Trying to get rid of needing custom full Kong nginx templates for better management #13373
Replies: 1 comment
We're not overly happy with custom nginx templates in general, but they do provide a useful way of changing Kong Gateway's behavior, which is why they are there. It prevents us from having to expose more direct ways of configuration for less common use cases, but still providing a way for users to do it. That said, if you can describe your particular use case with more precision, it might be that we can distill out functionality that'd be beneficial in general. Please describe what you want to achieve and how you achieve it with a custom nginx template, but without just pasting the whole thing into the discussion leaving it for us to figure out what you mean and want. Thank you!
I think this is a separate issue. Maybe #12733 fixes it already, but if it does not, consider opening a separate issue.
So I have a template like so now with as much tuning as I think I could do moving a bunch of custom stuff to ENV vars:
I think the only things that are actually custom now (I believe) are the kong_mtls block, which deals with modsecurity and global MTLS settings verifying the clients @ the webserver level. But otherwise it's almost an identical kong server block.
Setting some headers to nil to not leak kong/nginx/openresty versions ever to clients as good security measures, personally I think Kong should do this by default but not a biggie:
My question is: Are there any approaches in Kong right now I can use to help pull out the kong_mtls block into a separate file and not have to run the kong prepare on a full nginx template file where I constantly have to diff and worry about Kong changes version to version? And a good way to handle the nil of server and via headers in the response to clients globally vs how I am doing now?
nginx.template file below: