Kubernetes helm chart 一个命名空间包含多个入口文件

Kubernetes helm chart one namespace contains multiple ingress files

我有一个用例需要公开

/swagger-ui.html 没有认证并且

/apis/* 带身份验证

我在 helm chart 中创建了 2 个入口文件

# Ingress for the authenticated API: requests under /apis are checked against
# the external auth endpoint configured in the auth-url annotation.
# NOTE(review): extensions/v1beta1 Ingress was removed in Kubernetes 1.22;
# current clusters need networking.k8s.io/v1, which also changes the backend
# and path fields.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    # HTTP method used for the auth subrequest.
    nginx.ingress.kubernetes.io/auth-method: POST
    # Rendered from chart values. The URL scheme decides whether the auth
    # subrequest reaches the auth service encrypted, so prefer an https value.
    nginx.ingress.kubernetes.io/auth-url: {{ .Values.service.authServerUrl }}/authorization
    # NOTE(review): ingress-nginx applies the cors-* annotations only when
    # nginx.ingress.kubernetes.io/enable-cors is "true", which is not set here.
    # If CORS is enabled later, list the allowed origins instead of "*" on
    # this authenticated route.
    nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, PATCH, GET, POST, DELETE, OPTIONS"
    nginx.ingress.kubernetes.io/cors-allow-origin: "*"
    nginx.ingress.kubernetes.io/cors-allow-headers: '*'
    # HTTP is not redirected to HTTPS and no tls section is declared, so
    # credentials for /apis can travel unencrypted unless TLS is terminated
    # in front of the controller.
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
  labels:
    app: {{ .Chart.Name }}
    appVersion: {{ .Chart.AppVersion | quote }}
    chartVersion: {{ .Chart.Version | quote }}
  # NOTE(review): the unauthenticated Ingress template of this chart renders
  # the same name. Ingress names must be unique within a namespace, so the
  # two objects collide.
  name: {{ .Chart.Name }}
spec:
  rules:
    - host: "example.com"
      http:
        paths:
          - backend:
              serviceName: service
              servicePort: 8080
            path: /apis

还有另一个未经身份验证的入口文件

# Ingress for the Swagger UI page. It carries no auth-url annotation, so the
# path below is served without the external authentication check.
# NOTE(review): extensions/v1beta1 Ingress was removed in Kubernetes 1.22.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    # NOTE(review): unlike the authenticated Ingress, no
    # kubernetes.io/ingress.class annotation is set; whether the nginx
    # controller picks this object up depends on how the controller is
    # configured - confirm.
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
  labels:
    app: {{ .Chart.Name }}
    appVersion: {{ .Chart.AppVersion | quote }}
    chartVersion: {{ .Chart.Version | quote }}
  # NOTE(review): same rendered name as the authenticated Ingress of this
  # chart. Ingress names must be unique within a namespace, so only one of
  # the two objects can exist.
  name: {{ .Chart.Name }}
spec:
  rules:
    - host: "example.com"
      http:
        paths:
          - backend:
              serviceName: service
              servicePort: 8080
            # Publicly reachable: anything served under this path needs no login.
            path: /swagger-ui.html

但是第二个入口似乎不起作用。

============================================= ===================

Sagar Velankar 的回答是正确的。只需要更改不同的服务名称

下面是我的最终入口文件

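# Authenticated API Ingress: requests under /apis are checked against the
# external auth endpoint configured in the auth-url annotation.
# NOTE(review): extensions/v1beta1 Ingress was removed in Kubernetes 1.22;
# current clusters need networking.k8s.io/v1, which also changes the backend
# and path fields.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    # HTTP method used for the auth subrequest.
    nginx.ingress.kubernetes.io/auth-method: POST
    # Quoted so the rendered URL is always a single YAML string, whatever the
    # chart value contains. Prefer an https value so the auth subrequest is
    # encrypted on the wire.
    nginx.ingress.kubernetes.io/auth-url: "{{ .Values.service.authServerUrl }}/authorization"
    # NOTE(review): ingress-nginx applies the cors-* annotations only when
    # nginx.ingress.kubernetes.io/enable-cors is "true", which is not set here.
    # If CORS is enabled later, list the allowed origins instead of "*" on
    # this authenticated route.
    nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, PATCH, GET, POST, DELETE, OPTIONS"
    nginx.ingress.kubernetes.io/cors-allow-origin: "*"
    nginx.ingress.kubernetes.io/cors-allow-headers: '*'
    # HTTP is not redirected to HTTPS and no tls section is declared, so
    # credentials for /apis can travel unencrypted unless TLS is terminated
    # in front of the controller.
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
  labels:
    # Quoted like the two version labels, so a digits-only chart name still
    # renders as a string label value.
    app: {{ .Chart.Name | quote }}
    appVersion: {{ .Chart.AppVersion | quote }}
    chartVersion: {{ .Chart.Version | quote }}
  # The "-api" suffix keeps this name distinct from the Swagger Ingress.
  name: {{ .Chart.Name }}-api
spec:
  rules:
    - host: "example.com"
      http:
        paths:
          - backend:
              serviceName: service
              servicePort: 8080
            path: /apis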

还有另一个带有 swagger 的入口文件

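# Unauthenticated Ingress for the Swagger UI and the resources it loads.
# None of the paths below go through the external auth check.
# NOTE(review): extensions/v1beta1 Ingress was removed in Kubernetes 1.22.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    # NOTE(review): no kubernetes.io/ingress.class annotation here, unlike the
    # authenticated Ingress; whether the nginx controller picks this object up
    # depends on how the controller is configured - confirm.
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
  labels:
    # Quoted like the two version labels, so a digits-only chart name still
    # renders as a string label value.
    app: {{ .Chart.Name | quote }}
    appVersion: {{ .Chart.AppVersion | quote }}
    chartVersion: {{ .Chart.Version | quote }}
  # The "-swagger" suffix keeps this name distinct from the API Ingress.
  name: {{ .Chart.Name }}-swagger
spec:
  rules:
    - host: "example.com"
      http:
        paths:
          # NOTE(review): this entry targets the literal Service "service",
          # the three below target a Service named after the chart - confirm
          # which one is intended.
          - backend:
              serviceName: service
              servicePort: 8080
            path: /swagger-ui.html
          - backend:
              serviceName: {{ .Chart.Name | quote }}
              servicePort: 8080
            path: /webjars
          - backend:
              serviceName: {{ .Chart.Name | quote }}
              servicePort: 8080
            path: /swagger-resources
          # NOTE(review): /v2/api-docs publishes the full API description to
          # anyone who can reach the host; confirm that is acceptable outside
          # development environments.
          - backend:
              serviceName: {{ .Chart.Name | quote }}
              servicePort: 8080
            path: /v2/api-docs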

请尝试把两个模板中的 Ingress 名称改成互不相同的名称(同一命名空间中同类资源的名称必须唯一)。目前我看到两者都设置为下面这个值:

name: {{ .Chart.Name }}

我刚刚将 apiVersion 从 extensions/v1beta1 更改为 networking.k8s.io/v1beta1 并将以下 yaml 文件添加到我的 kubernetes 集群

---
# Authenticated Ingress "nginx1": requests under /apis are checked against
# the external auth endpoint before they reach the backend Service.
# NOTE(review): networking.k8s.io/v1beta1 Ingress was removed in Kubernetes
# 1.22, the same release that removed extensions/v1beta1.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    # HTTP method used for the auth subrequest.
    nginx.ingress.kubernetes.io/auth-method: POST
    # NOTE(review): plain http. The generated auth location forwards the
    # client's request headers to this URL, so cookies and Authorization
    # headers cross the network unencrypted; use an https URL.
    nginx.ingress.kubernetes.io/auth-url: "http://www.gool.com/authorization"
    # NOTE(review): ingress-nginx applies the cors-* annotations only when
    # nginx.ingress.kubernetes.io/enable-cors is "true", which is not set
    # here; the generated server block accordingly contains no CORS headers.
    nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, PATCH, GET, POST, DELETE, OPTIONS"
    nginx.ingress.kubernetes.io/cors-allow-origin: "*"
    nginx.ingress.kubernetes.io/cors-allow-headers: '*'
    # HTTP is not redirected to HTTPS for this host.
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
  labels:
    app: nginx
    appVersion: "1"
    chartVersion: "1"
  name: nginx1
spec:
  rules:
    - host: "example.com"
      http:
        paths:
          - backend:
              serviceName: service
              servicePort: 8080
            path: /apis
---
# Unauthenticated Ingress "nginx2": no auth-url annotation, so the path below
# is proxied to the backend without the external auth check.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    # HTTP is not redirected to HTTPS for this host.
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
  labels:
    app: nginx
    appVersion: "1"
    chartVersion: "1"
  # Distinct from "nginx1", so both objects can exist in the same namespace.
  name: nginx2
spec:
  rules:
    - host: "example.com"
      http:
        paths:
          - backend:
              serviceName: service
              servicePort: 8080
            # Publicly reachable: anything served under this path needs no login.
            path: /swagger-ui.html

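它在 Nginx Controller 的 /etc/nginx/nginx.conf 中生成了下面的 server 块:其中为外部认证创建了 internal 的 location,并让 /apis 的 location 通过 auth_request 指向它。可以看到 /swagger-ui.html 的两个 location 没有 auth_request,而 /apis 以及兜底的 location / 都带有 auth_request。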


## start server example.com
server {
server_name example.com ;

listen 80  ;
listen [::]:80  ;
listen 442 proxy_protocol  ssl http2 ;
listen [::]:442 proxy_protocol  ssl http2 ;

set $proxy_upstream_name "-";

ssl_certificate_by_lua_block {
        certificate.call()
}

location /swagger-ui.html/ {

        set $namespace      "kt";
        set $ingress_name   "nginx2";
        set $service_name   "service";
        set $service_port   "8080";
        set $location_path  "/swagger-ui.html";
        set $global_rate_limit_exceeding n;

        rewrite_by_lua_block {
                lua_ingress.rewrite({
                        force_ssl_redirect = false,
                        ssl_redirect = false,
                        force_no_ssl_redirect = false,
                        use_port_in_redirects = false,
                global_throttle = { namespace = "", limit = 0, window_size = 0, key = { }, ignored_cidrs = { } },
                })
                balancer.rewrite()
                plugins.run()
        }

        # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
        # will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
        # other authentication method such as basic auth or external auth useless - all requests will be allowed.
        #access_by_lua_block {
        #}

        header_filter_by_lua_block {
                lua_ingress.header()
                plugins.run()
        }

        body_filter_by_lua_block {
                plugins.run()
        }

        log_by_lua_block {
                balancer.log()

                monitor.call()

                plugins.run()
        }

        port_in_redirect off;

        set $balancer_ewma_score -1;
        set $proxy_upstream_name "kt-service-8080";
        set $proxy_host          $proxy_upstream_name;
        set $pass_access_scheme  $scheme;

        set $pass_server_port    $server_port;

        set $best_http_host      $http_host;
        set $pass_port           $pass_server_port;

        set $proxy_alternative_upstream_name "";

        client_max_body_size                    1m;

        proxy_set_header Host                   $best_http_host;

        # Pass the extracted client certificate to the backend

        # Allow websocket connections
        proxy_set_header                        Upgrade           $http_upgrade;

        proxy_set_header                        Connection        $connection_upgrade;

        proxy_set_header X-Request-ID           $req_id;
        proxy_set_header X-Real-IP              $remote_addr;

        proxy_set_header X-Forwarded-For        $remote_addr;

        proxy_set_header X-Forwarded-Host       $best_http_host;
        proxy_set_header X-Forwarded-Port       $pass_port;
        proxy_set_header X-Forwarded-Proto      $pass_access_scheme;

        proxy_set_header X-Scheme               $pass_access_scheme;

        # Pass the original X-Forwarded-For
        proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;

        # mitigate HTTPoxy Vulnerability
        # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
        proxy_set_header Proxy                  "";

        # Custom headers to proxied server

        proxy_connect_timeout                   5s;
        proxy_send_timeout                      60s;
        proxy_read_timeout                      60s;

        proxy_buffering                         off;
        proxy_buffer_size                       4k;
        proxy_buffers                           4 4k;

        proxy_max_temp_file_size                1024m;

        proxy_request_buffering                 on;
        proxy_http_version                      1.1;

        proxy_cookie_domain                     off;
        proxy_cookie_path                       off;

        # In case of errors try the next upstream server before returning an error
        proxy_next_upstream                     error timeout;
        proxy_next_upstream_timeout             0;
        proxy_next_upstream_tries               3;

        proxy_pass http://upstream_balancer;

        proxy_redirect                          off;

}

location = /swagger-ui.html {

        set $namespace      "kt";
        set $ingress_name   "nginx2";
        set $service_name   "service";
        set $service_port   "8080";
        set $location_path  "/swagger-ui.html";
        set $global_rate_limit_exceeding n;

        rewrite_by_lua_block {
                lua_ingress.rewrite({
                        force_ssl_redirect = false,
                        ssl_redirect = false,
                        force_no_ssl_redirect = false,
                        use_port_in_redirects = false,
                global_throttle = { namespace = "", limit = 0, window_size = 0, key = { }, ignored_cidrs = { } },
                })
                balancer.rewrite()
                plugins.run()
        }

        # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
        # will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
        # other authentication method such as basic auth or external auth useless - all requests will be allowed.
        #access_by_lua_block {
        #}

        header_filter_by_lua_block {
                lua_ingress.header()
                plugins.run()
        }

        body_filter_by_lua_block {
                plugins.run()
        }

        log_by_lua_block {
                balancer.log()

                monitor.call()

                plugins.run()
        }

        port_in_redirect off;

        set $balancer_ewma_score -1;
        set $proxy_upstream_name "kt-service-8080";
        set $proxy_host          $proxy_upstream_name;
        set $pass_access_scheme  $scheme;

        set $pass_server_port    $server_port;

        set $best_http_host      $http_host;
        set $pass_port           $pass_server_port;

        set $proxy_alternative_upstream_name "";

        client_max_body_size                    1m;

        proxy_set_header Host                   $best_http_host;

        # Pass the extracted client certificate to the backend

        # Allow websocket connections
        proxy_set_header                        Upgrade           $http_upgrade;

        proxy_set_header                        Connection        $connection_upgrade;

        proxy_set_header X-Request-ID           $req_id;
        proxy_set_header X-Real-IP              $remote_addr;

        proxy_set_header X-Forwarded-For        $remote_addr;

        proxy_set_header X-Forwarded-Host       $best_http_host;
        proxy_set_header X-Forwarded-Port       $pass_port;
        proxy_set_header X-Forwarded-Proto      $pass_access_scheme;

        proxy_set_header X-Scheme               $pass_access_scheme;

        # Pass the original X-Forwarded-For
        proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;

        # mitigate HTTPoxy Vulnerability
        # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
        proxy_set_header Proxy                  "";

        # Custom headers to proxied server

        proxy_connect_timeout                   5s;
        proxy_send_timeout                      60s;
        proxy_read_timeout                      60s;

        proxy_buffering                         off;
        proxy_buffer_size                       4k;
        proxy_buffers                           4 4k;

        proxy_max_temp_file_size                1024m;

        proxy_request_buffering                 on;
        proxy_http_version                      1.1;

        proxy_cookie_domain                     off;
        proxy_cookie_path                       off;

        # In case of errors try the next upstream server before returning an error
        proxy_next_upstream                     error timeout;
        proxy_next_upstream_timeout             0;
        proxy_next_upstream_tries               3;

        proxy_pass http://upstream_balancer;

        proxy_redirect                          off;

}

# Internal endpoint used by the auth_request of the "/apis/" prefix location.
# The "L2FwaXMv" part of the name is the base64 encoding of "/apis/".
location = /_external-auth-L2FwaXMv-Prefix {
        # Only reachable through subrequests and internal redirects, never
        # directly by a client.
        internal;

        # ngx_auth_request module overrides variables in the parent request,
        # therefore we have to explicitly set this variable again so that when the parent request
        # resumes it has the correct value set for this variable so that Lua can pick backend correctly
        set $proxy_upstream_name "kt-service-8080";

        # The request body is not sent to the auth service, only the headers.
        proxy_pass_request_body     off;
        proxy_set_header            Content-Length          "";
        proxy_set_header            X-Forwarded-Proto       "";
        proxy_set_header            X-Request-ID            $req_id;

        # Matches the auth-method: POST annotation of Ingress nginx1.
        proxy_method                POST;
        # The auth service learns which resource was requested through these
        # X-Original-* headers.
        proxy_set_header            X-Original-URI          $request_uri;
        proxy_set_header            X-Scheme                $pass_access_scheme;

        proxy_set_header            Host                    www.gool.com;
        proxy_set_header            X-Original-URL          $scheme://$http_host$request_uri;
        proxy_set_header            X-Original-Method       $request_method;
        proxy_set_header            X-Sent-From             "nginx-ingress-controller";
        proxy_set_header            X-Real-IP               $remote_addr;

        proxy_set_header            X-Forwarded-For        $remote_addr;

        proxy_set_header            X-Auth-Request-Redirect $request_uri;

        proxy_buffering                         off;

        proxy_buffer_size                       4k;
        proxy_buffers                           4 4k;
        proxy_request_buffering                 on;
        proxy_http_version                      1.1;

        proxy_ssl_server_name       on;
        # The client's own request headers (cookies, Authorization, ...) are
        # passed on to the auth service.
        proxy_pass_request_headers  on;

        client_max_body_size        1m;

        # Pass the extracted client certificate to the auth provider

        # NOTE(review): the target is plain http, so the forwarded credential
        # headers travel unencrypted to www.gool.com; an https auth-url on the
        # Ingress avoids that.
        set $target http://www.gool.com/authorization;
        proxy_pass $target;
}

# Prefix location generated for path "/apis" of Ingress nginx1. Every request
# matching it must pass the external auth subrequest before it is proxied to
# the kt-service-8080 upstream.
location /apis/ {

        set $namespace      "kt";
        set $ingress_name   "nginx1";
        set $service_name   "service";
        set $service_port   "8080";
        set $location_path  "/apis";
        set $global_rate_limit_exceeding n;

        rewrite_by_lua_block {
                lua_ingress.rewrite({
                        force_ssl_redirect = false,
                        ssl_redirect = false,
                        force_no_ssl_redirect = false,
                        use_port_in_redirects = false,
                global_throttle = { namespace = "", limit = 0, window_size = 0, key = { }, ignored_cidrs = { } },
                })
                balancer.rewrite()
                plugins.run()
        }

        # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
        # will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
        # other authentication method such as basic auth or external auth useless - all requests will be allowed.
        #access_by_lua_block {
        #}

        header_filter_by_lua_block {
                lua_ingress.header()
                plugins.run()
        }

        body_filter_by_lua_block {
                plugins.run()
        }

        log_by_lua_block {
                balancer.log()

                monitor.call()

                plugins.run()
        }

        port_in_redirect off;

        set $balancer_ewma_score -1;
        set $proxy_upstream_name "kt-service-8080";
        set $proxy_host          $proxy_upstream_name;
        set $pass_access_scheme  $scheme;

        set $pass_server_port    $server_port;

        set $best_http_host      $http_host;
        set $pass_port           $pass_server_port;

        set $proxy_alternative_upstream_name "";

        # this location requires authentication
        # The subrequest to the internal auth location decides access: a 2xx
        # answer lets the request through, 401 or 403 is returned to the client.
        auth_request        /_external-auth-L2FwaXMv-Prefix;
        # Any Set-Cookie header of the auth response is relayed to the client.
        auth_request_set    $auth_cookie $upstream_http_set_cookie;
        add_header          Set-Cookie $auth_cookie;

        client_max_body_size                    1m;

        proxy_set_header Host                   $best_http_host;

        # Pass the extracted client certificate to the backend

        # Allow websocket connections
        proxy_set_header                        Upgrade           $http_upgrade;

        proxy_set_header                        Connection        $connection_upgrade;

        proxy_set_header X-Request-ID           $req_id;
        proxy_set_header X-Real-IP              $remote_addr;

        # Overwritten with the connecting peer address, so a client-supplied
        # X-Forwarded-For is not passed on under this name.
        proxy_set_header X-Forwarded-For        $remote_addr;

        proxy_set_header X-Forwarded-Host       $best_http_host;
        proxy_set_header X-Forwarded-Port       $pass_port;
        proxy_set_header X-Forwarded-Proto      $pass_access_scheme;

        proxy_set_header X-Scheme               $pass_access_scheme;

        # Pass the original X-Forwarded-For
        # NOTE(review): this value is copied from the client's request header,
        # so the backend should not treat it as a trusted address.
        proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;

        # mitigate HTTPoxy Vulnerability
        # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
        proxy_set_header Proxy                  "";

        # Custom headers to proxied server

        proxy_connect_timeout                   5s;
        proxy_send_timeout                      60s;
        proxy_read_timeout                      60s;

        proxy_buffering                         off;
        proxy_buffer_size                       4k;
        proxy_buffers                           4 4k;

        proxy_max_temp_file_size                1024m;

        proxy_request_buffering                 on;
        proxy_http_version                      1.1;

        proxy_cookie_domain                     off;
        proxy_cookie_path                       off;

        # In case of errors try the next upstream server before returning an error
        proxy_next_upstream                     error timeout;
        proxy_next_upstream_timeout             0;
        proxy_next_upstream_tries               3;

        proxy_pass http://upstream_balancer;

        proxy_redirect                          off;

}

location = /_external-auth-L2FwaXM-Exact {
        internal;

        # ngx_auth_request module overrides variables in the parent request,
        # therefore we have to explicitly set this variable again so that when the parent request
        # resumes it has the correct value set for this variable so that Lua can pick backend correctly
        set $proxy_upstream_name "kt-service-8080";

        proxy_pass_request_body     off;
        proxy_set_header            Content-Length          "";
        proxy_set_header            X-Forwarded-Proto       "";
        proxy_set_header            X-Request-ID            $req_id;

        proxy_method                POST;
        proxy_set_header            X-Original-URI          $request_uri;
        proxy_set_header            X-Scheme                $pass_access_scheme;

        proxy_set_header            Host                    www.gool.com;
        proxy_set_header            X-Original-URL          $scheme://$http_host$request_uri;
        proxy_set_header            X-Original-Method       $request_method;
        proxy_set_header            X-Sent-From             "nginx-ingress-controller";
        proxy_set_header            X-Real-IP               $remote_addr;

        proxy_set_header            X-Forwarded-For        $remote_addr;

        proxy_set_header            X-Auth-Request-Redirect $request_uri;

        proxy_buffering                         off;

        proxy_buffer_size                       4k;
        proxy_buffers                           4 4k;
        proxy_request_buffering                 on;
        proxy_http_version                      1.1;

        proxy_ssl_server_name       on;
        proxy_pass_request_headers  on;

        client_max_body_size        1m;

        # Pass the extracted client certificate to the auth provider

        set $target http://www.gool.com/authorization;
        proxy_pass $target;
}

location = /apis {

        set $namespace      "kt";
        set $ingress_name   "nginx1";
        set $service_name   "service";
        set $service_port   "8080";
        set $location_path  "/apis";
        set $global_rate_limit_exceeding n;

        rewrite_by_lua_block {
                lua_ingress.rewrite({
                        force_ssl_redirect = false,
                        ssl_redirect = false,
                        force_no_ssl_redirect = false,
                        use_port_in_redirects = false,
                global_throttle = { namespace = "", limit = 0, window_size = 0, key = { }, ignored_cidrs = { } },
                })
                balancer.rewrite()
                plugins.run()
        }

        # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
        # will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
        # other authentication method such as basic auth or external auth useless - all requests will be allowed.
        #access_by_lua_block {
        #}

        header_filter_by_lua_block {
                lua_ingress.header()
                plugins.run()
        }

        body_filter_by_lua_block {
                plugins.run()
        }

        log_by_lua_block {
                balancer.log()

                monitor.call()

                plugins.run()
        }

        port_in_redirect off;

        set $balancer_ewma_score -1;
        set $proxy_upstream_name "kt-service-8080";
        set $proxy_host          $proxy_upstream_name;
        set $pass_access_scheme  $scheme;

        set $pass_server_port    $server_port;

        set $best_http_host      $http_host;
        set $pass_port           $pass_server_port;

        set $proxy_alternative_upstream_name "";

        # this location requires authentication
        auth_request        /_external-auth-L2FwaXM-Exact;
        auth_request_set    $auth_cookie $upstream_http_set_cookie;
        add_header          Set-Cookie $auth_cookie;

        client_max_body_size                    1m;

        proxy_set_header Host                   $best_http_host;

        # Pass the extracted client certificate to the backend

        # Allow websocket connections
        proxy_set_header                        Upgrade           $http_upgrade;

        proxy_set_header                        Connection        $connection_upgrade;

        proxy_set_header X-Request-ID           $req_id;
        proxy_set_header X-Real-IP              $remote_addr;

        proxy_set_header X-Forwarded-For        $remote_addr;

        proxy_set_header X-Forwarded-Host       $best_http_host;
        proxy_set_header X-Forwarded-Port       $pass_port;
        proxy_set_header X-Forwarded-Proto      $pass_access_scheme;

        proxy_set_header X-Scheme               $pass_access_scheme;

        # Pass the original X-Forwarded-For
        proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;

        # mitigate HTTPoxy Vulnerability
        # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
        proxy_set_header Proxy                  "";

        # Custom headers to proxied server

        proxy_connect_timeout                   5s;
        proxy_send_timeout                      60s;
        proxy_read_timeout                      60s;

        proxy_buffering                         off;
        proxy_buffer_size                       4k;
        proxy_buffers                           4 4k;

        proxy_max_temp_file_size                1024m;

        proxy_request_buffering                 on;
        proxy_http_version                      1.1;

        proxy_cookie_domain                     off;
        proxy_cookie_path                       off;

        # In case of errors try the next upstream server before returning an error
        proxy_next_upstream                     error timeout;
        proxy_next_upstream_timeout             0;
        proxy_next_upstream_tries               3;

        proxy_pass http://upstream_balancer;

        proxy_redirect                          off;

}

location = /_external-auth-Lw-Prefix {
        internal;

        # ngx_auth_request module overrides variables in the parent request,
        # therefore we have to explicitly set this variable again so that when the parent request
        # resumes it has the correct value set for this variable so that Lua can pick backend correctly
        set $proxy_upstream_name "upstream-default-backend";

        proxy_pass_request_body     off;
        proxy_set_header            Content-Length          "";
        proxy_set_header            X-Forwarded-Proto       "";
        proxy_set_header            X-Request-ID            $req_id;

        proxy_method                POST;
        proxy_set_header            X-Original-URI          $request_uri;
        proxy_set_header            X-Scheme                $pass_access_scheme;

        proxy_set_header            Host                    www.gool.com;
        proxy_set_header            X-Original-URL          $scheme://$http_host$request_uri;
        proxy_set_header            X-Original-Method       $request_method;
        proxy_set_header            X-Sent-From             "nginx-ingress-controller";
        proxy_set_header            X-Real-IP               $remote_addr;

        proxy_set_header            X-Forwarded-For        $remote_addr;

        proxy_set_header            X-Auth-Request-Redirect $request_uri;

        proxy_buffering                         off;

        proxy_buffer_size                       4k;
        proxy_buffers                           4 4k;
        proxy_request_buffering                 on;
        proxy_http_version                      1.1;

        proxy_ssl_server_name       on;
        proxy_pass_request_headers  on;

        client_max_body_size        1m;

        # Pass the extracted client certificate to the auth provider

        set $target http://www.gool.com/authorization;
        proxy_pass $target;
}

location / {

        set $namespace      "kt";
        set $ingress_name   "nginx1";
        set $service_name   "";
        set $service_port   "";
        set $location_path  "/";
        set $global_rate_limit_exceeding n;

        rewrite_by_lua_block {
                lua_ingress.rewrite({
                        force_ssl_redirect = false,
                        ssl_redirect = false,
                        force_no_ssl_redirect = false,
                        use_port_in_redirects = false,
                global_throttle = { namespace = "", limit = 0, window_size = 0, key = { }, ignored_cidrs = { } },
                })
                balancer.rewrite()
                plugins.run()
        }

        # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
        # will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
        # other authentication method such as basic auth or external auth useless - all requests will be allowed.
        #access_by_lua_block {
        #}

        header_filter_by_lua_block {
                lua_ingress.header()
                plugins.run()
        }

        body_filter_by_lua_block {
                plugins.run()
        }

        log_by_lua_block {
                balancer.log()

                monitor.call()

                plugins.run()
        }

        port_in_redirect off;

        set $balancer_ewma_score -1;
        set $proxy_upstream_name "upstream-default-backend";
        set $proxy_host          $proxy_upstream_name;
        set $pass_access_scheme  $scheme;

        set $pass_server_port    $server_port;

        set $best_http_host      $http_host;
        set $pass_port           $pass_server_port;

        set $proxy_alternative_upstream_name "";

        # this location requires authentication
        auth_request        /_external-auth-Lw-Prefix;
        auth_request_set    $auth_cookie $upstream_http_set_cookie;
        add_header          Set-Cookie $auth_cookie;

        client_max_body_size                    1m;

        proxy_set_header Host                   $best_http_host;

        # Pass the extracted client certificate to the backend

        # Allow websocket connections
        proxy_set_header                        Upgrade           $http_upgrade;

        proxy_set_header                        Connection        $connection_upgrade;

        proxy_set_header X-Request-ID           $req_id;
        proxy_set_header X-Real-IP              $remote_addr;

        proxy_set_header X-Forwarded-For        $remote_addr;

        proxy_set_header X-Forwarded-Host       $best_http_host;
        proxy_set_header X-Forwarded-Port       $pass_port;
        proxy_set_header X-Forwarded-Proto      $pass_access_scheme;

        proxy_set_header X-Scheme               $pass_access_scheme;

        # Pass the original X-Forwarded-For
        proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;

        # mitigate HTTPoxy Vulnerability
        # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
        proxy_set_header Proxy                  "";

        # Custom headers to proxied server

        proxy_connect_timeout                   5s;
        proxy_send_timeout                      60s;
        proxy_read_timeout                      60s;

        proxy_buffering                         off;
        proxy_buffer_size                       4k;
        proxy_buffers                           4 4k;

        proxy_max_temp_file_size                1024m;

        proxy_request_buffering                 on;
        proxy_http_version                      1.1;

        proxy_cookie_domain                     off;
        proxy_cookie_path                       off;

        # In case of errors try the next upstream server before returning an error
        proxy_next_upstream                     error timeout;
        proxy_next_upstream_timeout             0;
        proxy_next_upstream_tries               3;

        proxy_pass http://upstream_balancer;

        proxy_redirect                          off;

}

}
## end server example.com