This topic describes the basics of NGINX, how the NGINX Ingress controller works, and the relevant O&M capabilities.
Basics of NGINX
In NGINX, directives can be used to configure the forwarding proxy logic. You can specify directives in the /etc/nginx/nginx.conf configuration file or in another configuration file that is referenced by using the include directive in the nginx.conf configuration file. The NGINX configuration file mainly consists of four blocks: Main (global configurations), Server (host configurations), Upstream (configurations of load balancer servers), and Location (configurations of URL-based location matching).
The following content describes the structure of the NGINX configuration file.
Main block: configures directives that affect the overall operation of NGINX. Generally, this block includes configurations such as the user group under which the NGINX server runs, the path where the NGINX process ID (PID) is stored, the path for log storage, configuration file inclusion, and the number of worker processes that can be generated.
# configuration file /etc/nginx/nginx.conf: # Configuration checksum: 15621323910982901520 # setup custom paths that do not require root access pid /tmp/nginx/nginx.pid; daemon off; worker_processes 31; worker_cpu_affinity auto; worker_rlimit_nofile 1047552; worker_shutdown_timeout 240s ; access_log /var/log/nginx/access.log upstreaminfo if=$loggable; error_log /var/log/nginx/error.log notice;Events block: configures the network connections that affect the NGINX server or end users that initiate network requests, including the maximum number of connections per process and the event-driven model to be used to process connection requests.
events { multi_accept on; worker_connections 65536; use epoll; }HTTP block: configures most features and third-party modules such as the servers, proxying, caching, and logging. Multiple
Serverblocks can be nested under this block, and each one defines the configurations of a specific virtual host or server. Examples of configurations in the HTTP block include file inclusion, Multipurpose Internet Mail Extensions (MIME) type definitions, custom logging, whether to use sendfile for file transmission, connection timeout period, and the number of requests per connection.http { lua_package_path "/etc/nginx/lua/?.lua;;"; lua_shared_dict balancer_ewma 10M; lua_shared_dict balancer_ewma_last_touched_at 10M; lua_shared_dict balancer_ewma_locks 1M; lua_shared_dict certificate_data 20M; lua_shared_dict certificate_servers 5M; lua_shared_dict configuration_data 20M; lua_shared_dict global_throttle_cache 10M; lua_shared_dict ocsp_response_cache 5M; init_by_lua_block { collectgarbage("collect") -- init modules local ok, res ok, res = pcall(require, "lua_ingress") if not ok then error("require failed: " .. tostring(res)) else lua_ingress = res lua_ingress.set_config({ use_forwarded_headers = false, use_proxy_protocol = false, is_ssl_passthrough_enabled = false, http_redirect_code = 308, listen_ports = { ssl_proxy = "442", https = "443" }, hsts = true, hsts_max_age = 15724800, hsts_include_subdomains = true, hsts_preload = false, ... } ... }Server block: configures the parameters for a specific virtual host. Multiple Server blocks can be nested under the HTTP block.
## start server www.exmaple.com server { server_name www.example.com ; listen 80 ; listen [::]:80 ; listen 443 ssl http2 ; listen [::]:443 ssl http2 ; set $proxy_upstream_name "-"; ssl_certificate_by_lua_block { certificate.call() } location / { set $namespace "xapi"; set $ingress_name "xapi-server"; set $service_name "xapi-server-rta"; set $service_port "80"; set $location_path "/"; set $global_rate_limit_exceeding n; rewrite_by_lua_block { lua_ingress.rewrite({ force_ssl_redirect = false, ssl_redirect = false, force_no_ssl_redirect = false, preserve_trailing_slash = false, use_port_in_redirects = false, global_throttle = { namespace = "", limit = 0, window_size = 0, key = { }, ignored_cidrs = { } }, }) balancer.rewrite() plugins.run() } ... } } ## end server www.example.comLocation block: configures the routing of requests and processing of various pages.
location / { proxy_pass http://upstream_balancer; }
The following code shows a sample nginx.conf file, including some common directives and directive blocks:
# the number of worker processes to use
worker_processes 4;
# include additional configuration files
include /etc/nginx/conf.d/*.conf;
http {
# HTTP server settings
server {
# listen on port 80
listen 80;
# server name
server_name www.example.com;
# default location
location / {
# root directory
root /var/www/html;
# index file
index index.html;
}
}
}In this example:
worker_processes: a directive that specifies the number of worker processes to be used by NGINX.include: a directive that specifies other configuration files to include.server: a block that configures the settings of a specific server.location: a block that configures the settings of the default location, which is the root URL of the NGINX server.
