kubernetes 入口 TLS 验证和重定向问题
kubernetes ingress TLS validation and redirection issue
我有两个 kubernetes 环境,它们使用入口作为代理来重定向请求以服务静态(前端)和后端休息服务。
这样的请求可以被其中一个环境中的两个主机 URL 访问(一个主机配置了 tls 证书密码),而在另一个环境中,我没有配置任何 tls 密码并且它只能被一台主机访问URL
在第一个环境中(只有一个主机且没有 TLS 密钥)我有以下内容:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/proxy-connect-timeout: "70"
nginx.ingress.kubernetes.io/proxy-read-timeout: "1000"
nginx.ingress.kubernetes.io/proxy-send-timeout: "1000"
nginx.ingress.kubernetes.io/rewrite-target: /
creationTimestamp: "XXXX"
generation: 9
labels:
app: myapp
chart: myapp-0.1.0
heritage: Helm
release: myapp-ingress
name: myapp-ingress
namespace: myapp-namespace
resourceVersion: "25745018"
selfLink: /apis/extensions/v1beta1/namespaces/my-app-namespace/ingresses/my-app-ingress
uid: 34c3d902-1517
spec:
rules:
- host: hostOne
http:
paths:
- backend:
serviceName: myapp-front
servicePort: 8080
path: /(.*)
- backend:
serviceName: myapp-backend
servicePort: 8080
path: /myappapi/(.+)
tls:
- hosts:
- hostOne
status:
loadBalancer:
ingress:
- {}
在这个中,我可以完美地通过 HTTP 发出请求,并且一切正常。对于 HTTPS 请求,我得到一个 SSLExcepcion,因为客户端中没有安装证书(这是正常且明显的)
在第二个集群中,我有 TLS 密钥和两个主机 URL:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/proxy-connect-timeout: "70"
nginx.ingress.kubernetes.io/proxy-read-timeout: "1000"
nginx.ingress.kubernetes.io/proxy-send-timeout: "1000"
nginx.ingress.kubernetes.io/rewrite-target: /
creationTimestamp: "XXXX"
generation: 9
labels:
app: myapp
chart: myapp-0.1.0
heritage: Helm
release: myapp-ingress
name: myapp-ingress
namespace: myapp-namespace
resourceVersion: "25745018"
selfLink: /apis/extensions/v1beta1/namespaces/my-app-namespace/ingresses/my-app-ingress
uid: 34c3d902-1517
spec:
rules:
- host: hostOne
http:
paths:
- backend:
serviceName: myapp-front
servicePort: 8080
path: /(.*)
- backend:
serviceName: myapp-backend
servicePort: 8080
path: /myappapi/(.+)
- host: hostTwo
http:
paths:
- backend:
serviceName: myapp-front
servicePort: 8080
path: /(.*)
- backend:
serviceName: myapp-backend
servicePort: 8080
path: /myappapi/(.+)
tls:
- hosts:
- hostTwo
secretName: tlsSecret
- hosts:
- hostOne
status:
loadBalancer:
ingress:
- {}
在这种情况下,当使用 HTTP 请求时,我在两个 URLs(hostOne 和 hostTwo)
中都收到重定向到 HTTPS 的 803 错误
我希望在仅对配置有证书和 TLS 机密的 hostTwo 使用 http 时进行重定向。
为什么 ingress 响应了 http 的重定向,而在第一种情况下却没有?我应该改变什么?
