nginx-ingress:启用 force-ssl 时重定向过多 [英] nginx-ingress: Too many redirects when force-ssl is enabled
问题描述
我正在使用 nginx-ingress 在 kubernetes 中设置我的第一个入口.我像这样设置 ingress-nginx 负载均衡器服务:
I am setting up my first ingress in kubernetes using nginx-ingress. I set up the ingress-nginx load balancer service like so:
{
"kind": "Service",
"apiVersion": "v1",
"metadata": {
"name": "ingress-nginx",
"namespace": "...",
"labels": {
"k8s-addon": "ingress-nginx.addons.k8s.io"
},
"annotations": {
"service.beta.kubernetes.io/aws-load-balancer-backend-protocol": "tcp",
"service.beta.kubernetes.io/aws-load-balancer-proxy-protocol": "*",
"service.beta.kubernetes.io/aws-load-balancer-ssl-cert": "arn....",
"service.beta.kubernetes.io/aws-load-balancer-ssl-ports": "443"
}
},
"spec": {
"ports": [
{
"name": "http",
"protocol": "TCP",
"port": 80,
"targetPort": "http",
"nodePort": 30591
},
{
"name": "https",
"protocol": "TCP",
"port": 443,
"targetPort": "http",
"nodePort": 32564
}
],
"selector": {
"app": "ingress-nginx"
},
"clusterIP": "...",
"type": "LoadBalancer",
"sessionAffinity": "None",
"externalTrafficPolicy": "Cluster"
},
"status": {
"loadBalancer": {
"ingress": [
{
"hostname": "blablala.elb.amazonaws.com"
}
]
}
}
}
请注意 https 端口如何使其 targetPort 属性指向端口 80 (http),以便在负载均衡器上终止 ssl.
Notice how the https port has its targetPort property pointing to port 80 (http) in order to terminate ssl at the load balancer.
我的入口看起来像这样:
My ingress looks something like this:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: something
namespace: ...
annotations:
ingress.kubernetes.io/ingress.class: "nginx"
ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
rules:
- host: www.exapmle.com
http:
paths:
- path: /
backend:
serviceName: some-service
servicePort: 2100
现在,当我导航到该 url 时,我收到一个 重定向过多错误.让我感到困惑的是,当我添加以下标题X-Forwarded-Proto: https"时,我得到了预期的响应 (curl https://www.example.com -v -H "X-Forwarded-原型:https").
Now when I navigate to the url I get a Too many redirects error. Something that is confusing me is that when I add the following header "X-Forwarded-Proto: https" I get the expected response (curl https://www.example.com -v -H "X-Forwarded-Proto: https").
有什么想法可以解决这个问题吗?
Any ideas how I can resolve the issue?
附言这与 ingress.kubernetes.io/force-ssl-redirect: "false" 配合得很好,而且似乎没有任何无关的重定向.
P.S. this works just fine with ingress.kubernetes.io/force-ssl-redirect: "false" and it doesn't seem that there are any extraneous redirects.
推荐答案
这是 annotation 的一个已知问题,用于 SSL 重定向与代理协议和 ELB 上 SSL 连接的终止相结合.
That is a known issue with the annotation for SSL-redirection in combination with proxy-protocol and termination of SSL connections on ELB.
有关它的问题已发布在 GitHub 上,这里是 修复来自该线程:
Question about it was published on GitHub and here is a fix from that thread:
您应该为 Nginx-Ingress 创建自定义 ConfigMap,而不是使用
force-ssl-redirect注释,如下所示:
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app: ingress-nginx
name: nginx-ingress-configuration
namespace: <ingress-namespace>
data:
ssl-redirect: "false"
hsts: "true"
server-tokens: "false"
http-snippet: |
server {
listen 8080 proxy_protocol;
server_tokens off;
return 301 https://$host$request_uri;
}
该配置将创建一个额外的侦听器,并通过简单的重定向到 https.
That configuration will create an additional listener with a simple redirection to https.
有了那个额外的监听器,它就会起作用.
With that additional listener, it will work.
这篇关于nginx-ingress:启用 force-ssl 时重定向过多的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
