Terraform AWS NLB TLS Passthrough


Question

Using terraform I'm provisioning infra in AWS for my K3S cluster. I have provisioned an NLB with two listeners on port 80 and 443, with appropriate self-signed certs. This works. I can access HTTP services in my cluster via the nlb.

resource "tls_private_key" "agents" {
  algorithm = "RSA"
}

resource "tls_self_signed_cert" "agents" {
  key_algorithm         = "RSA"
  private_key_pem       = tls_private_key.agents.private_key_pem
  validity_period_hours = 24

  subject {
    common_name  = "my hostname"
    organization = "My org"
  }

  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth"
  ]
}

# Self-signed certificate imported into ACM; it is only used by the
# port 443 listener below, which is where the NLB terminates TLS.
resource "aws_acm_certificate" "agents" {
  private_key      = tls_private_key.agents.private_key_pem
  certificate_body = tls_self_signed_cert.agents.cert_pem
}


resource "aws_lb" "agents" {
  name               = "basic-load-balancer"
  load_balancer_type = "network"

  subnet_mapping {
    subnet_id     = aws_subnet.agents.id
    allocation_id = aws_eip.agents.id
  }
}

resource "aws_lb_listener" "agents_80" {
  load_balancer_arn = aws_lb.agents.arn
  protocol = "TCP"
  port     = 80

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.agents_80.arn
  }
}

# protocol = "TLS" plus certificate_arn means the NLB decrypts here and
# sends plaintext TCP to NodePort 30001; this is the behaviour in question.
resource "aws_lb_listener" "agents_443" {
  load_balancer_arn = aws_lb.agents.arn
  protocol = "TLS"
  port     = 443
  certificate_arn = aws_acm_certificate.agents.arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.agents_443.arn
  }
}

resource "aws_lb_target_group" "agents_80" {
  port     = 30000
  protocol = "TCP"
  vpc_id   = var.vpc.id

  depends_on = [
    aws_lb.agents
  ]
}
resource "aws_lb_target_group" "agents_443" {
  port     = 30001
  protocol = "TCP"
  vpc_id   = var.vpc.id

  depends_on = [
    aws_lb.agents
  ]
}

resource "aws_autoscaling_attachment" "agents_80" {
  autoscaling_group_name = aws_autoscaling_group.agents.name
  alb_target_group_arn   = aws_lb_target_group.agents_80.arn
}

resource "aws_autoscaling_attachment" "agents_443" {
  autoscaling_group_name = aws_autoscaling_group.agents.name
  alb_target_group_arn   = aws_lb_target_group.agents_443.arn
}

That's a cut-down version of my code.

I have configured my ingress controller to listen for HTTP and HTTPS on NodePorts 30000 and 30001 respectively. This works too.

The thing that doesn't work is that the NLB is terminating TLS, but I need it to passthrough. I'm doing this so that I can access Kubernetes Dashboard (among other apps), but the dashboard requires https to sign-in, something I can't provide if tls is terminated at the nlb.

I need help configuring the nlb for passthrough. I have searched and searched and can't find any examples. If anyone knows how to configure this it would be good to get some tf code, or even just an idea of the appropriate way of achieving it in AWS so that I can implement it myself in tf.

Answer

Do you need TLS passthrough, or just TLS communication between the NLB and the server? Or do you just need to configure your server to be aware that the initial connection was TLS?

For TLS passthrough you would install an SSL certificate on the server, and delete the certificate from the load balancer. You would change the protocol of the port 443 listener on the load balancer from "TLS" to "TCP". This is not a very typical setup on AWS, and you can't use the free AWS ACM SSL certificates in this configuration, you would have to use something like Let's Encrypt on the server.

For TLS communication between the NLB and the server, you would install a certificate on the server, a self-signed cert is fine for this, and then just change the target group settings on the load balancer to point to the secure ports on the server.

If you just want to make the server aware that the initial connection protocol was TLS, you would configure the server to use the x-forwarded-proto header passed by the load balancer to determine if the connection is secure.
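As an added example (not code from the question or the answer), the port 443 listener and target group rewritten so that one boolean variable switches between the answer's first two options, passthrough or terminate-and-re-encrypt. The resource names aws_lb.agents, aws_acm_certificate.agents, var.vpc.id and NodePort 30001 are taken from the question; the tls_passthrough variable, the ssl_policy and the health check block are assumptions of this example.

```hcl
# Assumed toggle (not in the question): true = TLS passthrough,
# false = terminate at the NLB and open a new TLS session to the node.
variable "tls_passthrough" {
  type    = bool
  default = true
}

resource "aws_lb_listener" "agents_443" {
  load_balancer_arn = aws_lb.agents.arn
  port              = 443
  # A TCP listener carries no certificate, so the NLB forwards the
  # ClientHello and everything after it untouched; the ingress controller
  # on NodePort 30001 must then serve its own certificate (e.g. Let's Encrypt).
  protocol        = var.tls_passthrough ? "TCP" : "TLS"
  certificate_arn = var.tls_passthrough ? null : aws_acm_certificate.agents.arn
  # ssl_policy is only meaningful when the NLB itself terminates TLS.
  ssl_policy = var.tls_passthrough ? null : "ELBSecurityPolicy-TLS13-1-2-2021-06"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.agents_443.arn
  }
}

resource "aws_lb_target_group" "agents_443" {
  port   = 30001
  vpc_id = var.vpc.id
  # TCP: raw bytes reach the node (passthrough). TLS: the NLB re-encrypts
  # towards the node; it does not validate the node's certificate, which is
  # why a self-signed certificate on the server is acceptable for that mode.
  protocol = var.tls_passthrough ? "TCP" : "TLS"

  health_check {
    protocol = "TCP"          # a plain TCP probe works in both modes
    port     = "traffic-port" # probe the same NodePort traffic goes to
  }
}
```

With tls_passthrough = true, a client connecting to the NLB on 443 sees the certificate served by the ingress controller, not the ACM one, which is what the dashboard sign-in requires.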
