Ingress and SSL Passthrough
Problem description
I have recently been using the nginxdemo/nginx-ingress controller.
As I understand it, this controller cannot do SSL Passthrough (by that I mean pass the client certificate all the way through to the backend service for authentication), so instead I have been passing the client's subject DN through a header.
Ultimately I would prefer SSL-Passthrough and have been looking at the kubernetes/ingress-nginx project which apparently supports SSL passthrough.
Does anyone have any experience with this controller and SSL Passthrough?
The few Ingress examples showing passthrough that I have found leave the path setting blank.
Is this because passthrough has to take place at the TCP level (4) rather than at HTTP (7)?
Right now, I have a single host rule that services multiple paths.
Recommended answer
Completing on lch's answer, I would like to add that I had the same problem recently and I sorted it out by modifying the ingress-service deployment (I know, it should be a DaemonSet, but that's a different story).
The change was adding the parameter to spec.containers.args:
--enable-ssl-passthrough
Then I've added the following annotations to my ingress:
kubernetes.io/ingress.allow-http: "false"
nginx.ingress.kubernetes.io/secure-backends: "true"
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
The important ones are secure-backends and ssl-passthrough, but I think the rest are a good idea, provided you're not expecting HTTP traffic there.