For more information, see NGINX official documentation.
The following sections describe the most critical parts of the NGINX configuration file.
Directive blocks
HTTP block
The HTTP block configures the global parameters of the HTTP server. The parameters include the number of worker processes to run, maximum number of connections allowed, and log settings. The following code shows a sample HTTP block:
http {
worker_processes 4;
worker_rlimit_nofile 8192;
client_max_body_size 128m;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
server {
...
}
}In this example, the HTTP block specifies the number of worker processes, maximum number of file descriptors allowed, maximum body size allowed for client requests, and locations of the access log file and error log file. A Server block is nested under the HTTP block, specifying the configurations of a specific web server.
Server block
A Server block defines the processing rules of traffic requests for a specific domain name or a group of domain names. You can configure different settings and behaviors for multiple websites and applications hosted on the same server.
The following code shows a sample Server block:
server {
listen 80;
server_name www.example.com;
location / {
root /var/www/html/example;
index index.html index.htm;
}
location /app {
proxy_pass http://localhost:3000;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}In this example, the server processes only unencrypted traffic of the domain name www.example.com on port 80.
listenspecifies that the server listens for inbound connections on port 80.server_namespecifies the domain name that the Server block processes.listenandserver_nameare used together to specify the domain name and port based on which the server listens for and processes traffic.
server_name
This directive specifies the domain name of a virtual host.
server_name name1 name2 name3
# example:
server_name www.example.com;The following four matching modes are supported to specify a domain name:
Exact match:
server_name www.example.comWildcard match (with a wildcard used to indicate the subdomain):
server_name *.example.comWildcard match (with a wildcard used to indicate the top-level domain):
server_name www.example.*Regular expression match:
server_name ~^www\.example\.*$
The four matching modes in the list are prioritized in descending order.
Location block
A Location block configures the request processing rules of the server for a specific URL path or URL pattern. You can define different behaviors based on different parts of a website or an application, such as providing static files for specific directories or proxying requests to another server.
The following code shows some sample Location blocks:
server {
...
location / {
root /var/www/html/example;
index index.html index.htm;
}
location /app {
proxy_pass http://localhost:3000;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}In this example:
The
/Location block specifies that requests to the root URL of the website are processed by providing files in the/var/www/html/exampledirectory.The
/appLocation block specifies that requests to the/appURL are proxied tolocalhoston port 3000.The
/50x.htmlLocation block specifies how the server handles server errors by serving specific files.
When multiple Location blocks exist, requests are captured and processed by the Location block that is first matched based on the Location block matching rules and priority.
Syntax of matching rule concatenation:
location [ = | ~ | ~* | ^~ ] uri { ... }location @name { ... }
Matching rule | Description |
location = /uri | = indicates an exact match. A Location block takes effect only if it is exactly matched. |
location ^~ /uri | ^~ indicates a prefix match for URL paths before a regular expression match. The search is stopped if a URL path is matched. |
location ~ Regular expression | ~ indicates a case-sensitive regular expression match. |
location ~* Regular expression | ~* indicates a case-insensitive regular expression match. |
location !~ Regular expression | !~ indicates a case-sensitive regular expression mismatch. |
location !~*Regular expression | !~* indicates a case-insensitive regular expression mismatch. |
location /uri | This matching rule uses no character. It indicates a prefix match after a regular expression match. |
location / | A general match. This matching rule applies to a request with no |
location @Name | An internal redirection in NGINX. |
The priority of the matching rules is in the following descending order: = > ^~ > ~ > ~* > No character used.
Example:
# Default general match. This matching rule applies to a request with no Location block hitting other matching rules.
location = / {
}
# Prefix match.
location ^~ /xx/ {
# If a request prefixed with /xx/ is matched, the search is stopped.
}
# Prefix match without a regular expression.
location /uri {
}
location / {
# Match all requests because all requests start with /. However, Location blocks defined by using regular expressions and those with longer prefix matches are prioritized to be matched.
}
# Regular expression match.
location ~*.(gif|jpg|jpeg)$ {
# Match any request that ends with gif, jpg, or jpeg.
}An NGINX Ingress sorts multiple Ingress paths of a host in descending order of length. For more information, see Ingress Path Matching and Understanding Nginx Server and Location Block Selection Algorithms.
Directive inheritance and override
In NGINX configuration, directives follow an inheritance mechanism from the outer to the inner contexts. An inner child context inherits configuration directives from its outer parent context. For example, the directives specified in the http{} context are inherited by all nested server{} and location{} contexts. Similarly, the directives specified in the server{} context are inherited by all nested location{} contexts. Take note that if a directive is specified in both a parent context and a child context, the configuration in the child context overrides, rather than combining with, that in the parent context.
Example:
http {
add_header X-HTTP-LEVEL-HEADER 1;
add_header X-ANOTHER-HTTP-LEVEL-HEADER 1;
server {
listen 8080;
location / {
return 200 "OK";
}
}
server {
listen 8081;
add_header X-SERVER-LEVEL-HEADER 1;
location / {
return 200 "OK";
}
location /test {
add_header X-LOCATION-LEVEL-HEADER 1;
return 200 "OK";
}
location /correct {
add_header X-HTTP-LEVEL-HEADER 1;
add_header X-ANOTHER-HTTP-LEVEL-HEADER 1;
add_header X-SERVER-LEVEL-HEADER 1;
add_header X-LOCATION-LEVEL-HEADER 1;
return 200 "OK";
}
}
}Reverse proxy configurations of NGINX
proxy_pass
The reverse proxy configurations of NGINX allow NGINX to operate as a proxy server that listens for client requests and forwards them to one or more backend servers. This enables NGINX to receive and route requests to appropriate backend servers for processing. To configure NGINX as a reverse proxy, you can use the proxy_pass directive in a Location block in the NGINX configuration file.
Example:
server {
listen 80;
server_name www.example.com;
location / {
proxy_pass http://localhost:3000;
}
}In this example, the / Location block specifies that all requests to the domain name www.example.com are proxied to the local host on port 3000. This means that NGINX receives and forwards requests to the server that runs on port 3000 on the local host.
proxy_set_header
You can use the proxy_set_header directive to specify additional headers to add to the proxy request.
Example:
server {
listen 80;
server_name www.example.com;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://localhost:3000;
}
}In this example, the proxy_set_header directive adds the Host and X-Real-IP headers to the proxy request, setting the hostname of the incoming request and the IP address to their respective values. These headers are useful for ensuring that the upstream server receives accurate information about the request.
Common NGINX directives
Directive | Description |
| Specifies the backend server to which the request is forwarded. The value can be an IP address with a port number or a domain name. |
| Specifies the headers to be forwarded to the backend server, such as Host and X-Real-IP. |
| Sets the timeout period for establishing a connection with the backend server. |
| Set the buffer size for caching responses of the backend server. |
Common NGINX commands
Command | Description |
| Sends a signal to the main process to reload the configuration file and perform a hot restart. |
| Restarts the NGINX server. |
| Shuts down the NGINX server. |
| Shuts down the NGINX server after the worker processes complete processing. |
| Displays the final NGINX configurations. |
| Checks the configuration file for errors. |
NGINX Ingress controller
How it works
The NGINX Ingress controller is an implementation that integrates both the control plane and the data plane. Each pod has a controller process and relevant NGINX processes.
Core modules of the NGINX Ingress data plane
Third-party modules:
NGINX Ingresses in Container Service for Kubernetes (ACK) are integrated with this module. This module implements the integration with the tracing feature of Real-Time Monitoring Service (ARMS). For more information, see Enable tracing for NGINX Ingress Controller.
