Kubernetes nginx-ingress returns the default backend on HTTPS requests

nle07wnf posted on 2023-08-03 in Kubernetes

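My AKS is accessible via an nginx ingress. Everything works with https, but since I use https, nginx is unable to match any routes and uses the default backend.
I am using Kubernetes version 1.15. I changed the domain name to example.com and the IP to 51.000.000.128. The SSL certificate is signed by an external provider (DigiCert).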

ingress-controller

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/mandatory.yaml


ingress-service

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml

ingress.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-ingress
  namespace: ingress-nginx
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - kp-user'
spec:
  tls:
  - hosts:
    - example.com
    secretName: ssl-secret
  rules:
  - host: example.com
  - http:
      paths:
      - path: /app1(/|$)(.*)
        backend:
          serviceName: app1-service
          servicePort: 80
      - path: /app2(/|$)(.*)
        backend:
          serviceName: app2-service
          servicePort: 80

The Ingress is running:

$ kubectl -n ingress-nginx get ing
NAME            HOSTS           ADDRESS          PORTS     AGE
nginx-ingress   example.com     51.000.000.128   80, 443   43h

Ingress description:

$ kubectl describe ingress nginx-ingress --namespace=ingress-nginx
Name:             nginx-ingress
Namespace:        ingress-nginx
Address:          51.000.000.128
Default backend:  default-http-backend:80 (<none>)
TLS:
  ssl-secret terminates example.com
Rules:
  Host  Path  Backends
  ----  ----  --------
  *
        /app1(/|$)(.*)   app1-service:80 (10.244.1.10:80,10.244.2.11:80)
        /app2(/|$)(.*)   app2-service:80 (10.244.1.12:80,10.244.2.13:80)
Annotations:
  nginx.ingress.kubernetes.io/rewrite-target:        /$2
  nginx.ingress.kubernetes.io/ssl-passthrough:       true
  nginx.ingress.kubernetes.io/ssl-redirect:          false
  kubectl.kubernetes.io/last-applied-configuration:  {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"kubernetes.io/ingress.class":"nginx","nginx.ingress.kubernetes.io/auth-realm":"Authentication Required - kp-user","nginx.ingress.kubernetes.io/auth-secret":"basic-auth","nginx.ingress.kubernetes.io/auth-type":"basic","nginx.ingress.kubernetes.io/rewrite-target":"/$2","nginx.ingress.kubernetes.io/ssl-passthrough":"true","nginx.ingress.kubernetes.io/ssl-redirect":"false"},"name":"nginx-ingress","namespace":"ingress-nginx"},"spec":{"rules":[{"host":"example.com"},{"http":{"paths":[{"backend":{"serviceName":"app1-service","servicePort":80},"path":"/app1(/|$)(.*)"},{"backend":{"serviceName":"app2-service","servicePort":80},"path":"/app2(/|$)(.*)"}]}}],"tls":[{"hosts":["example.com"],"secretName":"ssl-secret"}]}}

  kubernetes.io/ingress.class:              nginx
  nginx.ingress.kubernetes.io/auth-realm:   Authentication Required - kp-user
  nginx.ingress.kubernetes.io/auth-secret:  basic-auth
  nginx.ingress.kubernetes.io/auth-type:    basic
Events:                                     <none>


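As I wrote at the beginning, unfortunately, whenever I try to access the routes via https I get a *404 Not Found* page from nginx. The secret is working, because I can see the valid certificate in the browser. The ingress also works, because with http I have no problems.

Problem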

http://51.000.000.128/app1 => working
https://51.000.000.128/app1 => working but unsecure (browser use http)
example.com => not working (404 Not Found by nginx | default backend)


When I access the page via the domain, it is recognized by the ingress-controller:

$ sudo kubectl logs nginx-ingress-controller-799dbf6fbd-bbxdp -n ingress-nginx

// https request
165.000.00.000 - - [05/Dec/2019:12:26:40 +0000] "GET /app1 HTTP/1.1" 308 177 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" 500 0.000 [upstream-default-backend] [] - - - - 323deb61e1babdbca2006844d268b1ce
165.000.00.000 - - [05/Dec/2019:12:26:40 +0000] "GET /app1 HTTP/2.0" 404 179 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" 306 0.001 [upstream-default-backend] [] 127.0.0.1:8181 190 0.000 404 d0cae28ba059531c78bffff38de2a84d
165.000.00.000 - - [05/Dec/2019:12:26:55 +0000] "GET /app1 HTTP/2.0" 404 179 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" 44 0.000 [upstream-default-backend] [] 127.0.0.1:8181 190 0.000 404 db153c080e0116f8b730508b5ae0b0f3

// http request
165.000.00.000 - - [05/Dec/2019:12:27:40 +0000] "GET /app1 HTTP/1.1" 200 550 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" 501 0.004 [ingress-nginx-app1-service-80] [] 10.244.1.10:80 1116 0.000 200 01beb82bb5173e7b0392660a9325c222
165.000.00.000 - - [05/Dec/2019:12:27:40 +0000] "GET /app1/styles.66c87fc4c5e0902762b4.css HTTP/1.1" 200 10401 "http://51.000.000.128/app1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" 439 0.001 [ingress-nginx-app1-service-80] [] 10.244.2.11:80 70796 0.000 200 d367dfc0ae4db08c54dc6b0cb96e1f55
165.000.00.000 - - [05/Dec/2019:12:27:40 +0000] "GET /app1/polyfills-es2015.80abe0a50bdacb904507.js HTTP/1.1" 200 12933 "http://51.000.000.128/app1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" 464 0.002 [ingress-nginx-app1-service-80] [] 10.244.1.10:80 37277 0.000 200 a2a4cd368a4badf1b6d2b202cf3958c5
165.000.00.000 - - [05/Dec/2019:12:27:40 +0000] "GET /app1/runtime-es2015.cd056c32d7e60bda4f6b.js HTTP/1.1" 200 1499 "http://51.000.000.128/app1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" 462 0.000 [ingress-nginx-app1-service-80] [] 10.244.2.11:80 2728 0.000 200 f34c880d21f0172eeee3cc4f058c52a7
165.000.00.000 - - [05/Dec/2019:12:27:40 +0000] "GET /app1/main-es2015.2bb12b52c456e81e18a1.js HTTP/1.1" 200 164595 "http://51.000.000.128/app1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" 459 0.029 [ingress-nginx-app1-service-80] [] 10.244.1.10:80 566666 0.028 200 7375f5092851e8407fe299c36c8a1b13
165.000.00.000 - - [05/Dec/2019:12:27:40 +0000] "GET /app1/18-es2015.b5bfc8f7102d1318aebc.js HTTP/1.1" 200 554 "http://51.000.000.128/app1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" 426 0.002 [ingress-nginx-app1-service-80] [] 10.244.2.11:80 973 0.000 200 92e549e50e5ab6df5d456b31a8a34d8a
165.000.00.000 - - [05/Dec/2019:12:27:40 +0000] "GET /app1/assets/logo.svg HTTP/1.1" 200 2370 "http://51.000.000.128/app1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" 443 0.003 [ingress-nginx-app1-service-80] [] 10.244.1.10:80 4717 0.000 200 c2503ed57519784af2988b70861302ec


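As far as I can tell, requests to my domain work. For whatever reason, the ingress controller cannot use/find the ingress via https. What am I doing wrong?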


whhtz7ly1#

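Issue 1:
It should be related to your nginx.ingress.kubernetes.io/ssl-passthrough: "true" configuration.
If you enable ssl-passthrough, nginx-ingress will not try to decrypt the traffic for you. It passes the traffic straight through to the target service for decryption. In that case, path-based routing will not work, because the path is in fact encrypted as well. Likewise, none of the other nginx-ingress annotations will take effect, since the request is essentially not touched.
If you do not want that, you can remove the ssl-passthrough configuration and let nginx-ingress terminate HTTPS for you.
See the following for more information:

  1. https://docs.giantswarm.io/guides/advanced-ingress-configuration/#ssl-passthrough
  2. https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#ssl-passthrough

Issue 2:
In the ingress configuration, under spec => rules, there should be no - before the http tag. Adding the - applies the path routing to all hosts rather than only the example.com host. That should conflict with the tls configuration, which applies tls only to the example.com host.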
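
The two conditions described in the answer can be checked mechanically before a manifest is applied. The following is an added example, not part of the original question or answer: it lints an Ingress object as parsed from `kubectl get ingress -o json`. The names `lint_ingress` and `make_ingress` are hypothetical, and the sample objects are constructed from the manifest shown in the question.

```python
PREFIX = "nginx.ingress.kubernetes.io/"
PASSTHROUGH = PREFIX + "ssl-passthrough"

def lint_ingress(ingress):
    """Return findings for the two issues named in the answer."""
    findings = []
    annotations = (ingress.get("metadata") or {}).get("annotations") or {}
    spec = ingress.get("spec") or {}
    rules = spec.get("rules") or []
    routed = set()  # hosts that actually own at least one path
    for i, rule in enumerate(rules):
        host = rule.get("host")
        paths = (rule.get("http") or {}).get("paths") or []
        if host and paths:
            routed.add(host)
        elif host:
            findings.append(f"rules[{i}]: host {host} has no http paths")
        elif paths:
            findings.append(f"rules[{i}]: paths without host apply to all hosts")
    for tls in spec.get("tls") or []:
        for host in tls.get("hosts") or []:
            if host not in routed:
                findings.append(f"tls host {host} has no routed paths")
    if annotations.get(PASSTHROUGH) == "true":
        if any((r.get("http") or {}).get("paths") for r in rules):
            findings.append("ssl-passthrough set with path-based rules")
        others = sorted(k[len(PREFIX):] for k in annotations
                        if k.startswith(PREFIX) and k != PASSTHROUGH)
        if others:
            findings.append("ssl-passthrough set with: " + ", ".join(others))
    return findings

def make_ingress(rules, passthrough):
    """Constructed sample mirroring the manifest in the question."""
    ann = {PREFIX + "rewrite-target": "/$2", PREFIX + "auth-type": "basic"}
    if passthrough:
        ann[PASSTHROUGH] = "true"
    tls = [{"hosts": ["example.com"], "secretName": "ssl-secret"}]
    return {"metadata": {"annotations": ann}, "spec": {"tls": tls, "rules": rules}}

PATHS = [{"path": "/app1(/|$)(.*)",
          "backend": {"serviceName": "app1-service", "servicePort": 80}}]
AS_POSTED = make_ingress([{"host": "example.com"}, {"http": {"paths": PATHS}}], True)
CORRECTED = make_ingress([{"host": "example.com", "http": {"paths": PATHS}}], False)

if __name__ == "__main__":
    for finding in lint_ingress(AS_POSTED):
        print(finding)
```

The host-less rule it reports for `AS_POSTED` is the same condition visible in the `kubectl describe` output in the question, where both paths are listed under host `*`.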
