[英]Proxy nginx to ingress-nginx for migration purpose
I'm migrating from traditional docker host to kubernetes cluster. 我正在从传统的Docker主机迁移到kubernetes集群。
I want to have a continuity of service during that migration. 我希望在迁移期间保持服务的连续性。
For that purpose, I proxy the local nginx to the remote ingress-nginx. 为此,我将本地nginx代理到远程ingress-nginx。 Then, I update dns records.
然后,我更新dns记录。 This is nice setup for 2 reasons:
这是一个不错的设置,有两个原因:
In the mean time the cert is not generated, nginx will get served the default self-signed cert. 在此期间,未生成证书,nginx将获得默认的自签名证书。 I know it, so I want to verify against this, but I can't manage to do it.
我知道这一点,因此我想对此进行验证,但是我无法做到这一点。
Without discussing much about nginx configuration, we can reproduce the issue with curl only. 无需过多讨论nginx配置,我们只能使用curl重现该问题。
This is how I get the remote self-signed cert: 这是我获取远程自签名证书的方式:
openssl s_client -showcerts -servername standard.ingress.indie.host -connect standard.ingress.indie.host:443 < /dev/null | sed -n -e '/BEGIN\\ CERTIFICATE/,/END\\ CERTIFICATE/ p' > server.pem
And I expect the following command to work: 我希望以下命令能够正常工作:
curl --cacert ./server.pem https://standard.ingress.indie.host
But it doesn't.. I'm wondering what I'm doing wrong, if you could help, it would be awesome! 但事实并非如此。我想知道我在做错什么,如果您能提供帮助,那太好了! Thanks!
谢谢!
PS: this is the real host, so you can test against, the issue is live. PS:这是真正的主持人,因此您可以进行测试,此问题是实时的。
I think there are two things preventing that curl
command from working, in this order: 我认为有两个原因阻止
curl
命令按此顺序工作:
X509v3 Basic Constraints: critical CA:FALSE
X509v3 Subject Alternative Name: DNS:ingress.local
The O=Acme Co, CN=Kubernetes Ingress Controller Fake Certificate
certificate is not a CA, it's just self-signed. O=Acme Co, CN=Kubernetes Ingress Controller Fake Certificate
证书不是CA,它是自签名的。 Therefore, (as I understand it) no value of --cacert
would represent the "parent" in the X509 hierarchy and enable curl to trust the CA cert's child certificates. 因此,(据我所知),--
--cacert
任何值--cacert
不会表示X509层次结构中的“父”, --cacert
不会使curl信任CA证书的子证书。
However, even if there was a hypothetical issuing CA for that certificate, it is only issued for a SAN of ingress.local
, which standard.ingress.indie.host
definitely does not match. 但是,即使为该证书有一个假设的颁发CA,也只会为
ingress.local
的SAN颁发证书,这与standard.ingress.indie.host
绝对不匹配。
I can't tell from your question whether curl --insecure
is an option for you, or you are merely using curl to indicate the bad SSL outcome that is happening for the browsers (who don't easily have --insecure
). 我不能从您的问题中看出
curl --insecure
是否是您的选择,还是您只是使用curl指示浏览器正在发生的不良SSL结果(不容易拥有--insecure
的浏览器)。
Having said that, I believe it would be possible to actually generate a fake CA, and then issue a certificate against it, install that in nginx and then feed the fake CA to curl --cafile
(or, if required, install the CA into the trusted certificate store of the OS). 话虽如此,我相信实际上可能会生成一个伪造的CA,然后针对它颁发证书,将其安装在nginx中,然后将伪造的CA馈送到
curl --cafile
(或者,如果需要,将CA安装到操作系统的受信任证书存储)。
Please do follow up if there are more specifics you would find helpful. 如果有更多详细信息对您有所帮助,请继续进行后续操作。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.