amazon-web-services - AWS 上的 Kubernetes HTTP 到 HTTPS 重定向,ELB 终止 SSL
问题描述
我正在尝试为流向 Kubernetes 集群的流量设置一个简单的 HTTP 到 HTTPS 重定向。SSL 终止发生在 ELB 上。当我尝试使用nginx.ingress.kubernetes.io/ssl-redirect = true
它时,它会导致无限重定向,这导致我设置了一个配置映射来处理这个问题(nginx-ingress:启用 force-ssl 时重定向太多)。
现在似乎根本没有发生重定向。
我的入口服务定义为:
apiVersion: v1
kind: Service
metadata:
annotations:
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:...:certificate/...
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
labels:
k8s-addon: ingress-nginx.addons.k8s.io
name: ingress-nginx
namespace: ingress-nginx
spec:
externalTrafficPolicy: Cluster
ports:
- name: https
port: 443
protocol: TCP
targetPort: http
- name: http
port: 80
protocol: TCP
targetPort: http
selector:
app: ingress-nginx
type: LoadBalancer
我的配置图定义为:
apiVersion: v1
kind: ConfigMap
data:
client-body-buffer-size: 32M
hsts: "true"
proxy-body-size: 1G
proxy-buffering: "off"
proxy-read-timeout: "600"
proxy-send-timeout: "600"
server-tokens: "false"
ssl-redirect: "false"
upstream-keepalive-connections: "50"
use-proxy-protocol: "true"
http-snippet: |
server {
listen 8080 proxy_protocol;
server_tokens off;
return 307 https://$host$request_uri;
}
metadata:
labels:
app: ingress-nginx
name: nginx-configuration
namespace: ingress-nginx
---
apiVersion: v1
kind: ConfigMap
metadata:
name: tcp-services
namespace: ingress-nginx
---
apiVersion: v1
kind: ConfigMap
metadata:
name: udp-services
namespace: ingress-nginx
并且,入口定义为:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: gateway-ingress
annotations:
nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
nginx.ingress.kubernetes.io/cors-allow-headers: Authorization, origin, accept
nginx.ingress.kubernetes.io/cors-allow-methods: GET, OPTIONS
nginx.ingress.kubernetes.io/cors-allow-origin: gateway.example.com.com/monitor
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
rules:
- host: gateway.example.com
http:
paths:
- backend:
serviceName: gateway
servicePort: 8080
path: /
tls:
- hosts:
- gateway.example.com
解决方案
问题是我在负载均衡器上使用的目标端口与重定向服务器正在侦听的端口不匹配:
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
这只是将所有内容发送到端口 80。应该是这样的:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
这样它就与 ConfigMap 匹配:
data:
...
http-snippet: |
server {
listen 8080 proxy_protocol;
server_tokens off;
return 307 https://$host$request_uri;
}
推荐阅读
- google-apps-script - 如何在应用现有列的公式时快速向 Google 表格添加新行?
- mysql - MySQL中的分组索引
- roblox - Roblox Studio 如何循环检查玩家姓名是否正确输入到 texbox
- c++ - 在决定是通过参考还是价值传递时,尺寸真的是一个问题吗?
- python - .remove 函数不适用于“if”签入列表
- javascript - Matlab:绘制来自另一个脚本的数据
- serialization - Azure 服务总线消息反序列化在核心转换中中断
- sql-server - SQL Server:应用一对一匹配
- php - 如何限制获取的结果数量然后过滤它们?
- ggplot2 - 使用 ggarrange 添加行和列标题