当我使用 RestTemplate 向 https 发送请求时,我收到 SSLException:
2020-05-08 12:57:05,586 ERROR class=ExceptionHandler Received fatal alert: handshake_failure; nested exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
我尝试按照此处的说明安装证书和广告 TLS1.2:
但它没有用,我无法通过 http 发送请求,只是为了检查服务代码是否正确。
我建议您有 2 个单独的 Ingress 对象。一个用于 SSL 主机,另一个用于非 SSL 主机。请检查以下 2 个入口对象。
对于 HostOne - 不需要重定向的地方
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/proxy-connect-timeout: "70"
nginx.ingress.kubernetes.io/proxy-read-timeout: "1000"
nginx.ingress.kubernetes.io/proxy-send-timeout: "1000"
nginx.ingress.kubernetes.io/rewrite-target: /
generation: 9
labels:
app: myapp
chart: myapp-0.1.0
heritage: Helm
release: myapp-ingress
name: myapp-ingress-non-ssl
namespace: myapp-namespace
spec:
rules:
- host: hostOne
http:
paths:
- backend:
serviceName: myapp-front
servicePort: 8080
path: /(.*)
- backend:
serviceName: myapp-backend
servicePort: 8080
path: /myappapi/(.+)
tls:
- hosts:
- hostOne
status:
loadBalancer:
ingress:
- {}
For HostTwo - 需要重定向的地方#添加了重定向注解
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/proxy-connect-timeout: "70"
nginx.ingress.kubernetes.io/proxy-read-timeout: "1000"
nginx.ingress.kubernetes.io/proxy-send-timeout: "1000"
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
generation: 9
labels:
app: myapp
chart: myapp-0.1.0
heritage: Helm
release: myapp-ingress
name: myapp-ingress-ssl
namespace: myapp-namespace
spec:
rules:
- host: hostTwo
http:
paths:
- backend:
serviceName: myapp-front
servicePort: 8080
path: /(.*)
- backend:
serviceName: myapp-backend
servicePort: 8080
path: /myappapi/(.+)
tls:
- hosts:
- hostTwo
secretName: tlsSecret
status:
loadBalancer:
ingress:
- {}
我找到了。
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/
刚刚添加
nginx.ingress.kubernetes.io/force-ssl-redirect:"false",因为默认值是true。
@nischay,您的解决方案不起作用,因为在第一个入口中应该添加 nginx.ingress.kubernetes.io/force-ssl-redirect: "false" 并且拆分入口比仅添加注释更复杂,
总之非常感谢。
我有两个 kubernetes 环境,它们使用入口作为代理来重定向请求以服务静态(前端)和后端休息服务。
这样的请求可以被其中一个环境中的两个主机 URL 访问(一个主机配置了 tls 证书密码),而在另一个环境中,我没有配置任何 tls 密码并且它只能被一台主机访问URL
在第一个环境中(只有一个主机且没有 TLS 密钥)我有以下内容:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/proxy-connect-timeout: "70"
nginx.ingress.kubernetes.io/proxy-read-timeout: "1000"
nginx.ingress.kubernetes.io/proxy-send-timeout: "1000"
nginx.ingress.kubernetes.io/rewrite-target: /
creationTimestamp: "XXXX"
generation: 9
labels:
app: myapp
chart: myapp-0.1.0
heritage: Helm
release: myapp-ingress
name: myapp-ingress
namespace: myapp-namespace
resourceVersion: "25745018"
selfLink: /apis/extensions/v1beta1/namespaces/my-app-namespace/ingresses/my-app-ingress
uid: 34c3d902-1517
spec:
rules:
- host: hostOne
http:
paths:
- backend:
serviceName: myapp-front
servicePort: 8080
path: /(.*)
- backend:
serviceName: myapp-backend
servicePort: 8080
path: /myappapi/(.+)
tls:
- hosts:
- hostOne
status:
loadBalancer:
ingress:
- {}
在这个中,我可以完美地通过 HTTP 发出请求,并且一切正常。对于 HTTPS 请求,我得到一个 SSLExcepcion,因为客户端中没有安装证书(这是正常且明显的)
在第二个集群中,我有 TLS 密钥和两个主机 URL:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/proxy-connect-timeout: "70"
