启用NLB代理协议导致Nginx入口控制器抛出错误请求

yr9zkbsy  于 12个月前  发布在  Nginx
关注(0)|答案(1)|浏览(142)

我有一个托管在AWS(EKS)中的Kubernetes集群。
我正在尝试保留客户端的IP。为此,我尝试在集群前面的网络负载均衡器中启用代理协议v2,并配置Nginx ingress控制器来处理它。
尽管如此,我还是收到了一个坏的请求错误,每个请求都没有任何额外的信息。
这是我的Nginx ingress控制器

apiVersion: v1
data:
  allow-snippet-annotations: "true"
  compute-full-forwarded-for: "true"
  enable-real-ip: "true"
  server-snippet: "listen 8000;\nif ( $server_port = 80 ) {\n   return 308 https://$host$request_uri;\n}
    \  \n"
  ssl-redirect: "false"
  use-forwarded-headers: "true"
  use-proxy-protocol: "true"

字符串
这在Nginx配置中转换为

## start server 
    server {
        server_name [REDACTED] ;
        
        listen 80 proxy_protocol ;
        listen 443 proxy_protocol ssl http2 ;
        
        set $proxy_upstream_name "-";
        
        ssl_certificate_by_lua_block {
            certificate.call()
        }
        
        location / {
            
            set $namespace      "[REDACTED]";
            set $ingress_name   "[REDACTED]";
            set $service_name   "[REDACTED]";
            set $service_port   "[REDACTED]";
            set $location_path  "/";
            set $global_rate_limit_exceeding n;
            
            rewrite_by_lua_block {
                lua_ingress.rewrite({
                    force_ssl_redirect = false,
                    ssl_redirect = false,
                    force_no_ssl_redirect = false,
                    preserve_trailing_slash = false,
                    use_port_in_redirects = false,
                    global_throttle = { namespace = "", limit = 0, window_size = 0, key = { }, ignored_cidrs = { } },
                })
                balancer.rewrite()
                plugins.run()
            }
                        
            header_filter_by_lua_block {
                lua_ingress.header()
                plugins.run()
            }
            
            body_filter_by_lua_block {
                plugins.run()
            }
            
            log_by_lua_block {
                balancer.log()
                
                monitor.call()
                
                plugins.run()
            }
            
            port_in_redirect off;
            
            set $balancer_ewma_score -1;
            set $proxy_upstream_name "[REDACTED]";
            set $proxy_host          $proxy_upstream_name;
            set $pass_access_scheme  $scheme;
            
            set $pass_server_port    $proxy_protocol_server_port;
            
            set $best_http_host      $http_host;
            set $pass_port           $pass_server_port;
            
            set $proxy_alternative_upstream_name "";
            
            client_max_body_size                    20m;
            
            proxy_set_header Host                   $best_http_host;
                        
            # Allow websocket connections
            proxy_set_header                        Upgrade           $http_upgrade;
            
            proxy_set_header                        Connection        $connection_upgrade;
            
            proxy_set_header X-Request-ID           $req_id;
            proxy_set_header X-Real-IP              $remote_addr;
            
            proxy_set_header X-Forwarded-For        $full_x_forwarded_for;
            
            proxy_set_header X-Forwarded-Host       $best_http_host;
            proxy_set_header X-Forwarded-Port       $pass_port;
            proxy_set_header X-Forwarded-Proto      $pass_access_scheme;
            proxy_set_header X-Forwarded-Scheme     $pass_access_scheme;
            
            proxy_set_header X-Scheme               $pass_access_scheme;
            
            # Pass the original X-Forwarded-For
            proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
            
            proxy_set_header Proxy                  "";
                        
            proxy_connect_timeout                   5s;
            proxy_send_timeout                      3600s;
            proxy_read_timeout                      3600s;
            
            proxy_buffering                         off;
            proxy_buffer_size                       4k;
            proxy_buffers                           4 4k;
            
            proxy_max_temp_file_size                1024m;
            
            proxy_request_buffering                 on;
            proxy_http_version                      1.1;
            
            proxy_cookie_domain                     off;
            proxy_cookie_path                       off;
            
            proxy_next_upstream                     error timeout;
            proxy_next_upstream_timeout             0;
            proxy_next_upstream_tries               3;
            
            proxy_pass http://upstream_balancer;
            
            proxy_redirect                          off;
            
        }
        
        # Custom code snippet configured in the configuration configmap
        listen 8000;
        if ( $server_port = 80 ) {
            return 308 https://$host$request_uri;
        }   
        
    }
    ## end server


代理协议v2通过AWS控制台在我的HTTP目标组中启用,但当我访问服务的任何端点时,结果是

<html>

<head>
    <title>400 Bad Request</title>
</head>

<body>
    <center>
        <h1>400 Bad Request</h1>
    </center>
    <hr>
    <center>nginx</center>
</body>

</html>


任何帮助将是伟大的。
先谢了。

ftf50wuq

ftf50wuq1#

要配置NGINX接受PROXY协议头,请将proxy_protocol参数添加到http {}stream {}块中服务器块的listen指令中。https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/

  • 添加下面为我工作
http {

    server {
        listen 80   proxy_protocol;

    }
}

字符串

相关问题