HTTPS 308 永久重定向 k8s ingress nginx

HTTPS 308 永久重定向 k8s ingress nginx

我按照 AWS EKS 中的示例创建了一个 EKS 集群,并在 kubernetes/nginx 上部署了 nginx 入口控制器,创建了一个指向后端 k8s 服务的入口资源,但是,当我尝试通过curl -kv https://dev01.cricket.com/demo/hello 它进行查询时,它返回永久重定向 308

这是我的 service-nlb.yaml

    --- (service-nlb.yaml)
kind: Service
apiVersion: v1
metadata:
  name: ingress-nginx
  namespace: default
  annotations:
    **service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http**
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"
    service.beta.kubernetes.io/aws-load-balancer-internal: "0.0.0.0/0"
    **service.beta.kubernetes.io/aws-load-balancer-ssl-cert:  "arn:aws:acm:us-west-2:xxxxx:certificate/x-037xxxd-4a1e-x-x"**
    service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: ELBSecurityPolicy-TLS-1-2-Ext-2018-06
    **service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https**
spec:
  ports:
    - name: https
      port: 443
      targetPort: 80

入口文件

```apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  labels:
    app: jg
    env: dev
  name: jg-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: nginx
    **ingress.kubernetes.io/ssl-redirect: "false"**
spec:
  rules:
    - host: dev01.cricket.com
      http:
        paths:
          - backend:
              serviceName: jg-service
              servicePort: 8080
            path: /demo
    - host: dev02.cricket.com
      http:
        paths:
          - backend:
              serviceName: sad-service
              servicePort: 8080
            path: /sad
  tls:
   - hosts:
        - dev01.cricket.com
     secretName: my-tls-secret```

当我curl -kv dev01.cricket.com这样做时,它返回 308 永久重定向

curl -kv https://dev01.cricket.com/demo/hello
*   Trying 10.41.168.92...
* TCP_NODELAY set
* Connected to dev01.cricket.com (10.41.168.92) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=dev01.cricket.com; OU=management:idms.group.140787; O=Cricket Inc.; ST=California; C=US
*  start date: Apr 19 08:37:06 2021 GMT
*  expire date: May 19 08:37:05 2023 GMT
*  issuer: CN=Cricket Corporate Server CA 1; OU=Certification Authority; O=Cricket Inc.; C=US
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7ff9eb80d200)
> GET /demo/hello HTTP/2
> Host: dev01.cricket.com
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 308
< server: Cricket
< date: Tue, 04 May 2021 16:38:38 GMT
< content-type: text/html
< content-length: 171
< location: https://dev01.cricket.com/demo/hello
< strict-transport-security: max-age=31536000; includeSubdomains
< x-frame-options: SAMEORIGIN
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
<
<html>
<head><title>308 Permanent Redirect</title></head>
<body>
<center><h1>308 Permanent Redirect</h1></center>
<hr><center>nginx/1.17.8</center>
</body>
</html>
* Connection #0 to host dev01.cricket.com left intact
* Closing connection 0

我不确定为什么 TLS 终止没有发生,并且发生了永久重定向错误,如果我在 http 上执行相同的 curl,它会返回 301

curl -kv http://dev01.cricket.com/demo/hello
*   Trying 10.41.162.164...
* TCP_NODELAY set
* Connected to dev01.cricket.com (10.41.162.164) port 80 (#0)
> GET /demo/hello HTTP/1.1
> Host: dev01.cricket.com
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: Cricket
