我在虚拟机上的 IaaS Kubernetes k8s 上。
我已经设置了 nginx 和一些其他运行良好的应用程序。(我可以访问我的应用程序)
我正在使用 nginx 入口控制器。
当我尝试从节点外部访问 Jenkins 时,我收到一个空的回复,但入口(Ingress)日志显示 403。
当我在节点内部 curl jenkins 时,我可以毫无问题地访问它
当我重新启动 Jenkins 容器时,我可以访问“Please wait while Jenkins is getting ready to work ...”
页面,但在 Jenkins 准备就绪后,我再次收到 403。
知道为什么会发生这种情况吗?
入口(Ingress)资源:
# Ingress object as read back from the API server (the managedFields entries
# below are server-side bookkeeping, not part of the authored manifest).
apiVersion: extensions/v1beta1   # deprecated Ingress API group; networking.k8s.io/v1 is the replacement
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx   # routes this object to the nginx ingress controller
  labels:
    project: cicd
  # Field-ownership records written by the API server: the nginx controller owns
  # .status, kubectl owns the annotations/labels/spec. Safe to ignore when debugging.
  managedFields:
  - apiVersion: networking.k8s.io/v1beta1
    fieldsType: FieldsV1
    fieldsV1:
      f:status:
        f:loadBalancer:
          f:ingress: {}
    manager: nginx-ingress-controller
    operation: Update
    time: "2020-04-02T17:11:25Z"
  - apiVersion: extensions/v1beta1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:kubectl.kubernetes.io/last-applied-configuration: {}
          f:kubernetes.io/ingress.class: {}
        f:labels:
          .: {}
          f:project: {}
      f:spec:
        f:rules: {}
    manager: kubectl
    operation: Update
    time: "2020-04-02T17:12:56Z"
  name: jenkins
  namespace: jenkins
spec:
  # No `tls:` section: the generated nginx.conf still listens on 443, but no
  # certificate is configured for this host, and the curl transcript below talks
  # plain HTTP on port 80. The Jenkins JSESSIONID cookie in that transcript is
  # HttpOnly but not Secure, so it crosses the network in cleartext. Add a `tls:`
  # entry referencing a secret for jenkins.com before exposing this beyond a lab.
  rules:
  - host: jenkins.com   # matched against the Host header, hence the /etc/hosts entry in the question
    http:
      paths:
      - backend:
          serviceName: jenkins   # Service "jenkins" in namespace "jenkins"
          servicePort: 8080
        path: /
        pathType: ImplementationSpecific
nginx.conf
## start server jenkins.com
# Server block generated by the ingress-nginx controller from the Ingress
# jenkins/jenkins above; the location-level `set $...` variables carry that
# mapping into the Lua balancer. Changes belong on the Ingress (annotations) or
# the controller ConfigMap, not in this file.
server {
    server_name jenkins.com ;
    listen 80 ;
    listen 443 ssl http2 ;
    set $proxy_upstream_name "-";
    # The certificate is chosen per handshake by the controller's Lua code. The
    # Ingress has no tls: section, so presumably the controller's default
    # certificate is what a client on 443 sees for this host -- confirm.
    ssl_certificate_by_lua_block {
        certificate.call()
    }
    location / {
        # Ingress / Service / port this location was generated from
        set $namespace "jenkins";
        set $ingress_name "jenkins";
        set $service_name "jenkins";
        set $service_port "8080";
        set $location_path "/";
        # ssl_redirect = true only redirects to https when a certificate is
        # configured for the host; the port-80 request in the curl transcript was
        # proxied straight through, consistent with the Ingress having no tls:.
        rewrite_by_lua_block {
            lua_ingress.rewrite({
                force_ssl_redirect = false,
                ssl_redirect = true,
                force_no_ssl_redirect = false,
                use_port_in_redirects = false,
            })
            balancer.rewrite()
            plugins.run()
        }
        header_filter_by_lua_block {
            plugins.run()
        }
        body_filter_by_lua_block {
        }
        log_by_lua_block {
            balancer.log()
            monitor.call()
            plugins.run()
        }
        port_in_redirect off;
        set $balancer_ewma_score -1;