You can enable this module for NGINX Ingresses by using a ConfigMap.
data: enable-opentelemetry: "true" otlp-collector-host: "otel-coll-collector.otel.svc" ## OpenTelemetry endpoint
For more information, see NGINX official documentation.
Implementation of configuration synchronization
The following figure shows how configuration synchronization is implemented. This helps you understand how to reduce the frequency of configuration reloads and when it is necessary to perform configuration reloads.
The NGINX Ingress controller monitors resources such as Ingresses, services, pods, and endpoints to update configurations to the nginx.conf file or the Lua table. The Lua table mainly includes the configurations of upstream server endpoints, canary releases, and certificates. They correspond to some related variables of NGINX. Changes to these configurations also trigger updates to the nginx.conf file, thereby triggering a reload. For more information, see When a reload is required in the NGINX Ingress community documentation.
Configurations of the NGINX Ingress control plane
Startup arguments
For more information, see Command line arguments.
You can view the container startup arguments from Deployment Spec or Pod Spec of NGINX Ingresses, as shown in the following code:
containers:
- args:
- /nginx-ingress-controller
- --election-id=ingress-controller-leader-nginx
- --ingress-class=nginx
- --watch-ingress-without-class
- --controller-class=k8s.io/ingress-nginx
- --configmap=$(POD_NAMESPACE)/nginx-configuration
- --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
- --udp-services-configmap=$(POD_NAMESPACE)/udp-services
- --annotations-prefix=nginx.ingress.kubernetes.io
- --publish-service=$(POD_NAMESPACE)/nginx-ingress-lb
- --enable-annotation-validation
- --validating-webhook=:8443
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
- --v=2-v specifies the log level.
--v=2: displays detailed information about configuration changes in NGINX.--v=3: displays detailed information about services, Ingress rules, and endpoint changes, and dumps NGINX configuration in JSON format.--v=5: enables the debug mode.
Load balancing
NGINX Ingresses allow you to specify a global default load balancing algorithm. The Round_robin and Ewma algorithms are supported. By default, Round_robin is used. The Round_robin algorithm cyclically distributes requests among backend workloads to achieve even distribution. However, uneven load balancing may occur if the performance of backend workloads varies greatly. The Ewma algorithm sends requests to the backend workload with the lowest weighted average load. The weighted load index gradually changes as requests arrive. This ensures more balanced load distribution.
For load balancing based on consistent hashing by using variables such as the IP address, consider using the nginx.ingress.kubernetes.io/upstream-hash-by annotation. For session cookie-based load balancing, consider using the nginx.ingress.kubernetes.io/affinity annotation.
Related implementations:
Related timeout configurations
Global timeout configurations
You can use the following configuration options to specify global timeout configurations of NGINX Ingresses:
Configuration option | Description | Default value |
| Sets the timeout period for establishing a connection with the proxy server. In general, the value cannot exceed 75s. | 5s |
| Sets the timeout period for reading a response from the proxy server. This timeout period applies between two consecutive read operations, rather than to the transmission of the entire response. | 60s |
| Sets the timeout period for sending a request to the proxy server. This timeout period applies between two consecutive write operations, rather than to the transmission of the entire request. | 60s |
| Limits the amount of time allowed to pass a connection to the next server. If you set the value to 0, no limit is imposed. | 600s |
| Sets the timeout period between two consecutive read or write operations on a client or proxy server connection. If no data is transmitted within the period, the connection is closed. | 600s |
| Sets a timeout period for keeping an idle connection open with upstream servers. |
|
| Sets the timeout period for a graceful shutdown. | 240s |
| Sets the timeout period for receiving the proxy protocol header. The default value prevents the Transport Layer Security (TLS) passthrough handler from waiting indefinitely for a broken connection. | 5s |
| Sets the validity period for SSL session parameters in the session cache. The expiration time is subject to the creation time. Each session cache occupies about 0.25 MB of space. | 10m |
| Sets the timeout period for reading the client request body. | 60s |
| Sets the timeout period for reading the client request headers. | 60s |
Resource-specific custom timeout configurations
The following table describes the options for resource-specific custom timeout configurations.
