nginx-configuration | Utilities and templates to create and manage | Runtime Evironment library

Changing the command doesn't work because the /docker-entrypoint.sh contains:

Firstly take a look at this issue: ip-whitelist-support.

IPs are not whitelisted for TCP services, an alternative would be to create a separate firewall for the TCP services and whitelist the IPs at the firewall level.

For specific location {{ $path }} we have defined {{ if isLocationAllowed $location }}.

Check official Ingress documentation: ingress-kubernetes.

Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource.

An Ingress does not expose arbitrary ports or protocols. Exposing services other than HTTP and HTTPS to the internet typically uses a service of type Service.Type=NodePort or Service.Type=LoadBalancer.

You must have an Ingress controller to satisfy an Ingress. Only creating an Ingress resource has no effect.

In this case Ingress resource instrument ingress-controller how to deal with http/https requests. In this approach nginx-ingress controller as a software (introduce layer-7 functionality/loadbalancing).

If you are interested with nginx ingress tcp support:

Ingress does not support TCP or UDP services. For this reason this Ingress controller uses the flags --tcp-services-configmap and --udp-services-configmap

See: exposing-tcp-udp-services

If you want to check more granular configuration while working with your tcp service you should consider using L4 loadbalancing/firewall settings provided by your cloud provider.

The issue with your ingress.yaml is that the route for your ui should be /* and placed below the backend routing. Also, check your routing for APIs

In fact, it was more vicious than that.

It had nothing to do with the sessionAffinity, nor the rate limiting (in fact there's none by default, I didn't get it at first, the rate limit is only there if we want to limit for ddos purpose).

The prob was, I added in the configmap the options for modsecurity AND owasp rules.

And because of that, the request processing was so slow, it limited the number of request per seconds. When the sessionAffinity was not set, I didn't see the prob, as the req/s were fair, as distributed among all pods.

But with the sessionAffinity, so a load test on a single pod, the prob was clearly visible.

So I had to remove modsecurity and owasp, and it'll be the apps who will be responsible for that.

A little sad, as I wanted more central security on nginx so apps don't need to handle it, but not at that cost...

I'd be curious to understand what modsecurity is doing exatly to be so slow.

I don't know the actual root cause but I deleted all the TLS secrets, certificates and ingresses that were being constantly being updated and recreated them. It solved this issue.

Different incidents happened prior to this issue and might have been related to it: 2 of my 3 ingress nodes failed, during the upgrade the wrong CRDs were applied before being quickly fixed.

That's all I can say at the moment, but deleting the resources related to the ingresses being constantly updated and recreating them do solve the issue.

Remove one of the server_name s.

Remember to nginx -s reload. The rest of your code seams fine.

Did you use certbot --nginx to get ssl for example.com or www.example.com? Because I see both of them here.

If you still have the same issue, I suggest you remove the file, and also the shortcut, and start over. Once you make sure both example.com or www.example.com work correctly, then go after issuing the ssl.
And remember, you just need to get ssl for either example.com or www.example.com.

TL;DR

You can split your Ingress resource on multiple objects (which will work together) to add Annotations to only specific hosts.

Annotations can only be set on the whole kubernetes resource, as they are part of the resource metadata. The ingress spec doesn't include that functionality at a lower level.

-- Stackoverflow.com: Questions: Apply nginx-ingress annotations at path level

Extending on the answer to give an example of how such setup could be created. Let's assume (example):

• All required domains pointing to the Service of type LoadBalancer of nginx-ingress-controller:
  • hello.kubernetes.docker.internal - used in host .spec
  • hello-two.kubernetes.docker.internal - used in annotations .metadata
  • --
  • goodbye.kubernetes.docker.internal - used in host .spec
  • goodbye-two.kubernetes.docker.internal- used in annotations .metadata

Skipping the Deployment and Service definitions, the Ingress resources should look like below:

hello-ingress.yaml

It's failing because kubernetes cannot download the specified image. Check the events section Warning Failed 3s kubelet Failed to pull image "quay.io/kubernetes-ingress-controller/nginx-ingress-controller:master": rpc error: code = Unknown desc = Error response from daemon: Get https://quay.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

Maybe you dont have internet connectivity or this image does not exist. You can try running docker pull quay.io/kubernetes-ingress-controller/nginx-ingress-controller:master from your computer

I have used old cluster.yaml file and added 'allowUninstallWithVolumes: false' under cleanupPolicy. That solves everything.