improve(CLI): move ngx_tpl to apisix/cli/ngx_tpl.lua (#2581)
parent
be4a108896
commit
952450bd76
@ -2,3 +2,6 @@ std = "ngx_lua"
|
||||
unused_args = false
|
||||
redefined = false
|
||||
max_line_length = 100
|
||||
exclude_files = {
|
||||
"apisix/cli/ngx_tpl.lua",
|
||||
}
|
||||
|
3
Makefile
3
Makefile
@ -138,6 +138,9 @@ install: default
|
||||
$(INSTALL) -d $(INST_LUADIR)/apisix/core
|
||||
$(INSTALL) apisix/core/*.lua $(INST_LUADIR)/apisix/core/
|
||||
|
||||
$(INSTALL) -d $(INST_LUADIR)/apisix/cli
|
||||
$(INSTALL) apisix/cli/*.lua $(INST_LUADIR)/apisix/cli/
|
||||
|
||||
$(INSTALL) -d $(INST_LUADIR)/apisix/discovery
|
||||
$(INSTALL) apisix/discovery/*.lua $(INST_LUADIR)/apisix/discovery/
|
||||
|
||||
|
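--- a/apisix/cli/ngx_tpl.lua
+++ b/apisix/cli/ngx_tpl.lua
@@ -0,0 +1,506 @@
+--
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements. See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+
+return [=[
+# Configuration File - Nginx Server Configs
+# This is a read-only file, do not try to modify it.
+
+master_process on;
+
+worker_processes {* worker_processes *};
+{% if os_name == "Linux" and enable_cpu_affinity == true then %}
+worker_cpu_affinity auto;
+{% end %}
+
+error_log {* error_log *} {* error_log_level or "warn" *};
+pid logs/nginx.pid;
+
+worker_rlimit_nofile {* worker_rlimit_nofile *};
+
+events {
+accept_mutex off;
+worker_connections {* event.worker_connections *};
+}
+
+worker_rlimit_core {* worker_rlimit_core *};
+
+worker_shutdown_timeout {* worker_shutdown_timeout *};
+
+env APISIX_PROFILE;
+
+{% if envs then %}
+{% for _, name in ipairs(envs) do %}
+env {*name*};
+{% end %}
+{% end %}
+
+{% if stream_proxy then %}
+stream {
+lua_package_path "$prefix/deps/share/lua/5.1/?.lua;$prefix/deps/share/lua/5.1/?/init.lua;]=]
+.. [=[{*apisix_lua_home*}/?.lua;{*apisix_lua_home*}/?/init.lua;;{*lua_path*};";
+lua_package_cpath "$prefix/deps/lib64/lua/5.1/?.so;]=]
+.. [=[$prefix/deps/lib/lua/5.1/?.so;;]=]
+.. [=[{*lua_cpath*};";
+lua_socket_log_errors off;
+
+lua_shared_dict lrucache-lock-stream 10m;
+
+resolver {% for _, dns_addr in ipairs(dns_resolver or {}) do %} {*dns_addr*} {% end %} valid={*dns_resolver_valid*};
+resolver_timeout {*resolver_timeout*};
+
+upstream apisix_backend {
+server 127.0.0.1:80;
+balancer_by_lua_block {
+apisix.stream_balancer_phase()
+}
+}
+
+init_by_lua_block {
+require "resty.core"
+apisix = require("apisix")
+apisix.stream_init()
+}
+
+init_worker_by_lua_block {
+apisix.stream_init_worker()
+}
+
+server {
+{% for _, port in ipairs(stream_proxy.tcp or {}) do %}
+listen {*port*} {% if enable_reuseport then %} reuseport {% end %} {% if proxy_protocol and proxy_protocol.enable_tcp_pp then %} proxy_protocol {% end %};
+{% end %}
+{% for _, port in ipairs(stream_proxy.udp or {}) do %}
+listen {*port*} udp {% if enable_reuseport then %} reuseport {% end %};
+{% end %}
+
+{% if proxy_protocol and proxy_protocol.enable_tcp_pp_to_upstream then %}
+proxy_protocol on;
+{% end %}
+
+preread_by_lua_block {
+apisix.stream_preread_phase()
+}
+
+proxy_pass apisix_backend;
+
+log_by_lua_block {
+apisix.stream_log_phase()
+}
+}
+}
+{% end %}
+
+http {
+lua_package_path "$prefix/deps/share/lua/5.1/?.lua;$prefix/deps/share/lua/5.1/?/init.lua;]=]
+.. [=[{*apisix_lua_home*}/?.lua;{*apisix_lua_home*}/?/init.lua;;{*lua_path*};";
+lua_package_cpath "$prefix/deps/lib64/lua/5.1/?.so;]=]
+.. [=[$prefix/deps/lib/lua/5.1/?.so;;]=]
+.. [=[{*lua_cpath*};";
+
+lua_shared_dict plugin-limit-req 10m;
+lua_shared_dict plugin-limit-count 10m;
+lua_shared_dict prometheus-metrics 10m;
+lua_shared_dict plugin-limit-conn 10m;
+lua_shared_dict upstream-healthcheck 10m;
+lua_shared_dict worker-events 10m;
+lua_shared_dict lrucache-lock 10m;
+lua_shared_dict skywalking-tracing-buffer 100m;
+lua_shared_dict balancer_ewma 10m;
+lua_shared_dict balancer_ewma_locks 10m;
+lua_shared_dict balancer_ewma_last_touched_at 10m;
+lua_shared_dict plugin-limit-count-redis-cluster-slot-lock 1m;
+lua_shared_dict tracing_buffer 10m; # plugin: skywalking
+lua_shared_dict plugin-api-breaker 10m;
+
+# for openid-connect plugin
+lua_shared_dict discovery 1m; # cache for discovery metadata documents
+lua_shared_dict jwks 1m; # cache for JWKs
+lua_shared_dict introspection 10m; # cache for JWT verification results
+
+# for custom shared dict
+{% if http.lua_shared_dicts then %}
+{% for cache_key, cache_size in pairs(http.lua_shared_dicts) do %}
+lua_shared_dict {*cache_key*} {*cache_size*};
+{% end %}
+{% end %}
+
+{% if enabled_plugins["proxy-cache"] then %}
+# for proxy cache
+{% for _, cache in ipairs(proxy_cache.zones) do %}
+proxy_cache_path {* cache.disk_path *} levels={* cache.cache_levels *} keys_zone={* cache.name *}:{* cache.memory_size *} inactive=1d max_size={* cache.disk_size *} use_temp_path=off;
+{% end %}
+{% end %}
+
+{% if enabled_plugins["proxy-cache"] then %}
+# for proxy cache
+map $upstream_cache_zone $upstream_cache_zone_info {
+{% for _, cache in ipairs(proxy_cache.zones) do %}
+{* cache.name *} {* cache.disk_path *},{* cache.cache_levels *};
+{% end %}
+}
+{% end %}
+
+lua_ssl_verify_depth 5;
+ssl_session_timeout 86400;
+
+{% if http.underscores_in_headers then %}
+underscores_in_headers {* http.underscores_in_headers *};
+{%end%}
+
+lua_socket_log_errors off;
+
+resolver {% for _, dns_addr in ipairs(dns_resolver or {}) do %} {*dns_addr*} {% end %} valid={*dns_resolver_valid*};
+resolver_timeout {*resolver_timeout*};
+
+lua_http10_buffering off;
+
+lua_regex_match_limit 100000;
+lua_regex_cache_max_entries 8192;
+
+log_format main escape={* http.access_log_format_escape *} '{* http.access_log_format *}';
+
+access_log {* http.access_log *} main buffer=16384 flush=3;
+open_file_cache max=1000 inactive=60;
+client_max_body_size {* http.client_max_body_size *};
+keepalive_timeout {* http.keepalive_timeout *};
+client_header_timeout {* http.client_header_timeout *};
+client_body_timeout {* http.client_body_timeout *};
+send_timeout {* http.send_timeout *};
+
+server_tokens off;
+
+include mime.types;
+charset utf-8;
+
+{% if real_ip_header then %}
+real_ip_header {* real_ip_header *};
+{% print("\nDeprecated: apisix.real_ip_header has been moved to nginx_config.http.real_ip_header. apisix.real_ip_header will be removed in the future version. Please use nginx_config.http.real_ip_header first.\n\n") %}
+{% elseif http.real_ip_header then %}
+real_ip_header {* http.real_ip_header *};
+{% end %}
+
+{% if real_ip_from then %}
+{% print("\nDeprecated: apisix.real_ip_from has been moved to nginx_config.http.real_ip_from. apisix.real_ip_from will be removed in the future version. Please use nginx_config.http.real_ip_from first.\n\n") %}
+{% for _, real_ip in ipairs(real_ip_from) do %}
+set_real_ip_from {*real_ip*};
+{% end %}
+{% elseif http.real_ip_from then %}
+{% for _, real_ip in ipairs(http.real_ip_from) do %}
+set_real_ip_from {*real_ip*};
+{% end %}
+{% end %}
+
+upstream apisix_backend {
+server 0.0.0.1;
+balancer_by_lua_block {
+apisix.http_balancer_phase()
+}
+
+keepalive 320;
+}
+
+init_by_lua_block {
+require "resty.core"
+apisix = require("apisix")
+
+local dns_resolver = { {% for _, dns_addr in ipairs(dns_resolver or {}) do %} "{*dns_addr*}", {% end %} }
+local args = {
+dns_resolver = dns_resolver,
+}
+apisix.http_init(args)
+}
+
+init_worker_by_lua_block {
+apisix.http_init_worker()
+}
+
+{% if enable_admin and port_admin then %}
+server {
+{%if https_admin then%}
+listen {* port_admin *} ssl;
+
+{%if admin_api_mtls and admin_api_mtls.admin_ssl_cert and admin_api_mtls.admin_ssl_cert ~= "" and
+admin_api_mtls.admin_ssl_cert_key and admin_api_mtls.admin_ssl_cert_key ~= "" and
+admin_api_mtls.admin_ssl_ca_cert and admin_api_mtls.admin_ssl_ca_cert ~= ""
+then%}
+ssl_verify_client on;
+ssl_certificate {* admin_api_mtls.admin_ssl_cert *};
+ssl_certificate_key {* admin_api_mtls.admin_ssl_cert_key *};
+ssl_client_certificate {* admin_api_mtls.admin_ssl_ca_cert *};
+{% else %}
+ssl_certificate cert/apisix_admin_ssl.crt;
+ssl_certificate_key cert/apisix_admin_ssl.key;
+{%end%}
+
+ssl_session_cache shared:SSL:20m;
+ssl_protocols {* ssl.ssl_protocols *};
+ssl_ciphers {* ssl.ssl_ciphers *};
+ssl_prefer_server_ciphers on;
+
+{% else %}
+listen {* port_admin *};
+{%end%}
+log_not_found off;
+location /apisix/admin {
+{%if allow_admin then%}
+{% for _, allow_ip in ipairs(allow_admin) do %}
+allow {*allow_ip*};
+{% end %}
+deny all;
+{%else%}
+allow all;
+{%end%}
+
+content_by_lua_block {
+apisix.http_admin()
+}
+}
+
+location /apisix/dashboard {
+{%if allow_admin then%}
+{% for _, allow_ip in ipairs(allow_admin) do %}
+allow {*allow_ip*};
+{% end %}
+deny all;
+{%else%}
+allow all;
+{%end%}
+
+alias dashboard/;
+
+try_files $uri $uri/index.html /index.html =404;
+}
+
+location =/robots.txt {
+return 200 'User-agent: *\nDisallow: /';
+}
+}
+{% end %}
+
+server {
+{% for _, port in ipairs(node_listen) do %}
+listen {* port *} {% if enable_reuseport then %} reuseport {% end %};
+{% end %}
+{% if ssl.enable then %}
+{% for _, port in ipairs(ssl.listen_port) do %}
+listen {* port *} ssl {% if ssl.enable_http2 then %} http2 {% end %} {% if enable_reuseport then %} reuseport {% end %};
+{% end %}
+{% end %}
+{% if proxy_protocol and proxy_protocol.listen_http_port then %}
+listen {* proxy_protocol.listen_http_port *} proxy_protocol;
+{% end %}
+{% if proxy_protocol and proxy_protocol.listen_https_port then %}
+listen {* proxy_protocol.listen_https_port *} ssl {% if ssl.enable_http2 then %} http2 {% end %} proxy_protocol;
+{% end %}
+
+{% if enable_ipv6 then %}
+{% for _, port in ipairs(node_listen) do %}
+listen [::]:{* port *} {% if enable_reuseport then %} reuseport {% end %};
+{% end %}
+{% if ssl.enable then %}
+{% for _, port in ipairs(ssl.listen_port) do %}
+listen [::]:{* port *} ssl {% if ssl.enable_http2 then %} http2 {% end %} {% if enable_reuseport then %} reuseport {% end %};
+{% end %}
+{% end %}
+{% end %} {% -- if enable_ipv6 %}
+
+ssl_certificate cert/apisix.crt;
+ssl_certificate_key cert/apisix.key;
+ssl_session_cache shared:SSL:20m;
+ssl_session_timeout 10m;
+
+{% if ssl.ssl_trusted_certificate ~= nil then %}
+lua_ssl_trusted_certificate {* ssl.ssl_trusted_certificate *};
+{% end %}
+
+ssl_protocols {* ssl.ssl_protocols *};
+ssl_ciphers {* ssl.ssl_ciphers *};
+ssl_prefer_server_ciphers on;
+
+{% if with_module_status then %}
+location = /apisix/nginx_status {
+allow 127.0.0.0/24;
+deny all;
+access_log off;
+stub_status;
+}
+{% end %}
+
+{% if enable_admin and not port_admin then %}
+location /apisix/admin {
+{%if allow_admin then%}
+{% for _, allow_ip in ipairs(allow_admin) do %}
+allow {*allow_ip*};
+{% end %}
+deny all;
+{%else%}
+allow all;
+{%end%}
+
+content_by_lua_block {
+apisix.http_admin()
+}
+}
+
+location /apisix/dashboard {
+{%if allow_admin then%}
+{% for _, allow_ip in ipairs(allow_admin) do %}
+allow {*allow_ip*};
+{% end %}
+deny all;
+{%else%}
+allow all;
+{%end%}
+
+alias dashboard/;
+
+try_files $uri $uri/index.html /index.html =404;
+}
+{% end %}
+
+ssl_certificate_by_lua_block {
+apisix.http_ssl_phase()
+}
+
+location / {
+set $upstream_mirror_host '';
+set $upstream_scheme 'http';
+set $upstream_host $host;
+set $upstream_upgrade '';
+set $upstream_connection '';
+set $upstream_uri '';
+
+access_by_lua_block {
+apisix.http_access_phase()
+}
+
+proxy_http_version 1.1;
+proxy_set_header Host $upstream_host;
+proxy_set_header Upgrade $upstream_upgrade;
+proxy_set_header Connection $upstream_connection;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_pass_header Server;
+proxy_pass_header Date;
+
+### the following x-forwarded-* headers is to send to upstream server
+
+set $var_x_forwarded_for $remote_addr;
+set $var_x_forwarded_proto $scheme;
+set $var_x_forwarded_host $host;
+set $var_x_forwarded_port $server_port;
+
+if ($http_x_forwarded_for != "") {
+set $var_x_forwarded_for "${http_x_forwarded_for}, ${realip_remote_addr}";
+}
+if ($http_x_forwarded_proto != "") {
+set $var_x_forwarded_proto $http_x_forwarded_proto;
+}
+if ($http_x_forwarded_host != "") {
+set $var_x_forwarded_host $http_x_forwarded_host;
+}
+if ($http_x_forwarded_port != "") {
+set $var_x_forwarded_port $http_x_forwarded_port;
+}
+
+proxy_set_header X-Forwarded-For $var_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $var_x_forwarded_proto;
+proxy_set_header X-Forwarded-Host $var_x_forwarded_host;
+proxy_set_header X-Forwarded-Port $var_x_forwarded_port;
+
+{% if enabled_plugins["proxy-cache"] then %}
+### the following configuration is to cache response content from upstream server
+
+set $upstream_cache_zone off;
+set $upstream_cache_key '';
+set $upstream_cache_bypass '';
+set $upstream_no_cache '';
+set $upstream_hdr_expires '';
+set $upstream_hdr_cache_control '';
+
+proxy_cache $upstream_cache_zone;
+proxy_cache_valid any {% if proxy_cache.cache_ttl then %} {* proxy_cache.cache_ttl *} {% else %} 10s {% end %};
+proxy_cache_min_uses 1;
+proxy_cache_methods GET HEAD;
+proxy_cache_lock_timeout 5s;
+proxy_cache_use_stale off;
+proxy_cache_key $upstream_cache_key;
+proxy_no_cache $upstream_no_cache;
+proxy_cache_bypass $upstream_cache_bypass;
+
+proxy_hide_header Cache-Control;
+proxy_hide_header Expires;
+add_header Cache-Control $upstream_hdr_cache_control;
+add_header Expires $upstream_hdr_expires;
+add_header Apisix-Cache-Status $upstream_cache_status always;
+{% end %}
+
+proxy_pass $upstream_scheme://apisix_backend$upstream_uri;
+
+{% if enabled_plugins["proxy-mirror"] then %}
+mirror /proxy_mirror;
+{% end %}
+
+header_filter_by_lua_block {
+apisix.http_header_filter_phase()
+}
+
+body_filter_by_lua_block {
+apisix.http_body_filter_phase()
+}
+
+log_by_lua_block {
+apisix.http_log_phase()
+}
+}
+
+location @grpc_pass {
+
+access_by_lua_block {
+apisix.grpc_access_phase()
+}
+
+grpc_set_header Content-Type application/grpc;
+grpc_socket_keepalive on;
+grpc_pass grpc://apisix_backend;
+
+header_filter_by_lua_block {
+apisix.http_header_filter_phase()
+}
+
+body_filter_by_lua_block {
+apisix.http_body_filter_phase()
+}
+
+log_by_lua_block {
+apisix.http_log_phase()
+}
+}
+
+{% if enabled_plugins["proxy-mirror"] then %}
+location = /proxy_mirror {
+internal;
+
+if ($upstream_mirror_host = "") {
+return 200;
+}
+
+proxy_pass $upstream_mirror_host$request_uri;
+}
+{% end %}
+}
+}
+]=]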
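Review bot: In the `/apisix/admin` and `/apisix/dashboard` locations the template falls back to `allow all;` whenever `allow_admin` is unset, so a configuration that omits the list leaves the Admin API reachable from any source address, protected only by whatever `apisix.http_admin()` enforces. The same fallback appears in both the dedicated admin `server` block and the main `server` block. Now that the template lives in its own module, I would make the `{%else%}` branch fail closed, for example `allow 127.0.0.0/24;` followed by `deny all;`, as the `/apisix/nginx_status` location already does. Whether the config loader always supplies a default `allow_admin` is not visible in this commit, so confirm that before changing the rendered output.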
492
bin/apisix
492
bin/apisix
@ -17,6 +17,8 @@
|
||||
-- limitations under the License.
|
||||
--
|
||||
|
||||
local ngx_tpl = require "apisix.cli.ngx_tpl"
|
||||
|
||||
local function trim(s)
|
||||
return (s:gsub("^%s*(.-)%s*$", "%1"))
|
||||
end
|
||||
@ -83,496 +85,6 @@ end
|
||||
local yaml = require("tinyyaml")
|
||||
local template = require("resty.template")
|
||||
|
||||
local ngx_tpl = [=[
|
||||
# Configuration File - Nginx Server Configs
|
||||
# This is a read-only file, do not try to modify it.
|
||||
|
||||
master_process on;
|
||||
|
||||
worker_processes {* worker_processes *};
|
||||
{% if os_name == "Linux" and enable_cpu_affinity == true then %}
|
||||
worker_cpu_affinity auto;
|
||||
{% end %}
|
||||
|
||||
error_log {* error_log *} {* error_log_level or "warn" *};
|
||||
pid logs/nginx.pid;
|
||||
|
||||
worker_rlimit_nofile {* worker_rlimit_nofile *};
|
||||
|
||||
events {
|
||||
accept_mutex off;
|
||||
worker_connections {* event.worker_connections *};
|
||||
}
|
||||
|
||||
worker_rlimit_core {* worker_rlimit_core *};
|
||||
|
||||
worker_shutdown_timeout {* worker_shutdown_timeout *};
|
||||
|
||||
env APISIX_PROFILE;
|
||||
|
||||
{% if envs then %}
|
||||
{% for _, name in ipairs(envs) do %}
|
||||
env {*name*};
|
||||
{% end %}
|
||||
{% end %}
|
||||
|
||||
{% if stream_proxy then %}
|
||||
stream {
|
||||
lua_package_path "$prefix/deps/share/lua/5.1/?.lua;$prefix/deps/share/lua/5.1/?/init.lua;]=]
|
||||
.. [=[{*apisix_lua_home*}/?.lua;{*apisix_lua_home*}/?/init.lua;;{*lua_path*};";
|
||||
lua_package_cpath "$prefix/deps/lib64/lua/5.1/?.so;]=]
|
||||
.. [=[$prefix/deps/lib/lua/5.1/?.so;;]=]
|
||||
.. [=[{*lua_cpath*};";
|
||||
lua_socket_log_errors off;
|
||||
|
||||
lua_shared_dict lrucache-lock-stream 10m;
|
||||
|
||||
resolver {% for _, dns_addr in ipairs(dns_resolver or {}) do %} {*dns_addr*} {% end %} valid={*dns_resolver_valid*};
|
||||
resolver_timeout {*resolver_timeout*};
|
||||
|
||||
upstream apisix_backend {
|
||||
server 127.0.0.1:80;
|
||||
balancer_by_lua_block {
|
||||
apisix.stream_balancer_phase()
|
||||
}
|
||||
}
|
||||
|
||||
init_by_lua_block {
|
||||
require "resty.core"
|
||||
apisix = require("apisix")
|
||||
apisix.stream_init()
|
||||
}
|
||||
|
||||
init_worker_by_lua_block {
|
||||
apisix.stream_init_worker()
|
||||
}
|
||||
|
||||
server {
|
||||
{% for _, port in ipairs(stream_proxy.tcp or {}) do %}
|
||||
listen {*port*} {% if enable_reuseport then %} reuseport {% end %} {% if proxy_protocol and proxy_protocol.enable_tcp_pp then %} proxy_protocol {% end %};
|
||||
{% end %}
|
||||
{% for _, port in ipairs(stream_proxy.udp or {}) do %}
|
||||
listen {*port*} udp {% if enable_reuseport then %} reuseport {% end %};
|
||||
{% end %}
|
||||
|
||||
{% if proxy_protocol and proxy_protocol.enable_tcp_pp_to_upstream then %}
|
||||
proxy_protocol on;
|
||||
{% end %}
|
||||
|
||||
preread_by_lua_block {
|
||||
apisix.stream_preread_phase()
|
||||
}
|
||||
|
||||
proxy_pass apisix_backend;
|
||||
|
||||
log_by_lua_block {
|
||||
apisix.stream_log_phase()
|
||||
}
|
||||
}
|
||||
}
|
||||
{% end %}
|
||||
|
||||
http {
|
||||
lua_package_path "$prefix/deps/share/lua/5.1/?.lua;$prefix/deps/share/lua/5.1/?/init.lua;]=]
|
||||
.. [=[{*apisix_lua_home*}/?.lua;{*apisix_lua_home*}/?/init.lua;;{*lua_path*};";
|
||||
lua_package_cpath "$prefix/deps/lib64/lua/5.1/?.so;]=]
|
||||
.. [=[$prefix/deps/lib/lua/5.1/?.so;;]=]
|
||||
.. [=[{*lua_cpath*};";
|
||||
|
||||
lua_shared_dict plugin-limit-req 10m;
|
||||
lua_shared_dict plugin-limit-count 10m;
|
||||
lua_shared_dict prometheus-metrics 10m;
|
||||
lua_shared_dict plugin-limit-conn 10m;
|
||||
lua_shared_dict upstream-healthcheck 10m;
|
||||
lua_shared_dict worker-events 10m;
|
||||
lua_shared_dict lrucache-lock 10m;
|
||||
lua_shared_dict skywalking-tracing-buffer 100m;
|
||||
lua_shared_dict balancer_ewma 10m;
|
||||
lua_shared_dict balancer_ewma_locks 10m;
|
||||
lua_shared_dict balancer_ewma_last_touched_at 10m;
|
||||
lua_shared_dict plugin-limit-count-redis-cluster-slot-lock 1m;
|
||||
lua_shared_dict tracing_buffer 10m; # plugin: skywalking
|
||||
lua_shared_dict plugin-api-breaker 10m;
|
||||
|
||||
# for openid-connect plugin
|
||||
lua_shared_dict discovery 1m; # cache for discovery metadata documents
|
||||
lua_shared_dict jwks 1m; # cache for JWKs
|
||||
lua_shared_dict introspection 10m; # cache for JWT verification results
|
||||
|
||||
# for custom shared dict
|
||||
{% if http.lua_shared_dicts then %}
|
||||
{% for cache_key, cache_size in pairs(http.lua_shared_dicts) do %}
|
||||
lua_shared_dict {*cache_key*} {*cache_size*};
|
||||
{% end %}
|
||||
{% end %}
|
||||
|
||||
{% if enabled_plugins["proxy-cache"] then %}
|
||||
# for proxy cache
|
||||
{% for _, cache in ipairs(proxy_cache.zones) do %}
|
||||
proxy_cache_path {* cache.disk_path *} levels={* cache.cache_levels *} keys_zone={* cache.name *}:{* cache.memory_size *} inactive=1d max_size={* cache.disk_size *} use_temp_path=off;
|
||||
{% end %}
|
||||
{% end %}
|
||||
|
||||
{% if enabled_plugins["proxy-cache"] then %}
|
||||
# for proxy cache
|
||||
map $upstream_cache_zone $upstream_cache_zone_info {
|
||||
{% for _, cache in ipairs(proxy_cache.zones) do %}
|
||||
{* cache.name *} {* cache.disk_path *},{* cache.cache_levels *};
|
||||
{% end %}
|
||||
}
|
||||
{% end %}
|
||||
|
||||
lua_ssl_verify_depth 5;
|
||||
ssl_session_timeout 86400;
|
||||
|
||||
{% if http.underscores_in_headers then %}
|
||||
underscores_in_headers {* http.underscores_in_headers *};
|
||||
{%end%}
|
||||
|
||||
lua_socket_log_errors off;
|
||||
|
||||
resolver {% for _, dns_addr in ipairs(dns_resolver or {}) do %} {*dns_addr*} {% end %} valid={*dns_resolver_valid*};
|
||||
resolver_timeout {*resolver_timeout*};
|
||||
|
||||
lua_http10_buffering off;
|
||||
|
||||
lua_regex_match_limit 100000;
|
||||
lua_regex_cache_max_entries 8192;
|
||||
|
||||
log_format main escape={* http.access_log_format_escape *} '{* http.access_log_format *}';
|
||||
|
||||
access_log {* http.access_log *} main buffer=16384 flush=3;
|
||||
open_file_cache max=1000 inactive=60;
|
||||
client_max_body_size {* http.client_max_body_size *};
|
||||
keepalive_timeout {* http.keepalive_timeout *};
|
||||
client_header_timeout {* http.client_header_timeout *};
|
||||
client_body_timeout {* http.client_body_timeout *};
|
||||
send_timeout {* http.send_timeout *};
|
||||
|
||||
server_tokens off;
|
||||
|
||||
include mime.types;
|
||||
charset utf-8;
|
||||
|
||||
{% if real_ip_header then %}
|
||||
real_ip_header {* real_ip_header *};
|
||||
{% print("\nDeprecated: apisix.real_ip_header has been moved to nginx_config.http.real_ip_header. apisix.real_ip_header will be removed in the future version. Please use nginx_config.http.real_ip_header first.\n\n") %}
|
||||
{% elseif http.real_ip_header then %}
|
||||
real_ip_header {* http.real_ip_header *};
|
||||
{% end %}
|
||||
|
||||
{% if real_ip_from then %}
|
||||
{% print("\nDeprecated: apisix.real_ip_from has been moved to nginx_config.http.real_ip_from. apisix.real_ip_from will be removed in the future version. Please use nginx_config.http.real_ip_from first.\n\n") %}
|
||||
{% for _, real_ip in ipairs(real_ip_from) do %}
|
||||
set_real_ip_from {*real_ip*};
|
||||
{% end %}
|
||||
{% elseif http.real_ip_from then %}
|
||||
{% for _, real_ip in ipairs(http.real_ip_from) do %}
|
||||
set_real_ip_from {*real_ip*};
|
||||
{% end %}
|
||||
{% end %}
|
||||
|
||||
upstream apisix_backend {
|
||||
server 0.0.0.1;
|
||||
balancer_by_lua_block {
|
||||
apisix.http_balancer_phase()
|
||||
}
|
||||
|
||||
keepalive 320;
|
||||
}
|
||||
|
||||
init_by_lua_block {
|
||||
require "resty.core"
|
||||
apisix = require("apisix")
|
||||
|
||||
local dns_resolver = { {% for _, dns_addr in ipairs(dns_resolver or {}) do %} "{*dns_addr*}", {% end %} }
|
||||
local args = {
|
||||
dns_resolver = dns_resolver,
|
||||
}
|
||||
apisix.http_init(args)
|
||||
}
|
||||
|
||||
init_worker_by_lua_block {
|
||||
apisix.http_init_worker()
|
||||
}
|
||||
|
||||
{% if enable_admin and port_admin then %}
|
||||
server {
|
||||
{%if https_admin then%}
|
||||
listen {* port_admin *} ssl;
|
||||
|
||||
{%if admin_api_mtls and admin_api_mtls.admin_ssl_cert and admin_api_mtls.admin_ssl_cert ~= "" and
|
||||
admin_api_mtls.admin_ssl_cert_key and admin_api_mtls.admin_ssl_cert_key ~= "" and
|
||||
admin_api_mtls.admin_ssl_ca_cert and admin_api_mtls.admin_ssl_ca_cert ~= ""
|
||||
then%}
|
||||
ssl_verify_client on;
|
||||
ssl_certificate {* admin_api_mtls.admin_ssl_cert *};
|
||||
ssl_certificate_key {* admin_api_mtls.admin_ssl_cert_key *};
|
||||
ssl_client_certificate {* admin_api_mtls.admin_ssl_ca_cert *};
|
||||
{% else %}
|
||||
ssl_certificate cert/apisix_admin_ssl.crt;
|
||||
ssl_certificate_key cert/apisix_admin_ssl.key;
|
||||
{%end%}
|
||||
|
||||
ssl_session_cache shared:SSL:20m;
|
||||
ssl_protocols {* ssl.ssl_protocols *};
|
||||
ssl_ciphers {* ssl.ssl_ciphers *};
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
{% else %}
|
||||
listen {* port_admin *};
|
||||
{%end%}
|
||||
log_not_found off;
|
||||
location /apisix/admin {
|
||||
{%if allow_admin then%}
|
||||
{% for _, allow_ip in ipairs(allow_admin) do %}
|
||||
allow {*allow_ip*};
|
||||
{% end %}
|
||||
deny all;
|
||||
{%else%}
|
||||
allow all;
|
||||
{%end%}
|
||||
|
||||
content_by_lua_block {
|
||||
apisix.http_admin()
|
||||
}
|
||||
}
|
||||
|
||||
location /apisix/dashboard {
|
||||
{%if allow_admin then%}
|
||||
{% for _, allow_ip in ipairs(allow_admin) do %}
|
||||
allow {*allow_ip*};
|
||||
{% end %}
|
||||
deny all;
|
||||
{%else%}
|
||||
allow all;
|
||||
{%end%}
|
||||
|
||||
alias dashboard/;
|
||||
|
||||
try_files $uri $uri/index.html /index.html =404;
|
||||
}
|
||||
|
||||
location =/robots.txt {
|
||||
return 200 'User-agent: *\nDisallow: /';
|
||||
}
|
||||
}
|
||||
{% end %}
|
||||
|
||||
server {
|
||||
{% for _, port in ipairs(node_listen) do %}
|
||||
listen {* port *} {% if enable_reuseport then %} reuseport {% end %};
|
||||
{% end %}
|
||||
{% if ssl.enable then %}
|
||||
{% for _, port in ipairs(ssl.listen_port) do %}
|
||||
listen {* port *} ssl {% if ssl.enable_http2 then %} http2 {% end %} {% if enable_reuseport then %} reuseport {% end %};
|
||||
{% end %}
|
||||
{% end %}
|
||||
{% if proxy_protocol and proxy_protocol.listen_http_port then %}
|
||||
listen {* proxy_protocol.listen_http_port *} proxy_protocol;
|
||||
{% end %}
|
||||
{% if proxy_protocol and proxy_protocol.listen_https_port then %}
|
||||
listen {* proxy_protocol.listen_https_port *} ssl {% if ssl.enable_http2 then %} http2 {% end %} proxy_protocol;
|
||||
{% end %}
|
||||
|
||||
{% if enable_ipv6 then %}
|
||||
{% for _, port in ipairs(node_listen) do %}
|
||||
listen [::]:{* port *} {% if enable_reuseport then %} reuseport {% end %};
|
||||
{% end %}
|
||||
{% if ssl.enable then %}
|
||||
{% for _, port in ipairs(ssl.listen_port) do %}
|
||||
listen [::]:{* port *} ssl {% if ssl.enable_http2 then %} http2 {% end %} {% if enable_reuseport then %} reuseport {% end %};
|
||||
{% end %}
|
||||
{% end %}
|
||||
{% end %} {% -- if enable_ipv6 %}
|
||||
|
||||
ssl_certificate cert/apisix.crt;
|
||||
ssl_certificate_key cert/apisix.key;
|
||||
ssl_session_cache shared:SSL:20m;
|
||||
ssl_session_timeout 10m;
|
||||
|
||||
{% if ssl.ssl_trusted_certificate ~= nil then %}
|
||||
lua_ssl_trusted_certificate {* ssl.ssl_trusted_certificate *};
|
||||
{% end %}
|
||||
|
||||
ssl_protocols {* ssl.ssl_protocols *};
|
||||
ssl_ciphers {* ssl.ssl_ciphers *};
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
{% if with_module_status then %}
|
||||
location = /apisix/nginx_status {
|
||||
allow 127.0.0.0/24;
|
||||
deny all;
|
||||
access_log off;
|
||||
stub_status;
|
||||
}
|
||||
{% end %}
|
||||
|
||||
{% if enable_admin and not port_admin then %}
|
||||
location /apisix/admin {
|
||||
{%if allow_admin then%}
|
||||
{% for _, allow_ip in ipairs(allow_admin) do %}
|
||||
allow {*allow_ip*};
|
||||
{% end %}
|
||||
deny all;
|
||||
{%else%}
|
||||
allow all;
|
||||
{%end%}
|
||||
|
||||
content_by_lua_block {
|
||||
apisix.http_admin()
|
||||
}
|
||||
}
|
||||
|
||||
location /apisix/dashboard {
|
||||
{%if allow_admin then%}
|
||||
{% for _, allow_ip in ipairs(allow_admin) do %}
|
||||
allow {*allow_ip*};
|
||||
{% end %}
|
||||
deny all;
|
||||
{%else%}
|
||||
allow all;
|
||||
{%end%}
|
||||
|
||||
alias dashboard/;
|
||||
|
||||
try_files $uri $uri/index.html /index.html =404;
|
||||
}
|
||||
{% end %}
|
||||
|
||||
ssl_certificate_by_lua_block {
|
||||
apisix.http_ssl_phase()
|
||||
}
|
||||
|
||||
location / {
|
||||
set $upstream_mirror_host '';
|
||||
set $upstream_scheme 'http';
|
||||
set $upstream_host $host;
|
||||
set $upstream_upgrade '';
|
||||
set $upstream_connection '';
|
||||
set $upstream_uri '';
|
||||
|
||||
access_by_lua_block {
|
||||
apisix.http_access_phase()
|
||||
}
|
||||
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $upstream_host;
|
||||
proxy_set_header Upgrade $upstream_upgrade;
|
||||
proxy_set_header Connection $upstream_connection;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_pass_header Server;
|
||||
proxy_pass_header Date;
|
||||
|
||||
### the following x-forwarded-* headers is to send to upstream server
|
||||
|
||||
set $var_x_forwarded_for $remote_addr;
|
||||
set $var_x_forwarded_proto $scheme;
|
||||
set $var_x_forwarded_host $host;
|
||||
set $var_x_forwarded_port $server_port;
|
||||
|
||||
if ($http_x_forwarded_for != "") {
|
||||
set $var_x_forwarded_for "${http_x_forwarded_for}, ${realip_remote_addr}";
|
||||
}
|
||||
if ($http_x_forwarded_proto != "") {
|
||||
set $var_x_forwarded_proto $http_x_forwarded_proto;
|
||||
}
|
||||
if ($http_x_forwarded_host != "") {
|
||||
set $var_x_forwarded_host $http_x_forwarded_host;
|
||||
}
|
||||
if ($http_x_forwarded_port != "") {
|
||||
set $var_x_forwarded_port $http_x_forwarded_port;
|
||||
}
|
||||
|
||||
proxy_set_header X-Forwarded-For $var_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $var_x_forwarded_proto;
|
||||
proxy_set_header X-Forwarded-Host $var_x_forwarded_host;
|
||||
proxy_set_header X-Forwarded-Port $var_x_forwarded_port;
|
||||
|
||||
{% if enabled_plugins["proxy-cache"] then %}
|
||||
### the following configuration is to cache response content from upstream server
|
||||
|
||||
set $upstream_cache_zone off;
|
||||
set $upstream_cache_key '';
|
||||
set $upstream_cache_bypass '';
|
||||
set $upstream_no_cache '';
|
||||
set $upstream_hdr_expires '';
|
||||
set $upstream_hdr_cache_control '';
|
||||
|
||||
proxy_cache $upstream_cache_zone;
|
||||
proxy_cache_valid any {% if proxy_cache.cache_ttl then %} {* proxy_cache.cache_ttl *} {% else %} 10s {% end %};
|
||||
proxy_cache_min_uses 1;
|
||||
proxy_cache_methods GET HEAD;
|
||||
proxy_cache_lock_timeout 5s;
|
||||
proxy_cache_use_stale off;
|
||||
proxy_cache_key $upstream_cache_key;
|
||||
proxy_no_cache $upstream_no_cache;
|
||||
proxy_cache_bypass $upstream_cache_bypass;
|
||||
|
||||
proxy_hide_header Cache-Control;
|
||||
proxy_hide_header Expires;
|
||||
add_header Cache-Control $upstream_hdr_cache_control;
|
||||
add_header Expires $upstream_hdr_expires;
|
||||
add_header Apisix-Cache-Status $upstream_cache_status always;
|
||||
{% end %}
|
||||
|
||||
proxy_pass $upstream_scheme://apisix_backend$upstream_uri;
|
||||
|
||||
{% if enabled_plugins["proxy-mirror"] then %}
|
||||
mirror /proxy_mirror;
|
||||
{% end %}
|
||||
|
||||
header_filter_by_lua_block {
|
||||
apisix.http_header_filter_phase()
|
||||
}
|
||||
|
||||
body_filter_by_lua_block {
|
||||
apisix.http_body_filter_phase()
|
||||
}
|
||||
|
||||
log_by_lua_block {
|
||||
apisix.http_log_phase()
|
||||
}
|
||||
}
|
||||
|
||||
location @grpc_pass {
|
||||
|
||||
access_by_lua_block {
|
||||
apisix.grpc_access_phase()
|
||||
}
|
||||
|
||||
grpc_set_header Content-Type application/grpc;
|
||||
grpc_socket_keepalive on;
|
||||
grpc_pass grpc://apisix_backend;
|
||||
|
||||
header_filter_by_lua_block {
|
||||
apisix.http_header_filter_phase()
|
||||
}
|
||||
|
||||
body_filter_by_lua_block {
|
||||
apisix.http_body_filter_phase()
|
||||
}
|
||||
|
||||
log_by_lua_block {
|
||||
apisix.http_log_phase()
|
||||
}
|
||||
}
|
||||
|
||||
{% if enabled_plugins["proxy-mirror"] then %}
|
||||
location = /proxy_mirror {
|
||||
internal;
|
||||
|
||||
if ($upstream_mirror_host = "") {
|
||||
return 200;
|
||||
}
|
||||
|
||||
proxy_pass $upstream_mirror_host$request_uri;
|
||||
}
|
||||
{% end %}
|
||||
}
|
||||
}
|
||||
]=]
|
||||
|
||||
local function write_file(file_path, data)
|
||||
local file, err = io.open(file_path, "w+")
|
||||
if not file then
|
||||
|
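Review bot: The new `local ngx_tpl = require "apisix.cli.ngx_tpl"` sits at line 20, well ahead of the existing `require("tinyyaml")` and `require("resty.template")` at lines 85-86. The code between the two hunks is not shown; if it adjusts `package.path` before those requires (presumably the reason they sit that far down), this module is instead looked up on the interpreter's default search path, which normally includes the current directory, so a stray `apisix/cli/ngx_tpl.lua` under the working directory could supply the nginx.conf template. I would move the line next to the other requires and match their call style: `local ngx_tpl = require("apisix.cli.ngx_tpl")`. The `write_file` function at the end of the second hunk continues outside the hunk.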