不要在Kubernetes的入口级别终止SSL [英] Don not terminate SSL at ingress level for Kubernetes

问题描述

我在tomcat服务器(位于pod内)中运行了一个Java应用程序，该应用程序配置为可与https一起使用.我正在使用nginx入口.问题是，nginx入口正在终止SSL并将仅纯HTTP转发到tomcat服务器(实际上是转发到pod).由于tomcat服务器配置为仅使用HTTPS，因此它不接受流量.

I have a Java application running inside tomcat server (which is inside a pod), which is configured to work with https. I am using nginx ingress. The problem is, the nginx ingress is terminating the SSL and forwarding only plain http to the tomcat server (to the pod actually). Since the tomcat server is configured to work with only HTTPS, it is not accepting the traffic.

以下操作无效:

nginx.ingress.kubernetes.io/ssl-passthrough: "true"

推荐答案

最后我找到了答案:

我必须添加以下两行:

nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"

所以入口是这样的(我还添加了一些注释来描述并还显示了我尝试过和不起作用的选项，以免浪费时间):

So the ingress is like this (I have also added some comment to describe and also to show which options I tried and didn't work, so that you don't waste your time):

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-resource-staging
  namespace: staging-space
  annotations:
    kubernetes.io/ingress.class: nginx #You may deploy any number of ingress controllers within a cluster. When you create an ingress, you should annotate each ingress with the appropriate ingress.class to indicate which ingress controller should be used if more than one exists within your cluster.
    #If you do not define a class, your cloud provider may use a default ingress controller.
    #nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    ##Following 2 lines are important, otherwise the SSL is terminated at the ingress level and the
    ## traffic sent to the service is plain http and then tomcat complains that the host and port combination
    ## needs https connection (in the tomcat server we have enabled the HTTPS internally)
    ## We want to forward the HTTPS traffic to the pods
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"

spec:
  #tls:
  #  - hosts:
  #      - yourhost.com
  rules:
    - host: yourhost.com
      http:
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: my-app-service
                port:
                  #number: 8080
                  number: 8443

这篇关于不要在Kubernetes的入口级别终止SSL的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！