nginx-ingress:启用force-ssl时重定向过多 [英] nginx-ingress: Too many redirects when force-ssl is enabled
问题描述
我正在使用nginx-ingress在kubernetes中设置我的第一个入口.我像这样设置ingress-nginx负载均衡器服务:
I am setting up my first ingress in kubernetes using nginx-ingress. I set up the ingress-nginx load balancer service like so:
{
"kind": "Service",
"apiVersion": "v1",
"metadata": {
"name": "ingress-nginx",
"namespace": "...",
"labels": {
"k8s-addon": "ingress-nginx.addons.k8s.io"
},
"annotations": {
"service.beta.kubernetes.io/aws-load-balancer-backend-protocol": "tcp",
"service.beta.kubernetes.io/aws-load-balancer-proxy-protocol": "*",
"service.beta.kubernetes.io/aws-load-balancer-ssl-cert": "arn....",
"service.beta.kubernetes.io/aws-load-balancer-ssl-ports": "443"
}
},
"spec": {
"ports": [
{
"name": "http",
"protocol": "TCP",
"port": 80,
"targetPort": "http",
"nodePort": 30591
},
{
"name": "https",
"protocol": "TCP",
"port": 443,
"targetPort": "http",
"nodePort": 32564
}
],
"selector": {
"app": "ingress-nginx"
},
"clusterIP": "...",
"type": "LoadBalancer",
"sessionAffinity": "None",
"externalTrafficPolicy": "Cluster"
},
"status": {
"loadBalancer": {
"ingress": [
{
"hostname": "blablala.elb.amazonaws.com"
}
]
}
}
}
请注意https端口如何将其targetPort属性指向端口80(http),以便在负载均衡器处终止ssl.
Notice how the https port has its targetPort property pointing to port 80 (http) in order to terminate ssl at the load balancer.
我的入口看起来像这样:
My ingress looks something like this:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: something
namespace: ...
annotations:
ingress.kubernetes.io/ingress.class: "nginx"
ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
rules:
- host: www.exapmle.com
http:
paths:
- path: /
backend:
serviceName: some-service
servicePort: 2100
现在,当我导航到URL时,会得到一个Too many redirects error.让我感到困惑的是,当我添加以下标头"X-Forwarded-Proto:https"时,我得到了预期的响应(curl https://www.example.com -v -H "X-Forwarded-Proto: https").
Now when I navigate to the url I get a Too many redirects error. Something that is confusing me is that when I add the following header "X-Forwarded-Proto: https" I get the expected response (curl https://www.example.com -v -H "X-Forwarded-Proto: https").
有什么想法可以解决该问题吗?
Any ideas how I can resolve the issue?
P.S. ingress.kubernetes.io/force-ssl-redirect: "false"可以正常工作,而且似乎没有任何多余的重定向.
P.S. this works just fine with ingress.kubernetes.io/force-ssl-redirect: "false" and it doesn't seem that there are any extraneous redirects.
推荐答案
这是annotation的SSL重定向与代理协议和ELB上的SSL连接终止结合在一起的已知问题.
That is a known issue with the annotation for SSL-redirection in combination with proxy-protocol and termination of SSL connections on ELB.
关于它的问题发布在 GitHub 上,这是一个
Question about it was published on GitHub and here is a fix from that thread:
-
您应该为Nginx-Ingress创建一个自定义ConfigMap,而不是使用
force-ssl-redirect注释,如下所示:
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app: ingress-nginx
name: nginx-ingress-configuration
namespace: <ingress-namespace>
data:
ssl-redirect: "false"
hsts: "true"
server-tokens: "false"
http-snippet: |
server {
listen 8080 proxy_protocol;
server_tokens off;
return 301 https://$host$request_uri;
}
该配置将创建一个简单的重定向到https的附加侦听器.
That configuration will create an additional listener with a simple redirection to https.
有了该附加的侦听器,它将起作用.
With that additional listener, it will work.
这篇关于nginx-ingress:启用force-ssl时重定向过多的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
