首页 > 系统相关> > nginx-ingress：启用force-ssl时重定向太多

nginx-ingress：启用force-ssl时重定向太多

2019-10-08 10:10:29 作者：互联网

我正在使用nginx-ingress在kubernetes中建立我的第一个入口.我设置了ingress-nginx负载均衡器服务,如下所示：

{
  "kind": "Service",
  "apiVersion": "v1",
  "metadata": {
    "name": "ingress-nginx",
    "namespace": "...",
    "labels": {
      "k8s-addon": "ingress-nginx.addons.k8s.io"
    },
    "annotations": {     
      "service.beta.kubernetes.io/aws-load-balancer-backend-protocol": "tcp",
      "service.beta.kubernetes.io/aws-load-balancer-proxy-protocol": "*",
      "service.beta.kubernetes.io/aws-load-balancer-ssl-cert": "arn....",
      "service.beta.kubernetes.io/aws-load-balancer-ssl-ports": "443"
    }
  },
  "spec": {
    "ports": [
      {
        "name": "http",
        "protocol": "TCP",
        "port": 80,
        "targetPort": "http",
        "nodePort": 30591
      },
      {
        "name": "https",
        "protocol": "TCP",
        "port": 443,
        "targetPort": "http",
        "nodePort": 32564
      }
    ],
    "selector": {
      "app": "ingress-nginx"
    },
    "clusterIP": "...",
    "type": "LoadBalancer",
    "sessionAffinity": "None",
    "externalTrafficPolicy": "Cluster"
  },
  "status": {
    "loadBalancer": {
      "ingress": [
        {
          "hostname": "blablala.elb.amazonaws.com"
        }
      ]
    }
  }
}

注意https端口如何将其targetPort属性指向端口80(http),以便在负载均衡器处终止ssl.

我的ingress看起来像这样：

apiVersion: extensions/v1beta1
kind: Ingress
metadata: 
  name: something
  namespace: ...
  annotations:
    ingress.kubernetes.io/ingress.class: "nginx"
    ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  rules:
    - host: www.exapmle.com
      http:
        paths:
         - path: /
           backend:
            serviceName: some-service
            servicePort: 2100

现在,当我导航到网址时,我收到了太多的重定向错误.令我困惑的是,当我添加以下标题“X-Forwarded-Proto：https”时,我得到了预期的响应(curl https://www.example.com -v -H“X-Forwarded-Proto：https “).

我有什么想法可以解决这个问题？

附：这对于ingress.kubernetes.io/force-ssl-redirect：“false”来说效果很好,而且似乎没有任何无关的重定向.

解决方法:

这是SSL重定向的注释与ELB上的代理协议和SSL连接的终止相结合的已知问题.

有关它的问题发表于GitHub,这是该线程的fix：

>您应该为Nginx-Ingress创建自定义ConfigMap,而不是使用force-ssl-redirect注释,如下所示：

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app: ingress-nginx
  name: nginx-ingress-configuration
  namespace: <ingress-namespace>
data:
  ssl-redirect: "false"
  hsts: "true"
  server-tokens: "false"
  http-snippet: |
    server {
      listen 8080 proxy_protocol;
      server_tokens off;
      return 301 https://$host$request_uri;
    }

该配置将创建一个额外的侦听器,只需简单重定向到https.
>然后,将ConfigMap应用于入口控制器,将NodePort 8080添加到其容器定义和服务中.
>现在,您可以将ELB的端口80指向服务的端口8080.

有了这个额外的倾听者,它就会起作用.

标签：kops,nginx,kubernetes,kubernetes-ingress
来源： https://codeday.me/bug/20191008/1871127.html