        # Upstream pool name is <namespace>-<service>-<port>; the endpoint is
        # picked per request by the Lua balancer, not by a static upstream{} block.
        set $proxy_upstream_name "jenkins-jenkins-8080";
        set $proxy_host $proxy_upstream_name;
        set $pass_access_scheme $scheme;
        set $pass_server_port $server_port;
        set $best_http_host $http_host;
        set $pass_port $pass_server_port;
        set $proxy_alternative_upstream_name "";
        # Request bodies larger than 10 MiB are rejected with 413 before reaching Jenkins
        client_max_body_size 10m;
        proxy_set_header Host $best_http_host;
        # Pass the extracted client certificate to the backend
        # Allow websocket connections
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Request-ID $req_id;
        # X-Real-IP and X-Forwarded-For are set from the TCP peer address, so a
        # client cannot spoof its source by sending its own X-Forwarded-For (the
        # client-supplied value is forwarded separately below). If an IaaS load
        # balancer sits in front, $remote_addr is the LB unless proxy protocol or
        # use-forwarded-headers is enabled on the controller.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Host $best_http_host;
        proxy_set_header X-Forwarded-Port $pass_port;
        proxy_set_header X-Forwarded-Proto $pass_access_scheme;
        proxy_set_header X-Scheme $pass_access_scheme;
        # Pass the original X-Forwarded-For
        proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
        # mitigate HTTPoxy Vulnerability
        # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
        proxy_set_header Proxy "";
        # Custom headers to proxied server
        proxy_connect_timeout 5s;
        # 24h send/read timeouts with buffering off: long-lived connections
        # (websocket, streaming responses) are not cut by nginx.
        proxy_send_timeout 86400s;
        proxy_read_timeout 86400s;
        proxy_buffering off;
        proxy_buffer_size 4k;
        proxy_buffers 4 4k;
        proxy_max_temp_file_size 1024m;
        proxy_request_buffering on;
        proxy_http_version 1.1;
        proxy_cookie_domain off;
        proxy_cookie_path off;
        # In case of errors try the next upstream server before returning an error
        # Only connection errors and timeouts trigger a retry; an HTTP 403 from
        # Jenkins is relayed to the client unchanged and logged by the controller
        # as 403. The X-Jenkins / X-You-Are-Authenticated-As: anonymous /
        # X-Required-Permission headers in the curl transcript show the 403 is
        # produced by Jenkins' authorization (anonymous lacks
        # hudson.model.Hudson.Read), not by nginx.
        proxy_next_upstream error timeout;
        proxy_next_upstream_timeout 0;
        proxy_next_upstream_tries 3;
        # Plain HTTP to the pod; any TLS terminates at the ingress controller
        proxy_pass http://upstream_balancer;
        proxy_redirect off;
    }
}
curl -v 命令的输出:
* Connected to jenkins.com (xxx.xxx.xxx.xxx) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: jenkins.com
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Server: openresty/1.15.8.2
< Date: Sun, 05 Apr 2020 18:09:23 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 793
< Connection: keep-alive
< Vary: Accept-Encoding
< X-Content-Type-Options: nosniff
< Set-Cookie: JSESSIONID.fe94dd2e=node01swwo52ouan0zf0m57265cwjo109.node0; Path=/; HttpOnly
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< X-Hudson: 1.395
< X-Jenkins: 2.222.1
< X-Jenkins-Session: efb06340
< X-Hudson-CLI-Port: 50000
< X-Jenkins-CLI-Port: 50000
< X-Jenkins-CLI2-Port: 50000
< X-You-Are-Authenticated-As: anonymous
< X-You-Are-In-Group-Disabled: JENKINS-39402: use -Dhudson.security.AccessDeniedException2.REPORT_GROUP_HEADERS=true or use /whoAmI to diagnose
< X-Required-Permission: hudson.model.Hudson.Read
< X-Permission-Implied-By: hudson.security.Permission.GenericRead
< X-Permission-Implied-By: hudson.model.Hudson.Administer
<
<html><head><meta http-equiv='refresh' content='1;url=/login?from=%2F'/><script>window.location.replace('/login?from=%2F');</script></head><body style='background-color:white; color:white;'>
Authentication required
<!--
You are authenticated as: anonymous
Groups that you are in:
Permission you need to have (but didn't): hudson.model.Hudson.Read
... which is implied by: hudson.security.Permission.GenericRead
... which is implied by: hudson.model.Hudson.Administer
我在尝试访问 Jenkins 并收到 403 的那台机器上编辑了 /etc/hosts,将 jenkins.com 指向我的节点。
答案1
这是一个社区维基答案。
此问题最常见的解决方案有以下几种:
如果你不介意降低 Jenkins 安装的安全性,可以在 jenkins.com/configureSecurity 页面中取消勾选“防止跨站点请求伪造漏洞”(Prevent Cross Site Request Forgery exploits)。
如果你的访问问题是由 crumb token 引起的,可以参考这份简短的指南来解决。
如果有帮助的话请告诉我。