000..ff2b738552
--- /dev/null
+++ b/internal/configs/version2/__snapshots__/templates_test.snap
@@ -0,0 +1,6127 @@ + +[TestExecuteTemplateForTransportServerWithBackupServerForNGINXPlus - 1] + +upstream udp-upstream { + zone udp-upstream 512k; + server 10.0.0.20:5001 max_fails=0 fail_timeout= max_conns=0; + server clustertwo.corp.local:8080 resolve backup; +} + + +match match_udp-upstream { + + send "GET / HTTP/1.0\r\nHost: localhost\r\n\r\n"; + + + + expect ~* "200 OK"; + +} +server { + + status_zone udp-app; + proxy_requests 1; + proxy_responses 2; + + proxy_pass udp-upstream; + + + health_check interval=5s port=8080 + passes=1 jitter=0 fails=1 udp match=match_udp-upstream; + health_check_timeout 5s; + + + proxy_timeout 10s; + proxy_connect_timeout 10s; + proxy_next_upstream on; + proxy_next_upstream_timeout 10s; + proxy_next_upstream_tries 5; +} + +--- + +[TestExecuteTemplateForTransportServerWithResolver - 1] + +upstream udp-upstream { + zone udp-upstream 512k; + server 10.0.0.20:5001 max_fails=0 fail_timeout= max_conns=0 resolve; +} + + +match match_udp-upstream { + + send "GET / HTTP/1.0\r\nHost: localhost\r\n\r\n"; + + + + expect ~* "200 OK"; + +} +server { + + status_zone udp-app; + proxy_requests 1; + proxy_responses 2; + + proxy_pass udp-upstream; + + + health_check interval=5s port=8080 + passes=1 jitter=0 fails=1 udp match=match_udp-upstream; + health_check_timeout 5s; + + + proxy_timeout 10s; + proxy_connect_timeout 10s; + proxy_next_upstream on; + proxy_next_upstream_timeout 10s; + proxy_next_upstream_tries 5; +} + +--- + +[TestExecuteVirtualServerTemplateWithBackupServerNGINXPlus - 1] + +upstream test-upstream { + zone test-upstream 256k; + random; + server 10.0.0.20:8001 max_fails=4 fail_timeout=10s slow_start=10s max_conns=31; + server clustertwo.corp.local:8080 backup resolve; + keepalive 32; + queue 10 timeout=60s; + sticky cookie test expires=25s path=/tea; + + ntlm; +} + +upstream coffee-v1 { + zone coffee-v1 256k; + server 10.0.0.31:8001 max_fails=8 fail_timeout=15s max_conns=2; + + +} + +upstream coffee-v2 { + zone coffee-v2 256k; + 
server 10.0.0.32:8001 max_fails=12 fail_timeout=20s max_conns=4; + + +} + +split_clients $request_id $split_0 { + 50% @loc0; + 50% @loc1; +} +map $match_0_0 $match { + ~^1 @match_loc_0; + default @match_loc_default; +} +map $http_x_version $match_0_0 { + v2 1; + default 0; +} +# HTTP snippet +limit_req_zone $url zone=pol_rl_test_test_test:10m rate=10r/s; + +server { + listen 80 proxy_protocol; + listen [::]:80 proxy_protocol; + + + server_name example.com; + status_zone example.com; + set $resource_type "virtualserver"; + set $resource_name ""; + set $resource_namespace ""; + listen 443 ssl proxy_protocol; + listen [::]:443 ssl proxy_protocol; + + http2 on; + ssl_certificate cafe-secret.pem; + ssl_certificate_key cafe-secret.pem; + ssl_client_certificate ingress-mtls-secret; + ssl_verify_client on; + ssl_verify_depth 2; + if ($scheme = 'http') { + return 301 https://$host$request_uri; + } + + server_tokens "off"; + set_real_ip_from 0.0.0.0/0; + real_ip_header X-Real-IP; + real_ip_recursive on; + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req_log_level error; + limit_req_status 503; + limit_req zone=pol_rl_test_test_test burst=5 + delay=10; + auth_jwt "My Api"; + auth_jwt_key_file jwk-secret; + app_protect_enable on; + + app_protect_policy_file /etc/nginx/waf/nac-policies/default-dataguard-alarm; + + + + + + app_protect_security_log_enable on; + + app_protect_security_log /etc/nginx/waf/nac-logconfs/default-logconf; + + + + # server snippet + location /split { + rewrite ^ @split_0 last; + } + location /coffee { + rewrite ^ @match last; + } + location @hc-coffee { + + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + proxy_pass http://coffee-v2; + health_check uri=/ port=50 interval=5s jitter=0s + fails=1 passes=1 + mandatory persistent + keepalive_time=; + } + location @hc-tea { + + grpc_connect_timeout ; + grpc_read_timeout ; + grpc_send_timeout ; + grpc_pass grpc://tea-v3; + health_check port=50 interval=5s jitter=0s 
+ fails=1 passes=1 + + type=grpc grpc_status=12 + grpc_service=tea-servicev2 keepalive_time=; + } + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_0 { + + default_type "application/json"; + + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_1 { + + + add_header Set-Cookie "cookie1=test" always; + + add_header Set-Cookie "cookie2=test; Secure" always; + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + + + location @return_0 { + default_type "text/html"; + + # status code is ignored here, using 0 + return 0 "Hello!"; + } + + + + location / { + set $service ""; + status_zone ""; + internal; + # location snippet + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req zone=loc_pol_rl_test_test_test + ; + + + proxy_ssl_certificate egress-mtls-secret.pem; + proxy_ssl_certificate_key egress-mtls-secret.pem; + + proxy_ssl_trusted_certificate trusted-cert.pem; + proxy_ssl_verify on; + proxy_ssl_verify_depth 1; + proxy_ssl_protocols TLSv1.3; + proxy_ssl_ciphers DEFAULT; + proxy_ssl_session_reuse on; + proxy_ssl_server_name on; + proxy_ssl_name ; + set $default_connection_header close; + rewrite $request_uri $request_uri; + rewrite $request_uri $request_uri; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + proxy_max_temp_file_size 1024m; + + proxy_buffering on; + proxy_buffers 8 4k; + proxy_buffer_size 4k; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_hide_header Header; + proxy_pass_header Host; + proxy_ignore_headers Cache; + 
add_header Header-Name "Header Value" always; + proxy_pass http://test-upstream$request_uri; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc0 { + set $service ""; + status_zone ""; + + + error_page 400 500 =200 "@error_page_1"; + error_page 500 "@error_page_2"; + proxy_intercept_errors on; + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc1 { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc2 { + set $service ""; + status_zone ""; + + + error_page 400 = @grpc_internal; + error_page 401 = @grpc_unauthenticated; + error_page 403 
= @grpc_permission_denied; + error_page 404 = @grpc_unimplemented; + error_page 429 = @grpc_unavailable; + error_page 502 = @grpc_unavailable; + error_page 503 = @grpc_unavailable; + error_page 504 = @grpc_unavailable; + error_page 405 = @grpc_internal; + error_page 408 = @grpc_deadline_exceeded; + error_page 413 = @grpc_resource_exhausted; + error_page 414 = @grpc_resource_exhausted; + error_page 415 = @grpc_internal; + error_page 426 = @grpc_internal; + error_page 495 = @grpc_unauthenticated; + error_page 496 = @grpc_unauthenticated; + error_page 497 = @grpc_internal; + error_page 500 = @grpc_internal; + error_page 501 = @grpc_internal; + set $default_connection_header close; + grpc_connect_timeout 30s; + grpc_read_timeout 31s; + grpc_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + grpc_set_header X-Real-IP $remote_addr; + grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + grpc_set_header X-Forwarded-Host $host; + grpc_set_header X-Forwarded-Port $server_port; + grpc_set_header X-Forwarded-Proto $scheme; + grpc_pass grpc://coffee-v3; + grpc_next_upstream ; + grpc_next_upstream_timeout ; + grpc_next_upstream_tries 0; + } + location @match_loc_0 { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @match_loc_default { + set $service 
""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location /return { + set $service ""; + status_zone ""; + + + error_page 418 =200 "@return_0"; + proxy_intercept_errors on; + proxy_pass http://unix:/var/lib/nginx/nginx-418-server.sock; + set $default_connection_header close; + } + + location @grpc_deadline_exceeded { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 4; + add_header grpc-message 'deadline exceeded'; + return 204; + } + + location @grpc_permission_denied { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 7; + add_header grpc-message 'permission denied'; + return 204; + } + + location @grpc_resource_exhausted { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 8; + add_header grpc-message 'resource exhausted'; + return 204; + } + + location @grpc_unimplemented { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 12; + add_header grpc-message unimplemented; + return 204; + } + + location @grpc_internal { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 13; + add_header grpc-message 'internal error'; + return 204; + } + + 
location @grpc_unavailable { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 14; + add_header grpc-message unavailable; + return 204; + } + + location @grpc_unauthenticated { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 16; + add_header grpc-message unauthenticated; + return 204; + } + + + +} + +--- + +[TestExecuteVirtualServerTemplateWithJWKSWithToken - 1] + +upstream vs_default_cafe_tea { + zone vs_default_cafe_tea ; + server 10.0.0.20:80 max_fails=0 fail_timeout= max_conns=0; + keepalive 16; + + +} + +upstream vs_default_cafe_coffee { + zone vs_default_cafe_coffee ; + server 10.0.0.30:80 max_fails=0 fail_timeout= max_conns=0; + keepalive 16; + + +} + +proxy_cache_path /var/cache/nginx/jwks_uri_cafe levels=1 keys_zone=jwks_uri_cafe:1m max_size=10m; + +server { + listen 80 proxy_protocol; + listen [::]:80 proxy_protocol; + + + server_name cafe.example.com; + status_zone cafe.example.com; + set $resource_type "virtualserver"; + set $resource_name "cafe"; + set $resource_namespace "default"; + + server_tokens "off"; + set_real_ip_from 0.0.0.0/0; + real_ip_header X-Real-IP; + real_ip_recursive on; + auth_jwt "Spec Realm API" token=$http_token; + + auth_jwt_key_cache 1h; + auth_jwt_key_request /_jwks_uri_server_default/jwt-policy; + location = /_jwks_uri_server_default/jwt-policy { + internal; + proxy_method GET; + proxy_set_header Content-Length ""; + proxy_cache jwks_uri_cafe; + proxy_cache_valid 200 12h; + proxy_set_header Host idp.spec.example.com; + set $idp_backend idp.spec.example.com; + proxy_pass https://$idp_backend:443/spec-keys; + } + location = /_jwks_uri_server_default/jwt-policy-route { + internal; + proxy_method GET; + proxy_set_header Content-Length ""; + proxy_cache jwks_uri_cafe; + proxy_cache_valid 200 12h; + proxy_set_header Host idp.route.example.com; + set $idp_backend idp.route.example.com; + proxy_pass 
http://$idp_backend:80/route-keys; + } + # server snippet + + + + + location /tea { + set $service "tea-svc"; + status_zone "tea-svc"; + auth_jwt "Route Realm API" token=$http_token; + + auth_jwt_key_cache 1h; + auth_jwt_key_request /_jwks_uri_server_default/jwt-policy-route; + + + set $default_connection_header ""; + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + client_max_body_size ; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers on; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host "$host"; + proxy_pass http://vs_default_cafe_tea; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 0s; + proxy_next_upstream_tries 0; + } + location /coffee { + set $service "coffee-svc"; + status_zone "coffee-svc"; + auth_jwt "Route Realm API" token=$http_token; + + auth_jwt_key_cache 1h; + auth_jwt_key_request /_jwks_uri_server_default/jwt-policy-route; + + + set $default_connection_header ""; + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + client_max_body_size ; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers on; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host "$host"; + proxy_pass http://vs_default_cafe_coffee; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 0s; + proxy_next_upstream_tries 0; + } +} + +--- + 
+[TestExecuteVirtualServerTemplateWithJWKSWithoutToken - 1] + +upstream vs_default_cafe_tea { + zone vs_default_cafe_tea ; + server 10.0.0.20:80 max_fails=0 fail_timeout= max_conns=0; + keepalive 16; + + +} + +upstream vs_default_cafe_coffee { + zone vs_default_cafe_coffee ; + server 10.0.0.30:80 max_fails=0 fail_timeout= max_conns=0; + keepalive 16; + + +} + +proxy_cache_path /var/cache/nginx/jwks_uri_cafe levels=1 keys_zone=jwks_uri_cafe:1m max_size=10m; + +server { + listen 80 proxy_protocol; + listen [::]:80 proxy_protocol; + + + server_name cafe.example.com; + status_zone cafe.example.com; + set $resource_type "virtualserver"; + set $resource_name "cafe"; + set $resource_namespace "default"; + + server_tokens "off"; + set_real_ip_from 0.0.0.0/0; + real_ip_header X-Real-IP; + real_ip_recursive on; + auth_jwt "Spec Realm API"; + + auth_jwt_key_cache 1h; + auth_jwt_key_request /_jwks_uri_server_default/jwt-policy; + location = /_jwks_uri_server_default/jwt-policy { + internal; + proxy_method GET; + proxy_set_header Content-Length ""; + proxy_cache jwks_uri_cafe; + proxy_cache_valid 200 12h; + proxy_set_header Host idp.spec.example.com; + set $idp_backend idp.spec.example.com; + proxy_pass https://$idp_backend:443/spec-keys; + } + location = /_jwks_uri_server_default/jwt-policy-route { + internal; + proxy_method GET; + proxy_set_header Content-Length ""; + proxy_cache jwks_uri_cafe; + proxy_cache_valid 200 12h; + proxy_set_header Host idp.route.example.com; + set $idp_backend idp.route.example.com; + proxy_pass http://$idp_backend:80/route-keys; + } + # server snippet + + + + + location /tea { + set $service "tea-svc"; + status_zone "tea-svc"; + auth_jwt "Route Realm API"; + + auth_jwt_key_cache 1h; + auth_jwt_key_request /_jwks_uri_server_default/jwt-policy-route; + + + set $default_connection_header ""; + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + client_max_body_size ; + + proxy_buffering off; + proxy_http_version 1.1; + 
proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers on; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host "$host"; + proxy_pass http://vs_default_cafe_tea; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 0s; + proxy_next_upstream_tries 0; + } + location /coffee { + set $service "coffee-svc"; + status_zone "coffee-svc"; + auth_jwt "Route Realm API"; + + auth_jwt_key_cache 1h; + auth_jwt_key_request /_jwks_uri_server_default/jwt-policy-route; + + + set $default_connection_header ""; + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + client_max_body_size ; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers on; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host "$host"; + proxy_pass http://vs_default_cafe_coffee; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 0s; + proxy_next_upstream_tries 0; + } +} + +--- + +[TestExecuteVirtualServerTemplate_RendersOSSTemplateWithHTTP2Off - 1] + +upstream test-upstream {zone test-upstream 256k; + random; + server 10.0.0.20:8001 max_fails=4 fail_timeout=10s max_conns=31; + keepalive 32; +} + +upstream coffee-v1 {zone coffee-v1 256k; + server 10.0.0.31:8001 max_fails=8 fail_timeout=15s max_conns=2; +} + +upstream coffee-v2 {zone coffee-v2 256k; + server 10.0.0.32:8001 max_fails=12 fail_timeout=20s max_conns=4; +} + +split_clients $request_id $split_0 { + 
50% @loc0; + 50% @loc1; +} +map $match_0_0 $match { + ~^1 @match_loc_0; + default @match_loc_default; +} +map $http_x_version $match_0_0 { + v2 1; + default 0; +} +# HTTP snippet +limit_req_zone $url zone=pol_rl_test_test_test:10m rate=10r/s; +server { + listen 80 proxy_protocol; + listen [::]:80 proxy_protocol; + + + server_name example.com; + + set $resource_type "virtualserver"; + set $resource_name ""; + set $resource_namespace ""; + listen 443 ssl proxy_protocol; + listen [::]:443 ssl proxy_protocol; + + ssl_certificate cafe-secret.pem; + ssl_certificate_key cafe-secret.pem; + ssl_client_certificate ingress-mtls-secret; + ssl_verify_client on; + ssl_verify_depth 2; + if ($scheme = 'http') { + return 301 https://$host$request_uri; + } + + server_tokens "off"; + set_real_ip_from 0.0.0.0/0; + real_ip_header X-Real-IP; + real_ip_recursive on; + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req_log_level error; + limit_req_status 503; + limit_req zone=pol_rl_test_test_test burst=5 + delay=10; + # server snippet + location /split { + rewrite ^ @split_0 last; + } + location /coffee { + rewrite ^ @match last; + } + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_0 { + + default_type "application/json"; + + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_1 { + + + add_header Set-Cookie "cookie1=test" always; + + add_header Set-Cookie "cookie2=test; Secure" always; + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + + + location @return_0 { + default_type "text/html"; + + # status code is ignored here, using 0 + return 0 "Hello!"; + } + + + + location / { + set $service ""; + internal; + # location snippet + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req zone=loc_pol_rl_test_test_test + ; + + + proxy_ssl_certificate egress-mtls-secret.pem; + proxy_ssl_certificate_key egress-mtls-secret.pem; + + 
proxy_ssl_trusted_certificate trusted-cert.pem; + proxy_ssl_verify on; + proxy_ssl_verify_depth 1; + proxy_ssl_protocols TLSv1.3; + proxy_ssl_ciphers DEFAULT; + proxy_ssl_session_reuse on; + proxy_ssl_server_name on; + proxy_ssl_name ; + set $default_connection_header close; + rewrite $request_uri $request_uri; + rewrite $request_uri $request_uri; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + proxy_max_temp_file_size 1024m; + + proxy_buffering on; + proxy_buffers 8 4k; + proxy_buffer_size 4k; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_hide_header Header; + proxy_pass_header Host; + proxy_ignore_headers Cache; + add_header Header-Name "Header Value" always; + proxy_pass http://test-upstream$request_uri; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc0 { + set $service ""; + + + error_page 400 500 =200 "@error_page_1"; + error_page 500 "@error_page_2"; + proxy_intercept_errors on; + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; 
+ proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc1 { + set $service ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc2 { + set $service ""; + + + error_page 400 = @grpc_internal; + error_page 401 = @grpc_unauthenticated; + error_page 403 = @grpc_permission_denied; + error_page 404 = @grpc_unimplemented; + error_page 429 = @grpc_unavailable; + error_page 502 = @grpc_unavailable; + error_page 503 = @grpc_unavailable; + error_page 504 = @grpc_unavailable; + error_page 405 = @grpc_internal; + error_page 408 = @grpc_deadline_exceeded; + error_page 413 = @grpc_resource_exhausted; + error_page 414 = @grpc_resource_exhausted; + error_page 415 = @grpc_internal; + error_page 426 = @grpc_internal; + error_page 495 = @grpc_unauthenticated; + error_page 496 = @grpc_unauthenticated; + error_page 497 = @grpc_internal; + error_page 500 = @grpc_internal; + error_page 501 = @grpc_internal; + set $default_connection_header close; + grpc_connect_timeout 30s; + grpc_read_timeout 31s; + grpc_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + grpc_set_header X-Real-IP $remote_addr; + grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + grpc_set_header X-Forwarded-Host $host; + grpc_set_header X-Forwarded-Port 
$server_port; + grpc_set_header X-Forwarded-Proto $scheme; + grpc_pass grpc://coffee-v3; + grpc_next_upstream ; + grpc_next_upstream_timeout ; + grpc_next_upstream_tries 0; + } + location @match_loc_0 { + set $service ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @match_loc_default { + set $service ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location /return { + set $service ""; + + + error_page 418 =200 "@return_0"; + proxy_intercept_errors on; + proxy_pass http://unix:/var/lib/nginx/nginx-418-server.sock; + set $default_connection_header close; + } + + +} + +--- + +[TestExecuteVirtualServerTemplate_RendersOSSTemplateWithHTTP2On - 
1] + +upstream test-upstream {zone test-upstream 256k; + random; + server 10.0.0.20:8001 max_fails=4 fail_timeout=10s max_conns=31; + keepalive 32; +} + +upstream coffee-v1 {zone coffee-v1 256k; + server 10.0.0.31:8001 max_fails=8 fail_timeout=15s max_conns=2; +} + +upstream coffee-v2 {zone coffee-v2 256k; + server 10.0.0.32:8001 max_fails=12 fail_timeout=20s max_conns=4; +} + +split_clients $request_id $split_0 { + 50% @loc0; + 50% @loc1; +} +map $match_0_0 $match { + ~^1 @match_loc_0; + default @match_loc_default; +} +map $http_x_version $match_0_0 { + v2 1; + default 0; +} +# HTTP snippet +limit_req_zone $url zone=pol_rl_test_test_test:10m rate=10r/s; +server { + listen 80 proxy_protocol; + listen [::]:80 proxy_protocol; + + + server_name example.com; + + set $resource_type "virtualserver"; + set $resource_name ""; + set $resource_namespace ""; + listen 443 ssl proxy_protocol; + listen [::]:443 ssl proxy_protocol; + + http2 on; + ssl_certificate cafe-secret.pem; + ssl_certificate_key cafe-secret.pem; + ssl_client_certificate ingress-mtls-secret; + ssl_verify_client on; + ssl_verify_depth 2; + if ($scheme = 'http') { + return 301 https://$host$request_uri; + } + + server_tokens "off"; + set_real_ip_from 0.0.0.0/0; + real_ip_header X-Real-IP; + real_ip_recursive on; + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req_log_level error; + limit_req_status 503; + limit_req zone=pol_rl_test_test_test burst=5 + delay=10; + # server snippet + location /split { + rewrite ^ @split_0 last; + } + location /coffee { + rewrite ^ @match last; + } + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_0 { + + default_type "application/json"; + + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_1 { + + + add_header Set-Cookie "cookie1=test" always; + + add_header Set-Cookie "cookie2=test; Secure" always; + + # status code is ignored here, using 0 + return 0 "Hello World"; + } 
+ + + + location @return_0 { + default_type "text/html"; + + # status code is ignored here, using 0 + return 0 "Hello!"; + } + + + + location / { + set $service ""; + internal; + # location snippet + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req zone=loc_pol_rl_test_test_test + ; + + + proxy_ssl_certificate egress-mtls-secret.pem; + proxy_ssl_certificate_key egress-mtls-secret.pem; + + proxy_ssl_trusted_certificate trusted-cert.pem; + proxy_ssl_verify on; + proxy_ssl_verify_depth 1; + proxy_ssl_protocols TLSv1.3; + proxy_ssl_ciphers DEFAULT; + proxy_ssl_session_reuse on; + proxy_ssl_server_name on; + proxy_ssl_name ; + set $default_connection_header close; + rewrite $request_uri $request_uri; + rewrite $request_uri $request_uri; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + proxy_max_temp_file_size 1024m; + + proxy_buffering on; + proxy_buffers 8 4k; + proxy_buffer_size 4k; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_hide_header Header; + proxy_pass_header Host; + proxy_ignore_headers Cache; + add_header Header-Name "Header Value" always; + proxy_pass http://test-upstream$request_uri; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc0 { + set $service ""; + + + error_page 400 500 =200 "@error_page_1"; + error_page 500 "@error_page_2"; + proxy_intercept_errors on; + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + 
proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc1 { + set $service ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc2 { + set $service ""; + + + error_page 400 = @grpc_internal; + error_page 401 = @grpc_unauthenticated; + error_page 403 = @grpc_permission_denied; + error_page 404 = @grpc_unimplemented; + error_page 429 = @grpc_unavailable; + error_page 502 = @grpc_unavailable; + error_page 503 = @grpc_unavailable; + error_page 504 = @grpc_unavailable; + error_page 405 = @grpc_internal; + error_page 408 = @grpc_deadline_exceeded; + error_page 413 = @grpc_resource_exhausted; + error_page 414 = @grpc_resource_exhausted; + error_page 415 = @grpc_internal; + error_page 426 = @grpc_internal; + error_page 495 = @grpc_unauthenticated; + error_page 496 = @grpc_unauthenticated; + error_page 497 = @grpc_internal; 
+ error_page 500 = @grpc_internal; + error_page 501 = @grpc_internal; + set $default_connection_header close; + grpc_connect_timeout 30s; + grpc_read_timeout 31s; + grpc_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + grpc_set_header X-Real-IP $remote_addr; + grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + grpc_set_header X-Forwarded-Host $host; + grpc_set_header X-Forwarded-Port $server_port; + grpc_set_header X-Forwarded-Proto $scheme; + grpc_pass grpc://coffee-v3; + grpc_next_upstream ; + grpc_next_upstream_timeout ; + grpc_next_upstream_tries 0; + } + location @match_loc_0 { + set $service ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @match_loc_default { + set $service ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass 
http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location /return { + set $service ""; + + + error_page 418 =200 "@return_0"; + proxy_intercept_errors on; + proxy_pass http://unix:/var/lib/nginx/nginx-418-server.sock; + set $default_connection_header close; + } + + location @grpc_deadline_exceeded { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 4; + add_header grpc-message 'deadline exceeded'; + return 204; + } + + location @grpc_permission_denied { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 7; + add_header grpc-message 'permission denied'; + return 204; + } + + location @grpc_resource_exhausted { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 8; + add_header grpc-message 'resource exhausted'; + return 204; + } + + location @grpc_unimplemented { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 12; + add_header grpc-message unimplemented; + return 204; + } + + location @grpc_internal { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 13; + add_header grpc-message 'internal error'; + return 204; + } + + location @grpc_unavailable { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 14; + add_header grpc-message unavailable; + return 204; + } + + location @grpc_unauthenticated { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 16; + add_header grpc-message unauthenticated; + return 204; + } + + + +} + +--- + +[TestExecuteVirtualServerTemplate_RendersPlusTemplateWithHTTP2Off - 1] + +upstream test-upstream { + zone test-upstream 256k; + random; + server 10.0.0.20:8001 max_fails=4 fail_timeout=10s slow_start=10s 
max_conns=31; + keepalive 32; + queue 10 timeout=60s; + sticky cookie test expires=25s path=/tea; + + ntlm; +} + +upstream coffee-v1 { + zone coffee-v1 256k; + server 10.0.0.31:8001 max_fails=8 fail_timeout=15s max_conns=2; + + +} + +upstream coffee-v2 { + zone coffee-v2 256k; + server 10.0.0.32:8001 max_fails=12 fail_timeout=20s max_conns=4; + + +} + +split_clients $request_id $split_0 { + 50% @loc0; + 50% @loc1; +} +map $match_0_0 $match { + ~^1 @match_loc_0; + default @match_loc_default; +} +map $http_x_version $match_0_0 { + v2 1; + default 0; +} +# HTTP snippet +limit_req_zone $url zone=pol_rl_test_test_test:10m rate=10r/s; + +server { + listen 80 proxy_protocol; + listen [::]:80 proxy_protocol; + + + server_name example.com; + status_zone example.com; + set $resource_type "virtualserver"; + set $resource_name ""; + set $resource_namespace ""; + listen 443 ssl proxy_protocol; + listen [::]:443 ssl proxy_protocol; + + ssl_certificate cafe-secret.pem; + ssl_certificate_key cafe-secret.pem; + ssl_client_certificate ingress-mtls-secret; + ssl_verify_client on; + ssl_verify_depth 2; + if ($scheme = 'http') { + return 301 https://$host$request_uri; + } + + server_tokens "off"; + set_real_ip_from 0.0.0.0/0; + real_ip_header X-Real-IP; + real_ip_recursive on; + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req_log_level error; + limit_req_status 503; + limit_req zone=pol_rl_test_test_test burst=5 + delay=10; + auth_jwt "My Api"; + auth_jwt_key_file jwk-secret; + app_protect_enable on; + + app_protect_policy_file /etc/nginx/waf/nac-policies/default-dataguard-alarm; + + + + + + app_protect_security_log_enable on; + + app_protect_security_log /etc/nginx/waf/nac-logconfs/default-logconf; + + + + # server snippet + location /split { + rewrite ^ @split_0 last; + } + location /coffee { + rewrite ^ @match last; + } + location @hc-coffee { + + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + proxy_pass http://coffee-v2; + 
health_check uri=/ port=50 interval=5s jitter=0s + fails=1 passes=1 + mandatory persistent + keepalive_time=; + } + location @hc-tea { + + grpc_connect_timeout ; + grpc_read_timeout ; + grpc_send_timeout ; + grpc_pass grpc://tea-v3; + health_check port=50 interval=5s jitter=0s + fails=1 passes=1 + + type=grpc grpc_status=12 + grpc_service=tea-servicev2 keepalive_time=; + } + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_0 { + + default_type "application/json"; + + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_1 { + + + add_header Set-Cookie "cookie1=test" always; + + add_header Set-Cookie "cookie2=test; Secure" always; + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + + + location @return_0 { + default_type "text/html"; + + # status code is ignored here, using 0 + return 0 "Hello!"; + } + + + + location / { + set $service ""; + status_zone ""; + internal; + # location snippet + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req zone=loc_pol_rl_test_test_test + ; + + + proxy_ssl_certificate egress-mtls-secret.pem; + proxy_ssl_certificate_key egress-mtls-secret.pem; + + proxy_ssl_trusted_certificate trusted-cert.pem; + proxy_ssl_verify on; + proxy_ssl_verify_depth 1; + proxy_ssl_protocols TLSv1.3; + proxy_ssl_ciphers DEFAULT; + proxy_ssl_session_reuse on; + proxy_ssl_server_name on; + proxy_ssl_name ; + set $default_connection_header close; + rewrite $request_uri $request_uri; + rewrite $request_uri $request_uri; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + proxy_max_temp_file_size 1024m; + + proxy_buffering on; + proxy_buffers 8 4k; + proxy_buffer_size 4k; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + 
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_hide_header Header; + proxy_pass_header Host; + proxy_ignore_headers Cache; + add_header Header-Name "Header Value" always; + proxy_pass http://test-upstream$request_uri; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc0 { + set $service ""; + status_zone ""; + + + error_page 400 500 =200 "@error_page_1"; + error_page 500 "@error_page_2"; + proxy_intercept_errors on; + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc1 { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + 
proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc2 { + set $service ""; + status_zone ""; + + + error_page 400 = @grpc_internal; + error_page 401 = @grpc_unauthenticated; + error_page 403 = @grpc_permission_denied; + error_page 404 = @grpc_unimplemented; + error_page 429 = @grpc_unavailable; + error_page 502 = @grpc_unavailable; + error_page 503 = @grpc_unavailable; + error_page 504 = @grpc_unavailable; + error_page 405 = @grpc_internal; + error_page 408 = @grpc_deadline_exceeded; + error_page 413 = @grpc_resource_exhausted; + error_page 414 = @grpc_resource_exhausted; + error_page 415 = @grpc_internal; + error_page 426 = @grpc_internal; + error_page 495 = @grpc_unauthenticated; + error_page 496 = @grpc_unauthenticated; + error_page 497 = @grpc_internal; + error_page 500 = @grpc_internal; + error_page 501 = @grpc_internal; + set $default_connection_header close; + grpc_connect_timeout 30s; + grpc_read_timeout 31s; + grpc_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + grpc_set_header X-Real-IP $remote_addr; + grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + grpc_set_header X-Forwarded-Host $host; + grpc_set_header X-Forwarded-Port $server_port; + grpc_set_header X-Forwarded-Proto $scheme; + grpc_pass grpc://coffee-v3; + grpc_next_upstream ; + grpc_next_upstream_timeout ; + grpc_next_upstream_tries 0; + } + location @match_loc_0 { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header 
X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @match_loc_default { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location /return { + set $service ""; + status_zone ""; + + + error_page 418 =200 "@return_0"; + proxy_intercept_errors on; + proxy_pass http://unix:/var/lib/nginx/nginx-418-server.sock; + set $default_connection_header close; + } + + +} + +--- + +[TestExecuteVirtualServerTemplate_RendersPlusTemplateWithHTTP2On - 1] + +upstream test-upstream { + zone test-upstream 256k; + random; + server 10.0.0.20:8001 max_fails=4 fail_timeout=10s slow_start=10s max_conns=31; + keepalive 32; + queue 10 timeout=60s; + sticky cookie test expires=25s path=/tea; + + ntlm; +} + +upstream coffee-v1 { + zone coffee-v1 256k; + server 10.0.0.31:8001 max_fails=8 fail_timeout=15s max_conns=2; + + +} + +upstream coffee-v2 { + zone coffee-v2 256k; + server 10.0.0.32:8001 max_fails=12 fail_timeout=20s max_conns=4; + + +} + +split_clients $request_id $split_0 { + 50% @loc0; + 50% @loc1; +} +map $match_0_0 $match { + ~^1 @match_loc_0; + default @match_loc_default; +} +map 
$http_x_version $match_0_0 { + v2 1; + default 0; +} +# HTTP snippet +limit_req_zone $url zone=pol_rl_test_test_test:10m rate=10r/s; + +server { + listen 80 proxy_protocol; + listen [::]:80 proxy_protocol; + + + server_name example.com; + status_zone example.com; + set $resource_type "virtualserver"; + set $resource_name ""; + set $resource_namespace ""; + listen 443 ssl proxy_protocol; + listen [::]:443 ssl proxy_protocol; + + http2 on; + ssl_certificate cafe-secret.pem; + ssl_certificate_key cafe-secret.pem; + ssl_client_certificate ingress-mtls-secret; + ssl_verify_client on; + ssl_verify_depth 2; + if ($scheme = 'http') { + return 301 https://$host$request_uri; + } + + server_tokens "off"; + set_real_ip_from 0.0.0.0/0; + real_ip_header X-Real-IP; + real_ip_recursive on; + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req_log_level error; + limit_req_status 503; + limit_req zone=pol_rl_test_test_test burst=5 + delay=10; + auth_jwt "My Api"; + auth_jwt_key_file jwk-secret; + app_protect_enable on; + + app_protect_policy_file /etc/nginx/waf/nac-policies/default-dataguard-alarm; + + + + + + app_protect_security_log_enable on; + + app_protect_security_log /etc/nginx/waf/nac-logconfs/default-logconf; + + + + # server snippet + location /split { + rewrite ^ @split_0 last; + } + location /coffee { + rewrite ^ @match last; + } + location @hc-coffee { + + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + proxy_pass http://coffee-v2; + health_check uri=/ port=50 interval=5s jitter=0s + fails=1 passes=1 + mandatory persistent + keepalive_time=; + } + location @hc-tea { + + grpc_connect_timeout ; + grpc_read_timeout ; + grpc_send_timeout ; + grpc_pass grpc://tea-v3; + health_check port=50 interval=5s jitter=0s + fails=1 passes=1 + + type=grpc grpc_status=12 + grpc_service=tea-servicev2 keepalive_time=; + } + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_0 { + + default_type "application/json"; + + + # status code is 
ignored here, using 0 + return 0 "Hello World"; + } + + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_1 { + + + add_header Set-Cookie "cookie1=test" always; + + add_header Set-Cookie "cookie2=test; Secure" always; + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + + + location @return_0 { + default_type "text/html"; + + # status code is ignored here, using 0 + return 0 "Hello!"; + } + + + + location / { + set $service ""; + status_zone ""; + internal; + # location snippet + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req zone=loc_pol_rl_test_test_test + ; + + + proxy_ssl_certificate egress-mtls-secret.pem; + proxy_ssl_certificate_key egress-mtls-secret.pem; + + proxy_ssl_trusted_certificate trusted-cert.pem; + proxy_ssl_verify on; + proxy_ssl_verify_depth 1; + proxy_ssl_protocols TLSv1.3; + proxy_ssl_ciphers DEFAULT; + proxy_ssl_session_reuse on; + proxy_ssl_server_name on; + proxy_ssl_name ; + set $default_connection_header close; + rewrite $request_uri $request_uri; + rewrite $request_uri $request_uri; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + proxy_max_temp_file_size 1024m; + + proxy_buffering on; + proxy_buffers 8 4k; + proxy_buffer_size 4k; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_hide_header Header; + proxy_pass_header Host; + proxy_ignore_headers Cache; + add_header Header-Name "Header Value" always; + proxy_pass http://test-upstream$request_uri; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc0 { + 
set $service ""; + status_zone ""; + + + error_page 400 500 =200 "@error_page_1"; + error_page 500 "@error_page_2"; + proxy_intercept_errors on; + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc1 { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc2 { + set $service ""; + status_zone ""; + + + error_page 400 = @grpc_internal; + error_page 401 = @grpc_unauthenticated; + error_page 403 = @grpc_permission_denied; + error_page 404 = @grpc_unimplemented; + error_page 429 = @grpc_unavailable; + error_page 502 = @grpc_unavailable; + error_page 503 = @grpc_unavailable; + error_page 504 = @grpc_unavailable; + 
error_page 405 = @grpc_internal; + error_page 408 = @grpc_deadline_exceeded; + error_page 413 = @grpc_resource_exhausted; + error_page 414 = @grpc_resource_exhausted; + error_page 415 = @grpc_internal; + error_page 426 = @grpc_internal; + error_page 495 = @grpc_unauthenticated; + error_page 496 = @grpc_unauthenticated; + error_page 497 = @grpc_internal; + error_page 500 = @grpc_internal; + error_page 501 = @grpc_internal; + set $default_connection_header close; + grpc_connect_timeout 30s; + grpc_read_timeout 31s; + grpc_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + grpc_set_header X-Real-IP $remote_addr; + grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + grpc_set_header X-Forwarded-Host $host; + grpc_set_header X-Forwarded-Port $server_port; + grpc_set_header X-Forwarded-Proto $scheme; + grpc_pass grpc://coffee-v3; + grpc_next_upstream ; + grpc_next_upstream_timeout ; + grpc_next_upstream_tries 0; + } + location @match_loc_0 { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @match_loc_default { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 
1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location /return { + set $service ""; + status_zone ""; + + + error_page 418 =200 "@return_0"; + proxy_intercept_errors on; + proxy_pass http://unix:/var/lib/nginx/nginx-418-server.sock; + set $default_connection_header close; + } + + location @grpc_deadline_exceeded { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 4; + add_header grpc-message 'deadline exceeded'; + return 204; + } + + location @grpc_permission_denied { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 7; + add_header grpc-message 'permission denied'; + return 204; + } + + location @grpc_resource_exhausted { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 8; + add_header grpc-message 'resource exhausted'; + return 204; + } + + location @grpc_unimplemented { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 12; + add_header grpc-message unimplemented; + return 204; + } + + location @grpc_internal { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 13; + add_header grpc-message 'internal error'; + return 204; + } + + location @grpc_unavailable { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 14; + add_header grpc-message unavailable; + return 204; + } + + location 
@grpc_unauthenticated { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 16; + add_header grpc-message unauthenticated; + return 204; + } + + + +} + +--- + +[TestExecuteVirtualServerTemplate_RendersTemplateWithCustomListener - 1] + +upstream test-upstream { + zone test-upstream 256k; + random; + server 10.0.0.20:8001 max_fails=4 fail_timeout=10s slow_start=10s max_conns=31; + keepalive 32; + queue 10 timeout=60s; + sticky cookie test expires=25s path=/tea; + + ntlm; +} + +upstream coffee-v1 { + zone coffee-v1 256k; + server 10.0.0.31:8001 max_fails=8 fail_timeout=15s max_conns=2; + + +} + +upstream coffee-v2 { + zone coffee-v2 256k; + server 10.0.0.32:8001 max_fails=12 fail_timeout=20s max_conns=4; + + +} + +split_clients $request_id $split_0 { + 50% @loc0; + 50% @loc1; +} +map $match_0_0 $match { + ~^1 @match_loc_0; + default @match_loc_default; +} +map $http_x_version $match_0_0 { + v2 1; + default 0; +} +# HTTP snippet +limit_req_zone $url zone=pol_rl_test_test_test:10m rate=10r/s; + +server { + listen 8082 proxy_protocol; + listen [::]:8082 proxy_protocol; + + + server_name example.com; + status_zone example.com; + set $resource_type "virtualserver"; + set $resource_name ""; + set $resource_namespace ""; + listen 8443 ssl proxy_protocol; + listen [::]:8443 ssl proxy_protocol; + + http2 on; + ssl_certificate cafe-secret.pem; + ssl_certificate_key cafe-secret.pem; + ssl_client_certificate ingress-mtls-secret; + ssl_verify_client on; + ssl_verify_depth 2; + if ($scheme = 'http') { + return 301 https://$host$request_uri; + } + + server_tokens "off"; + set_real_ip_from 0.0.0.0/0; + real_ip_header X-Real-IP; + real_ip_recursive on; + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req_log_level error; + limit_req_status 503; + limit_req zone=pol_rl_test_test_test burst=5 + delay=10; + auth_jwt "My Api"; + auth_jwt_key_file jwk-secret; + app_protect_enable on; + + app_protect_policy_file 
/etc/nginx/waf/nac-policies/default-dataguard-alarm; + + + + + + app_protect_security_log_enable on; + + app_protect_security_log /etc/nginx/waf/nac-logconfs/default-logconf; + + + + # server snippet + location /split { + rewrite ^ @split_0 last; + } + location /coffee { + rewrite ^ @match last; + } + location @hc-coffee { + + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + proxy_pass http://coffee-v2; + health_check uri=/ port=50 interval=5s jitter=0s + fails=1 passes=1 + mandatory persistent + keepalive_time=; + } + location @hc-tea { + + grpc_connect_timeout ; + grpc_read_timeout ; + grpc_send_timeout ; + grpc_pass grpc://tea-v3; + health_check port=50 interval=5s jitter=0s + fails=1 passes=1 + + type=grpc grpc_status=12 + grpc_service=tea-servicev2 keepalive_time=; + } + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_0 { + + default_type "application/json"; + + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_1 { + + + add_header Set-Cookie "cookie1=test" always; + + add_header Set-Cookie "cookie2=test; Secure" always; + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + + + location @return_0 { + default_type "text/html"; + + # status code is ignored here, using 0 + return 0 "Hello!"; + } + + + + location / { + set $service ""; + status_zone ""; + internal; + # location snippet + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req zone=loc_pol_rl_test_test_test + ; + + + proxy_ssl_certificate egress-mtls-secret.pem; + proxy_ssl_certificate_key egress-mtls-secret.pem; + + proxy_ssl_trusted_certificate trusted-cert.pem; + proxy_ssl_verify on; + proxy_ssl_verify_depth 1; + proxy_ssl_protocols TLSv1.3; + proxy_ssl_ciphers DEFAULT; + proxy_ssl_session_reuse on; + proxy_ssl_server_name on; + proxy_ssl_name ; + set $default_connection_header close; + rewrite $request_uri $request_uri; + rewrite $request_uri 
$request_uri; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + proxy_max_temp_file_size 1024m; + + proxy_buffering on; + proxy_buffers 8 4k; + proxy_buffer_size 4k; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_hide_header Header; + proxy_pass_header Host; + proxy_ignore_headers Cache; + add_header Header-Name "Header Value" always; + proxy_pass http://test-upstream$request_uri; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc0 { + set $service ""; + status_zone ""; + + + error_page 400 500 =200 "@error_page_1"; + error_page 500 "@error_page_2"; + proxy_intercept_errors on; + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc1 { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + 
proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc2 { + set $service ""; + status_zone ""; + + + error_page 400 = @grpc_internal; + error_page 401 = @grpc_unauthenticated; + error_page 403 = @grpc_permission_denied; + error_page 404 = @grpc_unimplemented; + error_page 429 = @grpc_unavailable; + error_page 502 = @grpc_unavailable; + error_page 503 = @grpc_unavailable; + error_page 504 = @grpc_unavailable; + error_page 405 = @grpc_internal; + error_page 408 = @grpc_deadline_exceeded; + error_page 413 = @grpc_resource_exhausted; + error_page 414 = @grpc_resource_exhausted; + error_page 415 = @grpc_internal; + error_page 426 = @grpc_internal; + error_page 495 = @grpc_unauthenticated; + error_page 496 = @grpc_unauthenticated; + error_page 497 = @grpc_internal; + error_page 500 = @grpc_internal; + error_page 501 = @grpc_internal; + set $default_connection_header close; + grpc_connect_timeout 30s; + grpc_read_timeout 31s; + grpc_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + grpc_set_header X-Real-IP $remote_addr; + grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + grpc_set_header X-Forwarded-Host $host; + grpc_set_header X-Forwarded-Port $server_port; + grpc_set_header X-Forwarded-Proto $scheme; + grpc_pass grpc://coffee-v3; + grpc_next_upstream ; + grpc_next_upstream_timeout ; + grpc_next_upstream_tries 0; + } + location @match_loc_0 { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + 
proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @match_loc_default { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location /return { + set $service ""; + status_zone ""; + + + error_page 418 =200 "@return_0"; + proxy_intercept_errors on; + proxy_pass http://unix:/var/lib/nginx/nginx-418-server.sock; + set $default_connection_header close; + } + + location @grpc_deadline_exceeded { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 4; + add_header grpc-message 'deadline exceeded'; + return 204; + } + + location @grpc_permission_denied { + default_type application/grpc; + add_header content-type 
application/grpc; + add_header grpc-status 7; + add_header grpc-message 'permission denied'; + return 204; + } + + location @grpc_resource_exhausted { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 8; + add_header grpc-message 'resource exhausted'; + return 204; + } + + location @grpc_unimplemented { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 12; + add_header grpc-message unimplemented; + return 204; + } + + location @grpc_internal { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 13; + add_header grpc-message 'internal error'; + return 204; + } + + location @grpc_unavailable { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 14; + add_header grpc-message unavailable; + return 204; + } + + location @grpc_unauthenticated { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 16; + add_header grpc-message unauthenticated; + return 204; + } + + + +} + +--- + +[TestExecuteVirtualServerTemplate_RendersTemplateWithCustomListenerHTTPOnly - 1] + +upstream test-upstream { + zone test-upstream 256k; + random; + server 10.0.0.20:8001 max_fails=4 fail_timeout=10s slow_start=10s max_conns=31; + keepalive 32; + queue 10 timeout=60s; + sticky cookie test expires=25s path=/tea; + + ntlm; +} + +upstream coffee-v1 { + zone coffee-v1 256k; + server 10.0.0.31:8001 max_fails=8 fail_timeout=15s max_conns=2; + + +} + +upstream coffee-v2 { + zone coffee-v2 256k; + server 10.0.0.32:8001 max_fails=12 fail_timeout=20s max_conns=4; + + +} + +split_clients $request_id $split_0 { + 50% @loc0; + 50% @loc1; +} +map $match_0_0 $match { + ~^1 @match_loc_0; + default @match_loc_default; +} +map $http_x_version $match_0_0 { + v2 1; + default 0; +} +# HTTP snippet +limit_req_zone $url zone=pol_rl_test_test_test:10m rate=10r/s; + +server 
{ + listen 8082 proxy_protocol; + listen [::]:8082 proxy_protocol; + + + server_name example.com; + status_zone example.com; + set $resource_type "virtualserver"; + set $resource_name ""; + set $resource_namespace ""; + + http2 on; + ssl_certificate cafe-secret.pem; + ssl_certificate_key cafe-secret.pem; + ssl_client_certificate ingress-mtls-secret; + ssl_verify_client on; + ssl_verify_depth 2; + if ($scheme = 'http') { + return 301 https://$host$request_uri; + } + + server_tokens "off"; + set_real_ip_from 0.0.0.0/0; + real_ip_header X-Real-IP; + real_ip_recursive on; + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req_log_level error; + limit_req_status 503; + limit_req zone=pol_rl_test_test_test burst=5 + delay=10; + auth_jwt "My Api"; + auth_jwt_key_file jwk-secret; + app_protect_enable on; + + app_protect_policy_file /etc/nginx/waf/nac-policies/default-dataguard-alarm; + + + + + + app_protect_security_log_enable on; + + app_protect_security_log /etc/nginx/waf/nac-logconfs/default-logconf; + + + + # server snippet + location /split { + rewrite ^ @split_0 last; + } + location /coffee { + rewrite ^ @match last; + } + location @hc-coffee { + + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + proxy_pass http://coffee-v2; + health_check uri=/ port=50 interval=5s jitter=0s + fails=1 passes=1 + mandatory persistent + keepalive_time=; + } + location @hc-tea { + + grpc_connect_timeout ; + grpc_read_timeout ; + grpc_send_timeout ; + grpc_pass grpc://tea-v3; + health_check port=50 interval=5s jitter=0s + fails=1 passes=1 + + type=grpc grpc_status=12 + grpc_service=tea-servicev2 keepalive_time=; + } + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_0 { + + default_type "application/json"; + + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_1 { + + + add_header Set-Cookie "cookie1=test" always; + + add_header Set-Cookie "cookie2=test; Secure" 
always; + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + + + location @return_0 { + default_type "text/html"; + + # status code is ignored here, using 0 + return 0 "Hello!"; + } + + + + location / { + set $service ""; + status_zone ""; + internal; + # location snippet + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req zone=loc_pol_rl_test_test_test + ; + + + proxy_ssl_certificate egress-mtls-secret.pem; + proxy_ssl_certificate_key egress-mtls-secret.pem; + + proxy_ssl_trusted_certificate trusted-cert.pem; + proxy_ssl_verify on; + proxy_ssl_verify_depth 1; + proxy_ssl_protocols TLSv1.3; + proxy_ssl_ciphers DEFAULT; + proxy_ssl_session_reuse on; + proxy_ssl_server_name on; + proxy_ssl_name ; + set $default_connection_header close; + rewrite $request_uri $request_uri; + rewrite $request_uri $request_uri; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + proxy_max_temp_file_size 1024m; + + proxy_buffering on; + proxy_buffers 8 4k; + proxy_buffer_size 4k; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_hide_header Header; + proxy_pass_header Host; + proxy_ignore_headers Cache; + add_header Header-Name "Header Value" always; + proxy_pass http://test-upstream$request_uri; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc0 { + set $service ""; + status_zone ""; + + + error_page 400 500 =200 "@error_page_1"; + error_page 500 "@error_page_2"; + proxy_intercept_errors on; + set $default_connection_header close; + proxy_connect_timeout 30s; + 
proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc1 { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc2 { + set $service ""; + status_zone ""; + + + error_page 400 = @grpc_internal; + error_page 401 = @grpc_unauthenticated; + error_page 403 = @grpc_permission_denied; + error_page 404 = @grpc_unimplemented; + error_page 429 = @grpc_unavailable; + error_page 502 = @grpc_unavailable; + error_page 503 = @grpc_unavailable; + error_page 504 = @grpc_unavailable; + error_page 405 = @grpc_internal; + error_page 408 = @grpc_deadline_exceeded; + error_page 413 = @grpc_resource_exhausted; + error_page 414 = @grpc_resource_exhausted; + error_page 415 = @grpc_internal; + error_page 
426 = @grpc_internal; + error_page 495 = @grpc_unauthenticated; + error_page 496 = @grpc_unauthenticated; + error_page 497 = @grpc_internal; + error_page 500 = @grpc_internal; + error_page 501 = @grpc_internal; + set $default_connection_header close; + grpc_connect_timeout 30s; + grpc_read_timeout 31s; + grpc_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + grpc_set_header X-Real-IP $remote_addr; + grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + grpc_set_header X-Forwarded-Host $host; + grpc_set_header X-Forwarded-Port $server_port; + grpc_set_header X-Forwarded-Proto $scheme; + grpc_pass grpc://coffee-v3; + grpc_next_upstream ; + grpc_next_upstream_timeout ; + grpc_next_upstream_tries 0; + } + location @match_loc_0 { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @match_loc_default { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location /return { + set $service ""; + status_zone ""; + + + error_page 418 =200 "@return_0"; + proxy_intercept_errors on; + proxy_pass http://unix:/var/lib/nginx/nginx-418-server.sock; + set $default_connection_header close; + } + + location @grpc_deadline_exceeded { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 4; + add_header grpc-message 'deadline exceeded'; + return 204; + } + + location @grpc_permission_denied { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 7; + add_header grpc-message 'permission denied'; + return 204; + } + + location @grpc_resource_exhausted { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 8; + add_header grpc-message 'resource exhausted'; + return 204; + } + + location @grpc_unimplemented { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 12; + add_header grpc-message unimplemented; + return 204; + } + + location @grpc_internal { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 13; + add_header grpc-message 'internal error'; + return 204; + } + + location @grpc_unavailable { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 14; + add_header grpc-message unavailable; + return 204; + } + + location @grpc_unauthenticated { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 16; + add_header grpc-message unauthenticated; + return 204; + } + + + +} + +--- + 
+[TestExecuteVirtualServerTemplate_RendersTemplateWithCustomListenerHTTPSOnly - 1] + +upstream test-upstream { + zone test-upstream 256k; + random; + server 10.0.0.20:8001 max_fails=4 fail_timeout=10s slow_start=10s max_conns=31; + keepalive 32; + queue 10 timeout=60s; + sticky cookie test expires=25s path=/tea; + + ntlm; +} + +upstream coffee-v1 { + zone coffee-v1 256k; + server 10.0.0.31:8001 max_fails=8 fail_timeout=15s max_conns=2; + + +} + +upstream coffee-v2 { + zone coffee-v2 256k; + server 10.0.0.32:8001 max_fails=12 fail_timeout=20s max_conns=4; + + +} + +split_clients $request_id $split_0 { + 50% @loc0; + 50% @loc1; +} +map $match_0_0 $match { + ~^1 @match_loc_0; + default @match_loc_default; +} +map $http_x_version $match_0_0 { + v2 1; + default 0; +} +# HTTP snippet +limit_req_zone $url zone=pol_rl_test_test_test:10m rate=10r/s; + +server { + + + server_name example.com; + status_zone example.com; + set $resource_type "virtualserver"; + set $resource_name ""; + set $resource_namespace ""; + listen 8443 ssl proxy_protocol; + listen [::]:8443 ssl proxy_protocol; + + http2 on; + ssl_certificate cafe-secret.pem; + ssl_certificate_key cafe-secret.pem; + ssl_client_certificate ingress-mtls-secret; + ssl_verify_client on; + ssl_verify_depth 2; + if ($scheme = 'http') { + return 301 https://$host$request_uri; + } + + server_tokens "off"; + set_real_ip_from 0.0.0.0/0; + real_ip_header X-Real-IP; + real_ip_recursive on; + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req_log_level error; + limit_req_status 503; + limit_req zone=pol_rl_test_test_test burst=5 + delay=10; + auth_jwt "My Api"; + auth_jwt_key_file jwk-secret; + app_protect_enable on; + + app_protect_policy_file /etc/nginx/waf/nac-policies/default-dataguard-alarm; + + + + + + app_protect_security_log_enable on; + + app_protect_security_log /etc/nginx/waf/nac-logconfs/default-logconf; + + + + # server snippet + location /split { + rewrite ^ @split_0 last; + } + location /coffee { + 
rewrite ^ @match last; + } + location @hc-coffee { + + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + proxy_pass http://coffee-v2; + health_check uri=/ port=50 interval=5s jitter=0s + fails=1 passes=1 + mandatory persistent + keepalive_time=; + } + location @hc-tea { + + grpc_connect_timeout ; + grpc_read_timeout ; + grpc_send_timeout ; + grpc_pass grpc://tea-v3; + health_check port=50 interval=5s jitter=0s + fails=1 passes=1 + + type=grpc grpc_status=12 + grpc_service=tea-servicev2 keepalive_time=; + } + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_0 { + + default_type "application/json"; + + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_1 { + + + add_header Set-Cookie "cookie1=test" always; + + add_header Set-Cookie "cookie2=test; Secure" always; + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + + + location @return_0 { + default_type "text/html"; + + # status code is ignored here, using 0 + return 0 "Hello!"; + } + + + + location / { + set $service ""; + status_zone ""; + internal; + # location snippet + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req zone=loc_pol_rl_test_test_test + ; + + + proxy_ssl_certificate egress-mtls-secret.pem; + proxy_ssl_certificate_key egress-mtls-secret.pem; + + proxy_ssl_trusted_certificate trusted-cert.pem; + proxy_ssl_verify on; + proxy_ssl_verify_depth 1; + proxy_ssl_protocols TLSv1.3; + proxy_ssl_ciphers DEFAULT; + proxy_ssl_session_reuse on; + proxy_ssl_server_name on; + proxy_ssl_name ; + set $default_connection_header close; + rewrite $request_uri $request_uri; + rewrite $request_uri $request_uri; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + proxy_max_temp_file_size 1024m; + + proxy_buffering on; + proxy_buffers 8 4k; + proxy_buffer_size 4k; + proxy_http_version 1.1; + proxy_set_header Upgrade 
$http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_hide_header Header; + proxy_pass_header Host; + proxy_ignore_headers Cache; + add_header Header-Name "Header Value" always; + proxy_pass http://test-upstream$request_uri; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc0 { + set $service ""; + status_zone ""; + + + error_page 400 500 =200 "@error_page_1"; + error_page 500 "@error_page_2"; + proxy_intercept_errors on; + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc1 { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc2 { + set $service ""; + status_zone ""; + + + error_page 400 = @grpc_internal; + error_page 401 = @grpc_unauthenticated; + error_page 403 = @grpc_permission_denied; + error_page 404 = @grpc_unimplemented; + error_page 429 = @grpc_unavailable; + error_page 502 = @grpc_unavailable; + error_page 503 = @grpc_unavailable; + error_page 504 = @grpc_unavailable; + error_page 405 = @grpc_internal; + error_page 408 = @grpc_deadline_exceeded; + error_page 413 = @grpc_resource_exhausted; + error_page 414 = @grpc_resource_exhausted; + error_page 415 = @grpc_internal; + error_page 426 = @grpc_internal; + error_page 495 = @grpc_unauthenticated; + error_page 496 = @grpc_unauthenticated; + error_page 497 = @grpc_internal; + error_page 500 = @grpc_internal; + error_page 501 = @grpc_internal; + set $default_connection_header close; + grpc_connect_timeout 30s; + grpc_read_timeout 31s; + grpc_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + grpc_set_header X-Real-IP $remote_addr; + grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + grpc_set_header X-Forwarded-Host $host; + grpc_set_header X-Forwarded-Port $server_port; + grpc_set_header X-Forwarded-Proto $scheme; + grpc_pass grpc://coffee-v3; + grpc_next_upstream ; + grpc_next_upstream_timeout ; + grpc_next_upstream_tries 0; + } + location @match_loc_0 { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + 
proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @match_loc_default { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location /return { + set $service ""; + status_zone ""; + + + error_page 418 =200 "@return_0"; + proxy_intercept_errors on; + proxy_pass http://unix:/var/lib/nginx/nginx-418-server.sock; + set $default_connection_header close; + } + + location @grpc_deadline_exceeded { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 4; + add_header grpc-message 'deadline exceeded'; + return 204; + } + + location @grpc_permission_denied { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 7; + add_header grpc-message 'permission denied'; + return 204; + } + + location @grpc_resource_exhausted { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 8; + 
add_header grpc-message 'resource exhausted'; + return 204; + } + + location @grpc_unimplemented { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 12; + add_header grpc-message unimplemented; + return 204; + } + + location @grpc_internal { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 13; + add_header grpc-message 'internal error'; + return 204; + } + + location @grpc_unavailable { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 14; + add_header grpc-message unavailable; + return 204; + } + + location @grpc_unauthenticated { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 16; + add_header grpc-message unauthenticated; + return 204; + } + + + +} + +--- + +[TestExecuteVirtualServerTemplate_RendersTemplateWithServerGunzipNotSet - 1] + +upstream test-upstream { + zone test-upstream 256k; + random; + server 10.0.0.20:8001 max_fails=4 fail_timeout=10s slow_start=10s max_conns=31; + keepalive 32; + queue 10 timeout=60s; + sticky cookie test expires=25s path=/tea; + + ntlm; +} + +upstream coffee-v1 { + zone coffee-v1 256k; + server 10.0.0.31:8001 max_fails=8 fail_timeout=15s max_conns=2; + + +} + +upstream coffee-v2 { + zone coffee-v2 256k; + server 10.0.0.32:8001 max_fails=12 fail_timeout=20s max_conns=4; + + +} + +split_clients $request_id $split_0 { + 50% @loc0; + 50% @loc1; +} +map $match_0_0 $match { + ~^1 @match_loc_0; + default @match_loc_default; +} +map $http_x_version $match_0_0 { + v2 1; + default 0; +} +# HTTP snippet +limit_req_zone $url zone=pol_rl_test_test_test:10m rate=10r/s; + +server { + listen 80 proxy_protocol; + listen [::]:80 proxy_protocol; + + + server_name example.com; + status_zone example.com; + set $resource_type "virtualserver"; + set $resource_name ""; + set $resource_namespace ""; + listen 443 ssl proxy_protocol; + listen 
[::]:443 ssl proxy_protocol; + + http2 on; + ssl_certificate cafe-secret.pem; + ssl_certificate_key cafe-secret.pem; + ssl_client_certificate ingress-mtls-secret; + ssl_verify_client on; + ssl_verify_depth 2; + if ($scheme = 'http') { + return 301 https://$host$request_uri; + } + + server_tokens "off"; + set_real_ip_from 0.0.0.0/0; + real_ip_header X-Real-IP; + real_ip_recursive on; + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req_log_level error; + limit_req_status 503; + limit_req zone=pol_rl_test_test_test burst=5 + delay=10; + auth_jwt "My Api"; + auth_jwt_key_file jwk-secret; + app_protect_enable on; + + app_protect_policy_file /etc/nginx/waf/nac-policies/default-dataguard-alarm; + + + + + + app_protect_security_log_enable on; + + app_protect_security_log /etc/nginx/waf/nac-logconfs/default-logconf; + + + + # server snippet + location /split { + rewrite ^ @split_0 last; + } + location /coffee { + rewrite ^ @match last; + } + location @hc-coffee { + + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + proxy_pass http://coffee-v2; + health_check uri=/ port=50 interval=5s jitter=0s + fails=1 passes=1 + mandatory persistent + keepalive_time=; + } + location @hc-tea { + + grpc_connect_timeout ; + grpc_read_timeout ; + grpc_send_timeout ; + grpc_pass grpc://tea-v3; + health_check port=50 interval=5s jitter=0s + fails=1 passes=1 + + type=grpc grpc_status=12 + grpc_service=tea-servicev2 keepalive_time=; + } + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_0 { + + default_type "application/json"; + + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_1 { + + + add_header Set-Cookie "cookie1=test" always; + + add_header Set-Cookie "cookie2=test; Secure" always; + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + + + location @return_0 { + default_type "text/html"; + + # status code is ignored here, using 0 + return 
0 "Hello!"; + } + + + + location / { + set $service ""; + status_zone ""; + internal; + # location snippet + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req zone=loc_pol_rl_test_test_test + ; + + + proxy_ssl_certificate egress-mtls-secret.pem; + proxy_ssl_certificate_key egress-mtls-secret.pem; + + proxy_ssl_trusted_certificate trusted-cert.pem; + proxy_ssl_verify on; + proxy_ssl_verify_depth 1; + proxy_ssl_protocols TLSv1.3; + proxy_ssl_ciphers DEFAULT; + proxy_ssl_session_reuse on; + proxy_ssl_server_name on; + proxy_ssl_name ; + set $default_connection_header close; + rewrite $request_uri $request_uri; + rewrite $request_uri $request_uri; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + proxy_max_temp_file_size 1024m; + + proxy_buffering on; + proxy_buffers 8 4k; + proxy_buffer_size 4k; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_hide_header Header; + proxy_pass_header Host; + proxy_ignore_headers Cache; + add_header Header-Name "Header Value" always; + proxy_pass http://test-upstream$request_uri; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc0 { + set $service ""; + status_zone ""; + + + error_page 400 500 =200 "@error_page_1"; + error_page 500 "@error_page_2"; + proxy_intercept_errors on; + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header 
Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc1 { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc2 { + set $service ""; + status_zone ""; + + + error_page 400 = @grpc_internal; + error_page 401 = @grpc_unauthenticated; + error_page 403 = @grpc_permission_denied; + error_page 404 = @grpc_unimplemented; + error_page 429 = @grpc_unavailable; + error_page 502 = @grpc_unavailable; + error_page 503 = @grpc_unavailable; + error_page 504 = @grpc_unavailable; + error_page 405 = @grpc_internal; + error_page 408 = @grpc_deadline_exceeded; + error_page 413 = @grpc_resource_exhausted; + error_page 414 = @grpc_resource_exhausted; + error_page 415 = @grpc_internal; + error_page 426 = @grpc_internal; + error_page 495 = @grpc_unauthenticated; + error_page 496 = @grpc_unauthenticated; + error_page 497 = @grpc_internal; + error_page 500 = @grpc_internal; + error_page 
501 = @grpc_internal; + set $default_connection_header close; + grpc_connect_timeout 30s; + grpc_read_timeout 31s; + grpc_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + grpc_set_header X-Real-IP $remote_addr; + grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + grpc_set_header X-Forwarded-Host $host; + grpc_set_header X-Forwarded-Port $server_port; + grpc_set_header X-Forwarded-Proto $scheme; + grpc_pass grpc://coffee-v3; + grpc_next_upstream ; + grpc_next_upstream_timeout ; + grpc_next_upstream_tries 0; + } + location @match_loc_0 { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @match_loc_default { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass 
http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location /return { + set $service ""; + status_zone ""; + + + error_page 418 =200 "@return_0"; + proxy_intercept_errors on; + proxy_pass http://unix:/var/lib/nginx/nginx-418-server.sock; + set $default_connection_header close; + } + + location @grpc_deadline_exceeded { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 4; + add_header grpc-message 'deadline exceeded'; + return 204; + } + + location @grpc_permission_denied { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 7; + add_header grpc-message 'permission denied'; + return 204; + } + + location @grpc_resource_exhausted { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 8; + add_header grpc-message 'resource exhausted'; + return 204; + } + + location @grpc_unimplemented { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 12; + add_header grpc-message unimplemented; + return 204; + } + + location @grpc_internal { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 13; + add_header grpc-message 'internal error'; + return 204; + } + + location @grpc_unavailable { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 14; + add_header grpc-message unavailable; + return 204; + } + + location @grpc_unauthenticated { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 16; + add_header grpc-message unauthenticated; + return 204; + } + + + +} + +--- + +[TestExecuteVirtualServerTemplate_RendersTemplateWithServerGunzipOff - 1] + +upstream test-upstream { + zone test-upstream 256k; + random; + server 10.0.0.20:8001 max_fails=4 fail_timeout=10s 
slow_start=10s max_conns=31; + keepalive 32; + queue 10 timeout=60s; + sticky cookie test expires=25s path=/tea; + + ntlm; +} + +upstream coffee-v1 { + zone coffee-v1 256k; + server 10.0.0.31:8001 max_fails=8 fail_timeout=15s max_conns=2; + + +} + +upstream coffee-v2 { + zone coffee-v2 256k; + server 10.0.0.32:8001 max_fails=12 fail_timeout=20s max_conns=4; + + +} + +split_clients $request_id $split_0 { + 50% @loc0; + 50% @loc1; +} +map $match_0_0 $match { + ~^1 @match_loc_0; + default @match_loc_default; +} +map $http_x_version $match_0_0 { + v2 1; + default 0; +} +# HTTP snippet +limit_req_zone $url zone=pol_rl_test_test_test:10m rate=10r/s; + +server { + listen 80 proxy_protocol; + listen [::]:80 proxy_protocol; + + + server_name example.com; + status_zone example.com; + set $resource_type "virtualserver"; + set $resource_name ""; + set $resource_namespace ""; + listen 443 ssl proxy_protocol; + listen [::]:443 ssl proxy_protocol; + + http2 on; + ssl_certificate cafe-secret.pem; + ssl_certificate_key cafe-secret.pem; + ssl_client_certificate ingress-mtls-secret; + ssl_verify_client on; + ssl_verify_depth 2; + if ($scheme = 'http') { + return 301 https://$host$request_uri; + } + + server_tokens "off"; + set_real_ip_from 0.0.0.0/0; + real_ip_header X-Real-IP; + real_ip_recursive on; + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req_log_level error; + limit_req_status 503; + limit_req zone=pol_rl_test_test_test burst=5 + delay=10; + auth_jwt "My Api"; + auth_jwt_key_file jwk-secret; + app_protect_enable on; + + app_protect_policy_file /etc/nginx/waf/nac-policies/default-dataguard-alarm; + + + + + + app_protect_security_log_enable on; + + app_protect_security_log /etc/nginx/waf/nac-logconfs/default-logconf; + + + + # server snippet + location /split { + rewrite ^ @split_0 last; + } + location /coffee { + rewrite ^ @match last; + } + location @hc-coffee { + + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + proxy_pass 
http://coffee-v2; + health_check uri=/ port=50 interval=5s jitter=0s + fails=1 passes=1 + mandatory persistent + keepalive_time=; + } + location @hc-tea { + + grpc_connect_timeout ; + grpc_read_timeout ; + grpc_send_timeout ; + grpc_pass grpc://tea-v3; + health_check port=50 interval=5s jitter=0s + fails=1 passes=1 + + type=grpc grpc_status=12 + grpc_service=tea-servicev2 keepalive_time=; + } + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_0 { + + default_type "application/json"; + + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_1 { + + + add_header Set-Cookie "cookie1=test" always; + + add_header Set-Cookie "cookie2=test; Secure" always; + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + + + location @return_0 { + default_type "text/html"; + + # status code is ignored here, using 0 + return 0 "Hello!"; + } + + + + location / { + set $service ""; + status_zone ""; + internal; + # location snippet + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req zone=loc_pol_rl_test_test_test + ; + + + proxy_ssl_certificate egress-mtls-secret.pem; + proxy_ssl_certificate_key egress-mtls-secret.pem; + + proxy_ssl_trusted_certificate trusted-cert.pem; + proxy_ssl_verify on; + proxy_ssl_verify_depth 1; + proxy_ssl_protocols TLSv1.3; + proxy_ssl_ciphers DEFAULT; + proxy_ssl_session_reuse on; + proxy_ssl_server_name on; + proxy_ssl_name ; + set $default_connection_header close; + rewrite $request_uri $request_uri; + rewrite $request_uri $request_uri; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + proxy_max_temp_file_size 1024m; + + proxy_buffering on; + proxy_buffers 8 4k; + proxy_buffer_size 4k; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP 
$remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_hide_header Header; + proxy_pass_header Host; + proxy_ignore_headers Cache; + add_header Header-Name "Header Value" always; + proxy_pass http://test-upstream$request_uri; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc0 { + set $service ""; + status_zone ""; + + + error_page 400 500 =200 "@error_page_1"; + error_page 500 "@error_page_2"; + proxy_intercept_errors on; + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc1 { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header 
X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc2 { + set $service ""; + status_zone ""; + + + error_page 400 = @grpc_internal; + error_page 401 = @grpc_unauthenticated; + error_page 403 = @grpc_permission_denied; + error_page 404 = @grpc_unimplemented; + error_page 429 = @grpc_unavailable; + error_page 502 = @grpc_unavailable; + error_page 503 = @grpc_unavailable; + error_page 504 = @grpc_unavailable; + error_page 405 = @grpc_internal; + error_page 408 = @grpc_deadline_exceeded; + error_page 413 = @grpc_resource_exhausted; + error_page 414 = @grpc_resource_exhausted; + error_page 415 = @grpc_internal; + error_page 426 = @grpc_internal; + error_page 495 = @grpc_unauthenticated; + error_page 496 = @grpc_unauthenticated; + error_page 497 = @grpc_internal; + error_page 500 = @grpc_internal; + error_page 501 = @grpc_internal; + set $default_connection_header close; + grpc_connect_timeout 30s; + grpc_read_timeout 31s; + grpc_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + grpc_set_header X-Real-IP $remote_addr; + grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + grpc_set_header X-Forwarded-Host $host; + grpc_set_header X-Forwarded-Port $server_port; + grpc_set_header X-Forwarded-Proto $scheme; + grpc_pass grpc://coffee-v3; + grpc_next_upstream ; + grpc_next_upstream_timeout ; + grpc_next_upstream_tries 0; + } + location @match_loc_0 { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + 
proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @match_loc_default { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location /return { + set $service ""; + status_zone ""; + + + error_page 418 =200 "@return_0"; + proxy_intercept_errors on; + proxy_pass http://unix:/var/lib/nginx/nginx-418-server.sock; + set $default_connection_header close; + } + + location @grpc_deadline_exceeded { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 4; + add_header grpc-message 'deadline exceeded'; + return 204; + } + + location @grpc_permission_denied { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 7; + add_header grpc-message 'permission denied'; + return 204; + } + + location @grpc_resource_exhausted { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 8; + add_header grpc-message 'resource exhausted'; + return 204; + } + + location @grpc_unimplemented { + default_type application/grpc; + add_header 
content-type application/grpc; + add_header grpc-status 12; + add_header grpc-message unimplemented; + return 204; + } + + location @grpc_internal { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 13; + add_header grpc-message 'internal error'; + return 204; + } + + location @grpc_unavailable { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 14; + add_header grpc-message unavailable; + return 204; + } + + location @grpc_unauthenticated { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 16; + add_header grpc-message unauthenticated; + return 204; + } + + + +} + +--- + +[TestExecuteVirtualServerTemplate_RendersTemplateWithServerGunzipOn - 1] + +upstream test-upstream { + zone test-upstream 256k; + random; + server 10.0.0.20:8001 max_fails=4 fail_timeout=10s slow_start=10s max_conns=31; + keepalive 32; + queue 10 timeout=60s; + sticky cookie test expires=25s path=/tea; + + ntlm; +} + +upstream coffee-v1 { + zone coffee-v1 256k; + server 10.0.0.31:8001 max_fails=8 fail_timeout=15s max_conns=2; + + +} + +upstream coffee-v2 { + zone coffee-v2 256k; + server 10.0.0.32:8001 max_fails=12 fail_timeout=20s max_conns=4; + + +} + +split_clients $request_id $split_0 { + 50% @loc0; + 50% @loc1; +} +map $match_0_0 $match { + ~^1 @match_loc_0; + default @match_loc_default; +} +map $http_x_version $match_0_0 { + v2 1; + default 0; +} +# HTTP snippet +limit_req_zone $url zone=pol_rl_test_test_test:10m rate=10r/s; + +server {gunzip on; + listen 80 proxy_protocol; + listen [::]:80 proxy_protocol; + + + server_name example.com; + status_zone example.com; + set $resource_type "virtualserver"; + set $resource_name ""; + set $resource_namespace ""; + listen 443 ssl proxy_protocol; + listen [::]:443 ssl proxy_protocol; + + http2 on; + ssl_certificate cafe-secret.pem; + ssl_certificate_key cafe-secret.pem; + ssl_client_certificate 
ingress-mtls-secret; + ssl_verify_client on; + ssl_verify_depth 2; + if ($scheme = 'http') { + return 301 https://$host$request_uri; + } + + server_tokens "off"; + set_real_ip_from 0.0.0.0/0; + real_ip_header X-Real-IP; + real_ip_recursive on; + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req_log_level error; + limit_req_status 503; + limit_req zone=pol_rl_test_test_test burst=5 + delay=10; + auth_jwt "My Api"; + auth_jwt_key_file jwk-secret; + app_protect_enable on; + + app_protect_policy_file /etc/nginx/waf/nac-policies/default-dataguard-alarm; + + + + + + app_protect_security_log_enable on; + + app_protect_security_log /etc/nginx/waf/nac-logconfs/default-logconf; + + + + # server snippet + location /split { + rewrite ^ @split_0 last; + } + location /coffee { + rewrite ^ @match last; + } + location @hc-coffee { + + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + proxy_pass http://coffee-v2; + health_check uri=/ port=50 interval=5s jitter=0s + fails=1 passes=1 + mandatory persistent + keepalive_time=; + } + location @hc-tea { + + grpc_connect_timeout ; + grpc_read_timeout ; + grpc_send_timeout ; + grpc_pass grpc://tea-v3; + health_check port=50 interval=5s jitter=0s + fails=1 passes=1 + + type=grpc grpc_status=12 + grpc_service=tea-servicev2 keepalive_time=; + } + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_0 { + + default_type "application/json"; + + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_1 { + + + add_header Set-Cookie "cookie1=test" always; + + add_header Set-Cookie "cookie2=test; Secure" always; + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + + + location @return_0 { + default_type "text/html"; + + # status code is ignored here, using 0 + return 0 "Hello!"; + } + + + + location / { + set $service ""; + status_zone ""; + internal; + # location snippet + allow 127.0.0.1; + deny all; + 
deny 127.0.0.1; + allow all; + limit_req zone=loc_pol_rl_test_test_test + ; + + + proxy_ssl_certificate egress-mtls-secret.pem; + proxy_ssl_certificate_key egress-mtls-secret.pem; + + proxy_ssl_trusted_certificate trusted-cert.pem; + proxy_ssl_verify on; + proxy_ssl_verify_depth 1; + proxy_ssl_protocols TLSv1.3; + proxy_ssl_ciphers DEFAULT; + proxy_ssl_session_reuse on; + proxy_ssl_server_name on; + proxy_ssl_name ; + set $default_connection_header close; + rewrite $request_uri $request_uri; + rewrite $request_uri $request_uri; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + proxy_max_temp_file_size 1024m; + + proxy_buffering on; + proxy_buffers 8 4k; + proxy_buffer_size 4k; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_hide_header Header; + proxy_pass_header Host; + proxy_ignore_headers Cache; + add_header Header-Name "Header Value" always; + proxy_pass http://test-upstream$request_uri; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc0 { + set $service ""; + status_zone ""; + + + error_page 400 500 =200 "@error_page_1"; + error_page 500 "@error_page_2"; + proxy_intercept_errors on; + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header 
X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc1 { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc2 { + set $service ""; + status_zone ""; + + + error_page 400 = @grpc_internal; + error_page 401 = @grpc_unauthenticated; + error_page 403 = @grpc_permission_denied; + error_page 404 = @grpc_unimplemented; + error_page 429 = @grpc_unavailable; + error_page 502 = @grpc_unavailable; + error_page 503 = @grpc_unavailable; + error_page 504 = @grpc_unavailable; + error_page 405 = @grpc_internal; + error_page 408 = @grpc_deadline_exceeded; + error_page 413 = @grpc_resource_exhausted; + error_page 414 = @grpc_resource_exhausted; + error_page 415 = @grpc_internal; + error_page 426 = @grpc_internal; + error_page 495 = @grpc_unauthenticated; + error_page 496 = @grpc_unauthenticated; + error_page 497 = @grpc_internal; + error_page 500 = @grpc_internal; + error_page 501 = @grpc_internal; + set $default_connection_header close; + grpc_connect_timeout 30s; + grpc_read_timeout 31s; + 
grpc_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + grpc_set_header X-Real-IP $remote_addr; + grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + grpc_set_header X-Forwarded-Host $host; + grpc_set_header X-Forwarded-Port $server_port; + grpc_set_header X-Forwarded-Proto $scheme; + grpc_pass grpc://coffee-v3; + grpc_next_upstream ; + grpc_next_upstream_timeout ; + grpc_next_upstream_tries 0; + } + location @match_loc_0 { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @match_loc_default { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + 
location /return { + set $service ""; + status_zone ""; + + + error_page 418 =200 "@return_0"; + proxy_intercept_errors on; + proxy_pass http://unix:/var/lib/nginx/nginx-418-server.sock; + set $default_connection_header close; + } + + location @grpc_deadline_exceeded { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 4; + add_header grpc-message 'deadline exceeded'; + return 204; + } + + location @grpc_permission_denied { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 7; + add_header grpc-message 'permission denied'; + return 204; + } + + location @grpc_resource_exhausted { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 8; + add_header grpc-message 'resource exhausted'; + return 204; + } + + location @grpc_unimplemented { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 12; + add_header grpc-message unimplemented; + return 204; + } + + location @grpc_internal { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 13; + add_header grpc-message 'internal error'; + return 204; + } + + location @grpc_unavailable { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 14; + add_header grpc-message unavailable; + return 204; + } + + location @grpc_unauthenticated { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 16; + add_header grpc-message unauthenticated; + return 204; + } + + + +} + +--- + +[TestExecuteVirtualServerTemplate_RendersTemplateWithSessionCookieSameSite - 1] + +upstream test-upstream { + zone test-upstream 256k; + random; + server 10.0.0.20:8001 max_fails=4 fail_timeout=10s slow_start=10s max_conns=31; + keepalive 32; + queue 10 timeout=60s; + sticky cookie test expires=25s samesite=strict 
path=/tea; + + ntlm; +} + +upstream coffee-v1 { + zone coffee-v1 256k; + server 10.0.0.31:8001 max_fails=8 fail_timeout=15s max_conns=2; + + +} + +upstream coffee-v2 { + zone coffee-v2 256k; + server 10.0.0.32:8001 max_fails=12 fail_timeout=20s max_conns=4; + + +} + +split_clients $request_id $split_0 { + 50% @loc0; + 50% @loc1; +} +map $match_0_0 $match { + ~^1 @match_loc_0; + default @match_loc_default; +} +map $http_x_version $match_0_0 { + v2 1; + default 0; +} +# HTTP snippet +limit_req_zone $url zone=pol_rl_test_test_test:10m rate=10r/s; + +server { + listen 80 proxy_protocol; + listen [::]:80 proxy_protocol; + + + server_name example.com; + status_zone example.com; + set $resource_type "virtualserver"; + set $resource_name ""; + set $resource_namespace ""; + listen 443 ssl proxy_protocol; + listen [::]:443 ssl proxy_protocol; + + http2 on; + ssl_certificate cafe-secret.pem; + ssl_certificate_key cafe-secret.pem; + ssl_client_certificate ingress-mtls-secret; + ssl_verify_client on; + ssl_verify_depth 2; + if ($scheme = 'http') { + return 301 https://$host$request_uri; + } + + server_tokens "off"; + set_real_ip_from 0.0.0.0/0; + real_ip_header X-Real-IP; + real_ip_recursive on; + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req_log_level error; + limit_req_status 503; + limit_req zone=pol_rl_test_test_test burst=5 + delay=10; + auth_jwt "My Api"; + auth_jwt_key_file jwk-secret; + app_protect_enable on; + + app_protect_policy_file /etc/nginx/waf/nac-policies/default-dataguard-alarm; + + + + + + app_protect_security_log_enable on; + + app_protect_security_log /etc/nginx/waf/nac-logconfs/default-logconf; + + + + # server snippet + location /split { + rewrite ^ @split_0 last; + } + location /coffee { + rewrite ^ @match last; + } + location @hc-coffee { + + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + proxy_pass http://coffee-v2; + health_check uri=/ port=50 interval=5s jitter=0s + fails=1 passes=1 + mandatory 
persistent + keepalive_time=; + } + location @hc-tea { + + grpc_connect_timeout ; + grpc_read_timeout ; + grpc_send_timeout ; + grpc_pass grpc://tea-v3; + health_check port=50 interval=5s jitter=0s + fails=1 passes=1 + + type=grpc grpc_status=12 + grpc_service=tea-servicev2 keepalive_time=; + } + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_0 { + + default_type "application/json"; + + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_1 { + + + add_header Set-Cookie "cookie1=test" always; + + add_header Set-Cookie "cookie2=test; Secure" always; + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + + + location @return_0 { + default_type "text/html"; + + # status code is ignored here, using 0 + return 0 "Hello!"; + } + + + + location / { + set $service ""; + status_zone ""; + internal; + # location snippet + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req zone=loc_pol_rl_test_test_test + ; + + + proxy_ssl_certificate egress-mtls-secret.pem; + proxy_ssl_certificate_key egress-mtls-secret.pem; + + proxy_ssl_trusted_certificate trusted-cert.pem; + proxy_ssl_verify on; + proxy_ssl_verify_depth 1; + proxy_ssl_protocols TLSv1.3; + proxy_ssl_ciphers DEFAULT; + proxy_ssl_session_reuse on; + proxy_ssl_server_name on; + proxy_ssl_name ; + set $default_connection_header close; + rewrite $request_uri $request_uri; + rewrite $request_uri $request_uri; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + proxy_max_temp_file_size 1024m; + + proxy_buffering on; + proxy_buffers 8 4k; + proxy_buffer_size 4k; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header 
X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_hide_header Header; + proxy_pass_header Host; + proxy_ignore_headers Cache; + add_header Header-Name "Header Value" always; + proxy_pass http://test-upstream$request_uri; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc0 { + set $service ""; + status_zone ""; + + + error_page 400 500 =200 "@error_page_1"; + error_page 500 "@error_page_2"; + proxy_intercept_errors on; + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc1 { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + 
proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc2 { + set $service ""; + status_zone ""; + + + error_page 400 = @grpc_internal; + error_page 401 = @grpc_unauthenticated; + error_page 403 = @grpc_permission_denied; + error_page 404 = @grpc_unimplemented; + error_page 429 = @grpc_unavailable; + error_page 502 = @grpc_unavailable; + error_page 503 = @grpc_unavailable; + error_page 504 = @grpc_unavailable; + error_page 405 = @grpc_internal; + error_page 408 = @grpc_deadline_exceeded; + error_page 413 = @grpc_resource_exhausted; + error_page 414 = @grpc_resource_exhausted; + error_page 415 = @grpc_internal; + error_page 426 = @grpc_internal; + error_page 495 = @grpc_unauthenticated; + error_page 496 = @grpc_unauthenticated; + error_page 497 = @grpc_internal; + error_page 500 = @grpc_internal; + error_page 501 = @grpc_internal; + set $default_connection_header close; + grpc_connect_timeout 30s; + grpc_read_timeout 31s; + grpc_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + grpc_set_header X-Real-IP $remote_addr; + grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + grpc_set_header X-Forwarded-Host $host; + grpc_set_header X-Forwarded-Port $server_port; + grpc_set_header X-Forwarded-Proto $scheme; + grpc_pass grpc://coffee-v3; + grpc_next_upstream ; + grpc_next_upstream_timeout ; + grpc_next_upstream_tries 0; + } + location @match_loc_0 { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + 
proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @match_loc_default { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location /return { + set $service ""; + status_zone ""; + + + error_page 418 =200 "@return_0"; + proxy_intercept_errors on; + proxy_pass http://unix:/var/lib/nginx/nginx-418-server.sock; + set $default_connection_header close; + } + + location @grpc_deadline_exceeded { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 4; + add_header grpc-message 'deadline exceeded'; + return 204; + } + + location @grpc_permission_denied { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 7; + add_header grpc-message 'permission denied'; + return 204; + } + + location @grpc_resource_exhausted { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 8; + add_header grpc-message 'resource exhausted'; + return 204; + } + + location @grpc_unimplemented { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 12; + add_header grpc-message 
unimplemented; + return 204; + } + + location @grpc_internal { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 13; + add_header grpc-message 'internal error'; + return 204; + } + + location @grpc_unavailable { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 14; + add_header grpc-message unavailable; + return 204; + } + + location @grpc_unauthenticated { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 16; + add_header grpc-message unauthenticated; + return 204; + } + + + +} + +--- + +[TestTLSPassthroughHosts - 1] +# mapping between TLS Passthrough hosts and unix sockets + +app.example.com unix:/var/lib/nginx/passthrough-default_secure-app.sock; + + +--- + +[TestTransportServerForNginx - 1] + +upstream udp-upstream { + zone udp-upstream 512k; + server 10.0.0.20:5001 max_fails=0 fail_timeout= max_conns=0; +} +server { + proxy_requests 1; + proxy_responses 2; + + proxy_pass udp-upstream; + + proxy_timeout 10s; + proxy_connect_timeout 10s; + proxy_next_upstream on; + proxy_next_upstream_timeout 10s; + proxy_next_upstream_tries 5; +} + +--- + +[TestTransportServerWithSSL - 1] + +upstream udp-upstream { + zone udp-upstream 512k; + server 10.0.0.20:5001 max_fails=0 fail_timeout= max_conns=0; +} + + +match match_udp-upstream { + + send "GET / HTTP/1.0\r\nHost: localhost\r\n\r\n"; + + + + expect ~* "200 OK"; + +} +server { + listen 1234 ssl udp; + listen [::]:1234 ssl udp; + ssl_certificate cafe-secret.pem; + ssl_certificate_key cafe-secret.pem; + + status_zone udp-app; + proxy_requests 1; + proxy_responses 2; + + proxy_pass udp-upstream; + + + health_check interval=5s port=8080 + passes=1 jitter=0 fails=1 udp match=match_udp-upstream; + health_check_timeout 5s; + + + proxy_timeout 10s; + proxy_connect_timeout 10s; + proxy_next_upstream on; + proxy_next_upstream_timeout 10s; + proxy_next_upstream_tries 5; +} + +--- 
+ +[TestVirtualServerForNginx - 1] + +upstream test-upstream {zone test-upstream 256k; + random; + server 10.0.0.20:8001 max_fails=4 fail_timeout=10s max_conns=31; + keepalive 32; +} + +upstream coffee-v1 {zone coffee-v1 256k; + server 10.0.0.31:8001 max_fails=8 fail_timeout=15s max_conns=2; +} + +upstream coffee-v2 {zone coffee-v2 256k; + server 10.0.0.32:8001 max_fails=12 fail_timeout=20s max_conns=4; +} + +split_clients $request_id $split_0 { + 50% @loc0; + 50% @loc1; +} +map $match_0_0 $match { + ~^1 @match_loc_0; + default @match_loc_default; +} +map $http_x_version $match_0_0 { + v2 1; + default 0; +} +# HTTP snippet +limit_req_zone $url zone=pol_rl_test_test_test:10m rate=10r/s; +server { + listen 80 proxy_protocol; + listen [::]:80 proxy_protocol; + + + server_name example.com; + + set $resource_type "virtualserver"; + set $resource_name ""; + set $resource_namespace ""; + listen 443 ssl proxy_protocol; + listen [::]:443 ssl proxy_protocol; + + http2 on; + ssl_certificate cafe-secret.pem; + ssl_certificate_key cafe-secret.pem; + ssl_client_certificate ingress-mtls-secret; + ssl_verify_client on; + ssl_verify_depth 2; + if ($scheme = 'http') { + return 301 https://$host$request_uri; + } + + server_tokens "off"; + set_real_ip_from 0.0.0.0/0; + real_ip_header X-Real-IP; + real_ip_recursive on; + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req_log_level error; + limit_req_status 503; + limit_req zone=pol_rl_test_test_test burst=5 + delay=10; + # server snippet + location /split { + rewrite ^ @split_0 last; + } + location /coffee { + rewrite ^ @match last; + } + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_0 { + + default_type "application/json"; + + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_1 { + + + add_header Set-Cookie "cookie1=test" always; + + add_header Set-Cookie "cookie2=test; Secure" always; + + # status code is ignored here, using 
0 + return 0 "Hello World"; + } + + + + location @return_0 { + default_type "text/html"; + + # status code is ignored here, using 0 + return 0 "Hello!"; + } + + + + location / { + set $service ""; + internal; + # location snippet + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req zone=loc_pol_rl_test_test_test + ; + + + proxy_ssl_certificate egress-mtls-secret.pem; + proxy_ssl_certificate_key egress-mtls-secret.pem; + + proxy_ssl_trusted_certificate trusted-cert.pem; + proxy_ssl_verify on; + proxy_ssl_verify_depth 1; + proxy_ssl_protocols TLSv1.3; + proxy_ssl_ciphers DEFAULT; + proxy_ssl_session_reuse on; + proxy_ssl_server_name on; + proxy_ssl_name ; + set $default_connection_header close; + rewrite $request_uri $request_uri; + rewrite $request_uri $request_uri; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + proxy_max_temp_file_size 1024m; + + proxy_buffering on; + proxy_buffers 8 4k; + proxy_buffer_size 4k; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_hide_header Header; + proxy_pass_header Host; + proxy_ignore_headers Cache; + add_header Header-Name "Header Value" always; + proxy_pass http://test-upstream$request_uri; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc0 { + set $service ""; + + + error_page 400 500 =200 "@error_page_1"; + error_page 500 "@error_page_2"; + proxy_intercept_errors on; + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + 
proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc1 { + set $service ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc2 { + set $service ""; + + + error_page 400 = @grpc_internal; + error_page 401 = @grpc_unauthenticated; + error_page 403 = @grpc_permission_denied; + error_page 404 = @grpc_unimplemented; + error_page 429 = @grpc_unavailable; + error_page 502 = @grpc_unavailable; + error_page 503 = @grpc_unavailable; + error_page 504 = @grpc_unavailable; + error_page 405 = @grpc_internal; + error_page 408 = @grpc_deadline_exceeded; + error_page 413 = @grpc_resource_exhausted; + error_page 414 = @grpc_resource_exhausted; + error_page 415 = @grpc_internal; + error_page 426 = @grpc_internal; + error_page 495 = @grpc_unauthenticated; + error_page 496 = @grpc_unauthenticated; + 
error_page 497 = @grpc_internal; + error_page 500 = @grpc_internal; + error_page 501 = @grpc_internal; + set $default_connection_header close; + grpc_connect_timeout 30s; + grpc_read_timeout 31s; + grpc_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + grpc_set_header X-Real-IP $remote_addr; + grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + grpc_set_header X-Forwarded-Host $host; + grpc_set_header X-Forwarded-Port $server_port; + grpc_set_header X-Forwarded-Proto $scheme; + grpc_pass grpc://coffee-v3; + grpc_next_upstream ; + grpc_next_upstream_timeout ; + grpc_next_upstream_tries 0; + } + location @match_loc_0 { + set $service ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @match_loc_default { + set $service ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header 
X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location /return { + set $service ""; + + + error_page 418 =200 "@return_0"; + proxy_intercept_errors on; + proxy_pass http://unix:/var/lib/nginx/nginx-418-server.sock; + set $default_connection_header close; + } + + location @grpc_deadline_exceeded { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 4; + add_header grpc-message 'deadline exceeded'; + return 204; + } + + location @grpc_permission_denied { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 7; + add_header grpc-message 'permission denied'; + return 204; + } + + location @grpc_resource_exhausted { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 8; + add_header grpc-message 'resource exhausted'; + return 204; + } + + location @grpc_unimplemented { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 12; + add_header grpc-message unimplemented; + return 204; + } + + location @grpc_internal { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 13; + add_header grpc-message 'internal error'; + return 204; + } + + location @grpc_unavailable { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 14; + add_header grpc-message unavailable; + return 204; + } + + location @grpc_unauthenticated { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 16; + add_header grpc-message unauthenticated; + return 204; + } + + + +} + +--- + +[TestVirtualServerForNginxPlus - 1] + +upstream test-upstream { + zone test-upstream 256k; + random; + server 10.0.0.20:8001 max_fails=4 fail_timeout=10s slow_start=10s 
max_conns=31; + keepalive 32; + queue 10 timeout=60s; + sticky cookie test expires=25s path=/tea; + + ntlm; +} + +upstream coffee-v1 { + zone coffee-v1 256k; + server 10.0.0.31:8001 max_fails=8 fail_timeout=15s max_conns=2; + + +} + +upstream coffee-v2 { + zone coffee-v2 256k; + server 10.0.0.32:8001 max_fails=12 fail_timeout=20s max_conns=4; + + +} + +split_clients $request_id $split_0 { + 50% @loc0; + 50% @loc1; +} +map $match_0_0 $match { + ~^1 @match_loc_0; + default @match_loc_default; +} +map $http_x_version $match_0_0 { + v2 1; + default 0; +} +# HTTP snippet +limit_req_zone $url zone=pol_rl_test_test_test:10m rate=10r/s; + +server { + listen 80 proxy_protocol; + listen [::]:80 proxy_protocol; + + + server_name example.com; + status_zone example.com; + set $resource_type "virtualserver"; + set $resource_name ""; + set $resource_namespace ""; + listen 443 ssl proxy_protocol; + listen [::]:443 ssl proxy_protocol; + + http2 on; + ssl_certificate cafe-secret.pem; + ssl_certificate_key cafe-secret.pem; + ssl_client_certificate ingress-mtls-secret; + ssl_verify_client on; + ssl_verify_depth 2; + if ($scheme = 'http') { + return 301 https://$host$request_uri; + } + + server_tokens "off"; + set_real_ip_from 0.0.0.0/0; + real_ip_header X-Real-IP; + real_ip_recursive on; + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req_log_level error; + limit_req_status 503; + limit_req zone=pol_rl_test_test_test burst=5 + delay=10; + auth_jwt "My Api"; + auth_jwt_key_file jwk-secret; + app_protect_enable on; + + app_protect_policy_file /etc/nginx/waf/nac-policies/default-dataguard-alarm; + + + + + + app_protect_security_log_enable on; + + app_protect_security_log /etc/nginx/waf/nac-logconfs/default-logconf; + + + + # server snippet + location /split { + rewrite ^ @split_0 last; + } + location /coffee { + rewrite ^ @match last; + } + location @hc-coffee { + + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + proxy_pass http://coffee-v2; 
+ health_check uri=/ port=50 interval=5s jitter=0s + fails=1 passes=1 + mandatory persistent + keepalive_time=; + } + location @hc-tea { + + grpc_connect_timeout ; + grpc_read_timeout ; + grpc_send_timeout ; + grpc_pass grpc://tea-v3; + health_check port=50 interval=5s jitter=0s + fails=1 passes=1 + + type=grpc grpc_status=12 + grpc_service=tea-servicev2 keepalive_time=; + } + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_0 { + + default_type "application/json"; + + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_1 { + + + add_header Set-Cookie "cookie1=test" always; + + add_header Set-Cookie "cookie2=test; Secure" always; + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + + + location @return_0 { + default_type "text/html"; + + # status code is ignored here, using 0 + return 0 "Hello!"; + } + + + + location / { + set $service ""; + status_zone ""; + internal; + # location snippet + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req zone=loc_pol_rl_test_test_test + ; + + + proxy_ssl_certificate egress-mtls-secret.pem; + proxy_ssl_certificate_key egress-mtls-secret.pem; + + proxy_ssl_trusted_certificate trusted-cert.pem; + proxy_ssl_verify on; + proxy_ssl_verify_depth 1; + proxy_ssl_protocols TLSv1.3; + proxy_ssl_ciphers DEFAULT; + proxy_ssl_session_reuse on; + proxy_ssl_server_name on; + proxy_ssl_name ; + set $default_connection_header close; + rewrite $request_uri $request_uri; + rewrite $request_uri $request_uri; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + proxy_max_temp_file_size 1024m; + + proxy_buffering on; + proxy_buffers 8 4k; + proxy_buffer_size 4k; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + 
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_hide_header Header; + proxy_pass_header Host; + proxy_ignore_headers Cache; + add_header Header-Name "Header Value" always; + proxy_pass http://test-upstream$request_uri; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc0 { + set $service ""; + status_zone ""; + + + error_page 400 500 =200 "@error_page_1"; + error_page 500 "@error_page_2"; + proxy_intercept_errors on; + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc1 { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + 
proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc2 { + set $service ""; + status_zone ""; + + + error_page 400 = @grpc_internal; + error_page 401 = @grpc_unauthenticated; + error_page 403 = @grpc_permission_denied; + error_page 404 = @grpc_unimplemented; + error_page 429 = @grpc_unavailable; + error_page 502 = @grpc_unavailable; + error_page 503 = @grpc_unavailable; + error_page 504 = @grpc_unavailable; + error_page 405 = @grpc_internal; + error_page 408 = @grpc_deadline_exceeded; + error_page 413 = @grpc_resource_exhausted; + error_page 414 = @grpc_resource_exhausted; + error_page 415 = @grpc_internal; + error_page 426 = @grpc_internal; + error_page 495 = @grpc_unauthenticated; + error_page 496 = @grpc_unauthenticated; + error_page 497 = @grpc_internal; + error_page 500 = @grpc_internal; + error_page 501 = @grpc_internal; + set $default_connection_header close; + grpc_connect_timeout 30s; + grpc_read_timeout 31s; + grpc_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + grpc_set_header X-Real-IP $remote_addr; + grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + grpc_set_header X-Forwarded-Host $host; + grpc_set_header X-Forwarded-Port $server_port; + grpc_set_header X-Forwarded-Proto $scheme; + grpc_pass grpc://coffee-v3; + grpc_next_upstream ; + grpc_next_upstream_timeout ; + grpc_next_upstream_tries 0; + } + location @match_loc_0 { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header 
X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @match_loc_default { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location /return { + set $service ""; + status_zone ""; + + + error_page 418 =200 "@return_0"; + proxy_intercept_errors on; + proxy_pass http://unix:/var/lib/nginx/nginx-418-server.sock; + set $default_connection_header close; + } + + location @grpc_deadline_exceeded { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 4; + add_header grpc-message 'deadline exceeded'; + return 204; + } + + location @grpc_permission_denied { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 7; + add_header grpc-message 'permission denied'; + return 204; + } + + location @grpc_resource_exhausted { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 8; + add_header grpc-message 'resource exhausted'; + return 204; + } + + location @grpc_unimplemented { + default_type application/grpc; + add_header content-type 
application/grpc; + add_header grpc-status 12; + add_header grpc-message unimplemented; + return 204; + } + + location @grpc_internal { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 13; + add_header grpc-message 'internal error'; + return 204; + } + + location @grpc_unavailable { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 14; + add_header grpc-message unavailable; + return 204; + } + + location @grpc_unauthenticated { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 16; + add_header grpc-message unauthenticated; + return 204; + } + + + +} + +--- diff --git a/internal/configs/version2/templates_test.go b/internal/configs/version2/templates_test.go index 28ea24e599..b9860be9be 100644 --- a/internal/configs/version2/templates_test.go +++ b/internal/configs/version2/templates_test.go @@ -3,9 +3,21 @@ package version2 import ( "bytes" "fmt" + "os" "testing" + + "github.com/gkampitakis/go-snaps/snaps" ) +func TestMain(m *testing.M) { + v := m.Run() + + // After all tests have run `go-snaps` will sort snapshots + snaps.Clean(m, snaps.CleanOpts{Sort: true}) + + os.Exit(v) +} + func createPointerFromInt(n int) *int { return &n } @@ -35,6 +47,7 @@ func TestVirtualServerForNginxPlus(t *testing.T) { if err != nil { t.Errorf("Failed to execute template: %v", err) } + snaps.MatchSnapshot(t, string(data)) t.Log(string(data)) } @@ -48,6 +61,7 @@ func TestExecuteVirtualServerTemplate_RendersTemplateWithServerGunzipOn(t *testi if !bytes.Contains(got, []byte("gunzip on;")) { t.Error("want `gunzip on` directive, got no directive") } + snaps.MatchSnapshot(t, string(got)) t.Log(string(got)) } 
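Review bot: The comment in `TestMain` mentions only sorting, while `snaps.Clean` is, as far as the go-snaps documentation describes it, also the call that checks for snapshots no test uses any more. Both are worth stating for whoever maintains the `.snap` files, for example `// Clean checks for obsolete snapshots; Sort keeps the .snap file order stable across runs.` The value passed to `os.Exit` comes from `m.Run()` alone, so whatever `Clean` finds does not by itself change the exit code in this hunk.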
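Review bot: In `TestVirtualServerForNginxPlus` the added `snaps.MatchSnapshot(t, string(data))` still runs after a failed template execution, because the check just above it uses `t.Errorf`, which records the failure and continues. The snapshot comparison is then made against whatever `data` holds on error, and when snapshots are being updated that output could presumably be written into the `.snap` file. Stopping the test first avoids this: `t.Fatalf("Failed to execute template: %v", err)`. The same `t.Errorf`-then-`MatchSnapshot` sequence appears in the hunks for `TestVirtualServerForNginx`, `TestExecuteTemplateForTransportServerWithResolver`, `TestTransportServerForNginx`, `TestTransportServerWithSSL` and `TestTLSPassthroughHosts`. Each of these functions starts outside its hunk.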
@@ -61,6 +75,7 @@ func TestExecuteVirtualServerTemplate_RendersTemplateWithServerGunzipOff(t *test if bytes.Contains(got, []byte("gunzip on;")) { t.Error("want no directive, got `gunzip on`") } + snaps.MatchSnapshot(t, string(got)) t.Log(string(got)) } @@ -74,6 +89,7 @@ func TestExecuteVirtualServerTemplate_RendersTemplateWithServerGunzipNotSet(t *t if bytes.Contains(got, []byte("gunzip on;")) { t.Error("want no directive, got `gunzip on` directive") } + snaps.MatchSnapshot(t, string(got)) t.Log(string(got)) } @@ -87,6 +103,7 @@ func TestExecuteVirtualServerTemplate_RendersTemplateWithSessionCookieSameSite(t if !bytes.Contains(got, []byte("samesite=strict")) { t.Error("want `samesite=strict` in generated template") } + snaps.MatchSnapshot(t, string(got)) t.Log(string(got)) } @@ -108,6 +125,7 @@ func TestExecuteVirtualServerTemplate_RendersTemplateWithCustomListener(t *testi t.Errorf("want `%s` in generated template", want) } } + snaps.MatchSnapshot(t, string(got)) t.Log(string(got)) } @@ -136,6 +154,7 @@ func TestExecuteVirtualServerTemplate_RendersTemplateWithCustomListenerHTTPOnly( t.Errorf("unwant `%s` in generated template", want) } } + snaps.MatchSnapshot(t, string(got)) t.Log(string(got)) } @@ -164,6 +183,7 @@ func TestExecuteVirtualServerTemplate_RendersTemplateWithCustomListenerHTTPSOnly t.Errorf("want no `%s` in generated template", want) } } + snaps.MatchSnapshot(t, string(got)) t.Log(string(got)) } @@ -195,6 +215,7 @@ func TestExecuteVirtualServerTemplate_RendersPlusTemplateWithHTTP2On(t *testing. t.Errorf("unwant `%s` in generated template", want) } } + snaps.MatchSnapshot(t, string(got)) t.Log(string(got)) } @@ -225,6 +246,7 @@ func TestExecuteVirtualServerTemplate_RendersPlusTemplateWithHTTP2Off(t *testing t.Errorf("unwant `%s` in generated template", want) } } + snaps.MatchSnapshot(t, string(got)) t.Log(string(got)) } 
@@ -257,6 +279,7 @@ func TestExecuteVirtualServerTemplate_RendersOSSTemplateWithHTTP2On(t *testing.T t.Errorf("unwant `%s` in generated template", want) } } + snaps.MatchSnapshot(t, string(got)) t.Log(string(got)) } @@ -287,6 +310,7 @@ func TestExecuteVirtualServerTemplate_RendersOSSTemplateWithHTTP2Off(t *testing. t.Errorf("unwant `%s` in generated template", want) } } + snaps.MatchSnapshot(t, string(got)) t.Log(string(got)) } @@ -308,6 +332,7 @@ func TestVirtualServerForNginx(t *testing.T) { if err != nil { t.Errorf("Failed to execute template: %v", err) } + snaps.MatchSnapshot(t, string(data)) t.Log(string(data)) } @@ -324,10 +349,11 @@ func TestTransportServerForNginxPlus(t *testing.T) { func TestExecuteTemplateForTransportServerWithResolver(t *testing.T) { t.Parallel() executor := newTmplExecutorNGINXPlus(t) - _, err := executor.ExecuteTransportServerTemplate(&transportServerCfgWithResolver) + got, err := executor.ExecuteTransportServerTemplate(&transportServerCfgWithResolver) if err != nil { t.Errorf("Failed to execute template: %v", err) } + snaps.MatchSnapshot(t, string(got)) } func TestTransportServerForNginx(t *testing.T) { @@ -337,6 +363,7 @@ func TestTransportServerForNginx(t *testing.T) { if err != nil { t.Errorf("Failed to execute template: %v", err) } + snaps.MatchSnapshot(t, string(data)) t.Log(string(data)) } @@ -403,6 +430,7 @@ func TestExecuteTemplateForTransportServerWithBackupServerForNGINXPlus(t *testin if !bytes.Contains(got, []byte(want)) { t.Errorf("want backup %q in the transport server config", want) } + snaps.MatchSnapshot(t, string(got)) t.Log(string(got)) } @@ -413,6 +441,7 @@ func TestTransportServerWithSSL(t *testing.T) { if err != nil { t.Errorf("Failed to execute template: %v", err) } + snaps.MatchSnapshot(t, string(data)) t.Log(string(data)) } 
@@ -428,6 +457,7 @@ func TestTLSPassthroughHosts(t *testing.T) { if err != nil { t.Errorf("Failed to execute template: %v", err) } + snaps.MatchSnapshot(t, string(data)) t.Log(string(data)) } @@ -447,6 +477,7 @@ func TestExecuteVirtualServerTemplateWithJWKSWithToken(t *testing.T) { if !bytes.Contains(got, []byte("proxy_cache_valid 200 12h;")) { t.Error("want `proxy_cache_valid 200 12h;` in generated template") } + snaps.MatchSnapshot(t, string(got)) t.Log(string(got)) } @@ -466,6 +497,7 @@ func TestExecuteVirtualServerTemplateWithJWKSWithoutToken(t *testing.T) { if !bytes.Contains(got, []byte("proxy_cache_valid 200 12h;")) { t.Error("want `proxy_cache_valid 200 12h;` in generated template") } + snaps.MatchSnapshot(t, string(got)) t.Log(string(got)) } @@ -490,6 +522,7 @@ func TestExecuteVirtualServerTemplateWithBackupServerNGINXPlus(t *testing.T) { if !bytes.Contains(got, []byte(want)) { t.Errorf("want %q in generated template", want) } + snaps.MatchSnapshot(t, string(got)) t.Log(string(got)) } @@ -633,6 +666,7 @@ func vsConfig() VirtualServerConfig { WAF: &WAF{ ApPolicy: "/etc/nginx/waf/nac-policies/default-dataguard-alarm", ApSecurityLogEnable: true, + Enable: "on", ApLogConf: []string{"/etc/nginx/waf/nac-logconfs/default-logconf"}, }, Snippets: []string{"# server snippet"}, @@ -980,6 +1014,7 @@ var ( WAF: &WAF{ ApPolicy: "/etc/nginx/waf/nac-policies/default-dataguard-alarm", ApSecurityLogEnable: true, + Enable: "on", ApLogConf: []string{"/etc/nginx/waf/nac-logconfs/default-logconf"}, }, Snippets: []string{"# server snippet"}, @@ -1325,6 +1360,7 @@ var ( WAF: &WAF{ ApPolicy: "/etc/nginx/waf/nac-policies/default-dataguard-alarm", ApSecurityLogEnable: true, + Enable: "on", ApLogConf: []string{"/etc/nginx/waf/nac-logconfs/default-logconf"}, }, Snippets: []string{"# server snippet"}, 
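Review bot: `Enable: "on"` is added to the WAF fixture in `vsConfig()` and to every other WAF fixture touched here (the hunks from -633 through -4378), so the snapshots pin the WAF block only in its enabled state and no test asserts it explicitly. Since `make test-update-snaps` rewrites the snapshots wholesale, a template change that drops or alters the WAF directives would presumably show up only as a few lines inside a multi-thousand-line `.snap` diff. I would keep one explicit `bytes.Contains` check on the rendered WAF directives, in the style of the existing `gunzip on;` and `samesite=strict` tests. I would also add a fixture with `Enable` unset or off, so that both states are covered. The enclosing struct literals begin and end outside these hunks.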
@@ -1670,6 +1706,7 @@ var ( WAF: &WAF{ ApPolicy: "/etc/nginx/waf/nac-policies/default-dataguard-alarm", ApSecurityLogEnable: true, + Enable: "on", ApLogConf: []string{"/etc/nginx/waf/nac-logconfs/default-logconf"}, }, Snippets: []string{"# server snippet"}, @@ -2016,6 +2053,7 @@ var ( WAF: &WAF{ ApPolicy: "/etc/nginx/waf/nac-policies/default-dataguard-alarm", ApSecurityLogEnable: true, + Enable: "on", ApLogConf: []string{"/etc/nginx/waf/nac-logconfs/default-logconf"}, }, Snippets: []string{"# server snippet"}, @@ -2362,6 +2400,7 @@ var ( WAF: &WAF{ ApPolicy: "/etc/nginx/waf/nac-policies/default-dataguard-alarm", ApSecurityLogEnable: true, + Enable: "on", ApLogConf: []string{"/etc/nginx/waf/nac-logconfs/default-logconf"}, }, Snippets: []string{"# server snippet"}, @@ -2707,6 +2746,7 @@ var ( WAF: &WAF{ ApBundle: "/fake/bundle/path/NginxDefaultPolicy.tgz", ApSecurityLogEnable: true, + Enable: "on", ApLogConf: []string{"/etc/nginx/waf/nac-logconfs/default-logconf"}, }, Snippets: []string{"# server snippet"}, @@ -3059,6 +3099,7 @@ var ( WAF: &WAF{ ApPolicy: "/etc/nginx/waf/nac-policies/default-dataguard-alarm", ApSecurityLogEnable: true, + Enable: "on", ApLogConf: []string{"/etc/nginx/waf/nac-logconfs/default-logconf"}, }, Snippets: []string{"# server snippet"}, @@ -3682,6 +3723,7 @@ var ( WAF: &WAF{ ApPolicy: "/etc/nginx/waf/nac-policies/default-dataguard-alarm", ApSecurityLogEnable: true, + Enable: "on", ApLogConf: []string{"/etc/nginx/waf/nac-logconfs/default-logconf"}, }, Snippets: []string{"# server snippet"}, @@ -4030,6 +4072,7 @@ var ( WAF: &WAF{ ApPolicy: "/etc/nginx/waf/nac-policies/default-dataguard-alarm", ApSecurityLogEnable: true, + Enable: "on", ApLogConf: []string{"/etc/nginx/waf/nac-logconfs/default-logconf"}, }, Snippets: []string{"# server snippet"}, 
@@ -4378,6 +4421,7 @@ var ( WAF: &WAF{ ApPolicy: "/etc/nginx/waf/nac-policies/default-dataguard-alarm", ApSecurityLogEnable: true, + Enable: "on", ApLogConf: []string{"/etc/nginx/waf/nac-logconfs/default-logconf"}, }, Snippets: []string{"# server snippet"},