AWS 上的 Kubernetes HTTP 到 HTTPS 重定向，ELB 终止 SSL [英] Kubernetes HTTP to HTTPS Redirect on AWS with ELB terminating SSL

问题描述

我正在尝试为流向 Kubernetes 集群的流量设置一个简单的 HTTP 到 HTTPS 重定向.SSL 终止发生在 ELB 上.当我尝试使用 nginx.ingress.kubernetes.io/ssl-redirect = true 时，它会导致无限重定向，这导致我设置了一个配置映射来处理这个问题(nginx-ingress:启用 force-ssl 时重定向过多).

I'm trying to set up a simple HTTP to HTTPS redirect for traffic going to a Kubernetes cluster. The SSL termination is happening on the ELB. When I try to use the nginx.ingress.kubernetes.io/ssl-redirect = true it results in an infinite redirect which led me to setting up a config map to handle this (nginx-ingress: Too many redirects when force-ssl is enabled).

现在似乎根本没有发生重定向.

Now there seems to be no redirection happening at all.

我的入口服务定义为:

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:...:certificate/...
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
  labels:
    k8s-addon: ingress-nginx.addons.k8s.io
  name: ingress-nginx
  namespace: ingress-nginx
spec:
  externalTrafficPolicy: Cluster
  ports:
  - name: https
    port: 443
    protocol: TCP
    targetPort: http
  - name: http
    port: 80
    protocol: TCP
    targetPort: http
  selector:
    app: ingress-nginx
  type: LoadBalancer

我的配置映射定义为:

apiVersion: v1
kind: ConfigMap
data:
  client-body-buffer-size: 32M
  hsts: "true"
  proxy-body-size: 1G
  proxy-buffering: "off"
  proxy-read-timeout: "600"
  proxy-send-timeout: "600"
  server-tokens: "false"
  ssl-redirect: "false"
  upstream-keepalive-connections: "50"
  use-proxy-protocol: "true"
  http-snippet: |
    server {
      listen 8080 proxy_protocol;
      server_tokens off;
      return 307 https://$host$request_uri;
    }
metadata:
  labels:
    app: ingress-nginx
  name: nginx-configuration
  namespace: ingress-nginx
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: tcp-services
  namespace: ingress-nginx
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: udp-services
  namespace: ingress-nginx

并且，入口定义为:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: gateway-ingress
  annotations:
    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
    nginx.ingress.kubernetes.io/cors-allow-headers: Authorization, origin, accept
    nginx.ingress.kubernetes.io/cors-allow-methods: GET, OPTIONS
    nginx.ingress.kubernetes.io/cors-allow-origin: gateway.example.com.com/monitor
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  rules:
  - host: gateway.example.com
    http:
      paths:
      - backend:
          serviceName: gateway
          servicePort: 8080
        path: /
  tls:
  - hosts:
    - gateway.example.com

推荐答案

问题是我在负载均衡器上使用的目标端口与重定向服务器正在侦听的端口不匹配:

The issue was the target port I was using on the load balancer not matching the port the redirection server was listening on:

ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: http

这只是将所有内容发送到端口 80.应该是这样的:

This was just sending everything to port 80. It should have been this:

ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080

这样它就与 ConfigMap 的匹配:

That way it matches up with the ConfigMap's:

data:
  ...
  http-snippet: |
    server {
      listen 8080 proxy_protocol;
      server_tokens off;
      return 307 https://$host$request_uri;
    }

这篇关于AWS 上的 Kubernetes HTTP 到 HTTPS 重定向，ELB 终止 SSL的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！