kaisbaccour · February 6, 2025 15:23
diff --git a/nginx-config b/nginx-config
 	## start server gateway-grpc-dev-1-distributed-query.dev.distributed-query.io
 	server {
 		server_name gateway-grpc-dev-1-distributed-query.dev.distributed-query.io ;
 		
 		http2 on;
 		
 		listen 80  ;
 		listen [::]:80  ;
 		listen 443  ssl;
 		listen [::]:443  ssl;
 		
 		set $proxy_upstream_name "-";
 		
 		ssl_certificate_by_lua_block {
 			certificate.call()
 		}
 		
 		# Custom code snippet configured for host gateway-grpc-dev-1-distributed-query.dev.distributed-query.io
 		client_max_body_size 10m;
 		
 		location / {
 			
 			set $namespace      "dev-1-distributed-query";
 			set $ingress_name   "gateway-grpc";
 			set $service_name   "gateway";
 			set $service_port   "10000";
 			set $location_path  "/";
 			set $global_rate_limit_exceeding n;
 			
 			rewrite_by_lua_block {
 				lua_ingress.rewrite({
 					force_ssl_redirect = false,
 					ssl_redirect = true,
 					force_no_ssl_redirect = false,
 					preserve_trailing_slash = false,
 					use_port_in_redirects = false,
 					global_throttle = { namespace = "", limit = 0, window_size = 0, key = { }, ignored_cidrs = { } },
 				})
 				balancer.rewrite()
 				plugins.run()
 			}
 			
 			# be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
 			# will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
 			# other authentication method such as basic auth or external auth useless - all requests will be allowed.
 			#access_by_lua_block {
 			#}
 			
 			header_filter_by_lua_block {
 				lua_ingress.header()
 				plugins.run()
 			}
 			
 			body_filter_by_lua_block {
 				plugins.run()
 			}
 			
 			log_by_lua_block {
 				balancer.log()
 				
 				monitor.call()
 				
 				plugins.run()
 			}
 			
 			port_in_redirect off;
 			
 			set $balancer_ewma_score -1;
 			set $proxy_upstream_name "dev-1-distributed-query-gateway-10000";
 			set $proxy_host          $proxy_upstream_name;
 			set $pass_access_scheme  $scheme;
 			
 			set $pass_server_port    $server_port;
 			
 			set $best_http_host      $http_host;
 			set $pass_port           $pass_server_port;
 			
 			set $proxy_alternative_upstream_name "";
 			
 			client_max_body_size                    10m;
 			
 			grpc_set_header Host                   $best_http_host;
 			
 			# Pass the extracted client certificate to the backend
 			
 			# Allow websocket connections
 			grpc_set_header                        Upgrade           $http_upgrade;
 			
 			grpc_set_header                        Connection        $connection_upgrade;
 			
 			grpc_set_header X-Request-ID           $req_id;
 			grpc_set_header X-Real-IP              $remote_addr;
 			
 			grpc_set_header X-Forwarded-For        $remote_addr;
 			
 			grpc_set_header X-Forwarded-Host       $best_http_host;
 			grpc_set_header X-Forwarded-Port       $pass_port;
 			grpc_set_header X-Forwarded-Proto      $pass_access_scheme;
 			grpc_set_header X-Forwarded-Scheme     $pass_access_scheme;
 			
 			grpc_set_header X-Scheme               $pass_access_scheme;
 			
 			# Pass the original X-Forwarded-For
 			grpc_set_header X-Original-Forwarded-For $http_x_forwarded_for;
 			
 			# mitigate HTTPoxy Vulnerability
 			# https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
 			grpc_set_header Proxy                  "";
 			
 			# Custom headers to proxied server
 			
 			proxy_connect_timeout                   5s;
 			proxy_send_timeout                      10s;
 			proxy_read_timeout                      20s;
 			
 			proxy_buffering                         on;
 			proxy_buffer_size                       4k;
 			proxy_buffers                           4 4k;
 			
 			proxy_max_temp_file_size                1024m;
 			
 			proxy_request_buffering                 on;
 			proxy_http_version                      1.1;
 			
 			proxy_cookie_domain                     off;
 			proxy_cookie_path                       off;
 			
