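My environment is hosted in AWS. I have deployed the stable/nginx-ingress Helm chart in TCP mode (I need an AWS ELB in TCP mode for WebSocket. I specifically need ELB Classic!). In addition, I need to use an AWS ACM certificate, while my backend does not need it. So it should look like this: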
TCP:80 -> TCP:30452 (Kubernetes)
SSL(TCP):443 -> TCP:31453 (Kubernetes)
My "nginx-ingress" is:
controller:
  name: controller
  image:
    repository: quay.io/kubernetes-ingress-controller/nginx-ingress-controller
    tag: "0.27.0"
    pullPolicy: IfNotPresent
    # www-data -> uid 101
    runAsUser: 101
    allowPrivilegeEscalation: true
  # Configures the ports the nginx-controller listens on
  containerPort:
    http: 80
    https: 80
  # Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/
  config:
    allow-backend-server-header: "true"
    use-proxy-protocol: "true"
    server-tokens: "false"
    use-forwarded-headers: "true"
    ssl-redirect: "true"
    http-redirect-code: "301"
    proxy_redirect: "off"
  ingressClass: websocket
  service:
    enabled: true
    annotations:
      # Enable PROXY protocol
      service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'
      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '120'
      # SSL
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-west-1:123123123123:certificate/123123123123123123123"
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: 'https'
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: 'tcp'
    ports:
      http: 80
      https: 443
    targetPorts:
      http: http
      https: http
    type: LoadBalancer
    nodePorts:
      http: ""
      https: ""
      tcp: {}
      udp: {}
My service INGRESS configuration:
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: websocket
  hosts:
    - host: example.com
      paths:
        - /
How do I set up a redirect from HTTP to HTTPS? When I use nginx.ingress.kubernetes.io/force-ssl-redirect: "true" on the ingress, I get a redirect loop :(
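Answer 1
This is a known issue when using SSL termination in TCP mode (layer 4) combined with ELB Classic.
You can use the following workaround, which consists of:
1 - Create a custom ConfigMap for nginx-ingress with the following http-snippet: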
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app: ingress-nginx
  name: nginx-configuration
  namespace: <ingress-namespace>
data:
  ssl-redirect: "false"
  hsts: "true"
  server-tokens: "false"
  # You may not want to use proxy_protocol here
  http-snippet: |
    server {
      listen 8000 proxy_protocol;
      server_tokens off;
      return 301 https://$host$request_uri;
    }
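2 - Make sure your Ingress is configured to use the ConfigMap above, for example like this.
3 - Create a new NodePort and add the definition to the nginx ingress container and service. Example:
Container: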
- name: http
  containerPort: 80
- name: https
  containerPort: 443
- name: http-redirect
  containerPort: 8000
Service:
ports:
  # As you are using SSL termination, note that this does Service(443)-->Container(80)
  - name: https
    port: 443
    protocol: TCP
    targetPort: http # <-- Container port 80
    nodePort: 31453
  - name: http
    port: 8000
    protocol: TCP
    targetPort: http-redirect
    nodePort: 32000
4 - Point port 80 of the ELB to port 8000 of the nginx ingress service.
TCP:80 -> TCP:32000 (Kubernetes)
SSL(TCP):443 -> TCP:31453 (Kubernetes)
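This creates an additional listener whose sole function is to perform the redirect. Since it is only called once, the redirect loop is resolved. The request should behave as follows: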
ELB(80) --> Nginx Service(32000) --> Nginx Container(8000) --Redirect--> ELB(443) --> Nginx Service(31453) -- Nginx Container (80)
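The request flow above, traced in a small model (an added example, not part of the original answer or of the chart). The names `ORIGINAL`, `WORKAROUND`, `nginx`, `follow` and `is_loop` are hypothetical, and the model assumes the ELB in TCP mode passes no `X-Forwarded-Proto`, so nginx cannot tell which ELB listener a request on container port 80 came from.

```python
from urllib.parse import urlsplit

# Constructed model of the two layouts on this page; no real traffic is sent.
# Maps ELB listener port -> nginx container port reached through the Service.
ORIGINAL = {80: 80, 443: 80}      # question: both listeners end on plaintext port 80
WORKAROUND = {80: 8000, 443: 80}  # answer 1: ELB port 80 goes to the redirect-only server


def nginx(container_port, host, path, force_ssl_redirect):
    """Return (status, location) for one request arriving on a container port.

    Assumption: the ELB terminates TLS in TCP mode and adds no X-Forwarded-Proto,
    so nginx sees every request on port 80 as plain HTTP.
    """
    if container_port == 8000:  # http-snippet server: unconditional 301
        return 301, f"https://{host}{path}"
    if force_ssl_redirect:      # scheme looks like http, so nginx redirects
        return 301, f"https://{host}{path}"
    return 200, None


def follow(url, elb_map, force_ssl_redirect, max_hops=5):
    """Follow redirects the way a browser would; return [(url, status), ...]."""
    hops = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        elb_port = 443 if parts.scheme == "https" else 80
        status, location = nginx(elb_map[elb_port], parts.hostname,
                                 parts.path or "/", force_ssl_redirect)
        hops.append((url, status))
        if status != 301:
            break
        url = location
    return hops


def is_loop(hops):
    """A trace that ends on a 301 never reached content within max_hops."""
    return hops[-1][1] == 301


if __name__ == "__main__":
    print("original + force-ssl-redirect:", follow("http://example.com/", ORIGINAL, True))
    print("workaround:", follow("http://example.com/", WORKAROUND, False))
```

In the workaround trace `force_ssl_redirect` is off, matching `ssl-redirect: "false"` in the ConfigMap: the redirect happens only on the port 8000 listener, so the HTTPS request that follows is served instead of being redirected again.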
Answer 2
https://github.com/ranjith-ka/Docker/blob/master/minikube/nginx/values.yaml
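Try this; I configured the ELB to forward traffic to the http port, and this works fine for me. In any case, I would like to use terraform to spin up the ELB rather than the nginx helm charts.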