nginx.ingress.kubernetes.io/proxy-read-timeout: "1000"
nginx.ingress.kubernetes.io/proxy-send-timeout: "1000"
nginx.ingress.kubernetes.io/rewrite-target: /
creationTimestamp: "XXXX"
generation: 9
labels:
app: myapp
chart: myapp-0.1.0
heritage: Helm
release: myapp-ingress
name: myapp-ingress
namespace: myapp-namespace
resourceVersion: "25745018"
selfLink: /apis/extensions/v1beta1/namespaces/my-app-namespace/ingresses/my-app-ingress
uid: 34c3d902-1517
spec:
rules:
- host: hostOne
http:
paths:
- backend:
serviceName: myapp-front
servicePort: 8080
path: /(.*)
- backend:
serviceName: myapp-backend
servicePort: 8080
path: /myappapi/(.+)
- host: hostTwo
http:
paths:
- backend:
serviceName: myapp-front
servicePort: 8080
path: /(.*)
- backend:
serviceName: myapp-backend
servicePort: 8080
path: /myappapi/(.+)
tls:
- hosts:
- hostTwo
secretName: tlsSecret
- hosts:
- hostOne
status:
loadBalancer:
ingress:
- {}
在这种情况下,当使用 HTTP 请求时,我在两个 URLs(hostOne 和 hostTwo)
中都收到重定向到 HTTPS 的 803 错误我希望在仅对配置有证书和 TLS 机密的 hostTwo 使用 http 时进行重定向。
为什么 ingress 响应了 http 的重定向,而在第一种情况下却没有?我应该改变什么?
当我使用 RestTemplate 向 https 发送请求时,我收到 SSLException:
2020-05-08 12:57:05,586 ERROR class=ExceptionHandler Received fatal alert: handshake_failure; nested exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
我尝试按照此处的说明安装证书和广告 TLS1.2:
但它没有用,我无法通过 http 发送请求,只是为了检查服务代码是否正确。
我建议您有 2 个单独的 Ingress 对象。一个用于 SSL 主机,另一个用于非 SSL 主机。请检查以下 2 个入口对象。
对于 HostOne - 不需要重定向的地方
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/proxy-connect-timeout: "70"
nginx.ingress.kubernetes.io/proxy-read-timeout: "1000"
nginx.ingress.kubernetes.io/proxy-send-timeout: "1000"
nginx.ingress.kubernetes.io/rewrite-target: /
generation: 9
labels:
app: myapp
chart: myapp-0.1.0
heritage: Helm
release: myapp-ingress
name: myapp-ingress-non-ssl
namespace: myapp-namespace
spec:
rules:
- host: hostOne
http:
paths:
- backend:
serviceName: myapp-front
servicePort: 8080
path: /(.*)
- backend:
serviceName: myapp-backend
servicePort: 8080
path: /myappapi/(.+)
tls:
- hosts:
- hostOne
status:
loadBalancer:
ingress:
- {}
For HostTwo - 需要重定向的地方#添加了重定向注解
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/proxy-connect-timeout: "70"
nginx.ingress.kubernetes.io/proxy-read-timeout: "1000"
nginx.ingress.kubernetes.io/proxy-send-timeout: "1000"
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
generation: 9
labels:
app: myapp
chart: myapp-0.1.0
heritage: Helm
release: myapp-ingress
name: myapp-ingress-ssl
namespace: myapp-namespace
spec:
rules:
- host: hostTwo
http:
paths:
- backend:
serviceName: myapp-front
servicePort: 8080
path: /(.*)
- backend:
serviceName: myapp-backend
servicePort: 8080
path: /myappapi/(.+)
tls:
- hosts:
- hostTwo
secretName: tlsSecret
status:
loadBalancer:
ingress:
- {}
我找到了。 https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/
刚刚添加 nginx.ingress.kubernetes.io/force-ssl-redirect:"false",因为默认值是true。 @nischay,您的解决方案不起作用,因为在第一个入口中应该添加 nginx.ingress.kubernetes.io/force-ssl-redirect: "false" 并且拆分入口比仅添加注释更复杂, 总之非常感谢。