 			# In case of errors try the next upstream server before returning an error
 			proxy_next_upstream                     error timeout;
 			proxy_next_upstream_timeout             0;
 			proxy_next_upstream_tries               3;
 			
 			grpc_pass_header *;
 			
 			grpc_pass grpc://upstream_balancer;
 			
 			proxy_redirect                          off;
 			
 		}
 		
 	}
 	## end server gateway-grpc-dev-1-distributed-query.dev.distributed-query.io
	## start server gateway-grpc-dev-1-distributed-query.dev.distributed-query.io
	server {
	server_name gateway-grpc-dev-1-distributed-query.dev.distributed-query.io ;

	http2 on;

	listen 80 ;
	listen [::]:80 ;
	listen 443 ssl;
	listen [::]:443 ssl;

	set $proxy_upstream_name "-";

	ssl_certificate_by_lua_block {
	certificate.call()
	}

	# Custom code snippet configured for host gateway-grpc-dev-1-distributed-query.dev.distributed-query.io
	client_max_body_size 10m;

	location / {

	set $namespace "dev-1-distributed-query";
	set $ingress_name "gateway-grpc";
	set $service_name "gateway";
	set $service_port "10000";
	set $location_path "/";
	set $global_rate_limit_exceeding n;

	rewrite_by_lua_block {
	lua_ingress.rewrite({
	force_ssl_redirect = false,
	ssl_redirect = true,
	force_no_ssl_redirect = false,
	preserve_trailing_slash = false,
	use_port_in_redirects = false,
	global_throttle = { namespace = "", limit = 0, window_size = 0, key = { }, ignored_cidrs = { } },
	})
	balancer.rewrite()
	plugins.run()
	}

	# be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
	# will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
	# other authentication method such as basic auth or external auth useless - all requests will be allowed.
	#access_by_lua_block {
	#}

	header_filter_by_lua_block {
	lua_ingress.header()
	plugins.run()
	}

	body_filter_by_lua_block {
	plugins.run()
	}

	log_by_lua_block {
	balancer.log()

	monitor.call()

	plugins.run()
	}

	port_in_redirect off;

	set $balancer_ewma_score -1;
	set $proxy_upstream_name "dev-1-distributed-query-gateway-10000";
	set $proxy_host $proxy_upstream_name;
	set $pass_access_scheme $scheme;

	set $pass_server_port $server_port;

	set $best_http_host $http_host;
	set $pass_port $pass_server_port;

	set $proxy_alternative_upstream_name "";

	client_max_body_size 10m;

	grpc_set_header Host $best_http_host;

	# Pass the extracted client certificate to the backend

	# Allow websocket connections
	grpc_set_header Upgrade $http_upgrade;

	grpc_set_header Connection $connection_upgrade;

	grpc_set_header X-Request-ID $req_id;
	grpc_set_header X-Real-IP $remote_addr;

	grpc_set_header X-Forwarded-For $remote_addr;

	grpc_set_header X-Forwarded-Host $best_http_host;
	grpc_set_header X-Forwarded-Port $pass_port;
	grpc_set_header X-Forwarded-Proto $pass_access_scheme;
	grpc_set_header X-Forwarded-Scheme $pass_access_scheme;

	grpc_set_header X-Scheme $pass_access_scheme;

	# Pass the original X-Forwarded-For
	grpc_set_header X-Original-Forwarded-For $http_x_forwarded_for;

	# mitigate HTTPoxy Vulnerability
	# https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
	grpc_set_header Proxy "";

	# Custom headers to proxied server

	proxy_connect_timeout 5s;
	proxy_send_timeout 10s;
	proxy_read_timeout 20s;

	proxy_buffering on;
	proxy_buffer_size 4k;
	proxy_buffers 4 4k;

	proxy_max_temp_file_size 1024m;

	proxy_request_buffering on;
	proxy_http_version 1.1;

	proxy_cookie_domain off;
	proxy_cookie_path off;

	# In case of errors try the next upstream server before returning an error
	proxy_next_upstream error timeout;
	proxy_next_upstream_timeout 0;
	proxy_next_upstream_tries 3;

	grpc_pass_header *;

	grpc_pass grpc://upstream_balancer;

	proxy_redirect off;

	}

	}
	## end server gateway-grpc-dev-1-distributed-query.dev.distributed-query.io