Configuration option | Description |
| Sets the timeout period for establishing a connection with the proxy server. |
| Sets the timeout period for sending data to the proxy server. |
| Sets the timeout period for reading data from the proxy server. |
| Configures retry policies or retry conditions. Separate multiple items with spaces. For example, you can use
|
| Sets the number of retries allowed if the retry conditions are met. |
| Specifies whether to enable the request buffering feature. Valid values:
|
General global ConfigMap configurations
For more information, see ConfigMaps.
Other annotations
For more information, see Annotations.
Custom snippet configurations
nginx.ingress.kubernetes.io/configuration-snippet: The configuration applies to the Location block.nginx.ingress.kubernetes.io/server-snippet: The configuration applies to the Server block.nginx.ingress.kubernetes.io/stream-snippet: The configuration applies to the Stream block.
Configurations of the NGINX Ingress data plane
The data plane of NGINX Ingresses is implemented by combining NGINX with the ngx_lua module (OpenResty). NGINX uses a multi-modular design, which divides HTTP request processing into multiple phases. This design allows multiple modules to work together, where each module is responsible for handling an independent and simple feature. This makes request processing more efficient and reliable, and improves the scalability of the system.
OpenResty can inject custom handlers to process requests in different processing phases of NGINX, including the Rewrite/Access phase, Content phase, and Log phase. Together with the initialization phase of system startup, which is the Master phase, OpenResty provides a total of 11 phases. These phases enable Lua scripts to intervene in HTTP request processing. The following figure shows the main available phases of OpenResty.
HTTP block
http {
lua_package_path "/etc/nginx/lua/?.lua;;";
lua_shared_dict balancer_ewma 10M;
lua_shared_dict balancer_ewma_last_touched_at 10M;
lua_shared_dict balancer_ewma_locks 1M;
lua_shared_dict certificate_data 20M;
lua_shared_dict certificate_servers 5M;
lua_shared_dict configuration_data 20M;
lua_shared_dict global_throttle_cache 10M;
lua_shared_dict ocsp_response_cache 5M;
...
}init_by_lua_block
The following Lua-related modules are loaded during the initialization:
configurationbalancermonitorcertificateplugins
init_worker_by_lua_block
init_worker_by_lua_block {
lua_ingress.init_worker()
balancer.init_worker()
monitor.init_worker(10000)
plugins.run()
}upstream and balancer_by_lua_block
upstream upstream_balancer {
### Attention!!!
#
# We no longer create "upstream" section for every backend.
# Backends are handled dynamically using Lua. If you would like to debug
# and see what backends ingress-nginx has in its memory you can
# install our kubectl plugin https://kubernetes.github.io/ingress-nginx/kubectl-plugin.
# Once you have the plugin you can use "kubectl ingress-nginx backends" command to
# inspect current backends.
#
###
server 0.0.0.1; # placeholder
balancer_by_lua_block {
balancer.balance()
}
keepalive 8000;
keepalive_time 1h;
keepalive_timeout 60s;
keepalive_requests 10000;
}Stream block
Logs
access_log off;
error_log /var/log/nginx/error.log notice;In this example,
access_logis disabled.The error log level is set to
notice. The following levels are supported:debug(debug_core,debug_alloc,debug_event,debug_http, ...),info,warn,error,crit,alert, andemerg. The higher the level, the less information is recorded.
Run the following command to check the errors recorded in the pod logs of NGINX Ingresses:
kubectl logs -f <nginx-ingress-pod-name> -n kube-system |grep -E '^[WE]'References
For more information about NGINX Ingress configurations, see NGINX Configuration.
For more information about NGINX Ingress troubleshooting, see Commonly used diagnostic methods in the "NGINX Ingress controller troubleshooting" topic.
For more information about the advanced usage of NGINX Ingresses, see Advanced NGINX Ingress configurations.