< Date: Tue, 04 May 2021 19:17:26 GMT
< Content-Type: text/html
< Content-Length: 162
< Connection: keep-alive
< Location: https://dev01.cricket.com/demo/hello
<
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>Cricket</center>
</body>
</html>
* Connection #0 to host dev01.cricket.com left intact
* Closing connection 0

后端服务.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: jgdeployment
  labels:
    app: jg
spec:
  replicas: 3
  selector:
    matchLabels:
      app: jg
  template:
    metadata:
      labels:
        app: jg
    spec:
      containers:
      - name: jg
        image: docker.cricket.com/jga:1.0.0
        ports:
        - containerPort: 8080
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /demo/hello
            port: 8080
          initialDelaySeconds: 10
          periodSeconds: 10
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /demo/hello
            port: 8080
          initialDelaySeconds: 10
          periodSeconds: 10
---
apiVersion: v1
kind: Service
metadata:
  name: jg-service
  namespace: "default"
spec:
  type: ClusterIP
  ports:
    - port: 8080
      targetPort: 8080
  selector:
    app: jg

不确定我做了什么导致 https 上出现 308 错误。

答案1

这是回答来自 github 的用户 Ariseaz问题Azeez Adeniji 在回答中提到。


在 EKS 上使用 helm ingress-nginx chart
编辑 configmap ingress-nginx-controller
kubectl edit configmap ingress-nginx-controller -n ingress-nginx
添加
data: server-snippet: | listen 8000; if ( $server_port = 80 ) { return 308 https://$host$request_uri; } ssl-redirect: "false"

编辑 service/ingress-nginx-controller,添加
meta.helm.sh/release-namespace: ingress-nginx service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60" service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <acm arn> service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https service.beta.kubernetes.io/aws-load-balancer-type: nlb

在入口控制器中设置您的端口,使其看起来像下面这样:
NB:特殊端口是您要添加到入口容器端口的端口

  • 名称:http
    端口:80
    协议:TCP
    目标端口:80
  • 名称:https
    端口:443
    协议:TCP
    目标端口:特殊

现在编辑入口控制器部署容器端口
kubectl edit deployment.apps/ingress-nginx-controller -n ingress-nginx
添加:

  • 容器端口:8000
    名称:特殊
    协议:TCP

答案2

我不确定为什么 TLS 终止没有发生,并且发生了永久重定向错误

鉴于您的服务规范:

spec:
  ports:
    - name: https
      port: 443
      targetPort: 80

导致以下情况发生:

User -- [Internet] -HTTPS-> :443 [NLB] -HTTPS-> :443 [iptables] -HTTP-> :80 [nginx]

因此,由于 nginx 无法意识到它前面有 TLS,并且在集群内部流量是 HTTP,因此 nginx 认为将请求重定向到其443端口是有帮助的,从而确保了请求的安全

我还没有用国家法律顾问委员会但理论上,想法是一样的:您需要使用从 NLB 到 nginx 443 端口上的(可能是自签名的)证书的 TLS,因为——在其他条件相同的情况下——AWS LB 不会验证 nginx 证书的有效性。因此,虽然您确实有一个 MITM,但不会有任何从用户浏览器到 nginx 的明文协议通信,这让它很开心,不再是 308

我确实看到了您在 Ingress 上突出显示的注释,但我强烈怀疑您所遇到的机制在到达特定 Ingress 资源之前就发生了,可能是由于 ConfigMap 设置或其他原因。可能可以按照您认为的要求调整 nginx,但我相信“伪端到端 TLS”实际上很容易修复,因此您不需要寻找解决方法

答案3

阅读我对此主题的评论: https://github.com/kubernetes/ingress-nginx/issues/2724

评论来自 Ariseaz

答案4

默认情况下,如果为该 Ingress 启用了 TLS,则控制器会使用 308 永久重定向响应将 HTTP 客户端重定向到 HTTPS 端口 443。

可以使用 NGINX 配置映射全局禁用此功能,或者使用特定资源中的注释ssl-redirect: "false"为每个 Ingress 禁用此功能。nginx.ingress.kubernetes.io/ssl-redirect: "false"

 # kubectl edit cm ingress-nginx-controller -n ingress-nginx

参考: https://kubernetes.github.io/ingress-nginx/user-guide/tls/

相关内容