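#
# Edge reverse proxy: 42.194.185.163
#
# Forwards public 80/443 traffic as an L4 (TCP) passthrough to the K8s worker
# nodes that run the warmcheck/nginx DaemonSet (hostNetwork, hostPort 80/443).
# TLS is NOT terminated here: the edge never holds certificates or private
# keys, and SNI/ClientHello are forwarded untouched to the workers.
#
# Worker addresses used as upstreams:
#   - vm-0-6-opencloudos   / 10.1.0.6
#   - vm-32-10-tencentos   / 172.16.32.10
#   - vm-32-16-tencentos   / 172.16.32.16
#
# NOTE(review): the original note says the workers are cross-VPC and "must use
# public addresses", yet every upstream below is an RFC1918 address. Either the
# VPCs are peered/CCN-connected (then the note is stale) or these entries will
# never connect and every upstream will be marked down by max_fails. Confirm
# routing from this host (e.g. `curl -sS -o /dev/null -w '%{http_code}\n'
# http://10.1.0.6/`) before relying on this config.
#
# Master (43.139.80.61 / 172.16.16.16) is intentionally excluded — the
# DaemonSet nodeAffinity skips control-plane nodes, so it does NOT listen
# on :80/:443.
#
# Client-IP caveat: with a plain L4 passthrough the DaemonSet nginx sees the
# edge proxy's source address as the client, not the real visitor. Backend
# logging, rate limiting, allow/deny lists and fail2ban-style tooling therefore
# cannot distinguish visitors. If real client IPs are needed, enable
# `proxy_protocol on;` on both stream servers below AND configure the DaemonSet
# nginx with `listen ... proxy_protocol;` + `set_real_ip_from <edge addr>;` +
# `real_ip_header proxy_protocol;` in the same change — enabling only one side
# breaks all traffic, since PROXY-protocol header bytes are not valid HTTP/TLS.
#

user nginx;
worker_processes auto;
# Must exceed 2 * worker_connections (one client fd + one upstream fd per
# proxied session, plus log/listen fds).
worker_rlimit_nofile 65535;

error_log /var/log/nginx/error.log notice;
pid /run/nginx.pid;

# Load dynamic modules. The stream module ships as a dynamic module on
# OpenCloudOS 9 / RHEL 9 (package nginx-mod-stream) and its load_module
# snippet lives in /usr/share/nginx/modules/. Without it the `stream {}`
# block below is an "unknown directive" and nginx refuses to start.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 8192;
    use epoll;
    multi_accept on;
}

# ============================================================
# L4 stream passthrough (HTTP 80 + HTTPS 443 + WSS)
# ============================================================
stream {
    # Per-session log line. $remote_addr is the real visitor here (the edge is
    # the first hop), so keep this log — it is the only place the true client
    # address is recorded once traffic has been forwarded upstream.
    log_format basic '$remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time "$upstream_addr" '
                     '"$upstream_bytes_sent" "$upstream_bytes_received" '
                     '"$upstream_connect_time"';

    access_log /var/log/nginx/stream-access.log basic buffer=32k flush=5s;

    # ---- HTTP upstream (80) ----
    # Three workers, round-robin. Health checking is passive only: a node is
    # taken out for fail_timeout after max_fails failed connects/proxies, so a
    # draining or freshly-rebooted node still receives a few client sessions
    # before it is marked down. Active checks require nginx Plus or a
    # third-party module, so this is a known trade-off.
    upstream k8s_http {
        server 10.1.0.6:80     max_fails=3 fail_timeout=30s;
        server 172.16.32.10:80 max_fails=3 fail_timeout=30s;
        server 172.16.32.16:80 max_fails=3 fail_timeout=30s;
    }

    # ---- HTTPS upstream (443, SNI passthrough) ----
    # No ssl_preread / no ssl_certificate here: bytes are relayed opaquely and
    # the TLS handshake completes on the worker. Certificate rotation and TLS
    # policy (ciphers, HSTS, OCSP) therefore live entirely in the DaemonSet.
    upstream k8s_https {
        server 10.1.0.6:443     max_fails=3 fail_timeout=30s;
        server 172.16.32.10:443 max_fails=3 fail_timeout=30s;
        server 172.16.32.16:443 max_fails=3 fail_timeout=30s;
    }

    # ---- Listeners ----
    server {
        listen 80;
        listen [::]:80;
        proxy_pass k8s_http;
        proxy_connect_timeout 5s;
        # Idle-session cap. A WebSocket with no frames (including pings) for
        # 300s is closed by the edge; keep application ping intervals below it.
        proxy_timeout 300s;
        proxy_socket_keepalive on;
    }

    server {
        listen 443;
        listen [::]:443;
        proxy_pass k8s_https;
        proxy_connect_timeout 5s;
        # Same idle cap as :80 — applies to WSS as well.
        proxy_timeout 300s;
        proxy_socket_keepalive on;
    }
}

# ============================================================
# Local-only HTTP block for status / health probing on :8080
# (bound to 127.0.0.1 so it doesn't clash with stream :80)
# ============================================================
# This endpoint only proves the edge nginx process is up and serving; it does
# NOT check that any upstream worker is reachable. Do not use it as a load
# balancer health check for the passthrough path.
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 4096;
    # Hide the nginx version in the Server header and error pages; harmless on
    # loopback, and avoids leaking it if this block is ever re-bound.
    server_tokens off;

    server {
        listen 127.0.0.1:8080;
        server_name _;

        location = /edge-health {
            # `return` takes its Content-Type from default_type; using
            # add_header here would emit a second Content-Type header
            # (application/octet-stream AND text/plain), which some probes
            # reject. Override default_type for this location instead.
            default_type text/plain;
            return 200 "edge-ok\n";
        }

        location / {
            return 404;
        }
    }
}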