将nginx代理到ingress-nginx以进行迁移
[英]Proxy nginx to ingress-nginx for migration purpose
问题描述
context 
上下文
I'm migrating from traditional docker host to kubernetes cluster. 我正在从传统的Docker主机迁移到kubernetes集群。
I want to have a continuity of service during that migration. 我希望在迁移期间保持服务的连续性。
For that purpose, I proxy the local nginx to the remote ingress-nginx. 为此,我将本地nginx代理到远程ingress-nginx。 Then, I update dns records. 然后,我更新dns记录。 This is nice setup for 2 reasons: 这是一个不错的设置,有两个原因:
- the traffic continues to flow while the dns propagates 在dns传播时流量继续流动
- I can generate a let's encrypt cert in the ingress-nginx, so once the dns propagated, my clients are served with proper cert 我可以在ingress-nginx中生成一个让我们加密证书的证书,因此,一旦dns传播,我的客户端就会获得适当的证书
In the mean time the cert is not generated, nginx will get served the default self-signed cert. 在此期间,未生成证书,nginx将获得默认的自签名证书。 I know it, so I want to verify against this, but I can't manage to do it. 我知道这一点,因此我想对此进行验证,但是我无法做到这一点。
minimum issue 最低发行
Without discussing much about nginx configuration, we can reproduce the issue with curl only. 无需过多讨论nginx配置,我们只能使用curl重现该问题。
This is how I get the remote self-signed cert: 这是我获取远程自签名证书的方式:
openssl s_client -showcerts -servername standard.ingress.indie.host -connect standard.ingress.indie.host:443 < /dev/null | sed -n -e '/BEGIN\\ CERTIFICATE/,/END\\ CERTIFICATE/ p' > server.pem
And I expect the following command to work: 我希望以下命令能够正常工作:
curl --cacert ./server.pem https://standard.ingress.indie.host
But it doesn't.. I'm wondering what I'm doing wrong, if you could help, it would be awesome! 但事实并非如此。我想知道我在做错什么,如果您能提供帮助,那太好了! Thanks! 谢谢!
PS: this is the real host, so you can test against, the issue is live. PS:这是真正的主持人,因此您可以进行测试,此问题是实时的。
1 个解决方案
解决方案1
0 已采纳 2018-08-05 03:51:58
I think there are two things preventing that curl command from working, in this order: 我认为有两个原因阻止curl命令按此顺序工作:
-
X509v3 Basic Constraints: critical CA:FALSE -
X509v3 Subject Alternative Name: DNS:ingress.local
The O=Acme Co, CN=Kubernetes Ingress Controller Fake Certificate certificate is not a CA, it's just self-signed. O=Acme Co, CN=Kubernetes Ingress Controller Fake Certificate证书不是CA,它是自签名的。 Therefore, (as I understand it) no value of --cacert would represent the "parent" in the X509 hierarchy and enable curl to trust the CA cert's child certificates. 因此,(据我所知),-- --cacert 任何值--cacert不会表示X509层次结构中的“父”, --cacert不会使curl信任CA证书的子证书。
However, even if there was a hypothetical issuing CA for that certificate, it is only issued for a SAN of ingress.local , which standard.ingress.indie.host definitely does not match. 但是,即使为该证书有一个假设的颁发CA,也只会为ingress.local的SAN颁发证书,这与standard.ingress.indie.host绝对不匹配。
I can't tell from your question whether curl --insecure is an option for you, or you are merely using curl to indicate the bad SSL outcome that is happening for the browsers (who don't easily have --insecure ). 我不能从您的问题中看出curl --insecure是否是您的选择,还是您只是使用curl指示浏览器正在发生的不良SSL结果(不容易拥有--insecure的浏览器)。
Having said that, I believe it would be possible to actually generate a fake CA, and then issue a certificate against it, install that in nginx and then feed the fake CA to curl --cafile (or, if required, install the CA into the trusted certificate store of the OS). 话虽如此,我相信实际上可能会生成一个伪造的CA,然后针对它颁发证书,将其安装在nginx中,然后将伪造的CA馈送到curl --cafile (或者,如果需要,将CA安装到操作系统的受信任证书存储)。
Please do follow up if there are more specifics you would find helpful. 如果有更多详细信息对您有所帮助,请继续进行后续操作。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.